Authorization Servers

An Authorization Server is the OAuth2 provider that issues your API access tokens. Connect Keycloak or Auth0 once, then reuse it across every gateway you run.

An Authorization Server is your OAuth2 provider, the system that issues access tokens and holds your scope definitions. You connect it once in Apiable under Integrations → Authorization Servers and reuse it across every API gateway you operate. It is the prerequisite for Scopes and OAuth2 plans.

What is an Authorization Server in Apiable?

An Authorization Server is the OAuth2 system that issues your API access tokens and stores your scope definitions. Apiable connects to it, registers a client per subscription, and binds the scopes each subscription holds.

Your gateway then validates the tokens it issues. The Authorization Server is where tokens come from; the gateway is where they are checked.

How is an Authorization Server different from an Identity Provider?

An Authorization Server issues the OAuth2 tokens your gateway validates for machine-to-machine API calls. An Identity Provider signs human users in to your API Portal. They solve different problems and are configured separately in Apiable.

                     | Authorization Server                      | Identity Provider
Job                  | Issues OAuth2 access tokens for API calls | Signs users in to your API Portal
Who it serves        | Subscriptions and their machine clients   | People logging in to the portal
Where you set it up  | Integrations → Authorization Servers      | Integrations → Identity Providers
Examples             | Keycloak, Auth0                           | Microsoft Entra ID, Amazon Cognito, OIDC

Which authorization servers does Apiable support?

Keycloak and Auth0 are connectable today. Amazon Cognito, Okta, and Duende are coming soon and cannot be selected yet.

Provider               | Status
Keycloak               | Connectable
Auth0                  | Connectable
Amazon Cognito         | Coming Soon
Okta                   | Coming Soon
Duende IdentityServer  | Coming Soon

What is Dynamic Client Registration (DCR)?

Dynamic Client Registration is the OAuth2 standard (RFC 7591 and 7592) for creating and updating clients programmatically. Apiable uses it, or your provider's management API, to register one client per subscription bound to that subscription's scopes.

When a developer's access changes, Apiable updates the same client's scopes in place. Your consumers keep their existing credentials and pick up the new access on their next token. They never have to re-integrate.
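The register-then-update flow described above, as an added illustration that is not Apiable's or any provider's code: an in-memory stand-in for a DCR endpoint shows why a scope change leaves the consumer's credentials untouched. The subscription id and scope names are constructed for the example.

```python
import secrets


class InMemoryRegistrationServer:
    """Stand-in for a provider's DCR endpoint (RFC 7591 register, RFC 7592 update)."""

    def __init__(self):
        self.clients = {}

    def register(self, metadata):
        # RFC 7591: the server mints client_id, client_secret and a registration
        # access token that authorizes later management calls for this client only.
        record = dict(metadata)
        record["client_id"] = secrets.token_hex(8)
        record["client_secret"] = secrets.token_urlsafe(32)
        record["registration_access_token"] = secrets.token_urlsafe(32)
        self.clients[record["client_id"]] = record
        return dict(record)

    def update(self, client_id, bearer, metadata):
        record = self.clients.get(client_id)
        if record is None or not secrets.compare_digest(bearer, record["registration_access_token"]):
            raise PermissionError("invalid registration access token")
        # RFC 7592: the update replaces metadata but never reissues credentials,
        # so the consumer keeps its existing client_id and client_secret.
        for key in ("client_id", "client_secret", "registration_access_token"):
            metadata.pop(key, None)
        record.update(metadata)
        return dict(record)


def client_metadata(subscription_id, scopes):
    """RFC 7591 client metadata for one machine client bound to one subscription."""
    return {
        "client_name": f"subscription-{subscription_id}",  # constructed naming scheme
        "grant_types": ["client_credentials"],
        "token_endpoint_auth_method": "client_secret_basic",
        "scope": " ".join(sorted(scopes)),
    }


def register_subscription(server, subscription_id, scopes):
    """Create the subscription's client; returns the record including credentials."""
    return server.register(client_metadata(subscription_id, scopes))


def update_subscription_scopes(server, record, subscription_id, scopes):
    """Re-bind an existing client to a changed scope set, keeping its credentials."""
    return server.update(record["client_id"], record["registration_access_token"],
                         client_metadata(subscription_id, scopes))
```

A real provider also rejects the update when the bearer token is missing or belongs to another client, which is what makes the per-client registration access token worth storing alongside the client record.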

How do you connect an Authorization Server?

Go to Integrations → Authorization Servers, choose + Add AuthZ, pick Keycloak or Auth0, fill in the connection fields, and save. Apiable then runs OIDC discovery and you confirm the connection with Test Connection.

  1. Open Integrations → Authorization Servers and choose + Add AuthZ.
  2. Select Keycloak or Auth0 on the Select Authorization Server type screen, then choose Connect Authorization Server.
  3. Fill in the connection fields for that provider (see the per-provider summary below).
  4. Click Save. Apiable kicks off OIDC discovery in the background and lists what it finds under Discovered Auth Methods.
  5. Open the saved server and use Test Connection to confirm it is reachable. Its status reads Connected, Error, or Not tested.

Credentials you enter are stored in Apiable's secret store, not in plain configuration.

What does each provider need?

Each provider asks for a different set of connection fields. The exact labels are below; the task pages walk through every field.

Provider  | Connection fields
Keycloak  | Name, Server URL, Realm, DCR Endpoint, DCR Client ID, DCR Client Secret, and optionally Admin API Client ID and Admin API Client Secret
Auth0     | Name, Domain, API Audience, Client ID, and Client Secret (Management API)

How do you point a gateway at an Authorization Server?

Open the gateway under Integrations → API Gateways, go to its Authorization tab, choose Authorization Server as the OAuth handler, and select your server from the picker. This lets the gateway validate the tokens that server issues.

On the Authorization tab, the OAuth handler choice is Gateway-native only or Authorization Server. Picking Authorization Server reveals a picker listing your connected servers. Select one and click Save Changes.

How do you bind an Authorization Server to a plan?

Open an OAuth2 plan's Access Control tab and choose the Authorization Server that will issue its tokens. An Authorization Server must be selected before you can configure scopes for the plan.

See Assign scopes to a plan for the full plan setup, and Scopes for how a scoped request gets authorized end to end.
