The policies in this stage provide different ways of identifying and authorizing the application, and provide the required access rights for the application. The policies included in this stage are:

The Inbound authentication policies at transport and message level are used to authenticate the application by specifying user-based SPN or host-based SPN for a Kerberos token, using the basic credentials for the HTTP basic authentication or through various token assertions or through the XML security actions.

The Authorize User policy authorizes the application against a list of users and a list of groups registered in API Gateway.

The Identify and Authorize policy is used to identify the application and authorize it against all application registered in API Gateway.