Authentication in Kyma

The identity federation in Kyma is managed through an OpenID Connect (OIDC)-compliant identity provider.

The diagram shows the user authentication flow:

Authentication diagram

  1. Access Kyma Dashboard.
  2. Kyma Dashboard redirects you to an OIDC-compliant identity provider to handle the authentication.
  3. After successful authentication, the identity provider issues a JWT token that is stored in the browser session and used for all subsequent requests.

ID Tokens

ID Tokens are JSON Web Tokens (JWTs) signed by an OIDC-compliant identity provider and returned as part of the OAuth2 response that attest to the end user's identity. An example of the decoded JWT looks as follows:

Click to copy
"iss": "",
"sub": "CgcyMzQyNzQ5EgZnaXRodWI",
"aud": "example-app",
"exp": 1492882042,
"iat": 1492795642,
"at_hash": "bi96gOXZShvlWYtal9Eqiw",
"email": "",
"email_verified": true,
"groups": [
"name": "Jane Doe"

Service-to-service authentication

As Kyma is built on top of Istio Service Mesh, service-to-service authentication and encryption is enabled with Istio MutualTLS. For details, read the Kyma-specific Istio configuration documentation.

User-to-service authentication

Kyma uses a custom API Gateway component that is built on top of ORY Oathkeeper. The API Gateway allows exposing user applications within the Kyma environment and secures them if necessary. You can then access the secured resources using authentication options.