The Fusion API gateway requires incoming requests to be authenticated. The gateway supports a number of authentication mechanisms, including SAML, OIDC, basic auth, and Kerberos. Once authenticated, the gateway issues a JWT and returns it in the id cookie. Client applications will get the best performance by using the id cookie (or JWT Authorization header) instead of using Basic Auth for every query request because hashing a password is CPU intensive and slow by design (we use bcrypt), whereas verifying a JWT is fast and safe to cache. We show an example of this in
Query Load Tests with Gatling,
including how to refresh the JWT before it expires.
All Fusion services require requests to include a JWT to identify the caller.