Connect to any backend, anywhere — without sharing secrets
Workload identity federation, Azure AD, mTLS, secure tunnels, and a full resilience toolkit — retries, timeouts, and a circuit breaker — all running at the edge across 300+ data centers.
Most gateways forward the request and call it a day
The hard problems start after the request leaves the gateway: how it authenticates to your backend, what happens when the backend fails, and whether your origin is reachable from a SaaS gateway in the first place. These are the parts that make procurement nervous and on-call rotations long.
Static secrets in your gateway
Service-account keys, long-lived JWTs, copy-pasted client secrets — sitting in your gateway config, rotating once a year if you're lucky, and a single misconfigured PR away from the public internet.
Cascading backend failures
One slow downstream service ties up your gateway pool, requests queue, timeouts spread, and your whole API surface goes red — even endpoints that have nothing to do with the failing backend.
Private backends on the public internet
Your origin shouldn't be exposed, but the gateway lives in a SaaS account, so you carve a NAT hole, file a security exception, and hope the IP allowlist holds.
Retries you can't reason about
Built-in retry knobs without backoff, no shared circuit state across instances, and timeouts that don't compose — so when an outage hits, retry storms make it worse.
Identity, resilience, and reachability — solved at the gateway
No shared secrets to your origins
Workload identity federation, OAuth 2.0 client credentials, and Zuplo-signed JWTs let your backend trust the gateway without storing a single static credential — proven cryptographically per request.
Outages absorbed at the edge
Retries with backoff, AbortSignal timeouts, and a circuit breaker keep failing backends from taking the whole API surface down — and your customers never see the wobble.
Reach private backends safely
WireGuard secure tunnel, mTLS, PrivateLink, VPC peering, and cloud IAM federation — pick the path that fits your network. The gateway stays public; your origin stays private.
Connect to any backend without sharing static secrets
Zuplo ships five upstream-authentication policies that mint and rotate credentials at the edge — workload identity federation for GCP, OAuth 2.0 client credentials for Azure AD, Zuplo-signed JWTs for your own services, plus mTLS and a WireGuard secure tunnel when the network needs to be private.
Diagram (text recovered from the graphic): a Zuplo gateway whose inbound policy, upstream-gcp-federated-auth-inbound, mints upstream credentials through Workload Identity Federation with no shared secret. The inbound request shown is GET /api/v2/orders with Authorization: Bearer eyJhbGc…, forwarded to example backends: Cloud Run (GCP, behind Identity Aware Proxy), Azure Functions (Azure AD, App Service), a Kubernetes Service (on-prem, mTLS, private network), and a Mainframe API (behind a firewall, reached over a WireGuard tunnel).
Stop cascading failures before they reach your origin
Retries with exponential backoff, per-request timeouts via AbortSignal, and a circuit-breaker pattern using ZoneCache for shared state — all defined as TypeScript policies that run at the edge. When a backend wobbles, the gateway absorbs the impact instead of forwarding the pain.
Diagram (text recovered from the graphic): circuit-breaker state indicator showing CLOSED, all requests passing.
The backend story most gateways skip
Forwarding a request is the easy part. Authenticating, retrying, and reaching private origins is where most gateways punt to you, your security team, or a sidecar.
Short-lived backend credentials, by default
Skip the service-account JSON in env vars. The gateway exchanges its identity for short-lived backend credentials per request — Workload Identity Federation for GCP, OAuth client credentials for Azure AD, Zuplo-signed JWTs for your own services. Token caching and rotation run inside the runtime; your handlers stay clean.
Programmable resilience, not a checkbox
Retries, timeouts, fallbacks, and circuit breakers are TypeScript policies — so you can branch on response payloads, retry only specific status codes, apply jitter, or call a degraded-mode service. The patterns are real code you can read, test, and own.
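As an added example (not Zuplo's own policy code, and not using its runtime API), here is the retry behaviour the resilience section and this paragraph describe, written as a stand-alone TypeScript helper: exponential backoff with full jitter, a per-attempt timeout enforced through AbortSignal, and a retry allowlist keyed on status code. The attempt, sleep and random hooks are assumptions introduced here so the helper can be exercised offline and deterministically; in a gateway policy, attempt would wrap fetch(url, { signal }).

```typescript
// Added example, not Zuplo's own policy code: retry with exponential backoff,
// full jitter, a per-attempt AbortSignal timeout, and a status-code allowlist.
// `attempt`, `sleep` and `random` are hooks assumed here so the helper runs
// offline and deterministically; in a gateway policy `attempt` would wrap
// fetch(url, { signal }).

export interface RetryOptions {
  maxAttempts: number;           // total tries, including the first one
  baseDelayMs: number;           // backoff ceiling before the first retry
  maxDelayMs: number;            // cap on any single backoff delay
  attemptTimeoutMs: number;      // per-attempt budget enforced through AbortSignal
  retryOn: ReadonlySet<number>;  // status codes worth retrying, e.g. 502/503/504
  sleep?: (ms: number) => Promise<void>;
  random?: () => number;         // returns [0, 1); injectable for tests
}

export interface AttemptResult {
  status: number;
  body?: string;
}

export type Attempt = (signal: AbortSignal) => Promise<AttemptResult>;

export interface RetryOutcome {
  result?: AttemptResult;  // last response that actually arrived
  attempts: number;        // attempts made, including the first
  delaysMs: number[];      // backoff slept before each retry
  abortedAttempts: number; // attempts cut off by the per-attempt timeout
}

const realSleep = (ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms));

// Full jitter: uniform in [0, min(maxDelay, base * 2^n)). Spreading retries keeps
// many gateway instances from hitting a recovering origin in lockstep.
export function backoffDelay(retryIndex: number, opts: RetryOptions, random: () => number): number {
  const ceiling = Math.min(opts.maxDelayMs, opts.baseDelayMs * 2 ** retryIndex);
  return Math.floor(random() * ceiling);
}

export async function retryWithBackoff(attempt: Attempt, opts: RetryOptions): Promise<RetryOutcome> {
  const sleep = opts.sleep ?? realSleep;
  const random = opts.random ?? Math.random;
  const outcome: RetryOutcome = { attempts: 0, delaysMs: [], abortedAttempts: 0 };

  for (let i = 0; i < opts.maxAttempts; i++) {
    outcome.attempts = i + 1;
    // Per-attempt timeout: abort only the in-flight attempt, never the whole loop.
    const ctrl = new AbortController();
    const timer = setTimeout(() => ctrl.abort(), opts.attemptTimeoutMs);
    let result: AttemptResult | undefined;
    let timedOut = false;
    try {
      result = await attempt(ctrl.signal);
    } catch (err) {
      if (!ctrl.signal.aborted) throw err; // real transport error: surface it, do not mask it
      timedOut = true;
      outcome.abortedAttempts++;
    } finally {
      clearTimeout(timer);
    }

    if (result !== undefined) outcome.result = result;
    const retryable = timedOut || (result !== undefined && opts.retryOn.has(result.status));
    if (!retryable || i === opts.maxAttempts - 1) break;

    const delay = backoffDelay(i, opts, random);
    outcome.delaysMs.push(delay);
    await sleep(delay);
  }
  return outcome;
}
```

Two design choices are worth calling out. Only timeouts and allowlisted status codes are retried; a thrown transport error is rethrown, because silently retrying a non-idempotent request that may already have reached the origin is a correctness problem, not a resilience feature. And the jitter is the full-jitter variant: a fleet of edge instances that all saw the same failure at the same moment would otherwise retry in phase and reproduce the retry storm the page warns about.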
Built into the gateway, not bolted on
Backend authentication, retries, timeouts, and circuit breakers run inside the gateway runtime across 300+ edge data centers. No Envoy filter to deploy, no separate process to update, no Helm chart to keep in version-sync with the gateway.
Layered defense, by default
Run mTLS for transport trust, an upstream-auth policy for identity, a Zuplo JWT for project provenance, and a WireGuard tunnel for the network — combined on the same route in plain JSON config. Defense in depth without a vendor proposal.
What teams use this for
“We can't store a GCP service-account JSON in another vendor's system.”
Use Upstream GCP Federated Auth — Zuplo mints a token via Workload Identity Federation and exchanges it for GCP credentials at the edge. No JSON key, no static secret, no audit conversation about cross-cloud secret sprawl.
“Our payments backend hiccups under load.”
Wire up the circuit-breaker example. After N failures the breaker opens; the inbound policy fast-fails with a 503 RFC 7807 problem response in microseconds, your origin gets to recover, and a half-open probe re-admits traffic when it does.
“The mainframe team will never put their API on the public internet.”
Stand up a WireGuard secure tunnel from your VPC to Zuplo. The mainframe stays private; the gateway dials in. Same single config that handles your public REST endpoints.
“How do we prove to security a request actually came from our gateway?”
Attach the Upstream Zuplo JWT policy. Every outbound call carries a Zuplo-signed JWT your backend can validate against the gateway's JWKS. Combine with mTLS for transport-level proof.
Lock down your backends without slowing them down
Spin up a free Zuplo project, point it at your origin, and turn on workload identity federation in minutes.