---
title: "Secure and Govern"
description:
  "Protect your APIs from abuse with built-in authentication, validation, rate
  limits, and centralized policy enforcement at the edge."
canonicalUrl: "https://zuplo.com/solutions/secure-and-govern"
sourceUrl: "https://zuplo.com/solutions/secure-and-govern"
pageType: "use-case"
generatedAt: "2026-04-22"
---

# Secure & Govern APIs by Default

> Zuplo's security and governance solution protects APIs from abuse through
> built-in authentication, request validation, rate limiting, and centralized
> policy enforcement — all applied at the edge without boilerplate code.

## Security without the boilerplate

### Define security as reusable policies

Auth, schema validation, traffic limits, and audit logging — configured once,
applied everywhere. No middleware required.

[Learn more about API security](/features/api-security)

### Your OpenAPI spec is your security contract

Every request is validated against your spec before it ever touches your
backend. Auth, schema, headers — enforced at the edge.

[Learn more about OpenAPI](/features/open-api)

### Every request. Logged and observable.

Real-time event feed for every auth check, rate limit, and rejection. Send
enriched logs to Datadog, New Relic, Splunk, or your own platform.

[Learn more about API observability](/features/api-observability)

### Built for real-world abuse

Block by IP, region, user agent, key tier, or custom logic. Runs on Cloudflare's
global network with built-in DDoS protection.

[Learn more about monitoring your gateway](https://zuplo.com/docs/articles/monitoring-your-gateway)

## Enforce company-wide standards across every API

Security shouldn't depend on which team wrote the service. Define reusable
policies once and apply them across environments and APIs.

- Require logging on all endpoints
- Enforce auth across every route
- Standardize rate limits by tier
- Prevent accidental public exposure

## Know exactly what happened — and why

Every request is traced end-to-end. See which policies ran, how long each step
took, and exactly why a request succeeded or was rejected.

Export enriched logs and traces to your observability stack:

- **Datadog**
- **New Relic**
- **Splunk**
- **Custom** (via any compatible endpoint)

## Built for production. Ready for enterprise

Everything teams need to deploy API security at scale — without the ops
overhead.

### Global edge network

Deployed worldwide across hundreds of PoPs, with built-in DDoS protection and
low-latency request handling.

### SOC2-friendly

Compliance controls baked in. Ready for SOC 2, HIPAA, and enterprise security
reviews out of the box.

### High availability

Redundant by design — no single point of failure, no maintenance windows, no
surprises.

### Enterprise SLAs

Contractual uptime guarantees backed by 24/7 incident response from our
engineering team.

### Full audit trail

Every request, policy decision, and config change logged, searchable, and
exportable on demand.

### Access controls

Role-based permissions, SSO support, and environment isolation built into every
plan.

## FAQ

**What authentication methods does Zuplo support?**

Zuplo supports API key authentication, JWT/OAuth2 validation, mTLS, and custom
authentication policies written in TypeScript. It integrates natively with
Auth0, Clerk, Firebase, Supabase, Okta, AWS Cognito, and other identity
providers — applying auth enforcement at the gateway before requests reach your
backend.

**How does Zuplo validate JWT tokens?**

Zuplo validates JWT tokens against configurable JWKS endpoints or static public
keys. Validation includes signature verification, expiry checks, audience and
issuer claims, and custom claim extraction. The validated claims are attached to
the request context and passed through to your backend, so you don't duplicate
validation logic downstream.

**Can I enforce IP allowlisting and blocklisting at the API gateway?**

Yes. Zuplo's IP restriction policies let you define allowlists and blocklists at
the route, route group, or gateway level. Rules are evaluated at the edge before
any upstream traffic is forwarded, making enforcement both consistent and
extremely low-latency.
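
What layered allow/block evaluation looks like in code, as an added example
written for this page in generic TypeScript (not Zuplo's IP restriction policy
or its configuration format). The precedence is an assumption made for the
example: a blocklist hit at any scope denies, otherwise the most specific scope
that defines an allowlist decides. The CIDR ranges and scopes are constructed,
and IPv6 is left out to keep the parser short:

```typescript
// Added example (generic TypeScript, not Zuplo's IP restriction policy): IPv4
// CIDR matching plus layered allow/block rules at gateway, group and route
// scope. Precedence here is an assumption for the example: any blocklist hit
// denies; otherwise the most specific scope with an allowlist decides.
type Cidr = { base: number; mask: number };
type IpRules = { allow?: string[]; block?: string[] };
type Scope = { name: "gateway" | "group" | "route"; rules: IpRules };
type IpDecision = { allowed: boolean; reason: string };

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

export function parseCidr(cidr: string): Cidr {
  const [ip, bitsStr = "32"] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid prefix length: ${cidr}`);
  // JS shifts are mod 32, so /0 needs its own case rather than 0xffffffff << 32.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { base: (ipv4ToInt(ip) & mask) >>> 0, mask };
}

export function inCidr(ip: string, c: Cidr): boolean {
  return ((ipv4ToInt(ip) & c.mask) >>> 0) === c.base;
}

// `scopes` is ordered least to most specific: [gateway, group, route].
// `clientIp` must be the address the edge observed on the connection, never a
// client-supplied header such as X-Forwarded-For, which an attacker controls.
export function evaluateIp(clientIp: string, scopes: Scope[]): IpDecision {
  const compiled = scopes.map((s) => ({
    name: s.name,
    allow: (s.rules.allow ?? []).map(parseCidr),
    block: (s.rules.block ?? []).map(parseCidr),
  }));
  for (const s of compiled) {
    if (s.block.some((c) => inCidr(clientIp, c))) return { allowed: false, reason: `${s.name} blocklist` };
  }
  const decider = [...compiled].reverse().find((s) => s.allow.length > 0);
  if (!decider) return { allowed: true, reason: "no allowlist configured" };
  return decider.allow.some((c) => inCidr(clientIp, c))
    ? { allowed: true, reason: `${decider.name} allowlist` }
    : { allowed: false, reason: `not in ${decider.name} allowlist` };
}

export function demoIp() {
  // Constructed policy: the gateway blocks a known-bad range, the group restricts
  // to the corporate network, and one route narrows that further to a single subnet.
  const gateway: Scope = { name: "gateway", rules: { block: ["203.0.113.0/24"] } };
  const group: Scope = { name: "group", rules: { allow: ["10.0.0.0/8"] } };
  const adminRoute: Scope = { name: "route", rules: { allow: ["10.1.0.0/16"] } };
  const publicRoute: Scope = { name: "route", rules: {} };
  return {
    adminFromSubnet: evaluateIp("10.1.2.3", [gateway, group, adminRoute]),
    adminFromElsewhereInCorp: evaluateIp("10.2.0.1", [gateway, group, adminRoute]),
    publicFromCorp: evaluateIp("10.2.0.1", [gateway, group, publicRoute]),
    blockedRange: evaluateIp("203.0.113.7", [gateway, group, publicRoute]),
    outsider: evaluateIp("198.51.100.9", [gateway, group, publicRoute]),
  };
}
```

The check a practitioner should keep in mind is the source of `clientIp`: an
IP policy is only as strong as the address it evaluates, so it has to come from
the edge's view of the connection, not from a header the client can set.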

**Does Zuplo support mTLS for service-to-service API security?**

Yes. Zuplo supports mutual TLS (mTLS) for authenticating clients using
certificates. This is commonly used in service-to-service communication and
zero-trust architectures where API keys or JWTs alone are insufficient.

**What compliance certifications does Zuplo hold?**

Zuplo is SOC 2 Type II certified. It enforces TLS 1.2+ on all connections,
supports GitHub secret scanning integration, and provides audit logging for all
gateway policy changes. Enterprise customers can also deploy on dedicated
infrastructure to satisfy data residency and isolation requirements.

**How does Zuplo handle API key management at scale?**

Zuplo provides a built-in API key service with programmatic key creation,
rotation, revocation, and metadata tagging — all via API or the developer
portal. Keys can carry custom metadata (plan, tier, user ID) that policies read
at runtime to enforce access control without database round-trips.
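
How a policy can read key metadata at lookup time and turn it into a per-tier
limit, as an added example written for this page in generic TypeScript (not
Zuplo's API key service or its rate-limiting policy). It also covers the
"Standardize rate limits by tier" item above. The keys, tiers, limits and the
in-memory store are constructed fixtures; a real deployment would keep the
buckets in shared storage across edge locations:

```typescript
// Added example (generic TypeScript, not Zuplo's API key service or rate-limit
// policy): a key store that holds only key hashes plus metadata, and a
// token-bucket limiter whose capacity and refill rate come from the key's tier.
// All keys, tiers and limits below are constructed fixtures.
import { createHash } from "node:crypto";

type Tier = "free" | "pro";
type KeyRecord = { tier: Tier; userId: string; revoked: boolean };
type Decision = { allowed: boolean; status: number; reason: string; userId?: string; tier?: Tier; remaining?: number };

// Per-tier limits (assumed values): burst capacity and steady-state refill per second.
const TIER_LIMITS: Record<Tier, { capacity: number; refillPerSec: number }> = {
  free: { capacity: 5, refillPerSec: 1 },
  pro: { capacity: 100, refillPerSec: 20 },
};

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// The store maps sha256(key) -> metadata, so a leaked store yields no usable
// credentials, and the metadata a policy needs arrives with the key lookup.
const KEY_STORE = new Map<string, KeyRecord>([
  [sha256("zpka_free_123"), { tier: "free", userId: "u-1", revoked: false }],
  [sha256("zpka_pro_456"), { tier: "pro", userId: "u-2", revoked: false }],
  [sha256("zpka_old_789"), { tier: "pro", userId: "u-3", revoked: true }],
]);

// One token bucket per key hash, kept in memory for the example.
const buckets = new Map<string, { tokens: number; updatedMs: number }>();

export function authorize(apiKey: string | undefined, nowMs: number): Decision {
  if (!apiKey) return { allowed: false, status: 401, reason: "missing api key" };
  const keyHash = sha256(apiKey);
  const rec = KEY_STORE.get(keyHash);
  // Unknown and revoked keys get the same answer so callers cannot probe for live ids.
  if (!rec || rec.revoked) return { allowed: false, status: 401, reason: "invalid or revoked key" };
  const limit = TIER_LIMITS[rec.tier];
  const b = buckets.get(keyHash) ?? { tokens: limit.capacity, updatedMs: nowMs };
  const elapsedSec = Math.max(0, nowMs - b.updatedMs) / 1000;
  b.tokens = Math.min(limit.capacity, b.tokens + elapsedSec * limit.refillPerSec);
  b.updatedMs = nowMs;
  buckets.set(keyHash, b);
  const who = { userId: rec.userId, tier: rec.tier };
  if (b.tokens < 1) return { allowed: false, status: 429, reason: "rate limit exceeded", ...who, remaining: 0 };
  b.tokens -= 1;
  return { allowed: true, status: 200, reason: "ok", ...who, remaining: Math.floor(b.tokens) };
}

export function demoApiKeys() {
  buckets.clear(); // deterministic across repeated runs
  const t0 = 1_700_000_000_000;
  // Six back-to-back calls on a free key: five succeed, the sixth is throttled.
  const freeBurst = Array.from({ length: 6 }, () => authorize("zpka_free_123", t0));
  return {
    missing: authorize(undefined, t0),
    unknown: authorize("zpka_nope_000", t0),
    revoked: authorize("zpka_old_789", t0),
    freeBurst,
    freeAfterRefill: authorize("zpka_free_123", t0 + 1000), // one token refilled after 1 s
    pro: authorize("zpka_pro_456", t0),
  };
}
```

Revocation here is a flag on the stored record rather than a deletion, so the
audit trail keeps the key's history while `authorize` treats it exactly like an
unknown key.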

## Next steps

- [Start free](/signup) — secure your APIs today at no cost
- [Talk to our team](https://zuplo.com/meeting) — get a guided walkthrough for
  enterprise use cases
