About Microservices.io

Microservices.io is brought to you by Chris Richardson. Experienced software architect, author of POJOs in Action and the creator of the original CloudFoundry.com. His latest startup is eventuate.io, a microservices application platform.

Microservices consulting and training

Chris offers a comprehensive consulting services, workshops and hands on training classes to help you use microservices effectively.

Avoid the pitfalls of adopting microservices and learn essential topics, such as service decomposition and design and Kubernetes. Find out more

Learn more about microservices

Chris offers a comprehensive set of resources for learning about microservices including articles, an O'Reilly training video, and example code.

Learn more

Example microservices applications

Want to see an example? Check out Chris Richardson's example applications. See code

Get the book: Microservice patterns

Signup for the newsletter

A new microservices application platform that solves distributed data management problems.

Join the microservices google group

Pattern: Access token


You have applied the Microservice architecture and API Gateway patterns. The application consists of numerous services. The API gateway is the single entry point for client requests. It authenticates requests, and forwards them to other services, which might in turn invoke other services.


How to communicate the identity of the requestor to the services that handle the request?


  • Services often need to verify that a user is authorized to perform an operation


The API Gateway authenticates the request and passes an access token (e.g. JSON Web Token) that securely identifies the requestor in each request to the services. A service can include the access token in requests it makes to other services.


See JSON Web Token for usage examples and supporting libraries.

Resulting context

This pattern has the following benefits:

  • The identity of the requestor is securely passed around the system
  • Services can verify that the requestor is authorized to perform an operation

Copyright © 2018 Chris Richardson • All rights reserved • Supported by Kong.