TL;DR: Identity APIs are especially exposed to server-side request forgery because they fetch URLs, metadata, and provider data from both internal and external sources, and a single unvalidated request can expose credentials or internal services, according to Stytch. The control problem is not awareness but layered enforcement: validation, egress restrictions, redirect handling, and network segmentation all have to hold at once.
At a glance
What this is: This is an analysis of how SSRF threatens identity APIs by turning outbound requests into a path to internal services, credentials, and authentication data.
Why it matters: It matters because IAM and platform teams often trust identity back ends more than application front ends, yet SSRF exploits that trust boundary and can compromise login flows, tokens, and sensitive identity data.
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read Stytch's analysis of SSRF defenses for identity APIs
Context
Server-side request forgery, or SSRF, is what happens when a backend service is tricked into making network requests it was never meant to make. In identity APIs, that matters because the service often sits close to authentication data, provider metadata, and internal admin endpoints that should never be reachable through user-controlled input.
The article’s core point is that identity systems are especially vulnerable when they treat outbound requests as trusted by default. That assumption breaks down in hybrid and cloud-native environments where public-facing services can be induced to reach internal resources, exposing credentials, configuration, or authentication context.
For IAM teams, the issue is not just a web vulnerability. It is a governance problem around trust boundaries, egress policy, URL handling, and how much implicit authority an identity service has when it fetches data on behalf of a request.
Key questions
Q: How should security teams prevent SSRF in identity APIs?
A: Use layered controls. Validate and allowlist outbound destinations, block internal and link-local address ranges, disable unsafe redirect handling, and enforce strict egress rules from identity workloads. The key is to assume user-controlled input will eventually find a bypass, so the network and the HTTP client must both refuse dangerous destinations.
Q: Why is SSRF especially dangerous for IAM systems?
A: IAM systems often sit near credentials, provider metadata, and internal admin services, so a successful SSRF flaw can turn a normal backend request into trusted access to sensitive resources. That makes the impact larger than in ordinary web applications because the service already has authority the attacker does not.
Q: What do teams get wrong about SSRF defenses?
A: They often stop at URL parsing and blocklists. That misses redirects, DNS rebinding, alternate IP encodings, and network-layer reachability. A service that can still connect to private or link-local destinations remains vulnerable even if its input validation looks strict on paper.
Q: Who is accountable when an identity API leaks credentials through SSRF?
A: Accountability usually spans application owners, platform engineering, and identity governance. The app team owns the vulnerable fetch path, platform teams own egress and segmentation, and identity teams own the sensitive credentials and trust boundaries that make the blast radius so high.
Technical breakdown
How SSRF turns an identity API into an internal proxy
SSRF works when an application accepts a URL or redirect target and then fetches it server-side. In identity systems, that can be an avatar URL, webhook target, SAML metadata reference, or OIDC document retrieval. The danger is not the fetch itself but the trust inheritance: the backend may have network reach, tokens, or internal DNS access that the original caller does not. Once the server issues the request, it can be used to reach metadata services, admin panels, or private APIs that were assumed to be unreachable from outside.
Practical implication: treat every identity-service outbound request as a potential trust boundary crossing and restrict what the backend is allowed to fetch.
Why metadata endpoints and internal services are high-value SSRF targets
Cloud metadata endpoints are attractive because they often expose temporary credentials, role data, and instance configuration. Internal admin services are equally risky because they may assume requests originate from a trusted network segment. SSRF becomes severe when the backend can pivot from a harmless-looking URL to a link-local address such as 169.254.169.254 or an internal service name. This is why simple blocklists fail. Attackers can use redirects, numeric IP encodings, DNS rebinding, or alternate hostnames to reach the same destination through different paths.
Practical implication: block link-local and internal destinations at both the application layer and the network layer, not just by checking the URL string.
Why allowlists, egress controls, and redirect handling must work together
A single defense rarely holds against SSRF. URL allowlists stop obvious abuse, but they are not enough if redirects, DNS resolution, or downstream libraries can bypass them. Stronger designs validate the final resolved destination, disable unsafe automatic redirects, and enforce default-deny egress rules so services can only reach approved hosts. In identity infrastructure, this is especially important because a compromised request path can leak JWT signing keys, internal cookies, or provider secrets. The technical pattern is layered control, not one perfect filter.
Practical implication: combine strict destination validation with egress filtering and hardened HTTP clients so one missed control does not become a breach path.
Threat narrative
Attacker objective: The attacker’s objective is to turn a trusted identity backend into a proxy for internal access and credential exposure.
- Entry begins when an attacker supplies a malicious URL, redirect, or metadata reference to an identity-facing service that fetches remote content on their behalf.
- Escalation occurs when the backend follows that request into internal or link-local destinations, exposing cloud metadata, internal APIs, or trusted admin services.
- Impact follows when exposed credentials, tokens, or internal context are used to access sensitive systems or widen the compromise into the broader identity environment.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SSRF in identity infrastructure is a trust-boundary failure, not just an application flaw. Identity services are built to handle sensitive requests and often sit close to provider integrations, internal databases, and authentication tokens. When those services can be induced to fetch attacker-chosen URLs, the backend becomes a trusted intermediary for hostile traffic. The implication is that IAM architecture must account for outbound authority, not only inbound authentication.
Implicit trust in backend requests is the governance assumption SSRF breaks. That assumption was designed for controlled service-to-service communication, where destinations are known and bounded. It fails when user input can steer the request path because the identity service is then making decisions about network reach on behalf of an attacker. The implication is that request provenance and destination control must be treated as identity governance concerns.
Identity APIs amplify SSRF impact because they sit near the most sensitive secrets in the stack. Provider metadata, JWT signing material, internal cookies, and admin endpoints all become reachable if the request path is not tightly constrained. This is why SSRF against identity infrastructure is often more damaging than the same bug elsewhere. Practitioners should assume that any identity backend with outbound fetch capability can become a credential-exposure vector.
Runtime URL validation without egress control remains fragile. Hostname checks, parsing rules, and redirect filters can all be bypassed if the network layer still permits private, loopback, or link-local access. The field should treat this as a layered-control problem under OWASP-NHI and zero-trust design, not as an input-validation exercise alone. The practitioner takeaway is to govern both what the service may request and where it may connect.
Identity governance now has to include outbound request permissions. If an identity service can fetch arbitrary content, its effective privilege is larger than its authentication role suggests. That creates identity blast radius, where one request path can expose unrelated systems through trusted backend behaviour. Teams should re-evaluate service boundaries, egress policy, and secrets exposure together rather than as separate security workstreams.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot confidently trace which non-human identities are exposed to SSRF-adjacent reachability.
- For deeper context, see 52 NHI Breaches Analysis for the credential exposure patterns that most often precede internal compromise.
What this signals
Identity teams should treat outbound request policy as part of the authentication perimeter. SSRF shows that the control surface extends beyond login, federation, and token issuance into the services that fetch metadata and enrich identity workflows. When those requests are not tightly bounded, an attacker can use the identity stack to reach assets that are otherwise isolated.
Identity blast radius is the right concept for this problem. A single SSRF path can touch credentials, internal services, and authentication state in one chain of trust. That is why this risk belongs in identity governance conversations, not only in application security reviews, and why it should be measured alongside secrets exposure and service-account reachability.
With 96% of organisations storing secrets outside of secrets managers in vulnerable locations, the practical question is no longer whether a backend can be tricked into making a request. It is whether the resulting request can reach something valuable before detection or containment kicks in.
For practitioners
- Inventory every identity-service outbound fetch path Map avatar imports, webhooks, OIDC metadata retrieval, SAML configuration lookups, and any URL-based enrichment flows. Classify each path by destination type, authentication context, and whether it can be influenced by user or tenant input.
- Enforce destination allowlists and block internal ranges Allow only known hosts and protocols, then deny RFC1918, loopback, and link-local destinations at the application and network layers. Validate the final resolved IP address, not only the text of the URL, because DNS rebinding and redirects can bypass naive checks.
- Disable unsafe redirects in identity HTTP clients Treat automatic redirect following as a control decision, not a convenience setting. If a redirect is required, validate each hop and re-check the final destination before any request is sent to sensitive services.
- Strip credentials before any outbound request leaves the service Remove cookies, bearer tokens, internal auth headers, and session context from outbound calls that are triggered by external input. This prevents a malicious request path from inheriting privileged identity state.
- Segment identity workloads from sensitive internal services Isolate request-fetching components in separate subnets or containers with strict egress rules so a single SSRF flaw cannot directly reach databases, admin panels, or metadata services. Pair this with monitoring for unusual outbound destinations.
Key takeaways
- SSRF is a trust-boundary problem in identity systems because backend request capability can be abused to reach internal services and sensitive credentials.
- The scale of the identity risk is already high, with 80% of identity breaches involving non-human identities such as service accounts and API keys.
- Practitioners need layered controls, including destination allowlists, egress restrictions, redirect hardening, and segmentation, because no single SSRF defense is reliable on its own.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article focuses on SSRF paths that expose secrets and trusted backend access. |
| NIST CSF 2.0 | PR.AC-4 | Identity API SSRF is a privileged access and boundary-control issue. |
| NIST SP 800-53 Rev 5 | SC-7 | Boundary protection is central to preventing identity services from reaching internal targets. |
| NIST Zero Trust (SP 800-207) | Zero Trust supports removing implicit trust from backend fetch paths. | |
| MITRE ATT&CK | TA0007 , Discovery; TA0006 , Credential Access; TA0010 , Exfiltration | SSRF is used to discover internal systems and steal credentials or data. |
Map SSRF exposure to discovery and credential access techniques to prioritise containment and monitoring.
Key terms
- Server-side request forgery: Server-side request forgery is a flaw where an application can be tricked into making network requests on behalf of an attacker. In identity systems, that matters because the backend may have trusted access to internal resources, cloud metadata, or secrets that the attacker cannot reach directly.
- Cloud metadata endpoint: A cloud metadata endpoint is a local service that exposes instance details and, in some environments, temporary credentials to workloads running on that instance. It is highly sensitive because SSRF can sometimes reach it from within the application and extract information meant only for trusted code.
- Egress control: Egress control is the policy layer that governs where a service can send outbound traffic. For identity workloads, it is a critical boundary because a request fetch path without outbound restrictions can be turned into a proxy for internal access, credential leakage, or data exfiltration.
- Identity blast radius: Identity blast radius is the amount of damage that can occur when a single identity component is compromised or misused. For backend fetch paths, it includes not just the service itself but the internal systems, secrets, and authentication context that the service can reach.
What's in the full article
Stytch's full blog post covers the implementation detail this analysis intentionally leaves for the source:
- Concrete examples of URL allowlists, redirect handling, and destination validation in identity services
- HTTP client hardening patterns for blocking private, loopback, and link-local destinations
- Network segmentation and egress policy patterns for backend services that fetch external content
- Examples of metadata, webhook, and OIDC fetch flows that need tighter control
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org