
Event-driven APIs and governance gaps teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7613
Topic starter  

TL;DR: API gateways can impose authentication, validation, transformation, and rate limits on event flows, while preserving a familiar policy layer for REST and broker traffic, according to Kong. The broader implication is that event mediation now sits inside identity and access governance, not outside it.

NHIMG editorial — based on content published by Kong: Connecting Kong and Solace: Building Smarter Event-Driven APIs

By the numbers:

Questions worth separating out

Q: How should security teams govern access to event brokers through API gateways?

A: Security teams should treat event broker access as part of the same entitlement model used for APIs.

Q: Why do event-driven systems increase the need for NHI governance?

A: Event-driven systems increase NHI governance needs because publishers are often service accounts or tokens that can send high-volume traffic without direct human oversight.

Q: What breaks when API and event security are governed separately?

A: When API and event security are governed separately, teams usually get inconsistent validation, weaker audit trails, and mismatched access controls.

Practitioner guidance

  • Treat event publishers as governed NHIs: map every Solace publisher to a named service identity, owner, and purpose so broker access can be reviewed like any other non-human entitlement.
  • Apply schema validation before broker ingress: reject malformed or incomplete payloads at the gateway so invalid events never enter the broker and downstream services do not inherit bad data.
  • Enforce per-publisher throughput limits: set rate limits and payload caps for each publish path to keep authenticated clients from overwhelming the broker or creating downstream fan-out spikes.
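The three controls above, applied in one gateway-side mediation step, as an added illustration that is not code from Kong, Solace or NHIMG. It assumes a hypothetical `GatewayMediator` that sits in front of a broker publish path; the publisher registry, topic schema, limits and sample events are all constructed for the example, and the rate limiter takes an injectable clock so the run is deterministic.

```python
"""Gateway-side mediation for event publishers (constructed example).

Order of checks: credential -> entitlement -> rate limit -> payload cap ->
JSON parse -> schema. The rate limit counts every authenticated attempt so a
flood of malformed events is throttled, not just the well-formed ones.
"""
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed registry: each publisher credential maps to a named service
# identity with an owner, purpose and the topics it is entitled to publish to.
PUBLISHER_REGISTRY = {
    "key-orders-svc": {"identity": "svc-orders", "owner": "payments-team",
                       "purpose": "publish order events",
                       "topics": {"orders/created"}},
    "key-batch-importer": {"identity": "svc-batch-importer", "owner": "data-team",
                           "purpose": "nightly bulk load",
                           "topics": {"inventory/bulk"}},
}

# Constructed schema: required fields and their accepted JSON types per topic.
TOPIC_SCHEMAS = {
    "orders/created": {"order_id": str, "amount": (int, float), "currency": str},
}

MAX_PAYLOAD_BYTES = 256   # payload cap per publish (constructed value)
RATE_LIMIT = 3            # authenticated attempts per identity per window
WINDOW_SECONDS = 60


@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str
    identity: Optional[str] = None


class FixedWindowLimiter:
    """Fixed-window counter keyed by service identity, not by raw API key."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self.counters = {}  # identity -> (window_start, count)

    def allow(self, identity):
        now = self.clock()
        start, count = self.counters.get(identity, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self.counters[identity] = (start, count)
        return count <= self.limit


def validate_event(event, schema):
    """Return None if the event matches the schema, else a rejection reason."""
    if not isinstance(event, dict):
        return "event must be a JSON object"
    for name, typ in schema.items():
        if name not in event:
            return f"missing required field: {name}"
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(event[name], bool) or not isinstance(event[name], typ):
            return f"field {name} has wrong type"
    extra = set(event) - set(schema)
    if extra:
        return f"unexpected fields: {sorted(extra)}"
    return None


class GatewayMediator:
    def __init__(self, registry, schemas, limiter):
        self.registry, self.schemas, self.limiter = registry, schemas, limiter
        self.audit_log = []  # one record per attempt, keyed by service identity

    def mediate(self, api_key, topic, raw_body):
        decision = self._decide(api_key, topic, raw_body)
        self.audit_log.append({"identity": decision.identity, "topic": topic,
                               "status": decision.status, "reason": decision.reason})
        return decision

    def _decide(self, api_key, topic, raw_body):
        record = self.registry.get(api_key)
        if record is None:
            return Decision(False, 401, "unknown publisher credential")
        ident = record["identity"]
        if topic not in record["topics"]:
            return Decision(False, 403, f"{ident} not entitled to {topic}", ident)
        if not self.limiter.allow(ident):
            return Decision(False, 429, "per-publisher rate limit exceeded", ident)
        if len(raw_body) > MAX_PAYLOAD_BYTES:
            return Decision(False, 413, "payload exceeds cap", ident)
        schema = self.schemas.get(topic)
        if schema is None:
            return Decision(False, 403, "topic has no registered schema", ident)
        try:
            event = json.loads(raw_body)
        except ValueError:
            return Decision(False, 400, "body is not valid JSON", ident)
        err = validate_event(event, schema)
        if err:
            return Decision(False, 400, err, ident)
        return Decision(True, 202, "forwarded to broker", ident)


def demo():
    """Run constructed publish attempts; returns (status codes, audit log)."""
    mediator = GatewayMediator(PUBLISHER_REGISTRY, TOPIC_SCHEMAS,
                               FixedWindowLimiter(RATE_LIMIT, WINDOW_SECONDS, clock=lambda: 0.0))
    good = json.dumps({"order_id": "o-1", "amount": 19.99, "currency": "EUR"}).encode()
    bad = json.dumps({"order_id": "o-2", "amount": "19.99"}).encode()  # wrong type, missing field
    attempts = [
        ("key-unknown", "orders/created", good),            # 401: no identity
        ("key-batch-importer", "orders/created", good),     # 403: not entitled to topic
        ("key-orders-svc", "orders/created", bad),          # 400: schema rejection
        ("key-orders-svc", "orders/created", b"\x00" * 300),  # 413: over payload cap
        ("key-orders-svc", "orders/created", good),         # 202: forwarded
        ("key-orders-svc", "orders/created", good),         # 429: 4th attempt in window
    ]
    return [mediator.mediate(*a).status for a in attempts], mediator.audit_log


if __name__ == "__main__":
    statuses, log = demo()
    for entry in log:
        print(entry)
```

Every rejection carries the resolved service identity rather than the raw credential, which is what makes the audit trail reviewable alongside REST and broker access records; the 401 case has no identity because the credential never resolved to one.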

What's in the full article

Kong's full blog post covers the implementation detail this post intentionally leaves for the source:

  • Step-by-step Kong and Solace configuration, including the route definitions and plugin settings used in the demo.
  • The exact decK configuration structure for authentication, validation, transformation, and protection policies.
  • Hands-on test cases showing how malformed requests, unauthorised access, and traffic floods are handled.
  • The example repository and local setup instructions needed to reproduce the event mediation flow.

👉 Read Kong’s engineering demo for event mediation between APIs and Solace →

