NHI Forum


Corsha Introduces Kong Gateway Plugin to Enable MFA for Non-Human Identities


(@corsha)

Read full announcement here: https://corsha.com/blog/corsha-kong-integration/?utm_source=nhimg

 

In a major step toward strengthening API security, Corsha has released a custom plugin for Kong Gateway, the world’s most widely adopted open-source API gateway. This integration brings automated, one-time-use MFA credentials to machine-to-machine communication, addressing one of the most persistent weaknesses in modern infrastructure: static, long-lived secrets.

Built using Kong’s Go Plugin Development Kit (PDK), the Corsha plugin connects Kong Gateway directly to Corsha’s Identity Provider (IdP) for Machines. With this, Kong administrators can enforce machine MFA on any API route, providing a seamless way to authenticate and verify trusted workloads before requests reach upstream services.

 

Why It Matters

Traditional API authentication often relies on static API keys, tokens, or certificates that are difficult to manage and rotate. These static credentials are frequently the root cause of breaches stemming from key leakage, credential stuffing, or machine spoofing. Corsha’s solution replaces this brittle model with dynamic, one-time-use MFA credentials, giving organizations a scalable and resilient approach to securing their APIs and microservices.

Key Benefits

  • Automated and Continuous Protection: Machine MFA ensures that every API call is dynamically verified, blocking credential replay and adversary-in-the-middle attacks.
  • Seamless Integration: The plugin is easy to deploy within existing Kong environments using a few environment variables or Helm configuration.
  • Deep Observability: Combined with Kong Manager, teams gain real-time visibility into API traffic and credential verification across distributed workloads.

 

How It Works

When a client sends an HTTPS request through Kong, the Corsha Authenticator adds a one-time credential to the header. The plugin validates this credential through Corsha’s Distributed Ledger Network (DLN) before forwarding the request upstream. The result is an end-to-end trusted communication flow — from machine to API — enforced at the gateway level.

 

Why This Integration Is Strategic

This release underscores a critical shift in non-human identity (NHI) security. As APIs, workloads, and automated pipelines dominate enterprise infrastructure, machine-to-machine trust becomes just as important as human authentication. Corsha’s Kong plugin operationalizes this trust by embedding dynamic identity verification into every API call, moving security left into the gateway layer where it belongs.

About Corsha

Corsha is an Identity Provider for Machines, enabling enterprises to build dynamic, zero-trust-based identities for workloads, services, and systems. Its platform replaces static secrets with ephemeral, MFA-backed credentials that are automatically rotated, revoked, and verified, ensuring that only trusted machines communicate across environments.

 


This topic was modified 3 days ago by Abdelrahman

   