D

API Gateway Explorer

Sign in with your Depoint Google account to access the API documentation.

API Gateway

Centralized access control for Depoint services. All external API calls are proxied through this gateway with authentication and route-level access enforcement.

https://api.depoint.app
● Public

Joomla JWT or OIDC

Authenticated users from *.depoint.app frontends, plus internal GCP services.

● Private

GCP OIDC Only

Internal Cloud Run, GKE, and Cloud Functions within depoint-project-2024.

● Closed

No Access

Endpoint disabled. Always returns 403. Managed via routes.yaml configuration.

Authentication

Joomla JWT HS256

For frontend applications hosted on *.depoint.app subdomains. Token issued by Joomla during SSO login flow.

Header Authorization: Bearer <joomla-jwt-token>

Required claims: email, iat, exp, iss · Max age: 1 hour · Origin: *.depoint.app

GCP OIDC Identity Token RSA

For internal service-to-service calls. Automatically available to Cloud Run and GKE workloads.

Python import google.auth.transport.requests import google.oauth2.id_token audience = "https://api.depoint.app" request = google.auth.transport.requests.Request() token = google.oauth2.id_token.fetch_id_token(request, audience)
Node.js const { GoogleAuth } = require('google-auth-library'); const auth = new GoogleAuth(); const client = await auth.getIdTokenClient('https://api.depoint.app'); const headers = await client.getRequestHeaders();
cURL curl -H "Authorization: Bearer $(gcloud auth print-identity-token \ --audiences=https://api.depoint.app)" \ https://api.depoint.app/messaging/api/notifications

Audience: https://api.depoint.app · SA suffix: @depoint-project-2024.iam.gserviceaccount.com

Gateway-Injected Headers

The gateway adds identity headers to every authenticated request before forwarding to backends.

HeaderSourceDescription
X-Gateway-User-EmailJWTUser's email address
X-Gateway-User-IdJWTJoomla user ID
X-Gateway-Service-AccountOIDCGCP service account email
X-Gateway-Auth-MethodBothjoomla-jwt or gcp-oidc