> ## Documentation Index
> Fetch the complete documentation index at: https://docs.conduktor.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Gateway authentication and authorization

> Configure Kafka client authentication in Conduktor Gateway: Gateway-managed mode with local service accounts and Kafka-managed mode with delegated auth.

Conduktor <Tooltip tip="A Kafka proxy that deploys extensible plugins for encryption, filtering, and data processing.">Gateway</Tooltip> provides flexible authentication and authorization for Kafka clients, allowing you to choose where and how clients are authenticated and what permissions they have.

## Two authentication modes

Gateway offers two distinct modes for managing client authentication and authorization:

**Gateway-managed mode**

* Gateway handles all authentication and authorization
* <Tooltip tip="A service account is a non-human identity used by Kafka clients to authenticate and perform actions on resources.">Service accounts</Tooltip> and <Tooltip tip="Access Control List.">ACLs</Tooltip> defined in Gateway
* Supports both local and external service accounts
* Full control over client access without touching Kafka configuration
* Enables <Tooltip tip="A logical representation of a Kafka cluster in Gateway.">Virtual Clusters</Tooltip> and other Gateway-specific features

**Kafka-managed mode**

* Authentication and authorization delegated to the backing Kafka cluster
* Existing Kafka service accounts and ACLs continue to work
* Useful for gradual migration to Gateway
* External service accounts can still be mapped for friendly names in Gateway
* Virtual resources (Virtual Clusters, alias topics) not available

## Key decisions

When configuring Gateway authentication, you need to decide:

* **Where to authenticate**: at Gateway or delegate to Kafka
* **Authentication method**: SASL (PLAIN, SCRAM, OAUTHBEARER), mTLS, or anonymous
* **Service account type**: local (Gateway-managed) or external (identity provider)
* **Authorization location**: Gateway ACLs or Kafka ACLs

## Benefits

* **Gradual adoption**: start with Kafka-managed mode and migrate to Gateway-managed
* **Unified access control**: manage authentication across multiple clusters from one place
* **Flexible identity integration**: work with existing identity providers or use Gateway's built-in authentication
* **Enhanced security**: add Gateway policies and <Tooltip tip="Conduktor Interceptors are Gateway plugins that transform and manipulate data.">Interceptors</Tooltip> without changing Kafka security

## Related resources

* [View supported authentication methods table](/guide/reference/gateway-reference#supported-authentication-methods)
* [Gateway service accounts](/guide/conduktor-concepts/gateway-service-accounts)
* [Manage service accounts using Gateway](/guide/tutorials/manage-gateway-service-accounts)
* [Manage service accounts and ACLs using Console](/guide/manage-kafka/kafka-resources/service-accounts-acls)
* [Give us feedback/request a feature](https://conduktor.io/roadmap) <Icon icon="up-right-from-square" />