Is RequestAuthentication between services a valid use case?

My current setup is as follows:

  1. Public → API gateway is verified using an opaque token
  2. API-Gateway creates a signed JWT and propagates it to downstream services
  3. Service’s Istio sidecar verifies JWT from api-gateway

Context:

  • this RequestAuthentication policy is only applied for traffic that enters our ecosystem from the public internet (not other internal service to service traffic)
  • we already have PeerAuthentication setup for mTLS in the mesh
  • we plan on implementing AuthorizationPolicy soon for ensuring only the traffic that should be allowed is being forwarded inward beyond the api-gateway (my colleague feels this is enough and RequestAuthentication is overkill/redundant/weird)

Question:

  • Is using RequestAuthentication for this specific use case awkward?

  • I have a colleague telling me that it's only meant for end-user authentication
  • my rationale is to apply security in layers and to protect against teams applying liberal ALLOW * AuthorizationPolicies in their namespaces
  • also, there is a concern about the VirtualService being modified with a bug and then bypassing the api-gateway, hence I want to apply some added protection so that only the api-gateway lets traffic in from the outside world
  • Am I just being overly paranoid? Am I misusing the policy for something it was not meant to do?
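As an added illustration of the setup described in the post (this is example configuration, not the poster's own policies), the two Istio resources below together enforce "only the api-gateway, presenting a JWT it signed, may reach this workload". The issuer URL, JWKS URL, namespaces, service-account name and the `app: orders` label are all assumed placeholders. The point worth noting is that a RequestAuthentication by itself only rejects requests whose token is present but invalid; a request carrying no token still passes, so the AuthorizationPolicy is what actually requires the token.

```yaml
# Added example, not from the original post.
# Assumptions: the api-gateway signs JWTs with issuer
# "https://api-gateway.example.internal", serves its JWKS at
# /.well-known/jwks.json, runs as service account "api-gateway" in namespace
# "gateway", and the protected workload carries the label app: orders.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: require-gateway-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
    - issuer: "https://api-gateway.example.internal"
      jwksUri: "https://api-gateway.example.internal/.well-known/jwks.json"
      # Keep the token on the forwarded request so a further hop can verify it too.
      forwardOriginalToken: true
---
# RequestAuthentication only rejects INVALID tokens; a request with no token
# still passes. This policy closes that gap: a request is allowed only when
# the mTLS peer identity is the gateway's service account AND the request
# carries a valid JWT issued by the gateway. Within a single `source` block
# these fields are ANDed. With an ALLOW policy present, any request that
# matches no rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-only-gateway-with-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/gateway/sa/api-gateway"]
            # requestPrincipals is "<issuer>/<subject>"; the trailing * matches any subject.
            requestPrincipals: ["https://api-gateway.example.internal/*"]
```

One design note relevant to the "teams applying liberal ALLOW * policies" concern: Istio evaluates DENY policies before ALLOW policies, so a DENY policy placed in the root namespace (`istio-system` by default) cannot be undone by a permissive ALLOW policy in a team's namespace. The ALLOW policy above protects a single workload; a root-namespace DENY is the layer that survives mistakes elsewhere.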