# Validate Requests Against Identity Service

> Enrich your upstream service with customer details, use other authentication methods, and simplify developer experience by adding identity logic to your gateway through an HTTP request.

When you use ngrok as your gateway, you can use Traffic Policy and the [`http-request` action](/traffic-policy/actions/http-request) to make requests to your other services as part of the request lifecycle, before the request ever reaches your upstream service.

By validating requests against an internal identity service, you can:

* Add details about a customer to the request, without storing it at your gateway, to enrich your upstream service and its response.
* Use an authentication method not currently supported by a Traffic Policy action, like API keys you've provisioned through your API's developer portal.
* Apply ["pre-tiering"](/traffic-policy/actions/rate-limit) to your customers' requests with the [`rate-limit`](/traffic-policy/actions/rate-limit) action, based on data associated with their account.
* Simplify the developer experience for your customers by not requiring them to include their information as headers or in the request body.

## 1. Create endpoints for your services

Start an internal [Agent Endpoint](/gateway/agent-endpoints/), replacing `$PORT` with the port your upstream service listens on.
You can also use one of the [SDKs](/agent-sdks) or the [Kubernetes Operator](/k8s).

```bash
ngrok http $PORT --url https://service.internal
```

Start a second endpoint for your identity service.

```bash
ngrok http $PORT --url https://id.internal
```

## 2. Reserve a domain

Navigate to the [**Domains** section](https://dashboard.ngrok.com/domains) of the ngrok dashboard and click **New +** to reserve a free static domain like `https://your-service.ngrok.app` or a [custom domain](/gateway/custom-domains/) you already own.

We'll refer to this domain as `$NGROK_DOMAIN` from here on out.

## 3. Create a Cloud Endpoint

Navigate to the [**Endpoints** section](https://dashboard.ngrok.com/endpoints?sortBy=updatedAt&orderBy=desc) of the ngrok dashboard, then click **New +** and **Cloud Endpoint**.

In the **URL** field, enter the domain you just reserved to finish creating your [Cloud Endpoint](/gateway/cloud-endpoints/).

## 4. Validate requests against your internal identity service with Traffic Policy

While viewing your new Cloud Endpoint in the dashboard, copy the policy below and paste it into the Traffic Policy editor.
You'll need to change:

* `https://id.internal/api/user`: Replace the path according to your identity service's API.
* `$ID_API_KEY`: Replace with an API key or other authentication method generated by your identity service.

```yaml
on_http_request:
  - actions:
      - type: http-request
        config:
          url: https://id.internal/api/user
          method: POST
          headers:
            Authorization: "Bearer $ID_API_KEY"
            Content-Type: "application/json"
          body: |
            {
              "path": "${req.url.path}",
              "token": "${req.headers['Authorization']}"
            }
          timeout: 1s

  # If the identity server responds with a `200 OK` status code, then assume the user is authenticated and their request should continue
  - expressions:
      - "actions.ngrok.http_request.res.status_code == 200"
    actions:
      - type: forward-internal
        config:
          url: https://service.internal
```

**What's happening here?**
This policy first sends an authenticated HTTP request to your internal identity service at `https://id.internal` with a body containing a few attributes injected with CEL interpolation, including the `Bearer ...` token the client included as a header with its request.
If the identity service responds with a `200 OK` status code, the policy assumes the client was authenticated correctly and forwards the request to your upstream service.
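
The receiving side of this exchange, as an added example (not ngrok's code and not part of the original page): a Python function an identity service could run for each `POST /api/user` call, returning `200` only when both the gateway's credential and the customer's key check out. The names `validate`, `GATEWAY_KEY` and `CUSTOMERS` and the sample keys are hypothetical, and it assumes the `token` field arrives as the literal header value `Bearer <key>`.

```python
import hashlib
import hmac
import json

# Constructed sample data; a real service would load these from its secret store.
GATEWAY_KEY = "example-gateway-key"  # the value substituted for $ID_API_KEY
CUSTOMERS = {  # SHA-256 of each customer API key -> customer record
    hashlib.sha256(b"cust-key-123").hexdigest(): {"id": "c_1", "tier": "Silver"},
}


def validate(gateway_auth, raw_body):
    """Return (status_code, payload) for one POST /api/user call from the gateway."""
    # 1. Only the gateway may call this API; compare its credential in constant time.
    expected = f"Bearer {GATEWAY_KEY}"
    if not hmac.compare_digest((gateway_auth or "").encode(), expected.encode()):
        return 401, {"error": "unknown caller"}

    # 2. Client-controlled values are interpolated into the body, so parse strictly
    #    and reject anything that is not the expected JSON object.
    try:
        body = json.loads(raw_body)
        token, path = body["token"], body["path"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed body"}
    if not isinstance(token, str) or not isinstance(path, str):
        return 400, {"error": "malformed body"}

    # 3. "token" carries the client's Authorization header value, scheme included.
    scheme, _, api_key = token.partition(" ")
    if scheme.lower() != "bearer" or not api_key:
        return 401, {"error": "missing bearer token"}

    # 4. Look the key up by digest so plaintext customer keys are never stored.
    customer = CUSTOMERS.get(hashlib.sha256(api_key.encode()).hexdigest())
    if customer is None:
        return 401, {"error": "invalid api key"}

    # Only this branch returns 200, the one status the policy treats as authenticated.
    return 200, {"customer": customer, "path": path}
```

Every failure path returns a non-`200` status, so the policy's `status_code == 200` expression never matches for a rejected request.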

## Try out your endpoint

Visit the domain you reserved either in the browser or in the terminal using a tool like `curl`.
You should see the app or service at the port connected to your internal Agent Endpoint.

## What's next?

* See how to use your identity service's customer data to ["pre-tier" requests](/gateway/examples/pre-tier-requests) based on whether a user is part of the `Bronze`, `Silver`, or `Gold` tier.
* Explore other examples of using the [`http-request`](/traffic-policy/actions/http-request/#examples) and [`forward-internal`](/traffic-policy/actions/forward-internal/#examples) Traffic Policy actions.
* View your traffic in [Traffic Inspector](https://dashboard.ngrok.com/traffic-inspector).
