What's New


IBM will no longer host IBM Security Verify containers on Docker Hub after December 31st, 2022

All containers should be sourced from the IBM Cloud Container Registry; see Software Downloads > Containers for more information.
This may be a breaking change to any automated deployment processes.


Requesting new features

Ideas for new features can be submitted using the IBM Application Gateway Ideas Community.


Critical Change - Content Security Policy

Public Assets

  • The application gateway can now serve a set of public assets, which are resources available to all clients regardless of whether or not they are authenticated.
  • The default set of error and management pages has been updated to conform with the new, stricter Content Security Policy. The embedded JavaScript and CSS have been moved to the public assets area. (see: Tasks/Custom Pages/Public Assets)

Language Control

HTTP Transformations with Lua

Kubernetes Operator

  • The Kubernetes Operator has been published to the Red Hat operator catalog
  • Sidecar support is now configured automatically as a part of the Kubernetes Operator deployment



  • Authorization policies can now indicate that a client must re-authenticate before accessing a resource. (see: Tasks/Re-Authentication)

Rate Limiting


  • Bug Fixes, Security Updates and behind the scenes improvements.



  • Bug Fixes, Security Updates and behind the scenes improvements.


Authentication Flow Redirects


  • Additional Bug Fixes, Security Updates and behind the scenes improvements.


PROXY Protocol Support

OAuth Introspection

  • IAG can now include additional HTTP headers when making requests to OAuth introspection endpoints. (see oauth)

Resource Servers


  • IAG can now directly reference data from a Kubernetes ConfigMap by name and field in the configuration YAML (see: "Special Types Available in Kubernetes" in Concepts/Configuration)



  • IAG can now direct unauthenticated clients to a specific URL to perform authentication. (See auth_challenge_redirect)
  • Applications running on protected resource servers can now authenticate clients using the External Authentication Interface. (See External Authentication)


  • An authorization policy can now redirect clients to a specific URL when denying access. (See obligation/redirect_url)

Configuration YAML User Interface

  • A new browser-based application which can be used to author and visualise the IAG configuration YAML has been made available at the following URL: ibm.biz/ibm-app-gateway-yaml.


Session Sharing Between Containers

Kerberos Constrained Delegation Single Sign-On

OAuth Introspection


Kubernetes Operator

Username/Password Single Sign-on

LTPA Single Sign-on

  • IAG can now generate an LTPA token for single sign-on to protected applications. (see identity_headers/ltpa)


  • A new "Hello World" topic which demonstrates the various IAG deployment models has been added to the Developer Portal (see Hello World in the sidebar)
  • A new demonstration resource server application has been created. This application can be used when exploring IAG deployment models or experimenting with configuration (see References/Demo Resource Server)

Preview Capability: OAuth Introspection

  • IAG can now perform OAuth introspection to authenticate clients. (see Current Preview Features)
    Note: This is a preview capability and may be changed in a future release.




  • IAG can now read obfuscated and encrypted entries from the configuration YAML (see: "Special Types" in Concepts/Configuration)
  • Certificate related entries can now be specified as an array of certificate and key entries and do not need to be concatenated into a single string (see: Tasks/Managing Certificates)


  • IAG can now directly reference data from Kubernetes Secrets by name and field in the configuration YAML (see: "Special Types Available in Kubernetes" in Concepts/Configuration)



  • Credentials from an IBM Security Verify Access or IBM Security Access Manager identity provider can be consumed, where IBM Application Gateway (IAG) acts as an OpenID Connect (OIDC) Relying Party (see: Protecting Web Applications with IBM Security Verify Access).
  • The 'identity/ci_oidc' YAML configuration node is no longer the preferred way to configure IBM Security Verify as the Identity Provider. The new 'identity/oidc' YAML configuration node should be used instead (see: OIDC).


  • IAG can now be configured to listen on port 8080 for HTTP traffic (see: Server/Protocols)


Application Protection


v19.12 (Initial Release)


Application Protection

