The WCH system does have different service endpoints that are not required for 2typical use" and given that they are not exposed via the default dispatcher "/api" routes.

But to call internal interfaces a VPN access is required.

Also after the VPN direct access is established the graylog does not hold the acting user in audit logs.

So e.g. feature toggle, userProfile apis should be accessible via a protected route (only from IBM network and IBMid login) to then call internal APIs with custon set headers etc.

This item is for the core support for admin services and exposing the toggle service entry points.

* A new gateway for admin access
* Access control via bluegroups
* includes log-in service
* Toggle service access for Create/Delete APIs

Other backlog items will be used for admin UI and for additional services that are exposed.

Expose public APIs through API Gateway, which are intended for managing the system behavior, e.g. set values of feature toggles, set Akamai configurations, ...
These APIs are intended for IBMers who operate and manage the system. They are not intended for normal users of tenants
These APIs need to be properly protected by a kind of access control, and probably also by a different kind of authorization.

While this capability is NOT implemented, the current workaround is, that such APIs need to be called internally within the production system (which requires VPN Access to the system).