The image shows a zero-trust architecture in which OCI Identity and Access Management acts as the Policy Decision Point (PDP) and an OCI API Gateway acts as the Policy Enforcement Point (PEP).

The workflow is shown in the following six steps, which are described in greater detail in the surrounding text:

  1. Generate Access Token is two-way communication between the end user's client application and IAM.
  2. Call with Access Token (JWT) is one-way communication from the end user's client application to OCI API Gateway.
  3. Policy Verification and JWT Validation with IAM is two-way communication between the OCI API Gateway and IAM.
  4. Policy Decision is determined by OCI Identity and Access Management (PDP).
  5. Grant Access to Backends is granted by OCI API Gateway (PEP).
  6. Response (200 OK / 403 Forbidden) status is sent by the OCI API Gateway (PEP) to the client application.
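The six steps above, simulated end to end as an added example (this is not OCI's own code): a stand-in for IAM issues a JWT, the gateway validates the algorithm, signature, issuer, audience and expiry, and the PEP answers 200 or 403. Assumptions: an HS256 shared secret replaces IAM's real key material (a real gateway verifies an asymmetric signature against IAM's published keys), and the issuer and audience URLs are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret standing in for the IAM signing key (assumption:
# a real deployment uses asymmetric keys, not a secret shared with the PEP).
IAM_SECRET = b"constructed-demo-secret-not-for-real-use"
ISSUER = "https://iam.example.invalid"      # hypothetical IAM issuer
AUDIENCE = "https://apigw.example.invalid"  # hypothetical gateway audience

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, scopes, ttl=300, now=None):
    """Step 1: IAM (simulated) issues a signed JWT to the client."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(IAM_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token, now=None):
    """Step 3: the gateway checks alg, signature, issuer, audience and expiry.
    Returns the claims on success, None on any failure."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # reject alg=none and others
            return None
        expected = hmac.new(IAM_SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, AttributeError, TypeError):  # malformed base64, JSON or structure
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def enforce(token, required_scope, now=None):
    """Steps 4-6: PDP decides on the validated claims; PEP returns 200 or 403."""
    claims = validate_token(token, now)
    if claims is None or required_scope not in str(claims.get("scope", "")).split():
        return 403
    return 200
```

Every denial is reported as 403 here to mirror the figure; the decision step is the scope check in `enforce`, which only runs on claims the validation step has already accepted.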