US 11,716,323 B1
Adaptive step-up authentication for privileged interface invocations
Mohammad Salman Moghal, Mississauga (CA)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on Aug. 24, 2020, as Appl. No. 17/001,292.
Int. Cl. H04L 9/40 (2022.01); G06F 9/54 (2006.01)
CPC H04L 63/0853 (2013.01) [G06F 9/547 (2013.01); H04L 63/20 (2013.01); H04L 63/102 (2013.01)] 20 Claims
1. A system comprising:
one or more processors; and
one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
receiving, at a service provider network, a first request from a client device to access a backend service of the service provider network;
performing, by an identity provider system associated with the service provider network, a first authentication protocol with the client device to authenticate a user of the client device;
providing the client device with a first JavaScript Object Notation (JSON) web token based on completion of the first authentication protocol, the first JSON web token being associated with a first access scope according to which the user of the client device interacts with the backend service;
receiving, at a stateless application programming interface (API) gateway that manages API calls for the backend service of the service provider network, an API call from the client device including the first JSON web token and a second request to interact with the backend service;
determining that the API call is a privileged API call associated with performing a privileged interaction on the backend service;
identifying, by a pluggable authorizer component of the service provider network, a rule from a rules database that is associated with the privileged API call;
determining, by the pluggable authorizer component and based on the rule, that the privileged interaction is disallowed under the first access scope associated with the first JSON web token;
performing, by the identity provider system, a second authentication protocol with the client device; and
providing the client device with a second JSON web token based on completion of the second authentication protocol, the second JSON web token being associated with a second access scope for the client device to perform the privileged interaction with the backend service using the privileged API call.
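As an added illustration that is not part of the patent or of any Amazon code: a minimal Python authorizer of the kind claim 1 describes, assuming HS256-signed JWTs, a `scope` claim carrying the access scope, and a constructed rules database keyed by API call; it returns `allow`, `deny`, or `step_up` together with the scope the identity provider must grant in the second token.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT; stands in for the identity provider system of the claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Check alg, signature and expiry; the gateway is stateless, so the token is the only state."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # refuse alg confusion
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

# Constructed rules database: privileged API calls and the access scope each requires.
RULES_DB = {("DELETE", "/accounts"): "admin", ("POST", "/transfers"): "payments"}

def authorize(method: str, path: str, token: str, key: bytes, now: int) -> dict:
    """Pluggable authorizer: allow, deny, or require step-up naming the scope to grant."""
    try:
        claims = verify_jwt(token, key, now)
    except ValueError as err:
        return {"decision": "deny", "reason": str(err)}
    required = RULES_DB.get((method, path))
    if required is None:                 # not a privileged call: the first token suffices
        return {"decision": "allow"}
    held = set(claims.get("scope", "").split())
    if required in held:                 # second token already carries the wider scope
        return {"decision": "allow"}
    return {"decision": "step_up", "required_scope": required, "sub": claims.get("sub")}
```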