The admin API will be implemented as a separate topology. This will allows for a separate authentication and authentication and authorization from normal topologies/clusters. The admin topology will be called admin. This may conflict with existing customer topologies but that could be addressed by the customer renaming the admin topology.
<topology> <gateway> .... </gateway> <service> <role>ADMIN</role> </service> </topology>
Note: The <url> element is not required as this will be an "internal" service.
The internal service will likely be implemented as a Jersey based dispatch based on the module gateway-provider-jersey.