Systems and methods for authenticating clients to access data

What we claim is: 1 . A method, comprising: receiving, by one or more processors, at a first layer, a request from a client to access data in a compartment of plurality of compartments via a second layer, the request comprising authentication information for the client; generating, by the one or more processors, responsive to authentication of the request using the authentication information, (i) a context in which the client is to access the compartment and (ii) a first token generated based on an identifier of the compartment; sending, by the one or more processors, from the first layer to a gateway on the second layer, the context and the first token; and obtaining, by the one or more processors, at the first layer from the gateway on the second layer, an indication comprising a second token to grant the client access the data in the compartment in accordance with an access permission selected by the gateway based on the context upon authorization of the client using the first token. 2 . The method of claim 1 , further comprising: receiving, by the one or more processors, at the first layer, a second request from the client to access the data in the compartment of plurality of compartments via the second layer, the second request comprising second authentication information for the client; and sending, by the one or more processors, from the first layer to the client, an indication of failure to authenticate the client, responsive to unsuccessful authentication of the second request using the second authentication information. 3 . The method of claim 1 , further comprising forwarding, by the one or more processors, from the second layer via the first layer to the client, the indication comprising the second token, wherein the client is configured to access the data in the compartment using the second token. 4 . The method of claim 1 , further comprising providing, by the one or more processors, via the first layer, a web application to the client for accessing the data in the compartment of the plurality of compartments. 5 . The method of claim 1 , further comprising routing, by the one or more processors, via an interface on the first layer, communications from the client for accessing the data in the compartment of the plurality of compartments on a third layer. 6 . The method of claim 1 , further comprising controlling, by the one or more processors, via the first layer, access to the data by the client in the compartment in accordance with the access permission selected by the gateway on the second layer. 7 . The method of claim 1 , wherein generating the context further comprises generating the context including one or more attributes of the data in the compartment to be accessed by the client, the one or more attributes comprising at least one of an identifier of the data, an identifier of the client, or a web application through which the client is to access the data. 8 . The method of claim 1 , wherein generating the first token further comprising generating the first token based on the identifier of the compartment to be accessed by the client and an encryption key generated by the gateway. 9 . The method of claim 1 , wherein sending the context and the first token further comprising adding, to a header of the request, the context and the first token to forward from the first layer to the gateway on the second layer. 10 . The method of claim 1 , wherein obtaining the indication further comprises obtaining the indication comprising (i) an identification of the access permission and (ii) the second token identifying the context, an encryption of the identifier of the compartment to be accessed, and an identifier of the client. 11 . A system, comprising: one or more processors coupled with memory, configured to: receive, at a first layer, a request from a client to access data in a compartment of plurality of compartments via a second layer, the request comprising authentication information for the client; generate, responsive to authentication of the request using the authentication information, (i) a context in which the client is to access the compartment and (ii) a first token generated based on an encryption of an identifier of the compartment; send, from the first layer to a gateway on the second layer, the context and the first token; and obtain, at the first layer from the gateway on the second layer, an indication comprising a second token to grant the client access the data in the compartment in accordance with an access permission selected by the gateway based on the context upon authorization of the client using the first token. 12 . The system of claim 11 , wherein the one or more processors are further configured to: receive, at the first layer, a second request from the client to access the data in the compartment of plurality of compartments via the second layer, the second request comprising second authentication information for the client; and send, from the first layer to the client, an indication of failure to authenticate the client, responsive to unsuccessful authentication of the second request using the second authentication information. 13 . The system of claim 11 , wherein the one or more processors are further configured to forward, from the second layer via the first layer to the client, the indication comprising the second token, wherein the client is configured to access the data in the compartment using the second token. 14 . The system of claim 11 , wherein the one or more processors are further configured to provide, via the first layer, a web application to the client for accessing the data in the compartment of the plurality of compartments. 15 . The system of claim 11 , wherein the one or more processors are further configured to route, via an interface on the first layer, communications from the client for accessing the data in the compartment of the plurality of compartments on a third layer. 16 . The system of claim 11 , wherein the one or more processors are further configured to control, via the first layer, access to the data by the client in the compartment in accordance with the access permission selected by the gateway on the second layer. 17 . The system of claim 11 , wherein the one or more processors are further configured to generate the context including one or more attributes of the data in the compartment to be accessed by the client, the one or more attributes comprising at least one of an identifier of the data, an identifier of the client, or a web application through which the client is to access the data. 18 . The system of claim 11 , wherein the one or more processors are further configured to generate the first token based on the identifier of the compartment to be accessed by the client and an encryption key generated by the gateway. 19 . The system of claim 11 , wherein the one or more processors are further configured add, to a header of the request, the context and the first token to forward from the first layer to the gateway on the second layer. 20 . The system of claim 11 , wherein the one or more processors are further configured to obtain the indication comprising (i) an identification of the access permission and (ii) the second token identifying the context, an encryption of the identifier of the compartment to be accessed, and an identifier of the client.