API Gateway
An API gateway acts as the front door for clients in a service-oriented architecture. It centralizes authentication, routing, throttling, and logging so downstream services can stay focused on domain logic.
Reading time: 12 min
What an API Gateway Does
Instead of exposing every service directly to the client, an API gateway provides a single entry point. It applies cross-cutting concerns such as auth, rate limiting, and request transformation before routing to backend services.
Core Responsibilities
- Authentication and authorization
- Routing by path, method, or hostname
- Request throttling
- Logging and tracing
- API versioning
Benefits
A gateway reduces duplication because each service does not have to reimplement the same edge logic. It also gives teams a single place to enforce security policies, monitor traffic, and roll out changes without touching individual services.
Trade-offs
It can become a bottleneck or a place where too much business logic accumulates. If the gateway goes down, all client traffic is affected, so it is a critical single point of failure that must be deployed highly available. It is also a single point of bypass: every control it enforces is void for any backend a client can reach directly, so backends should accept traffic only from the gateway (network policy, mTLS between gateway and services, or a credential the gateway injects) rather than assuming that every request passed through it.
Common Implementations
Popular API gateway solutions include Kong, AWS API Gateway, Apigee, and Traefik; general-purpose reverse proxies such as Nginx are also widely deployed in the gateway role. Cloud-managed options integrate directly with IAM, logging, and autoscaling infrastructure, while self-hosted options offer more control over routing logic and plugin ecosystems.
Authentication Patterns
Gateways commonly handle OAuth 2.0 access token validation, API key verification, and JWT checks before requests ever reach a backend service. A JWT is verified locally against the issuer's published keys, and a correct check goes beyond the signature: the gateway pins the algorithm it accepts rather than trusting the token's alg field, and rejects tokens whose exp, iss, or aud claims do not match what it expects. Opaque tokens are instead validated by introspection against the authorization server. Once the caller is known, the gateway typically forwards identity to backends in headers such as X-User-Id; it must strip any copy of those headers that arrived from the client, or a caller can impersonate anyone simply by setting them. This offloads token handling from individual microservices and gives it one place to be done correctly.
Rate Limiting and Throttling
Gateways enforce per-client or per-route request quotas to protect backends from traffic spikes and abuse. Rate limits can be applied globally, per API key, per IP, or per user tier. Exceeding the limit typically returns a 429 Too Many Requests response, ideally with a Retry-After header so well-behaved clients know when to back off. A per-IP limit only means something if the gateway takes the client address from its own connection, or from X-Forwarded-For only when the immediate peer is one of its trusted proxies; otherwise the header is attacker-controlled and the limit is evaded by rotating it on every request.
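A token-bucket limiter keyed by API-key tier, falling back to the verified client address for unauthenticated traffic, as an added example (not code from any gateway product). The trusted proxy range, the key-to-tier table and the tier limits are constructed for the example; a real deployment would keep the buckets in a shared store such as Redis so that every gateway replica sees the same counts.

```python
import ipaddress
import math
import time

# Constructed policy tables. The proxy range, key-to-tier map and tier limits
# are hypothetical; a real gateway reads them from its configuration store.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
API_KEYS = {"key-free-1": "free", "key-pro-1": "pro"}
TIERS = {"free": (1.0, 5), "pro": (20.0, 100)}   # (tokens refilled per second, burst capacity)
ANONYMOUS = (0.5, 3)                             # unauthenticated traffic, limited per client IP


def client_ip(peer_addr: str, xff: str = "") -> str:
    """X-Forwarded-For is honoured only when the TCP peer is one of our own proxies.
    From anyone else the header is attacker-supplied and would let a single host
    claim a fresh IP on every request. With one trusted hop, the rightmost entry
    is the address that proxy saw; everything to its left was sent by the client."""
    peer = ipaddress.ip_address(peer_addr)
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        return xff.split(",")[-1].strip()
    return peer_addr


class TokenBucket:
    """Classic token bucket: a steady refill rate with a bounded burst."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.updated = float(capacity), None

    def take(self, now: float):
        """Consume one token. Returns (allowed, retry_after_seconds, tokens_left)."""
        if self.updated is not None:
            elapsed = max(0.0, now - self.updated)   # clock going backwards never adds tokens
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True, 0, int(self.tokens)
        return False, math.ceil((1 - self.tokens) / self.rate), 0


class RateLimiter:
    def __init__(self):
        self.buckets = {}

    def check(self, peer_addr: str, headers: dict, now=None) -> dict:
        """Returns {"status": None, ...} to let the request through, or
        {"status": 429, ...} carrying a Retry-After the client can act on."""
        now = time.time() if now is None else now
        api_key = headers.get("x-api-key", "")
        tier = API_KEYS.get(api_key)
        if tier:
            key, limits = ("key", api_key), TIERS[tier]
        else:   # unknown or absent key: limit by the verified client address
            key, limits = ("ip", client_ip(peer_addr, headers.get("x-forwarded-for", ""))), ANONYMOUS
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(*limits)
        allowed, retry_after, left = self.buckets[key].take(now)
        if allowed:
            return {"status": None, "headers": {"X-RateLimit-Remaining": str(left)}}
        return {"status": 429, "headers": {"Retry-After": str(retry_after)}}
```

With the free tier at one request per second and a burst of five, the sixth request in the same second is rejected with Retry-After: 1; an anonymous caller on an untrusted peer keeps hitting the same bucket no matter what it puts in X-Forwarded-For.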
Request and Response Transformation
Gateways can rewrite headers, translate between REST and gRPC, strip sensitive fields from responses, or aggregate multiple upstream calls into a single response. This shields clients from internal service contracts and allows backends to evolve independently. Stripping fields at the edge is a contract-shaping convenience, not an access control: if a backend returns data the caller is not entitled to, that is still a vulnerability, because any other path to the backend returns it unfiltered.
API Versioning
Gateways route traffic to different backend versions based on path prefixes like /v1/ and /v2/ or custom headers. This allows teams to run multiple API versions simultaneously and deprecate old ones gradually without forcing all clients to upgrade at once. Whatever the scheme, routes should be matched against a normalized path (percent-decoded, with . and .. segments and repeated slashes collapsed); otherwise a request such as /v2/../internal satisfies a rule for the /v2/ prefix and is forwarded to a backend that may resolve it as /internal.
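The version routing just described, together with the response field stripping from the transformation section, as one added example (not code from any gateway product). The route table, the upstream hostnames and the X-API-Version header are constructed for the example; the point to take from it is that normalization happens once, before any prefix is compared, and that the field allowlist is a per-route contract rather than an authorization check.

```python
import posixpath
from urllib.parse import unquote

# Constructed route table: which upstream serves each version of /orders and
# which response fields that version's public contract exposes. Hostnames are hypothetical.
ROUTES = [
    {"version": "1", "prefix": "/orders", "upstream": "orders-v1.internal",
     "allow": {"id", "status", "total"}},
    {"version": "2", "prefix": "/orders", "upstream": "orders-v2.internal",
     "allow": {"id", "status", "total", "currency"}},
]
DEFAULT_VERSION = "1"


def normalize_path(raw: str) -> str:
    """Percent-decode once, then collapse '.', '..' and repeated slashes before any
    rule is matched. Leading slashes are reduced to one first because posixpath
    preserves an initial '//' (POSIX allows it to mean something different)."""
    return posixpath.normpath("/" + unquote(raw).lstrip("/"))


def resolve(raw_path: str, headers: dict):
    """Pick the version from a /vN/ prefix, else from X-API-Version, else the default.
    Returns (route, path_to_forward) or None when nothing matches (a 404 at the edge)."""
    path = normalize_path(raw_path)
    version = headers.get("x-api-version", DEFAULT_VERSION)
    parts = path.split("/")                     # "/v2/orders/42" -> ['', 'v2', 'orders', '42']
    if len(parts) > 1 and parts[1].startswith("v") and parts[1][1:].isdigit():
        version = parts[1][1:]
        path = "/" + "/".join(parts[2:])        # strip the version segment for the backend
    for route in ROUTES:
        in_prefix = path == route["prefix"] or path.startswith(route["prefix"] + "/")
        if route["version"] == version and in_prefix:
            return route, path
    return None


def transform_response(route: dict, body: dict) -> dict:
    """Keep only the fields this version's contract exposes. The backend is still
    responsible for not returning data the caller may not see at all."""
    return {k: v for k, v in body.items() if k in route["allow"]}
```

The traversal case shows why normalization comes first: /v2/%2e%2e/admin decodes and collapses to /admin, which matches no route, instead of being forwarded to the v2 backend as a request under the /v2/ prefix.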
Observability
Every request passing through a gateway is a logging and tracing opportunity. Gateways emit structured logs, propagate distributed trace headers like W3C Trace Context or B3, and expose metrics such as request count, error rate, and latency per route. Log fields, not raw headers: Authorization headers, cookies, and API keys must be redacted before a line is written, because a gateway log is otherwise a complete list of every valid credential that passed through it. Propagation should also validate what it forwards; a malformed inbound traceparent is better replaced by a fresh trace than passed along to confuse every downstream tracer.
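W3C Trace Context propagation and a redacted structured access log, as an added example (not code from any gateway or tracing library). The service name and the set of redacted headers are assumptions for the example; the traceparent format is the one the W3C specification defines (version, 32-hex trace-id, 16-hex parent-id, 2-hex flags).

```python
import json
import re
import secrets

# W3C Trace Context: version-traceid-parentid-flags, all lowercase hex.
TRACEPARENT_RE = re.compile(r"^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")
# Headers that must never reach a log sink in clear (assumed set for the example).
REDACT = {"authorization", "cookie", "x-api-key", "proxy-authorization"}
SERVICE = "api-gateway"   # hypothetical service name for the log record


def propagate_trace(headers: dict):
    """Return (trace_id, parent_span_id, span_id, traceparent_for_upstream).
    A well-formed inbound traceparent keeps its trace-id so spans across services
    join one trace; anything malformed, or the all-zero ids the spec forbids,
    starts a new trace instead of being forwarded as-is."""
    m = TRACEPARENT_RE.match(headers.get("traceparent", ""))
    if m and m.group(1) != "0" * 32 and m.group(2) != "0" * 16:
        trace_id, parent, flags = m.groups()
    else:
        trace_id, parent, flags = secrets.token_hex(16), None, "01"
    span_id = secrets.token_hex(8)   # this gateway hop's own span
    return trace_id, parent, span_id, f"00-{trace_id}-{span_id}-{flags}"


def redact(headers: dict) -> dict:
    return {k: ("[REDACTED]" if k.lower() in REDACT else v) for k, v in headers.items()}


def handle(headers: dict, method: str, route: str, status: int, latency_ms: float):
    """One request through the gateway: returns the headers to send upstream, with
    traceparent rewritten so the backend's span is parented to the gateway's, and
    the structured access-log record with credentials already redacted."""
    trace_id, parent, span_id, traceparent = propagate_trace(headers)
    upstream = dict(headers)
    upstream["traceparent"] = traceparent
    record = {
        "service": SERVICE,
        "trace_id": trace_id, "span_id": span_id, "parent_span_id": parent,
        "method": method, "route": route, "status": status, "latency_ms": latency_ms,
        "headers": redact(headers),
    }
    return upstream, record


def log_line(record: dict) -> str:
    """One JSON object per line, the shape log pipelines ingest and index by trace_id."""
    return json.dumps(record, sort_keys=True)
```

Searching the log store for a trace_id then returns the gateway line and every backend span that inherited the id, while the bearer token that rode in on the request appears nowhere in the output.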
Gateway vs Service Mesh
An API gateway handles north-south traffic, meaning requests coming in from external clients. A service mesh handles east-west traffic, meaning communication between internal services. They solve different problems and are often used together in large microservice architectures.
Interview Tip
Say that gateways should own cross-cutting concerns, not core business workflows. Also mention the distinction between north-south and east-west traffic to show you understand where a gateway fits relative to a service mesh.