API Gateway Patterns
Auth, routing, request transformation, aggregation, throttling
An API gateway is a reverse proxy that acts as the single entry point for all API traffic, centralizing cross-cutting concerns: authentication, routing, request/response transformation, rate limiting, circuit breaking, and observability. Modern gateways (AWS API Gateway, Kong, Envoy, Apigee, Azure API Management) operate at Layer 7, enabling routing decisions based on HTTP headers, paths, and query parameters. The Backend for Frontend (BFF) pattern creates gateway variants optimized per client type (mobile vs web vs third-party), avoiding one-size-fits-all API contracts.
Key Points
- Auth at the gateway: validate JWTs (RS256 signature check against JWKS endpoint), API keys (hash and compare against DB/cache), OAuth 2.0 token introspection — offloads auth from every backend service.
- Request routing rules: path-based (/api/v1/users → user-service), header-based (X-Feature-Flag: new → new-service), weight-based (10% traffic to canary, 90% to stable) — enable blue-green and canary deployments at gateway level.
- Request transformation: strip internal headers before forwarding, add correlation ID (X-Request-ID) if missing, translate auth format (API key → JWT for internal services), normalize request shape.
- Rate limiting at gateway: global limits (1000 req/min/tenant), per-endpoint limits (/search: 10 req/sec), burst limits using token bucket; return 429 with Retry-After; use Redis for distributed counter storage.
- Circuit breaker at gateway: after N consecutive upstream failures, open the circuit and return a cached response or 503; half-open after a timeout to probe recovery — prevents the gateway from overloading a struggling service with traffic it cannot serve.
- Aggregation/fan-out: a single client request triggers calls to 3–5 backend services; gateway collects responses and merges them — reduces client round-trips and mobile battery drain (GraphQL BFF pattern).
- Kong plugins: rate-limiting, JWT auth, IP restriction, request transformation, proxy cache, OpenTelemetry — each plugin runs in Lua or Go in-process; plugin chains are ordered and applied per route.
- AWS API Gateway: REST APIs (fullest feature set and configuration), HTTP APIs (2x cheaper, lower latency, fewer features), WebSocket APIs (stateful connections with route selection); integrations: Lambda, HTTP backend, Step Functions, AppSync.
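The gateway rate-limiting point above, worked through as an added example (not code from the page or from any gateway product): a token-bucket limiter enforcing the page's limits of 1000 req/min per tenant and 10 req/sec on /search, returning 429 with Retry-After. Buckets are held in a dict standing in for the Redis counters a distributed gateway would use, and the clock `now` is passed in explicitly (time.monotonic() in practice) so behaviour is deterministic.

```python
import math


class TokenBucket:
    """Refills `rate` tokens per second up to `capacity` (the allowed burst)."""

    def __init__(self, rate: float, capacity: int, now: float):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), now

    def refill(self, now: float) -> None:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def retry_after(self) -> float:
        """Seconds until one whole token is available; 0 if a token is available now."""
        return 0.0 if self.tokens >= 1 else (1 - self.tokens) / self.rate


class GatewayLimiter:
    """Per-tenant global limit plus per-endpoint limits, decided together per request."""

    TENANT_LIMIT = (1000 / 60, 1000)           # 1000 req/min per tenant, burst up to 1000
    ENDPOINT_LIMITS = {"/search": (10.0, 10)}  # /search: 10 req/sec, burst of 10

    def __init__(self):
        self.buckets = {}  # key -> TokenBucket; a real deployment keeps these in Redis

    def _bucket(self, key, rate, capacity, now):
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(rate, capacity, now)
        return self.buckets[key]

    def handle(self, tenant: str, path: str, now: float):
        """Return (status, headers): 200 means forward upstream, 429 means reject."""
        buckets = [self._bucket(("tenant", tenant), *self.TENANT_LIMIT, now)]
        if path in self.ENDPOINT_LIMITS:
            buckets.append(self._bucket(("endpoint", tenant, path),
                                        *self.ENDPOINT_LIMITS[path], now))
        for b in buckets:
            b.refill(now)
        # Check every bucket before consuming, so a request rejected by the
        # endpoint limit is not also charged against the tenant's global quota.
        wait = max(b.retry_after() for b in buckets)
        if wait > 0:
            # Retry-After is whole seconds, so round the wait up rather than down.
            return 429, {"Retry-After": str(math.ceil(wait))}
        for b in buckets:
            b.tokens -= 1
        return 200, {}
```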
Real-World Example
Netflix built Zuul (then Zuul 2, then replaced with Envoy) as their API gateway, handling all traffic from 200M+ subscribers; Zuul's filter chain processes auth, A/B test routing, and logging before forwarding to 700+ microservices. Airbnb uses a BFF pattern where their iOS app, Android app, and web app each have a dedicated GraphQL gateway layer that aggregates calls to the same set of microservices.