A single front door for many backend services that handles auth, rate-limiting, routing, observability in one place.
Call a service through the gateway. Sign out or spam it to see it blocked.
Instead of every one of your services handling auth, rate limiting, and routing, the gateway does it once at the front door. Bad requests die there, and the backend services stay simple and only see traffic that already passed the checks.
Plain English: one box that sits in front of your 50 microservices and handles the stuff every request needs (am I logged in? am I sending too fast? which service should this go to?). Lets the actual services stay simple.
A reverse proxy that sits in front of your microservices and centralizes cross-cutting concerns: authentication, authorization, rate-limiting, request transformation, routing, logging. Clients talk to the gateway; the gateway talks to the actual services.
In a microservices world, every backend would otherwise have to re-implement auth, rate-limiting, request logging, TLS termination, and CORS, and do it inconsistently. The gateway centralizes that boilerplate so services can focus on business logic.
Inbound requests hit the gateway. It validates the JWT/API key, checks the rate-limit counter, rewrites the URL if needed, attaches user context, then forwards to the right backend (often via service discovery). The response flows back through the gateway, which can do response transformations or logging on the way out.
Auth + rate-limit + routing to read vs write services
Zuul handles every control-plane API call; video bytes bypass it via the CDN
TLS termination, audit logging, API-key auth all in the gateway
Twitter removed free API access with 48-hour notice, breaking thousands of apps and bots instantly.
In February 2023, Twitter/X announced it would end free API access with roughly 48 hours notice, requiring all developers to move to paid tiers. This wasn't an outage in the traditional sense, but the outcome was the same: thousands of Twitter-integrated apps, bots, academic tools, and emergency-alert services stopped working simultaneously. Wildfire alert bots, public transit notification bots, journalism tools: all went dark. The lesson is about API contract stability, not fault tolerance. If you build on a third-party API, treat their rate limits and pricing as a failure mode, not a constant. Design your system so that a third-party API becoming unavailable or prohibitively expensive doesn't cascade into a user-facing outage.
An API gateway question is often really a question about cross-cutting concerns: where do auth, rate limiting, and logging live in a microservices system? The answer they want is 'at the gateway, not in every service.' Show you understand the failure mode too: a gateway is a single chokepoint, so you need multiple instances and a bypass plan for latency-critical paths like video streaming.