Reqflow
Networking · 3 min read

API Gateway

A single front door for many backend services that handles auth, rate limiting, routing, and observability in one place.


Instead of every one of your services handling auth, rate limiting, and routing, the gateway does it once at the front door. Bad requests die there, and the backend services stay simple and only see traffic that already passed the checks.

First time reading this? Start here

Plain English: one box that sits in front of your 50 microservices and handles the stuff every request needs (am I logged in? am I sending too fast? which service should this go to?). Lets the actual services stay simple.

What it is

A reverse proxy that sits in front of your microservices and centralizes cross-cutting concerns: authentication, authorization, rate-limiting, request transformation, routing, logging. Clients talk to the gateway; the gateway talks to the actual services.

The problem it solves

In a microservices world, every backend would otherwise have to re-implement auth, rate-limiting, request logging, TLS termination, and CORS, and do it inconsistently. The gateway centralizes that boilerplate so services can focus on business logic.

How it works

Inbound requests hit the gateway. It validates the JWT/API key, checks the rate-limit counter, rewrites the URL if needed, attaches user context, then forwards to the right backend (often via service discovery). The response flows back through the gateway, which can do response transformations or logging on the way out.
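The pipeline just described, as an added example that is not part of the original page and not any real gateway's code: a toy in-process gateway that authenticates an API key, applies a fixed-window rate limit per client (three requests per minute, matching the "0/3" counter in the demo), picks a backend by path prefix, rewrites the path, and attaches verified user context before forwarding. The API keys, route table and service URLs are constructed sample values. The one detail worth copying from it is in the forwarding step: the gateway strips any client-supplied identity header before adding its own, so a backend that trusts `X-User-Id` cannot be fooled by a caller who sets it directly.

```python
"""Toy API gateway pipeline: auth -> rate limit -> route -> forward (constructed example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data: API keys mapped to user ids, and path prefixes mapped to upstreams.
API_KEYS = {"key-alice": "alice", "key-bob": "bob"}
ROUTES = {
    "/users": "http://users-svc",
    "/orders": "http://orders-svc",
    "/search": "http://search-svc",
}
RATE_LIMIT = 3          # requests per window per authenticated client
WINDOW_SECONDS = 60     # fixed-window length
# Identity headers the gateway owns; anything the client sends under these names is dropped.
GATEWAY_OWNED_HEADERS = ("X-API-Key", "X-User-Id")


@dataclass
class GatewayResponse:
    status: int
    body: str
    forwarded_to: Optional[str] = None          # upstream URL the request was sent to, if any
    headers: Dict[str, str] = field(default_factory=dict)


class Gateway:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock                       # injectable clock so the window can be tested
        self.windows: Dict[str, Tuple[float, int]] = {}  # client -> (window_start, count)

    def _authenticate(self, headers: Dict[str, str]) -> Optional[str]:
        """Return the user id for a valid API key, or None."""
        return API_KEYS.get(headers.get("X-API-Key", ""))

    def _allow(self, client: str) -> bool:
        """Fixed-window counter: at most RATE_LIMIT requests per WINDOW_SECONDS per client."""
        now = self.clock()
        start, count = self.windows.get(client, (now, 0))
        if now - start >= WINDOW_SECONDS:        # window expired: start a fresh one
            start, count = now, 0
        if count >= RATE_LIMIT:
            self.windows[client] = (start, count)
            return False
        self.windows[client] = (start, count + 1)
        return True

    def _route(self, path: str) -> Tuple[Optional[str], Optional[str]]:
        """Match the longest-prefix route and strip the prefix from the forwarded path."""
        for prefix in sorted(ROUTES, key=len, reverse=True):
            if path == prefix or path.startswith(prefix + "/"):
                return ROUTES[prefix], path[len(prefix):] or "/"
        return None, None

    def handle(self, method: str, path: str, headers: Dict[str, str]) -> GatewayResponse:
        """Run one inbound request through the gateway checks in order."""
        user = self._authenticate(headers)
        if user is None:
            return GatewayResponse(401, "missing or invalid API key")
        if not self._allow(user):
            return GatewayResponse(429, "rate limit exceeded",
                                   headers={"Retry-After": str(WINDOW_SECONDS)})
        upstream, rewritten = self._route(path)
        if upstream is None:
            return GatewayResponse(404, "no route for path")
        # Forwarded headers: drop gateway-owned identity headers the client may have set,
        # then attach the identity the gateway itself verified.
        fwd = {k: v for k, v in headers.items() if k not in GATEWAY_OWNED_HEADERS}
        fwd["X-User-Id"] = user
        return GatewayResponse(200, "forwarded", forwarded_to=upstream + rewritten, headers=fwd)


if __name__ == "__main__":
    gw = Gateway()
    for i in range(5):   # the 4th and 5th calls are rejected with 429
        r = gw.handle("GET", "/users/42", {"X-API-Key": "key-alice", "X-User-Id": "admin"})
        print(i + 1, r.status, r.forwarded_to, r.headers.get("X-User-Id"))
```

A real gateway would keep the counters in a shared store so that multiple instances behind a load balancer enforce one limit, and would usually prefer a token bucket to a fixed window to avoid the burst at each window boundary; the ordering of the checks is the part that carries over unchanged.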

Why use it

  • One place to enforce auth + rate-limit policies across the entire backend
  • Backend services can stay 'dumb' about who's calling them
  • Easy to add new cross-cutting concerns (canary routing, A/B tests) without touching every service

What it costs you

  • Extra hop that adds latency to every request
  • If it goes down, everything goes down (must be HA)
  • Can become a god-object if too much logic accumulates here

Where it shows up in our architectures

  • URL Shortener

    Auth + rate-limit + routing to read vs write services

  • Netflix

    Zuul handles every control-plane API call; video bytes bypass it via the CDN

  • Payment Gateway

    TLS termination, audit logging, API-key auth all in the gateway

Gotchas

  • Treat the gateway as infrastructure, not business logic. Routing rules are fine; complex business logic belongs in services.
  • Latency-sensitive paths (video bytes, websocket frames) should bypass the gateway; the gateway is for the control plane.
  • Run multiple instances behind a load balancer. A single-instance gateway is the most expensive SPOF in your architecture.

When this went wrong in production

Twitter's self-inflicted API shutdown · 2023

Twitter removed free API access with 48-hour notice, breaking thousands of apps and bots instantly.

In February 2023, Twitter/X announced it would end free API access with roughly 48 hours' notice, requiring all developers to move to paid tiers. This wasn't an outage in the traditional sense, but the outcome was the same: thousands of Twitter-integrated apps, bots, academic tools, and emergency-alert services stopped working simultaneously. Wildfire alert bots, public transit notification bots, journalism tools: all went dark. The lesson is about API contract stability, not fault tolerance. If you build on a third-party API, treat their rate limits and pricing as a failure mode, not a constant. Design your system so that a third-party API becoming unavailable or prohibitively expensive doesn't cascade into a user-facing outage.

Interview angle

An API gateway question is often really a question about cross-cutting concerns: where do auth, rate limiting, and logging live in a microservices system? The answer they want is 'at the gateway, not in every service.' Show you understand the failure mode too: a gateway is a single chokepoint, so you need multiple instances and a bypass plan for latency-critical paths like video streaming.
