Why This Matters
In a microservices architecture, your system might have a user service, an order service, a payment service, and a notification service -- each with its own API. Should your mobile app know the address of every service? Should each service implement its own authentication, rate limiting, and logging? That would be chaos. An API gateway solves this by providing a single entry point for all client requests.
The API gateway acts as a front door. Clients talk to the gateway; the gateway routes requests to the correct service. Along the way, it handles cross-cutting concerns: authentication, rate limiting, request transformation, logging, and caching. This keeps your backend services focused on business logic and gives you centralized control over security and traffic management. Every major API-driven company -- from Amazon to Stripe -- uses an API gateway.
Visual Model
The API gateway handles authentication, rate limiting, and routing before requests reach backend services.
Code Example
```javascript
// Simple API Gateway implementation
class APIGateway {
  constructor() {
    // A Map (not a plain object) so a path such as "/constructor" cannot
    // match an inherited property of Object.prototype
    this.routes = new Map();
    this.rateLimits = new Map();
    this.maxRequests = 5; // per minute
  }

  // Register a route to a backend service
  registerRoute(path, serviceUrl) {
    this.routes.set(path, serviceUrl);
  }

  // Check rate limit for a client (sliding window over the last minute)
  checkRateLimit(clientId) {
    const now = Date.now();
    const requests = this.rateLimits.get(clientId) || [];
    // Keep only requests from the last minute
    const recent = requests.filter(t => now - t < 60000);
    if (recent.length >= this.maxRequests) {
      return false; // rate limited
    }
    recent.push(now);
    this.rateLimits.set(clientId, recent);
    return true;
  }

  // Handle an incoming request
  handleRequest(request) {
    // Step 1: Authenticate. This demo only checks that a key is present;
    // a real gateway validates the key against a key store or identity provider
    if (!request.apiKey) {
      return { status: 401, body: "Unauthorized" };
    }
    // Step 2: Rate limit (keyed by API key, so each client has its own budget)
    if (!this.checkRateLimit(request.apiKey)) {
      return { status: 429, body: "Too Many Requests" };
    }
    // Step 3: Route to service
    const serviceUrl = this.routes.get(request.path);
    if (!serviceUrl) {
      return { status: 404, body: "Route not found" };
    }
    return {
      status: 200,
      body: `Routed to ${serviceUrl}${request.path}`,
    };
  }
}

const gateway = new APIGateway();
gateway.registerRoute("/api/users", "http://user-service:3001");
gateway.registerRoute("/api/orders", "http://order-service:3002");
console.log(gateway.handleRequest({
  path: "/api/users", apiKey: "abc123"
}));
```
Interactive Experiment
Try these exercises:
- Send 6 requests with the same API key in quick succession. On which request does rate limiting kick in?
- Add a request without an apiKey. Verify that it is rejected with 401 before rate limiting is checked.
- Add a new route for /api/payments. Route a request to it and confirm the gateway forwards it correctly.
- Modify the gateway to support path prefixes: any path starting with /api/users (like /api/users/123) should route to the user service.
Coding Challenge
Write a `RateLimiter` class that uses the sliding window algorithm. The constructor takes `maxRequests` and `windowMs` (window size in milliseconds). The `allowRequest(clientId, timestamp)` method returns true if the client is under the limit, false if they are over. Track requests per client. For testing, use explicit timestamps instead of Date.now().
Real-World Usage
API gateways are essential infrastructure for modern systems:
- AWS API Gateway: A fully managed service that handles request routing, authentication (Cognito, Lambda authorizers), rate limiting, and request/response transformation for serverless and containerized backends.
- Kong: An open-source API gateway built on Nginx, used by companies like Nasdaq and Honeywell for high-throughput API management.
- Nginx / Envoy: Often used as lightweight API gateways that handle TLS termination, load balancing, and routing in Kubernetes environments.
- Stripe API: Uses API keys and rate limiting through their gateway to manage millions of payment API requests per day.
- GraphQL gateways (Apollo Federation): Combine multiple GraphQL services behind a single gateway endpoint.