Quick answer
An API gateway is an entry point that sits between clients and backend services. It can route requests, enforce authentication, apply rate limits, transform requests, collect metrics, and centralize cross-cutting API concerns.
Gateways are useful, but they can also become a bottleneck or a place where too much business logic accumulates.
Why API gateways exist
As backend systems grow, clients may need to call many services:
web app -> user service
-> order service
-> billing service
-> search service
An API gateway gives clients a single public entry point:
client -> API gateway -> internal services
The gateway can hide internal topology and expose a cleaner external API.
Common responsibilities
API gateways often handle:
| Responsibility | Example |
|---|---|
| Routing | /api/orders goes to the order service. |
| Authentication | Validate tokens before forwarding requests. |
| Authorization checks | Enforce coarse-grained access policies. |
| Rate limiting | Limit requests by account, API key, or IP. |
| Request logging | Record method, path, status, latency, and request ID. |
| Header management | Add trace IDs or remove unsafe headers. |
| Protocol bridging | Expose HTTP while calling internal gRPC services. |
Not every gateway should do all of these. Keep the boundary clear.
Gateway vs load balancer
A load balancer distributes traffic across instances. An API gateway usually understands API-level concerns such as routes, auth, quotas, and request metadata.
They can be separate systems or combined depending on the platform.
For example:
client -> load balancer -> API gateway -> service instances
or:
client -> edge gateway/load balancer -> service instances
Read Load Balancing Explained for the traffic distribution side.
Authentication at the gateway
Validating authentication at the gateway can reduce duplicated work in services.
For JWT-based systems, the gateway may verify:
- Signature.
- Issuer.
- Audience.
- Expiration.
- Required token shape.
The gateway can then forward trusted identity claims to internal services.
Be careful: internal services should still protect sensitive operations. Gateway auth is useful, but it should not become the only authorization thought in the system. Object-level permissions often belong closer to the domain service.
Read OAuth 2.0 Explained for Backend Developers and JWT vs Session Authentication for auth background.
Rate limiting and quotas
API gateways are a natural place for broad rate limiting.
Examples:
- 1,000 requests per minute per API key.
- 100 login attempts per hour per IP.
- 10 export requests per hour per account.
Gateway limits are good for coarse protection. Business-specific limits may still belong inside application services because they need domain context.
Read Rate Limiting in APIs Explained for algorithm and response-design details.
Observability
Gateways see most inbound traffic, so they are useful for:
- Access logs.
- Request IDs.
- Latency metrics.
- Status code metrics.
- Route-level error rates.
- Client or API key usage.
Gateway observability helps operators see whether failures are global, route-specific, client-specific, or downstream-service-specific.
Deployment checklist
Before putting an API gateway in front of production traffic, check the operational path. The gateway should have a rollback plan, health checks, request logging, and a clear owner for route configuration. If route changes require a manual dashboard edit with no review, the gateway can become a quiet source of production risk.
Also decide which failures the gateway may transform. It can add request IDs, normalize broad error envelopes, or enforce payload size limits. It should not hide domain-specific errors so aggressively that clients cannot recover. A good gateway makes cross-cutting concerns consistent while preserving enough downstream signal for debugging.
Common mistakes
The first mistake is putting too much business logic into the gateway. A gateway should coordinate API concerns, not become a hidden domain service.
The second mistake is assuming gateway authentication replaces service authorization. Sensitive operations still need domain-level checks.
The third mistake is making the gateway a single point of failure without redundancy and clear rollback plans.
The fourth mistake is hiding useful errors. A gateway should preserve enough error context for clients and operators while avoiding secret leakage.
When you need one
An API gateway is useful when:
- Multiple clients need a stable API surface.
- Multiple backend services sit behind one public API.
- Authentication, logging, or rate limiting should be centralized.
- Internal service topology should not be exposed.
- API versioning or routing needs are growing.
For a small monolith, a separate gateway may be unnecessary. The application itself can handle routing, auth, and observability until complexity justifies another layer.
Related reading
Read API Versioning Explained for evolving public contracts, CORS Preflight Explained for browser OPTIONS behavior at gateway boundaries, and REST API Status Codes Explained for gateway-safe error behavior. For traffic protection, read API Abuse Prevention Explained, Rate Limiting in APIs Explained, and Circuit Breaker Pattern Explained.
For protected API design, read API Authentication Best Practices, Service Accounts Explained, and Security Event Logging Explained. Use the HTTP Status Code Lookup when designing gateway responses. For the full sequence, browse the API Design Learning Path and the Backend Security Learning Path.