← Docs
Recipe

API Gateway Design

Single entry point for all client requests — routing, auth, rate limiting, and observability in one layer.

Problem

Microservices expose dozens of endpoints. Clients must know every host, handle auth per service, and deal with inconsistent error formats. Internal refactors break consumers.

Solution

Place a reverse proxy gateway in front of all services. It terminates TLS, validates JWTs, enforces per-route rate limits, and forwards requests to the correct upstream. Clients hit one base URL.

Architecture

Client → [TLS] → Gateway
                  ├── /api/auth/*  → auth-svc:4001
                  ├── /api/users/* → users-svc:4002
                  └── /api/billing/* → billing-svc:4003
                      │
                      ├── JWT validation (cache pub keys)
                      ├── Rate limiter (token bucket per route)
                      └── Request logging → observability stack

Key Decisions

  • Stateless gateway — no session storage, horizontal scale trivially.
  • Route table as config file, hot-reloaded on SIGHUP.
  • Circuit breaker per upstream — fail fast, don't cascade.
  • Request ID injected at edge, propagated via header to all services.

Trade-offs

Adds ~2ms latency per hop. Single point of failure if not deployed with redundancy. Avoid business logic in the gateway — it becomes a monolith otherwise. Keep it thin: route, auth, throttle, log.

← Back to docs