api-gateway-microservices
    Part 1: Concepts & Architecture / 12 min read

    What is an API Gateway?

    In a microservices world, every service speaks for itself — but someone has to manage the front door. That someone is the API Gateway. Let's break down what it is, why it exists, and how it fits into modern distributed systems.

    You've built a system. It's grown. What started as one service is now ten - an auth service, a user service, an order service, a payment service, a notification service. Each one speaks its own language, runs on its own port, and has its own rules.

    Now your mobile app needs to call five of them in a single screen load.

    Welcome to the problem that API Gateways solve.


    The Problem Without a Gateway

    In a raw microservices architecture, clients talk directly to individual services. This sounds fine until you realize:

    • Multiple round trips - a dashboard page might need data from 4 services
    • CORS nightmares - every service needs cross-origin headers configured
    • Auth duplication - every service needs to validate tokens independently
    • No single throttle point - rate limiting lives in 10 different places
    • Service location hardcoded into clients - if a service moves, clients break

    Direct communication at scale looks like this:

    graph TD
        MobileApp["📱 Mobile App"]
        WebApp["🌐 Web App"]
        ThirdParty["🔌 Third-Party Client"]
        AuthSvc["🔐 Auth Service\n:3001"]
        UserSvc["👤 User Service\n:3002"]
        OrderSvc["🛒 Order Service\n:3003"]
        PaymentSvc["💳 Payment Service\n:3004"]
        NotifSvc["🔔 Notification Service\n:3005"]
        MobileApp -->|JWT validate| AuthSvc
        MobileApp -->|GET /users/me| UserSvc
        MobileApp -->|GET /orders| OrderSvc
        WebApp -->|JWT validate| AuthSvc
        WebApp -->|GET /users/me| UserSvc
        WebApp -->|GET /orders| OrderSvc
        WebApp -->|POST /payments| PaymentSvc
        ThirdParty -->|JWT validate| AuthSvc
        ThirdParty -->|GET /orders| OrderSvc

    Every client knows every service's address. Every service handles its own auth. Adding a new service means updating every client. Changing a URL means updating everything. This is the distributed monolith trap - you got the complexity of microservices with none of the benefits.


    Enter the API Gateway

    An API Gateway is a single entry point that sits between clients and your backend services. It receives all incoming requests, applies cross-cutting concerns (auth, rate limiting, logging, routing), then proxies to the appropriate downstream service.

    graph TD
        MobileApp["📱 Mobile App"]
        WebApp["🌐 Web App"]
        ThirdParty["🔌 Third-Party Client"]
        GW["🚪 API Gateway\n:8080"]
        AuthSvc["🔐 Auth Service"]
        UserSvc["👤 User Service"]
        OrderSvc["🛒 Order Service"]
        PaymentSvc["💳 Payment Service"]
        NotifSvc["🔔 Notification Service"]
        MobileApp --> GW
        WebApp --> GW
        ThirdParty --> GW
        GW -->|/auth/*| AuthSvc
        GW -->|/users/*| UserSvc
        GW -->|/orders/*| OrderSvc
        GW -->|/payments/*| PaymentSvc
        GW -->|/notifications/*| NotifSvc

    One door. All rules enforced at the door. Services stay clean and focused on their domain.


    What Does an API Gateway Actually Do?

    Think of the gateway as a traffic cop + bouncer + translator - all in one.

    1. Routing

    The most basic function. A request comes in at /api/orders/123, the gateway maps it to http://order-service:3003/orders/123 and proxies it.

    sequenceDiagram
        participant C as Client
        participant GW as API Gateway
        participant OS as Order Service
        C->>GW: GET /api/orders/123
        GW->>GW: Match route /api/orders/*
        GW->>OS: GET /orders/123
        OS-->>GW: 200 { order data }
        GW-->>C: 200 { order data }

    2. Authentication & Authorization

    The gateway validates JWT tokens (or API keys, OAuth tokens, etc.) before requests ever reach downstream services. Services don't need to implement auth - they trust that if the request got through, it's been verified. That trust only holds when the services are reachable through the gateway alone.

    sequenceDiagram
        participant C as Client
        participant GW as API Gateway
        participant Auth as Auth Service
        participant US as User Service
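
    The routing and token-validation steps above as a gateway decision function in Node.js (an added example, not code from this series). It assumes HS256 tokens signed with a shared secret, a string `sub` claim, an `x-user-id` header convention and the `user-service:3002` host name; only the `/api/orders` mapping comes from the page.

```javascript
const crypto = require("crypto");

// Route table: the /api/orders mapping is the page's example; the users entry is assumed.
const ROUTES = [
  { prefix: "/api/orders", upstream: "http://order-service:3003/orders" },
  { prefix: "/api/users", upstream: "http://user-service:3002/users" },
];
const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Issues an HS256 token; used here only to build constructed sample input.
function signJwt(payload, secret) {
  const body = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + b64url(JSON.stringify(payload));
  return body + "." + b64url(hmac(body, secret));
}

// Returns the claims, or null when the token is malformed, forged or expired.
function verifyJwt(token, secret, nowSec) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    if (header.alg !== "HS256") return null; // pin the algorithm; rejects "none" and key-confusion tricks
    const expected = hmac(parts[0] + "." + parts[1], secret);
    const given = Buffer.from(parts[2], "base64url");
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
    return typeof claims.exp === "number" && claims.exp > nowSec ? claims : null;
  } catch {
    return null; // bad base64 or JSON is treated like any other invalid token
  }
}

// Decides what the gateway does with a request (req.path carries no query string):
// { reject: <status> } or { forwardTo: <upstream URL>, headers: <headers to send> }.
function gatewayDecision(req, secret, nowSec) {
  // Match on a segment boundary so /api/ordersfoo does not reach the order service.
  const route = ROUTES.find((r) => req.path === r.prefix || req.path.startsWith(r.prefix + "/"));
  if (!route) return { reject: 404 };
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || "");
  const claims = m && verifyJwt(m[1], secret, nowSec);
  if (!claims || typeof claims.sub !== "string") return { reject: 401 };
  // Overwrite any identity header the client sent; downstream trusts only this value.
  const headers = { ...req.headers, "x-user-id": claims.sub };
  return { forwardTo: route.upstream + req.path.slice(route.prefix.length), headers };
}
```

    Overwriting `x-user-id` matters as much as the signature check: a service that trusts the gateway will also trust any identity header the gateway passes through unchanged.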
