An API Gateway is a server that acts as an API front-end, receives API requests, enforces throttling and security policies, and passes requests to the back-end service.

Think of a Large Hotel:

1. You have a pool, a restaurant, a gym, and many rooms (Microservices).
2. You don't want guests walking into the kitchen or the laundry room directly.
3. The API Gateway is the Front Desk.
4. When you arrive, the Front Desk:
   • Checks your ID (Authentication).
   • Gives you a key card (Authorization).
   • Tells you how to get to the restaurant (Routing).
   • Makes sure you don't book 100 rooms at once (Rate Limiting).

---

Core Responsibilities

1. Routing: Taking a request for /v1/users and sending it to the User Service.
2. Authentication/Authorization: Verifying JWT tokens or API keys before the request even hits the heavy back-end.
3. Rate Limiting: Preventing DDoS attacks or abusive users from overwhelming your services.
4. Usage Monitoring: Tracking how many people use which API.
5. Protocol Translation: Converting between different protocols (e.g., HTTP to gRPC).

---

API Gateway vs Load Balancer

• Load Balancer: Focuses on Availability. It sends traffic to "Web Server A" or "Web Server B." It doesn't care what's in the URL.
• API Gateway: Focuses on Application Logic. It cares what you are asking for (e.g., users vs. products) and who you are.

Performance Concerns

Because every single request goes through the Gateway, it can become a bottleneck. The Solution: Keep the Gateway logic as "thin" as possible. Don't do heavy database lookups or business logic here. Just route and secure.

Popular Tools

• Kong, Tyk, AWS API Gateway, Apigee. 🛡️