API (Application Programming Interface)
An API, or Application Programming Interface, is a contract that lets software talk to other software. In a data context, APIs are how conne...
Read definitionAn API gateway is a single entry point that sits in front of one or more backend services. It handles cross-cutting work like authentication, rate limiting, routing, request transformation, caching, and logging, so each service does not have to reimplement it.
An API gateway is a single entry point that sits in front of one or more backend services. Clients call the gateway, and the gateway forwards each request to the service that should handle it. Nothing on the outside talks to those services directly.
The reason to add one is repetition. Every service behind it needs the same plumbing: check who is calling, decide whether they are allowed, cap how often they can call, write a log line, maybe reshape the response. Build that once in the gateway and the services stop implementing it five times over. Amazon describes its own Amazon API Gateway as a "front door" for applications to reach backend logic and data.
A common variation is the backend-for-frontend, or BFF, where you run a separate gateway per client type so the web app, the mobile app, and a partner API each get a response shaped for them.
The exact feature set depends on the product, but most gateways cover the same concerns:
Routing. Match the incoming path, method, and version to a backend service and forward the request there.
Authentication and authorisation. Verify an API key, a signed token, or an OAuth flow, and reject the call before it reaches a service. Azure API Management, for example, checks API keys, JWTs, and client certificates at the gateway.
Rate limiting. Cap how many requests a client may send in a window, so one caller cannot starve the rest. A rate limit and its quota usually live here rather than in every service.
Request and response transformation. Rewrite headers, rename fields, or convert between formats so an older backend can sit behind a clean public API.
Caching. Store a response for a short time and serve repeat calls from the cache instead of hitting the backend again.
Observability. Emit logs, metrics, and traces for every call, so you can see who uses which API, where errors come from, and where latency builds up.
Some gateways go further and add resilience features such as retries or a circuit breaker, or take over TLS termination. The line to hold is that these are cross-cutting concerns, not business rules.
A plain reverse proxy forwards requests and spreads load, but it does not understand API keys, quotas, or per-consumer policy; an API gateway is a reverse proxy that also applies that API-level policy on the way through.
A service mesh handles the opposite direction of traffic, the calls between your internal services through a sidecar next to each one, while the gateway handles the requests arriving from outside, which is why the two are usually run together rather than chosen between.
For a single internal API, a gateway is often more machinery than the job needs. It earns its place once you have several APIs, outside consumers, partner access, or mobile and web clients that each want a slightly different contract.
It also helps when you want to expose an older system without showing its internals: the gateway presents a tidy API on the outside and hides the complexity behind it. Microsoft frames API Management partly around this, unlocking legacy backends without the cost and delay of a full migration.
In data work the gateway tends to appear when connectors, automations, and AI tools need controlled access to operational systems. It sits in the same family as an iPaaS, a webhook receiver, or a reverse ETL sync, all of which move requests and data across system boundaries in a governed way.
It becomes a single point of failure. Every request flows through the gateway, so if it goes down, all the APIs behind it go down with it. That is why a gateway is run redundantly and sized for the full traffic load, and it is a real operational cost to plan for.
Business logic creeps in. The gateway is a tempting place to drop "just one" transformation, then a validation rule, then a bit of orchestration. Do that enough and it turns into a mini-monolith that every team has to redeploy and that couples all your services together. Keeping business rules in the services is the discipline that stops the gateway becoming the bottleneck it was meant to remove.
Logs can leak secrets. Gateway logging is useful, but access tokens, API keys, and personal data should be masked before they reach a log store.
An API, or Application Programming Interface, is a contract that lets software talk to other software. In a data context, APIs are how conne...
Read definitionBanking as a Service lets non-bank companies offer banking features under their own brand by using a licensed bank or regulated provider beh...
Read definitionA business key is the identifier a business already uses to recognise something real, like an invoice number, VAT number, EAN or employee nu...
Read definitionChange Data Capture (CDC) is the practice of detecting every change in a source system and forwarding it to downstream systems. It keeps you...
Read definitionA circuit breaker watches the calls your application makes to a dependency and, once failures cross a threshold, stops sending calls for a w...
Read definition
Seven new Data Panda connectors from June 2026, with practical reporting ideas for stock, finance, ticketing, route planning and operations.
The June 2026 Power BI Desktop Bridge lets an agent build and verify reports. Here is how to enable it and install the two CLIs the docs lea...