Dictionary

API gateway

An API gateway is a single entry point that sits in front of one or more backend services. It handles cross-cutting work like authentication, rate limiting, routing, request transformation, caching, and logging, so each service does not have to reimplement it.

What is an API gateway?

An API gateway is a single entry point that sits in front of one or more backend services. Clients call the gateway, and the gateway forwards each request to the service that should handle it. Nothing on the outside talks to those services directly.

The reason to add one is repetition. Every service behind it needs the same plumbing: check who is calling, decide whether they are allowed, cap how often they can call, write a log line, maybe reshape the response. Build that once in the gateway and the services stop implementing it five times over. Amazon describes its own Amazon API Gateway as a "front door" for applications to reach backend logic and data.

A common variation is the backend-for-frontend, or BFF, where you run a separate gateway per client type so the web app, the mobile app, and a partner API each get a response shaped for them.

The cross-cutting work it handles

The exact feature set depends on the product, but most gateways cover the same concerns:

  • Routing. Match the incoming path, method, and version to a backend service and forward the request there.

  • Authentication and authorisation. Verify an API key, a signed token, or an OAuth flow, and reject the call before it reaches a service. Azure API Management, for example, checks API keys, JWTs, and client certificates at the gateway.

  • Rate limiting. Cap how many requests a client may send in a window, so one caller cannot starve the rest. A rate limit and its quota usually live here rather than in every service.

  • Request and response transformation. Rewrite headers, rename fields, or convert between formats so an older backend can sit behind a clean public API.

  • Caching. Store a response for a short time and serve repeat calls from the cache instead of hitting the backend again.

  • Observability. Emit logs, metrics, and traces for every call, so you can see who uses which API, where errors come from, and where latency builds up.

Some gateways go further and add resilience features such as retries or a circuit breaker, or take over TLS termination. The line to hold is that these are cross-cutting concerns, not business rules.

API gateway, reverse proxy, and service mesh

A plain reverse proxy forwards requests and spreads load, but it does not understand API keys, quotas, or per-consumer policy; an API gateway is a reverse proxy that also applies that API-level policy on the way through.

A service mesh handles the opposite direction of traffic, the calls between your internal services through a sidecar next to each one, while the gateway handles the requests arriving from outside, which is why the two are usually run together rather than chosen between.

When you actually need one

For a single internal API, a gateway is often more machinery than the job needs. It earns its place once you have several APIs, outside consumers, partner access, or mobile and web clients that each want a slightly different contract.

It also helps when you want to expose an older system without showing its internals: the gateway presents a tidy API on the outside and hides the complexity behind it. Microsoft frames API Management partly around this, unlocking legacy backends without the cost and delay of a full migration.

In data work the gateway tends to appear when connectors, automations, and AI tools need controlled access to operational systems. It sits in the same family as an iPaaS, a webhook receiver, or a reverse ETL sync, all of which move requests and data across system boundaries in a governed way.

What to watch out for with API gateways

It becomes a single point of failure. Every request flows through the gateway, so if it goes down, all the APIs behind it go down with it. That is why a gateway is run redundantly and sized for the full traffic load, and it is a real operational cost to plan for.

Business logic creeps in. The gateway is a tempting place to drop "just one" transformation, then a validation rule, then a bit of orchestration. Do that enough and it turns into a mini-monolith that every team has to redeploy and that couples all your services together. Keeping business rules in the services is the discipline that stops the gateway becoming the bottleneck it was meant to remove.

Logs can leak secrets. Gateway logging is useful, but access tokens, API keys, and personal data should be masked before they reach a log store.

Last Updated: July 10, 2026 Back to Dictionary
Keywords
api gateway api ipaas reverse etl on-premises data gateway api management microservices rate limiting oauth reverse proxy integration