API Gateway
The system's entry point, responsible for cross-cutting concerns such as authentication, routing, and traffic control.
What is an API Gateway?
It is the component that receives external requests and acts as the single or primary entry point into the backend ecosystem.
It is not where business logic lives, but where cross-cutting edge responsibilities are handled.
Core responsibilities
Authentication and initial validation
For example, verifying JWTs or access tokens.
Routing
Sending each request to the correct destination: BFF, internal service, or specific endpoint.
Rate limiting
Protecting the system against abuse or overload.
CORS, TLS, and edge policies
Handling technical concerns specific to the system’s boundary.
Logging and correlation
Generating or propagating a correlationId, logging requests, and enabling traceability.
What it should not do
It should not contain business logic
If the gateway starts deciding functional rules, it stops being a cross-cutting layer and becomes hard to maintain.
It should not become a monolithic backend
It should not aggregate complex responses, transform screen DTOs, or replace the BFF.
It should not know too much about the domain
It should know how to route and protect, not model the business.
Relationship with the BFF
In this architecture, the gateway typically sends most requests to the BFF, which is the layer that adapts and orchestrates.
A simple way to tell them apart is:
Gateway — Controls entry, edge security, and routing.
BFF — Adapts the response for the frontend and composes business data.
Benefits
- Centralizes cross-cutting concerns
- Simplifies access from the frontend
- Improves control and security
- Enables entry-point observability
- Decouples the client from the internal backend
Risks if misused
- Business logic at the edge
- Excessive configuration that is hard to govern
- Coupling with domain details
- A gateway that is too “smart”
Common technologies
- Kong
- AWS API Gateway
- Express Gateway
- NGINX with plugins
- Cloud edge/API management solutions
Practical example
When an authenticated user requests to view their profile:
- The frontend calls the gateway
- The gateway validates the token
- It applies basic policies
- It routes to the BFF
- It propagates context and correlation
It does not build the final profile response; it only allows the request to enter the system correctly.
Summary
The API Gateway is the system’s entry point. Its value lies in centralizing authentication, routing, and edge policies, not in becoming the functional brain of the application.