API Gateway

The system's entry point, responsible for cross-cutting concerns such as authentication, routing, and traffic control.

What is an API Gateway?

It is the component that receives external requests and acts as the single or primary entry point into the backend ecosystem.

It is not where business logic lives, but where cross-cutting edge responsibilities are handled.

Core responsibilities

Authentication and initial validation

For example, verifying JWTs or access tokens.

Routing

Sending each request to the correct destination: BFF, internal service, or specific endpoint.

Rate limiting

Protecting the system against abuse or overload.

CORS, TLS, and edge policies

Handling technical concerns specific to the system’s boundary.

Logging and correlation

Generating or propagating a correlationId, logging requests, and enabling traceability.

What it should not do

It should not contain business logic

If the gateway starts deciding functional rules, it stops being a cross-cutting layer and becomes hard to maintain.

It should not become a monolithic backend

It should not aggregate complex responses, transform screen DTOs, or replace the BFF.

It should not know too much about the domain

It should know how to route and protect, not model the business.

Relationship with the BFF

In this architecture, the gateway typically sends most requests to the BFF, which is the layer that adapts and orchestrates.

A simple way to tell them apart is:

Gateway — Controls entry, edge security, and routing.

BFF — Adapts the response for the frontend and composes business data.

Benefits

  • Centralizes cross-cutting concerns
  • Simplifies access from the frontend
  • Improves control and security
  • Enables entry-point observability
  • Decouples the client from the internal backend

Risks if misused

  • Business logic at the edge
  • Excessive configuration that is hard to govern
  • Coupling with domain details
  • A gateway that is too “smart”

Common technologies

  • Kong
  • AWS API Gateway
  • Express Gateway
  • NGINX with plugins
  • Cloud edge/API management solutions

Practical example

When an authenticated user requests to view their profile:

  1. The frontend calls the gateway
  2. The gateway validates the token
  3. It applies basic policies
  4. It routes to the BFF
  5. It propagates context and correlation

It does not build the final profile response; it only allows the request to enter the system correctly.

Summary

The API Gateway is the system’s entry point. Its value lies in centralizing authentication, routing, and edge policies, not in becoming the functional brain of the application.