One front door
An API gateway sits between clients and your backend services. Instead of every client knowing about every service, they all talk to the gateway, which forwards requests to the right place. It is the single entry point for the system.
What it handles
- Routing: forwarding requests to the correct backend service by path or host.
- Authentication: checking tokens once at the edge so services do not each repeat it.
- Rate limiting: protecting services from abuse and overload.
- TLS termination: decrypting once at the edge.
- Aggregation: sometimes combining several backend calls into one response.
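The three request-path concerns above (authenticate once, rate limit per client, route by path) in a minimal in-process gateway. This is an added example, not code from the page; the route table, token table and the X-User header the backend trusts are constructed placeholders.

```python
import time
from dataclasses import dataclass

# Constructed sample data: path prefix -> upstream service, and a stand-in token table
# (a real gateway would verify a signed token or call an identity provider).
ROUTES = {"/users": "http://users-svc:8080", "/orders": "http://orders-svc:8080"}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Bucket:
    tokens: float  # tokens currently available to this client
    last: float    # timestamp of the last refill


class Gateway:
    """Thin edge: authenticate, rate limit per identity, route by longest prefix."""

    def __init__(self, routes, tokens, capacity=3, refill_per_sec=1.0):
        # Longest prefix first so "/users/42" matches "/users" before a shorter "/".
        self.routes = sorted(routes.items(), key=lambda kv: -len(kv[0]))
        self.tokens = tokens
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets = {}

    def _allow(self, identity, now):
        # Token bucket keyed by the authenticated identity, not the raw socket.
        b = self.buckets.setdefault(identity, Bucket(self.capacity, now))
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.refill)
        b.last = now
        if b.tokens < 1:
            return False
        b.tokens -= 1
        return True

    def handle(self, path, headers, now=None):
        """Return (status, upstream_url_or_None, headers_to_forward)."""
        now = time.monotonic() if now is None else now
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        identity = self.tokens.get(token)
        if identity is None:           # 1. authentication, done once at the edge
            return 401, None, {}
        if not self._allow(identity, now):  # 2. rate limiting
            return 429, None, {}
        for prefix, upstream in self.routes:  # 3. routing by path
            if path == prefix or path.startswith(prefix + "/"):
                return 200, upstream + path, {"X-User": identity}
        return 404, None, {}
```

Backends receive the already-verified identity in X-User and never see the bearer token, which is why they must accept that header only from the gateway.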
Keep it thin
The gateway is powerful, which makes it tempting to put business logic there. Resist that. A gateway that owns domain rules becomes a bottleneck and a single point of failure. Keep it focused on cross-cutting concerns.
Key idea
An API gateway is the single front door that routes, authenticates, and rate limits requests, handling cross-cutting concerns while keeping business logic in the services.