Routing
A request comes in like "GET /users/123". The gateway knows where to send it. Maybe it goes to a users service running on port 3000, or maybe to a different server entirely. The gateway handles this mapping.
SSL Termination
SSL (Secure Sockets Layer), today replaced by its successor TLS (Transport Layer Security), encrypts data between browsers and servers. Think of it like a secret code that only the sender and receiver can understand. When you see HTTPS, that's SSL/TLS in action.
SSL termination means the gateway decrypts incoming requests. Instead of every backend service handling encryption, the gateway does it once. It's like having one security checkpoint instead of many.
Here's how it works:
Browser sends encrypted request
Gateway decrypts it
Gateway sends plain request to internal services
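Everything inside your network stays unencrypted (faster, less CPU)
The trade-off is that anything able to observe internal traffic can read it, so the gateway should re-encrypt the connection to backend services when the internal network is not fully trusted.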
Rate Limiting
Stops clients from sending too many requests. If someone hits your API 1000 times per second, they could crash your system.
The gateway tracks requests using rules like:
Max 100 requests per minute per IP
Max 1000 requests per hour per API key
Block if too many failures
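A sliding-window limiter for the three rules listed above, added here as an example rather than code from any particular gateway. The class names, the failure threshold (5 failures in 5 minutes) and the in-memory storage are assumptions; a gateway running several instances would keep these counters in a shared store.

```python
import time
from collections import defaultdict, deque

# Limits from the rules above; MAX_FAILURES and FAILURE_WINDOW are assumed values.
IP_LIMIT, IP_WINDOW = 100, 60          # 100 requests per minute per IP
KEY_LIMIT, KEY_WINDOW = 1000, 3600     # 1000 requests per hour per API key
MAX_FAILURES, FAILURE_WINDOW = 5, 300  # block an IP after 5 failures in 5 minutes

class SlidingWindow:
    """Allows at most `limit` events per `window` seconds for each identity."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # identity -> timestamps, oldest first

    def _prune(self, ident, now):
        q = self.events[ident]
        while q and q[0] <= now - self.window:  # drop events older than the window
            q.popleft()
        return q

    def full(self, ident, now):
        return len(self._prune(ident, now)) >= self.limit

    def record(self, ident, now):
        self._prune(ident, now).append(now)

class GatewayLimiter:
    def __init__(self):
        self.per_ip = SlidingWindow(IP_LIMIT, IP_WINDOW)
        self.per_key = SlidingWindow(KEY_LIMIT, KEY_WINDOW)
        self.failures = SlidingWindow(MAX_FAILURES, FAILURE_WINDOW)

    def check(self, ip, api_key, now=None):
        """Return (allowed, reason); reason names the rule that rejected the request."""
        now = time.monotonic() if now is None else now
        if self.failures.full(ip, now):
            return False, "blocked: too many failures"
        if self.per_ip.full(ip, now):
            return False, "ip limit"
        if self.per_key.full(api_key, now):
            return False, "api key limit"
        # Only accepted requests count, so a rejected client cannot extend its own block.
        self.per_ip.record(ip, now)
        self.per_key.record(api_key, now)
        return True, "ok"

    def report_failure(self, ip, now=None):  # call when a request from `ip` fails
        self.failures.record(ip, time.monotonic() if now is None else now)
```

A rejected request would normally be answered with HTTP 429 (Too Many Requests).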
Authentication
Checks if requests are allowed. The gateway verifies things like:
API keys
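JWT tokens (signed tokens containing user info; the payload is encoded rather than encrypted, so the gateway must verify the signature before trusting it)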
OAuth tokens (like when you "Login with Google")
This happens before requests hit your services. Bad requests get rejected immediately.
Load Balancing
Spreads traffic across multiple servers. If you have 3 copies of a service, the gateway shares requests between them.
If a server dies, the gateway stops sending it traffic. This keeps your system running even when parts fail.
Request Transformation
Changes requests before they hit your services. Common transformations:
Add headers (like user ID or trace ID)
Change URL paths
Modify request body
Convert between XML and JSON
Monitoring
Tracks everything flowing through your API:
Request counts
Response times
Error rates
Which endpoints get used most
Who's calling your API
This data helps you spot problems and plan capacity.
Caching
Stores responses temporarily. If 100 users request the same data, the gateway might serve it from memory instead of hitting your database every time.
This makes your API faster and reduces load on backend services.