System Design · Guide

API Gateway

Routing, auth, aggregation, throttling at the edge.

— min read System Design

Theory

An API gateway is the front door for clients — centralize cross-cutting concerns so microservices stay focused on domain logic.

API gateways terminate TLS, authenticate clients (JWT, API keys, mTLS), route to backend services, and enforce rate limits and quotas.

They enable protocol translation (REST to gRPC), request/response transformation, and API versioning without changing every service.

BFF (Backend for Frontend) pattern: separate gateway graphs for mobile vs web clients to reduce over-fetching and tailor payloads.

Kong, AWS API Gateway, Envoy/Gateway API, and NGINX are common implementations — pick based on latency, ops model, and plugin ecosystem.

Gateways cache responses where safe (GET with Cache-Control), collapsing thundering herds on hot endpoints.

Observability: per-route metrics, distributed tracing headers (traceparent), and structured access logs feed SLO dashboards.

Failure modes: gateway becomes single point of failure — run multi-AZ, health-check upstreams, circuit-break when backends degrade.

Architecture Diagram

  Clients (web/mobile/partners)
            |
       API Gateway
     /    |    \    \
   auth rate  route cache
            |
    +-------+-------+
    v       v       v
  Orders  Users  Payments
  service service service

Examples

kong declarative
_format_version: "3.0"
services:
  - name: orders
    url: http://orders:8080
    routes:
      - name: orders-route
        paths: ["/api/orders"]
    plugins:
      - name: rate-limiting
        config: { minute: 100 }
pseudo — JWT validate
if (!verifyJwt(req.headers.authorization)) return 401;
req.headers["X-User-Id"] = claims.sub;
forwardToUpstream(req);

Interview Questions

Gateway vs load balancer?

LB distributes traffic L4/L7; gateway adds auth, routing, transformation, developer portal, and API product features.

How prevent gateway overload?

Rate limits, circuit breakers, autoscale gateway pool, cache idempotent GETs, shed load with 429 + Retry-After.

Design Stripe-like public API.

Versioned routes, API keys + OAuth, idempotency keys, per-key rate limits, webhooks, comprehensive audit logs.

What is a BFF (Backend for Frontend)?

A gateway graph tailored to mobile vs web clients — reduces over-fetching and hides microservice chattiness from clients.

Where terminate mTLS?

Often at gateway for public clients; service mesh mTLS inside the cluster for east-west zero trust.

Idempotency at the gateway?

Accept Idempotency-Key header, dedupe within TTL, return same response on retries — critical for payment APIs.

Gateway as single point of failure?

Run multi-AZ replicas, health-check upstreams, circuit-break degraded backends, autoscale on CPU/latency.

Best Practices

  • Version-control all API Gateway configuration and review changes like application code.
  • Automate validation (lint, policy checks) in CI before production apply.
  • Document ownership, on-call runbooks, and rollback for every production change.
  • Use least privilege for credentials and rotate secrets regularly.
  • Measure before/after: error rate, deploy time, cost, or toil hours saved.

Common Mistakes

  • Adopting API Gateway without a written problem statement or success metric.
  • Skipping staging that mirrors production networking and data volume.
  • No rollback path — forward-only changes during incidents.
  • Alert noise without actionable runbooks — on-call ignores pages.

Trade-off Analysis

Central gateway simplifies policy but can become a monolith — mitigate with strict plugin governance and horizontal scale.

Synchronous aggregation at gateway increases latency vs client-side parallel calls — aggregate only when round-trip savings justify it.

Managed cloud gateways reduce ops but add vendor lock-in and per-request cost at extreme scale.

mTLS everywhere is secure but painful for mobile/public clients — often terminate TLS at gateway and use JWT inside.

Cheat Sheet

BFFClient-specific API layer
Idempotency-KeySafe retry header
429Rate limited response

Practical Exercises

Rate limit tier

Design free vs paid quota model at gateway.

Canary route

Route 5% traffic to v2 upstream based on header.

Trace propagation

Inject W3C trace context through gateway to services.