API gateway
An API gateway is the single entry point in front of a service ecosystem that handles cross-cutting concerns — authentication, rate limiting, request routing, response aggregation, caching, observability — so each backend service doesn't reimplement them. Common examples: AWS API Gateway, Kong, Tyk, Apigee, Envoy as a gateway.
The pattern is most useful when many small services serve a heterogeneous client base (web, mobile, third-party API), where centralising auth and rate limits saves enormous duplication. The trade-off is that the gateway becomes a chokepoint — both for performance (it sits in the critical path of every request) and for change management (a gateway misconfiguration takes down everything). Healthy architectures keep gateway logic thin (auth, rate-limit, route) and push protocol-specific concerns to a backend-for-frontend layer behind the gateway. The pattern is sometimes confused with a service mesh; the practical distinction is north-south traffic (gateway: external clients to services) vs. east-west traffic (mesh: service to service).
Related terms
- Service mesh
A service mesh is an infrastructure layer for service-to-service communication, typically implemented as a sidecar proxy (Envoy, Linkerd-proxy) running alongside each service.
- Backend for frontend (BFF)
A backend-for-frontend is a dedicated server-side layer per client type (web, iOS, Android, partner API) that adapts the underlying services to that client's specific needs — aggregating multiple service calls, reshaping payloads, and exposing only the endpoints that client requires.
- Rate limiting
Rate limiting caps the number of requests a client can make to a service within a defined window — typically expressed as 'N requests per second' or 'N requests per minute per API key'.