What is an API Gateway?
Learn what an API gateway is, how it routes requests, centralizes auth and rate limiting, and fronts microservices at scale.
Expected Interview Answer
An API gateway is a single entry point that sits in front of a system’s backend services, routing client requests to the right service while centrally handling cross-cutting concerns like authentication, rate limiting, and request aggregation.
Instead of clients calling many microservices directly, they call the gateway, which authenticates the request, applies rate limits, logs and monitors traffic, and routes to the correct downstream service based on the path or headers. It can also aggregate several backend calls into one response for the client, translate protocols (e.g., REST in, gRPC to a service), and handle SSL termination. This centralization keeps cross-cutting logic out of every individual service, simplifies client integration to one endpoint, and gives operators a single place to enforce security policies and observe traffic. The trade-off is that the gateway becomes a critical component that must itself be highly available and horizontally scaled, since it fronts the entire system.
- Gives clients one stable entry point instead of knowing every service address
- Centralizes authentication, rate limiting, logging and monitoring
- Can aggregate multiple backend calls into a single client-facing response
- Decouples clients from internal service topology, letting services change freely
AI Mentor Explanation
An API gateway is like the team manager who receives every request from broadcasters, sponsors and press instead of letting each of them call individual players directly. The manager checks credentials (authentication), enforces how many interview slots each outlet gets per day (rate limiting), and routes each request to the right player or coach behind the scenes. If a broadcaster wants stats from three different players, the manager can gather all three and hand back one combined answer. That single, policy-enforcing front door is exactly what an API gateway provides for backend services.
Step-by-Step Explanation
Step 1
Client sends one request
The client calls the gateway’s single endpoint instead of knowing every backend service address.
Step 2
Gateway enforces cross-cutting policy
Authentication, rate limiting, logging and SSL termination happen centrally at the gateway.
Step 3
Route (and optionally aggregate)
The gateway routes to the right service by path/header, or fans out to several and combines the responses.
Step 4
Return a single response
The client gets back one coherent response, unaware of how many internal services were involved.
What Interviewer Expects
- Describes the gateway as a single entry point in front of microservices
- Names cross-cutting concerns centralized there: auth, rate limiting, logging, SSL termination
- Mentions request aggregation / protocol translation as an optional capability
- Recognizes the gateway itself must be made highly available (avoid single point of failure)
Common Mistakes
- Confusing an API gateway with a plain load balancer (gateway does far more: auth, routing by content, aggregation)
- Not mentioning that the gateway must itself be scaled/replicated to avoid being a bottleneck
- Forgetting cross-cutting concerns like authentication and rate limiting
- Assuming every request must go through business logic in the gateway itself (it should stay thin)
Best Answer (HR Friendly)
“An API gateway is the single front door that all client requests go through before reaching the actual backend services. It handles things like checking who is calling, limiting how many requests they can make, and routing each request to the right internal service, so clients only ever have to talk to one place.”
Code Example
routes:
- path: /api/users/*
service: user-service
auth: required
rateLimit: 100/min
- path: /api/orders/*
service: order-service
auth: required
rateLimit: 50/min
- path: /api/catalog/*
service: catalog-service
auth: optional
rateLimit: 200/min
crossCutting:
ssl: terminate
logging: enabled
cors:
allowedOrigins:
- "https://app.example.com"Follow-up Questions
- How is an API gateway different from a plain load balancer?
- What is the Backend-for-Frontend (BFF) pattern and how does it relate to API gateways?
- How do you keep an API gateway from becoming a single point of failure?
- What is request aggregation and when would a gateway perform it instead of the client?
MCQ Practice
1. What is the primary role of an API gateway in a microservices architecture?
An API gateway centralizes routing, authentication, rate limiting and other cross-cutting concerns in front of backend services.
2. Which of these is a cross-cutting concern typically handled at the API gateway?
Gateways commonly centralize authentication, rate limiting, logging, and SSL termination rather than domain-specific business logic.
3. Why must an API gateway itself be made highly available?
Since the gateway fronts all client traffic, it must be replicated and scaled to avoid becoming a single point of failure.
Flash Cards
What is an API gateway? — A single entry point in front of backend services that routes requests and handles cross-cutting concerns.
Name two cross-cutting concerns a gateway centralizes. — Authentication and rate limiting (also logging, SSL termination).
What is request aggregation? — The gateway calling several backend services and combining their responses into one for the client.
Key risk of an API gateway? — It can become a single point of failure or bottleneck if not made highly available and scaled.