skies.dev

Learn the API Gateway Pattern

5 min read

An API Gateway is the layer that sits between clients and a set of backend services. It gives you one place to shape requests, combine responses, and enforce cross-cutting concerns such as auth.

The pattern is useful when your clients should not talk to every backend service directly.

The Problem

Imagine a travel app with separate services for flights, hotels, and restaurants. Each team owns its service and deploys independently. That is good for team autonomy, but it creates a question:

  • do mobile and web clients call those services one by one?
  • or do they talk to a single entry point that coordinates everything?

If you expose every service directly, clients inherit the complexity of the backend.

Direct Client-to-Service Calls Create Three Problems

  • The client has to know too much about backend topology.
  • The client may need to stitch together several responses before it can render a screen.
  • Every screen can turn into multiple network hops over the public internet.

Apparently, Amazon reported that every 100ms of latency cost them 1% in sales.

That number is not the point. The point is that network round trips add up quickly, especially on mobile.

What The Gateway Actually Buys You

1. A Stable Client Interface

The gateway becomes the client’s entry point. That means you can evolve backend services behind it without forcing every client to learn new service APIs.

Good gateway behavior looks like this:

  • route /trips/123 to several services if needed
  • return a response shaped for the screen, not for the service boundary
  • hide service churn from older clients when possible

2. Response Aggregation

A gateway is a convenient place to combine data from multiple services.

For example, a trip details screen might need:

  • flight status from a flight service
  • hotel reservation details from a hotel service
  • restaurant recommendations from a dining service

Without a gateway, the client orchestrates that work. With a gateway, the backend does.

That usually makes the client thinner and easier to test.

3. Centralized Security Concerns

Authentication and authorization are often easier to manage in one place than in every service. A gateway can verify the user, apply coarse authorization, and forward trusted context to downstream services.

That does not remove service-level authorization entirely, but it reduces repeated plumbing.

Two Common Implementation Styles

REST Gateway

A REST gateway is straightforward when your needs are mostly request/response. Clients hit one endpoint, and the gateway uses HTTP requests to gather the data it needs.

GET /hero/1

The gateway can fan out to other services, gather the data, and respond with a shape that fits the UI:

{
  "hero": {
    "id": 1,
    "name": "R2-D2"
  }
}

Use this style when:

  • your screens map cleanly to resource-oriented endpoints
  • the payloads are small or moderately shaped
  • you do not need a client-selected response shape

GraphQL Gateway

GraphQL is a stronger fit when clients need to ask for exactly the fields they want. That can reduce overfetching and make a single gateway endpoint useful across many screens.

{
  hero(id: "1") {
    name
  }
}

The gateway resolves that query by talking to downstream services and returning only the requested data.

Use this style when:

  • different clients need different slices of the same domain model
  • you want one schema for many frontends
  • you expect the UI to evolve faster than the backend shape

When An API Gateway Is Worth It

An API Gateway is not automatically the right answer. It is useful when one or more of these are true:

  • clients need to aggregate multiple services for one screen
  • you want to keep service APIs private
  • you need a single place for auth, rate limits, or request shaping
  • you have many clients and want to reduce coupling to backend internals

It is less compelling when:

  • you only have one backend service
  • clients already talk to a BFF layer that solves the problem
  • the gateway would become a thin pass-through with no real logic

A Practical Checklist

Before adding a gateway, ask:

  • What problem are we solving that direct service calls cannot solve cleanly?
  • Which responses should be shaped for the client instead of for the backend?
  • Which service-to-service details should remain hidden from clients?
  • What auth rules belong at the gateway, and which must still live in services?
  • How will we observe failures when one downstream service is slow or unavailable?

If you cannot answer those questions, the gateway is probably being introduced too early.

Bottom Line

An API Gateway is valuable when it reduces client complexity and centralizes cross-cutting concerns without becoming a dumping ground for business logic. Used well, it gives product teams a stable API surface and gives backend teams room to evolve services independently.

Hey, you! 🫵

Did you know I created a YouTube channel? I'll be putting out a lot of new content on web development and software engineering so make sure to subscribe.

(clap if you liked the article)

You might also like