API Basics

What is an API gateway?

APIs (Application Programming Interfaces) are the building blocks of modern business, but a single API is rarely the only part of the story. Enterprises build an architecture around their APIs to ensure their quality and consistency. Here’s a look at one piece of that architecture, the API gateway: what it is, what it does — or what it should do — and why it’s especially important for securing, monitoring, and scaling your APIs.

What is an API gateway?

API gateways are API proxies that are put between the API Provider and the API Consumer. At its heart, an API gateway is a façade that provides an API interface to your complex subsystem.



An API gateway is programming that sits in front of an API and is the single-entry point for defined back-end APIs and microservices (which can be both internal and external). The gateway acts as a protector, enforcing security and ensuring scalability and high availability. To put it simply, the API gateway takes all API requests from a client, determines which services are needed, and combines them into a unified, seamless experience for the user.

The “front-end APIs” act as the “front door” for all your applications that have access to data, business logic, or functionality from your backend services. It decouples the interface that your clients see (in this case, API consumers that could be mobile apps, thin clients) from the actual underlying implementation.

Why do you need an API gateway?

APIs have become a strategic necessity for businesses. They facilitate agility, integration, and innovation. So, you expose an API to integrate and everything works just fine, right?

Well, not really. The APIs you expose internally and externally provide very valuable information. Hence, there are various concerns about security, availability, threats, and monitoring.

Gartner predicted that API abuses would be the most frequent attack vector for enterprise web application data breaches in 2022. And analysts find in a new report that “unmanaged and unsecured APIs create vulnerabilities that could accelerate multimillion-dollar security incidents.”

So what do you do? You invest in the right API gateway to make sure that things happening outside your enterprise are not breaking things within your enterprise.

Furthermore, an API is useless unless it is delivered with consistent quality – and someone actually uses it. A gateway is critical to help ensure great performance, high availability, and elastic scalability of APIs by enabling enterprises to initiate delivery with uniform supporting services, including traffic management, transformation, and system integration.

Related: Axway achieves Common Criteria EAL4+ certification for API Gateway

Gateways are part of an API architecture

Let’s take a quick step back to understand how an API gateway fits into an API architecture.

First, what’s an API architecture? Unlike API design, which focuses on why the API is being created, the outcome, and how it will be executed, API architecture is defining the entire methodology and process for running and exposing APIs.

It encompasses the API gateway (and how API security, caching, orchestration will work), developing an API portal for API analysis, API documentation, marketing APIs, making sure they work with web/mobile applications, and defining how they are exposed to internal, partner, and third-party developers.

Having a complete API architecture will help your business with the entire API lifecycle management process.

API gateways are core infrastructure

Think of an API gateway platform as an application server, but for APIs. It is seen as the API runtime environment, and provides these core services:

  • API security
  • API protocol connectivity
  • API virtualization
  • API scalability and elasticity
  • High availability
  • Manageability
  • Development simplicity

Since the core API infrastructure is provided, developers can focus on providing the application logic, and no longer need to build these services into their application.

How does an API gateway work?

By acting as a central interface for clients using APIs, an API gateway acts as the single entryway into a system allowing multiple APIs or microservices to act cohesively and provide a uniform experience to your users. An API gateway plays an important role in ensuring the reliable processing of every API call.

API gateway

As the diagram recommends, all your policies should be enforced at the API gateway — do not depend on your back-end APIs and certainly not on your front-end applications to build the right level of security to protect your APIs. All your API security challenges can and should be delegated to API gateway because you don’t have to write any code, it’s all about configuration.

Who is responsible for the platform and how is it administered?

There are two teams responsible for managing the platform: the operations team and the architecture team. Operations handles runtime management of message traffic, logs and alerts, and high availability. The security and systems architects define and manage the design-time policy, which determines the behavior of the API gateway platform.

There are five main stages in an API gateway administration lifecycle:

  1. Planning an API gateway system
  2. Installing API gateway components
  3. Configuring a domain
  4. Operating and managing the API gateway
  5. Upgrading the API gateway

Key aspects every API gateway should address

Here are some essential features to look for in an API gateway solution.

1. API Security

Access control is the number-one security driver for an API gateway technology. It serves as a governor of sorts, so an organization can manage who can access an API and establish rules around how data requests are handled. Authentication and Authorization are of primary importance. My colleague Dave McKenna shares a great analogy from a favorite movie that explains the capabilities of an API gateway.

An API gateway should ensure only authenticated users can access the backend APIs by providing an authentication layer. The API gateway should be able to integrate with existing and custom authentication providers. This ensures the back-end APIs doesn’t have to implement this logic and any changes to the authentication schemes require no changes to the backend.

Once Authenticated, the API gateway then authorizes “what” the authenticated user has access to. With Authorization, an API gateway should be able to abstract common complexities from back-end APIs. This avoids the back-end API having to maintain this logic and any subsequent changes to it.

An API gateway should be able to work with existing authorization mechanisms. It should also be able to provide fine-grained, centrally managed access rights to each individual method of an API.

In a nutshell, API security is about authentication and authorization. The effective implementation of a gateway “should be able to absorb all of that, so backend services don’t have to deal with authorization anymore.” This simplifies access rule configuration and, potentially, dealing with complex authorization logic.

Learn more from Forbes on why you need to pay attention to API security.

2. Rate-Limiting

An API gateway should help with reducing the load on backend APIs and prevent misuse. Rate-limiting provides restricted access to APIs by permitting only a certain number of requests. By exposing APIs to third-party consumers, this also could provide a revenue stream by opening up the possibilities of higher rate limits.

3. API Monitoring and Logging

An API gateway should provide default monitoring across all APIs and have the ability to track requests/response time is taken, SLA, etc. It should be able to integrate with a full-featured monitoring solution to help track this information.

Since it sits between the consumers and APIs, API gateways should provide default logging capabilities. API gateways help provide unified logging capabilities to all APIs. To help analyze multiple APIs together, the gateway should be able to provide a co-relation ID into their request headers, so backend APIs, front-end Apps can also include this ID into their logging activities.

4. Threat Protection

APIs are the gateways for enterprises to connect digitally with the world. Unfortunately, there are malicious users out there, waiting to gain access to enterprise backend systems. An API gateway needs to provide threat protection against potential hackers, malware, and/or anonymous outsiders to prevent against DDoS or SQL Injection attacks amongst others.

5. API Transformation

An API gateway should provide the capabilities to transform requests/response payloads. As organizations move from a legacy-based SOAP-based architecture to a more modern REST-base architecture and need a quick time-to-market strategy, payload transformation becomes an integral component of this requirement.

6. Scaling

As the API gateway sits between the consumers and backend APIs, it’s also in the unique position to determine any high or low activities based on the monitoring that’s enabled. Even though the gateway may not be expected to provide auto-scaling out of the box, it should be able to integrate with services that provide this capability.

An API gateway must support scalability and high availability, load balancing, shared state without compromising performance. It should provide linear scalability and fault tolerance on hardware or cloud infrastructure for mission-critical data. It should also support replicating across multiple data centers and providing lower latency for your consumers.

As the API market matures, so does the increase in security breaches. As decision-makers, you want assurances that exposing enterprise data via APIs will not create undue risk. The API gateway provides the ability to securely publish APIs in an automated manner, ensuring high availability so that developers can quickly and easily find and use them to deliver business value for your organization while ensuring integrity and confidentiality.

Read our checklist for 10 ways to stay ahead of rapidly evolving security threats