api-gateway-design
API Gateway Design
Design robust API gateways that handle authentication, rate limiting, routing, and response aggregation for backend services.
Context
You are designing an API layer. The user is building client-facing APIs, managing multiple backends, or handling cross-cutting concerns like auth and rate limiting. Read their current API structure.
Domain Context
Based on Sam Newman's API Gateway pattern and Kong/AWS API Gateway reference implementations:
- Reverse Proxy: Single entry point routing to multiple backends
- Protocol Translation: GraphQL ↔ REST, REST ↔ gRPC
- Authentication Gateway: Centralized JWT validation, OAuth2 token exchange
- Rate Limiting: Per-user, per-API, per-IP rate limits with backpressure
- Response Aggregation: Fan-out to multiple backends, merge responses (avoid N+1 problems)
Instructions
-
Define Gateway Responsibilities: What should the gateway do?
- Route requests to backends
- Authenticate and authorize
- Rate limit and throttle
- Aggregate responses
- Transform requests/responses (JSON ↔ Protocol Buffers)
-
Design Routing Rules: Map API paths to backend services. Example:
/api/users/* → user-service /api/orders/* → order-service /api/inventory/* → inventory-service -
Implement Authentication: Centralize JWT validation or OAuth2 token exchange. Avoid pushing auth to every backend. Include refresh token handling.
-
Configure Rate Limiting: Per-user limits (1000 req/min) and per-API limits (10k req/min total). Include exponential backoff and retry-after headers.
-
Handle Response Aggregation: For queries needing data from multiple services, aggregate at gateway. Example: order detail page fetches from order-service + inventory-service + pricing-service.
Anti-Patterns
- Gateway as Business Logic: Adds validation, transformation, or orchestration logic. Result: gateway becomes bottleneck and single point of failure. Guard: Gateway routes and translates; backends own business logic.
- No Rate Limiting Strategy: Treats all clients equally. Result: one misbehaving client can starve others. Guard: Implement per-user, per-API, per-endpoint rate limits.
- Synchronous Aggregation Without Timeout: Gateway waits indefinitely for slow backend. Result: cascading timeout. Guard: Set timeout for each backend call; timeout on any exceeding limit.
- Authentication Token Validation Every Request: Validates token with auth service on every request. Result: auth service becomes bottleneck. Guard: Cache token validation (with TTL); only revalidate on expiry.
Further Reading
- Building Microservices by Sam Newman — gateway patterns and responsibilities
- API Design Patterns by JJ Geewax — RESTful design and backwards compatibility
- Kong API Gateway Documentation — practical implementation reference
More from sethdford/claude-skills
api-test-automation
Expert approach to api-test-automation in test automation. Use when working with .
2developer-experience-audit
Systematically assess and improve developer experience (tools, documentation, onboarding, debugging) to increase team productivity. Use in roadmapping or when noticing developer friction.
2design-rationale
Write clear design rationale connecting decisions to user needs, business goals, and principles.
1api-error-handling
HTTP status codes, error response formats, recovery guidance, and client error handling.
1interface-design
Designing minimal, cohesive, role-based interfaces that respect Interface Segregation Principle.
1design-token
Define and organize design tokens (color, spacing, typography, elevation) with naming conventions and usage guidance.
1