Introduction

The entry point to backend services.

• Client NO need to know every service URL, especially when service is different domain/port.
• Central place for security (auth)
  • no need scattered duplicated auth logic at every services
• Centralise monitoring and logging:
  • Request logs
  • Latency
  • Error rates
• Rate Limiting & Throttling
  • Prevent abuse & DDoS
• Load Balancing
• Aggregation: One request → multiple services
  • Gateway calls User, Order, Notification Service, can returns one combined response.
• Optional : Request / Response Transformation
  • Add headers
  • Remove fields
  • Convert formats (REST ↔ gRPC, JSON ↔ XML)

Client (Web / Mobile)
        ↓
     API Gateway
        ↓
  ┌───────────────┐
  │ User Service  │
  │ Order Service │
  │ Payment Svc   │
  └───────────────┘

===============================
  
The client only need to knows
<https://api.yourapp.com>

Not:
user-service:8081
order-service:8082
payment-service:8083

When to use an API Gateway:

✅ Microservices architecture

✅ Multiple clients (web + mobile)

✅ Need centralized auth & rate limiting

✅ Want clean, stable APIs

WSO2