API Gateway Pattern for Microservices

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and maintenance of all types of websites:
Informational websites or web applications
Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators
E-commerce websites or web applications
Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers
Business process management web applications
CRM systems, ERP systems, corporate portals, production management systems, information parsers
Electronic service websites or web applications
Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 2065 services
API Gateway Pattern for Microservices
Complex
~2-4 weeks
FAQ
Our competencies:
Development stages
Latest works
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1161
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1041
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    822
  • image_crm_chasseurs_493_0.webp
    CRM development for Chasseurs
    847
  • image_website-sbh_0.png
    Website development for SBH Partners
    999
  • image_website-_0.png
    Website development for Red Pear
    451
Show more works

Implementing API Gateway Pattern for Microservices

An API Gateway is a single entry point for all clients in the system. Instead of frontend or mobile applications communicating directly with dozens of microservices, they interact with one gateway that routes requests, aggregates data, applies authentication, and enforces rate limiting.

API Gateway Functions

  • Routing/api/orders → Order Service, /api/users → User Service
  • Authentication and Authorization — JWT/OAuth2 is verified once at the gateway
  • Rate Limiting — protection against abuse
  • SSL Termination — TLS terminates at the gateway, microservices communicate via HTTP internally
  • Request/Response Transformation — modifying formats, adding headers
  • Request Aggregation — one client request → multiple service requests
  • Circuit Breaker — protection against cascading failures
  • Logging and Tracing — single point for collecting access logs

Implementation Options

Tool Type Features
Kong Self-hosted / Cloud Lua/Go plugins, Kubernetes Ingress
Traefik Self-hosted Auto-discovery in Docker/K8s
AWS API Gateway Managed Lambda integration, IAM
NGINX + Lua Self-hosted Maximum control
Envoy Proxy gRPC, complex scenarios
Express Gateway Node.js Simple cases

Kong Configuration

Kong is the most popular self-hosted gateway:

# kong.yaml (declarative configuration)
_format_version: "3.0"

services:
  - name: order-service
    url: http://order-service:3000
    routes:
      - name: orders-route
        paths: ["/api/orders"]
        methods: ["GET", "POST", "PUT", "DELETE"]

  - name: user-service
    url: http://user-service:3001
    routes:
      - name: users-route
        paths: ["/api/users"]
        methods: ["GET", "PUT"]

plugins:
  - name: jwt
    config:
      claims_to_verify: ["exp"]
  - name: rate-limiting
    config:
      minute: 100
      hour: 5000
      policy: local
  - name: request-transformer
    config:
      add:
        headers: ["X-Service-Version:1.0"]

Gateway-Level Authentication

JWT is verified at the gateway, and microservices receive already-validated headers with user data:

// Custom middleware on Express Gateway
async function jwtMiddleware(req, res, next) {
  const token = req.headers.authorization?.replace('Bearer ', '');
  if (!token) return res.status(401).json({ error: 'No token' });

  try {
    const payload = jwt.verify(token, process.env.JWT_SECRET);
    // Pass user data in headers
    req.headers['X-User-Id'] = payload.sub;
    req.headers['X-User-Role'] = payload.role;
    req.headers['X-User-Email'] = payload.email;
    next();
  } catch {
    res.status(401).json({ error: 'Invalid token' });
  }
}

Request Aggregation (BFF Pattern in Gateway)

A mobile client retrieves data from multiple services in a single request:

// Gateway aggregates data from multiple services
app.get('/api/dashboard/:userId', jwtMiddleware, async (req, res) => {
  const { userId } = req.params;

  const [user, orders, notifications] = await Promise.allSettled([
    userService.get(`/users/${userId}`),
    orderService.get(`/orders?customerId=${userId}&limit=5`),
    notificationService.get(`/notifications/${userId}/unread`)
  ]);

  res.json({
    user: user.status === 'fulfilled' ? user.value.data : null,
    recentOrders: orders.status === 'fulfilled' ? orders.value.data : [],
    unreadCount: notifications.status === 'fulfilled'
      ? notifications.value.data.count : 0
  });
});

Traefik Configuration in Kubernetes

# Traefik IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: api-gateway
spec:
  entryPoints:
    - websecure
  routes:
    - match: PathPrefix(`/api/orders`)
      kind: Rule
      services:
        - name: order-service
          port: 3000
      middlewares:
        - name: jwt-auth
        - name: rate-limit
    - match: PathPrefix(`/api/users`)
      kind: Rule
      services:
        - name: user-service
          port: 3001
      middlewares:
        - name: jwt-auth

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
spec:
  rateLimit:
    average: 100
    burst: 50
    period: 1m

Versioning via Gateway

// Header-based versioning
app.use((req, res, next) => {
  const version = req.headers['api-version'] || 'v1';

  if (version === 'v2') {
    req.url = req.url.replace('/api/', '/api/v2/');
  }
  next();
});

Implementation Timeline

  • Basic Kong or Traefik setup with routing and JWT — 3–5 days
  • Rate limiting, circuit breaker, logging configuration — 2–3 days
  • Aggregating gateway with custom business logic — 1–2 weeks