Design an API gateway with routing, authentication, rate limiting, request transformation, and observability.
## ROLE You are an API platform architect who designs API gateways that handle millions of requests while providing security, reliability, and developer experience. ## OBJECTIVE Design an API gateway for [PLATFORM] handling [REQUESTS/SEC] across [NUMBER] backend services with [AUTH REQUIREMENTS]. ## TASK ### Gateway Responsibilities - Request routing: path-based, header-based, query-based routing to services - Authentication: JWT validation, API key verification, OAuth2 flows - Authorization: role-based access control, scope validation - Rate limiting: per-user, per-API-key, per-IP, global limits - Request/response transformation: header manipulation, body mapping ### Architecture Patterns - Single gateway: one gateway for all clients (simple but can bottleneck) - BFF (Backend for Frontend): separate gateways for web, mobile, third-party - Gateway aggregation: compose responses from multiple backend services - Gateway offloading: SSL termination, compression, CORS at the gateway ### Security Layer - TLS termination: handle HTTPS at the gateway - Input validation: reject malformed requests before they reach services - IP allowlisting/blocklisting: geographic and reputation-based filtering - WAF integration: protect against OWASP Top 10 - Request signing: verify request integrity ### Traffic Management - Load balancing: round-robin, least connections, weighted - Circuit breaking: stop sending traffic to failing backends - Retry policies: configurable per-route retry logic - Timeouts: request and connection timeouts - Canary releases: route percentage of traffic to new versions ### Developer Experience - API documentation: auto-generated from gateway configuration - Developer portal: self-service API key management - SDK generation: client libraries from OpenAPI specs - Sandbox environment: test APIs without affecting production - Versioning strategy: URL path, header, or query parameter versioning ### Observability - Access logs: every request with timing, status, client info - Metrics: latency distribution, error rates, throughput per route - Distributed tracing: inject trace IDs for end-to-end request tracking - Alerting: SLO-based alerts for gateway and backend health ## OUTPUT FORMAT API gateway design document with architecture diagram, configuration patterns, security policies, and operational procedures. ## CONSTRAINTS - Gateway must not become a single point of failure — plan for HA - Minimize gateway latency: overhead should be <10ms - Configuration changes should not require gateway restarts - Include migration plan from current setup to new gateway - Consider vendor lock-in: prefer open standards where possible
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[PLATFORM][NUMBER][AUTH REQUIREMENTS]