API Gateway Security Layer
API gateway enforces auth, rate limits, etc.
Authentication
The API gateway is the choke point through which every external request flows, which makes it the single most efficient layer at which to enforce authentication. Pushing authentication into individual services produces inconsistency: each service reimplements token validation, each service has its own subtle bugs, and the security posture is the union of every service's worst day. Centralizing authentication at the gateway fixes that whole class of problem.
What gateway-level authentication looks like:
- JWT validation.: The gateway validates the signature, the issuer, the audience, and the expiry of every incoming JWT. Tokens that fail any check are rejected before reaching backend services. The backends never have to write JWT validation code; they just trust the gateway has done it.
- API key checks.: For machine-to-machine traffic, the gateway maps API keys to tenant identities, validates them against a key store, and decorates the request with the tenant identity for downstream services. Key rotation, revocation, and rate limiting all happen at the gateway.
- OAuth flows handled centrally.: Authorization code, client credentials, refresh tokens. The gateway handles the OAuth dance; backends receive a validated identity in a request header. The OAuth complexity lives in one place.
- mTLS for service-to-service.: Internal service-to-service calls present client certificates; the gateway (or service mesh acting as a gateway) validates the cert chain and the SAN against the expected service identity. mTLS never leaks beyond the gateway boundary.
- Centralised secret rotation.: Validation keys, signing keys, and trust roots are rotated at the gateway without coordinating with every backend. The blast radius of a key rotation is the gateway's deploy cycle, not the union of every backend's deploy cycle.
The biggest reason to push authentication to the gateway is consistency. Whatever the policy is, every request gets the same treatment. The biggest reason teams resist is that it requires a working gateway, which is an investment many small teams have not made.
Authorization
Authentication answers "who is this." Authorization answers "what are they allowed to do." The gateway is also the right layer for the second question, but only for the coarse-grained policy. Fine-grained authorization (this user can edit row 47 because they own it) belongs in the service.
- Per-route role-based access control.: The gateway knows which routes require which roles. POST to /admin/users requires admin role; GET to /me requires authenticated user. The mapping is policy-as-code, version-controlled, reviewable. Routes added without an explicit policy default to deny.
- Policy enforced once, at the edge.: A request that lacks the required role is rejected at the gateway before consuming any backend resources. This is both a security property (defense in depth, even if a backend has a bug) and a capacity property (DDoS-style abuse against unauthenticated routes never reaches backends).
- Tenant isolation at the gateway.: Multi-tenant SaaS systems use the gateway to scope every request to its tenant. The tenant ID is extracted from the token and attached to the request; backends operate within that scope by default. Cross-tenant leakage at the gateway boundary is a class of bug that becomes much harder to introduce.
- Coarse-grained, not fine-grained.: The gateway enforces "this user can hit this route." The service enforces "this user can act on this object." Trying to do per-object authorization at the gateway requires the gateway to know about every object, which is a maintainability nightmare. Keep the gateway's policy at the route level.
- Policy as code, reviewed like code.: Authorization policy is checked into source control alongside the code it protects. Changes go through the same review process. Production policy is deployed via the same pipeline. This is the difference between policy that drifts and policy that is governed.
Splitting authorization between the gateway (route-level) and the services (object-level) is the pattern that scales. Putting all of it in the gateway is brittle; spreading all of it across services is inconsistent.
Audit
The third reason to centralize at the gateway is audit. Every request that touches the system passes through one place, which means audit logging at the gateway captures the complete trail without depending on every backend to log correctly.
- Every request logged.: Method, path, request ID, authenticated identity, response status, response time, tenant scope, source IP, user agent. The structured log entry is rich enough to reconstruct any request after the fact and to support compliance, security, and debugging investigations.
- Compliance trail.: Most regulatory frameworks (SOC 2, HIPAA, PCI DSS, ISO 27001) require comprehensive audit logging. Centralizing audit at the gateway gives auditors one source of truth instead of having to verify that every backend logs consistently.
- One audit point, complete coverage.: Backends might forget to log specific edge cases, especially error paths. The gateway sees the request regardless of whether the backend handled it correctly, so the audit trail covers cases that would otherwise be invisible.
- Tamper-evident retention.: Audit logs from the gateway flow to a write-once, append-only store with retention measured in years, not days. The retention store is separate from the operational logging system; access to it is restricted; signatures or hashes detect modification.
- Real-time anomaly detection.: Gateway audit logs are the input to real-time security monitoring. Unusual patterns (a single user hitting 100 different tenants, a credential being used from two countries simultaneously, a sudden spike in 401 errors) are detected on the audit stream rather than after the fact.
Authentication, authorization, and audit at the gateway is the security architecture pattern that scales from a 5-service startup to a 5,000-service enterprise. Nova AI Ops integrates with API gateway audit streams, correlates anomalies across the request log with backend SLO health, and surfaces the security signal alongside the operational signal so the SOC and the SRE team are looking at the same source of truth.