API Gateway

Architecture

A server that acts as the single entry point for API requests, handling authentication, rate limiting, routing, and transformation. CDNs increasingly serve as API gateways at the edge.

Updated Mar 17, 2026

Full Explanation

An API gateway sits between clients and your backend services. Every API request goes through it. The gateway handles cross-cutting concerns like authentication, rate limiting, request routing, protocol translation, and response caching so your individual services don't have to.

Traditional API gateways (Kong, AWS API Gateway, Apigee) run in your cloud region. But CDNs have been absorbing gateway functionality at the edge. Cloudflare API Shield, Fastly's edge compute, and Akamai's API acceleration all provide gateway features at hundreds of PoPs worldwide. This means your API auth and rate limiting happen milliseconds from the user instead of hundreds of milliseconds away at your origin region.

The typical gateway responsibilities break down like this:

  • Authentication: validate JWTs, API keys, or OAuth tokens before requests reach your backend.
  • Rate limiting: enforce per-client or per-endpoint limits using token bucket or sliding window algorithms.
  • Routing: direct /v1/users to the users service and /v1/orders to the orders service.
  • Transformation: convert between protocols (REST to gRPC) or reshape request/response bodies.
  • Caching: serve repeated GET responses from cache.

Running gateway logic on a CDN edge has real advantages. DDoS attacks and abusive clients get blocked at the edge, never touching your infrastructure, provided the origin accepts traffic only from the CDN (origin IP allowlists or mutual TLS between edge and origin); an origin that is reachable directly gives attackers a path around every edge control. Cached API responses are served from the nearest PoP. JWT validation at the edge means invalid tokens are rejected in 5ms instead of 200ms. Geographic routing decisions happen right where the traffic enters the network.

The tradeoff is complexity. Edge-based gateways have limited state. You can't easily do cross-request correlation or complex rate limiting that requires shared state across all edge nodes. Distributed rate limiting is an approximation, not exact: each PoP enforces the limit against what it alone has seen, so a client whose traffic lands on several PoPs gets several times the allowance. Validating tokens at the edge also puts verification key material in every PoP; with HMAC-signed tokens (HS256) that is the signing secret itself, so tokens signed with an asymmetric algorithm (RS256, ES256), where the edge holds only the public key, limit what a compromised or misconfigured edge can do. And debugging is harder when logic runs across 300 PoPs instead of one centralized gateway.

A common pattern is layered gateways: CDN edge handles authentication, basic rate limiting, and caching, while a centralized gateway behind the CDN handles complex routing, transformation, and stateful operations. This gives you the latency benefits of the edge with the precision of a centralized system. The inner gateway should still treat the request as untrusted: it must not honor a client-supplied header claiming the edge already authenticated the request unless the edge strips and sets that header itself, and it should re-verify the token rather than rely on the edge check alone.

Examples

# Cloudflare Worker as API Gateway
// validateJWT is assumed to live in a local helper module; it is not a platform API
import { validateJWT } from './jwt.js';

export default {
  // `env` carries the bindings configured in wrangler.toml (RATE_LIMITER, JWT_SECRET)
  async fetch(request, env) {
    // Rate limiting check, keyed on the client address Cloudflare saw
    const ip = request.headers.get('CF-Connecting-IP') ?? 'unknown';
    const { success } = await env.RATE_LIMITER.limit({ key: ip });
    if (!success) {
      return new Response('Rate limited', { status: 429 });
    }

    // JWT validation at edge: expect "Authorization: Bearer <token>"
    const auth = request.headers.get('Authorization') ?? '';
    const token = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : null;
    if (!token || !(await validateJWT(token, env.JWT_SECRET))) {
      return new Response('Unauthorized', { status: 401 });
    }

    // Route to backend, preserving method, headers, query string and body
    const url = new URL(request.url);
    const origin = url.pathname.startsWith('/v1/users')
      ? 'https://users-api.internal'
      : 'https://default-api.internal';
    return fetch(new Request(origin + url.pathname + url.search, request));
  }
};

# Nginx as API Gateway with rate limiting
events {}

http {
    # 10 r/s per client address; a 10m zone holds roughly 160k address states.
    # If nginx sits behind a CDN, $binary_remote_addr is the CDN edge's address,
    # so configure the real_ip module (set_real_ip_from / real_ip_header) to key
    # on the actual client instead of collapsing all traffic into a few buckets.
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    # Return 429 when a client is limited instead of nginx's default 503
    limit_req_status 429;

    upstream users_service {
        server users:8080;
    }

    server {
        listen 80;

        location /v1/users {
            # allow a burst of 20 above the steady rate, served without delay
            limit_req zone=api burst=20 nodelay;
            proxy_set_header Host $host;
            proxy_pass http://users_service;
        }
    }
}

Related CDN concepts include:

  • Rate Limiting — Restricting the number of requests a client can make within a time window. Protects origins …
  • Token Authentication — Protecting CDN-delivered content with signed URLs or tokens that expire after a set time. Prevents …
  • WAF (Web Application Firewall) — Inspects HTTP requests at the CDN edge and blocks malicious traffic: SQL …
  • JWT (JSON Web Token) — A compact, URL-safe token format for securely transmitting claims between parties. Widely used for CDN …