API Gateway
An API Gateway is the public front door for your backend APIs.
Instead of exposing every backend service directly, you expose one gateway URL:
https://my-api.authgate.site
AuthGate receives the request, finds the matching route, checks security if needed, and forwards the request to the correct backend service.
Request flow
Client
-> Gateway URL
-> Route match
-> Security check
-> Backend service
Example:
GET https://shop-api.authgate.site/api/products/1
AuthGate can forward it to:
GET https://dummyjson.com/products/1
Services
A service is the backend API that AuthGate forwards requests to.
Examples:
| Service name | Target URL |
|---|---|
| catalog-api | https://dummyjson.com |
| user-service | http://user-service:8080 |
| payment-service | http://payment-service:8085 |
For your first test, use a public API such as:
https://jsonplaceholder.typicode.com
or:
https://dummyjson.com
Routes
A route maps a gateway path to a service path.
| Route field | Meaning |
|---|---|
| Method | The HTTP method, such as GET, POST, PUT, PATCH, or DELETE. |
| Public path | The path users call on the gateway URL. |
| Target path | The path AuthGate calls on the backend service. |
| Service | The backend service that receives the request. |
| Security | Whether the route is PUBLIC or SECURE. |
Example route:
| Field | Value |
|---|---|
| Method | GET |
| Public path | /api/products/{id} |
| Target path | /products/{id} |
| Service | catalog-api |
| Security | PUBLIC |
If the user calls /api/products/1, AuthGate forwards to /products/1.
Route security
AuthGate routes can be:
| Security | Meaning |
|---|---|
| PUBLIC | No authentication is required. Good for product lists, docs, and public content. |
| SECURE | AuthGate validates the request before forwarding it. Good for profile, orders, writes, and admin actions. |
The gateway auth type decides what a SECURE route expects:
| Gateway auth type | Secure request needs |
|---|---|
| API Key | X-Api-Key header from an API consumer. |
| Basic Auth | Basic username and password from an API consumer. |
| JWT | Bearer token from the consumer auth flow. |
| OAuth2 | Access token issued by AuthGate IAM for the bound OAuth2 client. |
| BFF | Valid BFF session cookie. |
API consumers
An API consumer is an app, user, or partner system allowed to call a secure non-OAuth2 gateway route.
For API Key gateways, creating an API consumer gives you an API key. Store it carefully because secret values are usually shown only once.
curl https://my-api.authgate.site/api/private-data \
-H "X-Api-Key: <your_api_key>"
Under the hood
AuthGate separates configuration from runtime traffic:
| Area | What it does |
|---|---|
| Management side | Stores gateways, services, routes, consumers, and frontend app settings. |
| Runtime side | Reads the active gateway config, matches requests, validates security, and forwards traffic. |
You do not need to understand CQRS, Redis, or Axon to use AuthGate, but those pieces help the platform update runtime gateway behavior without hardcoding routes.
Beginner rule: first make one PUBLIC GET route work. After that, make a SECURE route and test the auth behavior.
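The request flow on this page (route match, security check, forward), as an added sketch that is not AuthGate's own code. The route table, the `/api/private-data` target path, the demo key, the exact-case header lookup, and the choice to answer unmatched requests with 404 are assumptions made for illustration.

```python
import hmac
from urllib.parse import unquote

# Constructed config mirroring the page's examples; the SECURE route and key are assumptions.
SERVICES = {"catalog-api": "https://dummyjson.com"}
ROUTES = [
    {"method": "GET", "public": "/api/products/{id}", "target": "/products/{id}",
     "service": "catalog-api", "security": "PUBLIC"},
    {"method": "GET", "public": "/api/private-data", "target": "/private-data",
     "service": "catalog-api", "security": "SECURE"},
]
API_KEYS = {"constructed-demo-key"}  # placeholder value, not a real key


def match(template, path):
    """Match a path against a route template segment by segment; return params or None."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return None
    params = {}
    for t, p in zip(t_parts, p_parts):
        if t.startswith("{") and t.endswith("}"):
            value = unquote(p)
            # A placeholder must stay one segment: reject values that would alter the upstream path.
            if not value or value in (".", "..") or "/" in value or "\\" in value:
                return None
            params[t[1:-1]] = p
        elif t != p:
            return None
    return params


def resolve(method, path, headers):
    """Return (status, upstream_url); requests with no matching route are never forwarded."""
    for r in ROUTES:
        params = match(r["public"], path) if r["method"] == method else None
        if params is None:
            continue
        if r["security"] == "SECURE":
            key = headers.get("X-Api-Key", "").encode()
            if not any(hmac.compare_digest(key, k.encode()) for k in API_KEYS):
                return 401, None
        target = r["target"]
        for name, value in params.items():
            target = target.replace("{" + name + "}", value)
        return 200, SERVICES[r["service"]] + target
    return 404, None
```

The security check runs before the target URL is built, so a rejected request never produces an upstream call. The key comparison uses a constant-time compare.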