What is an API gateway?

Its functions include routing and transforming client requests, aggregating responses, enforcing security policies and integrating with analytics and monitoring tools.

An application programming interface (API) is a set of rules or protocols that enable software applications to exchange data, features and functionality. APIs help enterprises use both internal and third-party services without having to build custom integrations for each. More than eight in 10 companies have adopted some degree of an API-first strategy, while 25% consider themselves fully API-first, according to Postman’s 2025 State of the API Report.

API gateways play a key role in modern IT environments by streamlining API interactions and helping client applications access a wide variety of services (through those services’ respective APIs)—even services developed in different programming languages, hosted on diverse platforms or deployed across cloud, edge and on-premises environments.

API gateways can serve both internal users accessing a first or third-party application and external users, such as customers or business partners. In federated systems, enterprises use multiple gateways to enforce different security protocols and standards depending on API group or user type.

API gateways often feature two main architectural layers:

• The control plane handles configuration and management—setting security policies, logging and monitoring API requests and defining routing rules.
   

• The data plane routes API requests in real time while enforcing routing guidelines, security protocols and data constraints set by the control plane.

A request for data from a client to an API is known as an API call. The API gateway receives an API call (sometimes called an API request), routes it to one or more backend services, gathers the requested data and delivers it to the client in a single, combined response. Otherwise, the client would need to directly interface with multiple APIs to access each relevant service or data source.

For example, a healthcare system might use an API gateway to help patients connect to multiple backend services through a user-facing application. Using a laptop or phone, patients can review medical records, schedule appointments, make payments and send messages from the same dashboard. The API gateway acts as a single entry point, routing API calls to the appropriate service, so users do not need to navigate between multiple platforms to access each service. It also supports encryption, authorization enforcement and other security measures to help protect sensitive patient data.

Before exploring how API gateways are implemented, it’s important to understand how they differ from APIs themselves. APIs are sets of rules and protocols that enable different software applications to communicate, often through the web-based protocols HTTP or HTTPS. They are like floors inside an office building, with each floor representing a specific service. To retrieve data, the client must visit the corresponding floor to access the service inside.

An API gateway, meanwhile, is like the front door of the office building—the single pass-through point that clients must use to reach each floor. In many configurations, the gateway also acts as a door attendant: It checks visitors’ credentials to determine which floors they have permission to access. And instead of requiring clients to explore each floor on their own, it retrieves requested information or services on their behalf and returns it to them as a single package.

API gateways help organizations provide a consistent, secure and efficient API experience for users. Key functions and responsibilities include:

Acting as a unified API endpoint, the gateway receives incoming calls, authenticates them, processes them based on organizational policies and routes them to the appropriate backend services. Then, the gateway aggregates and returns the results to the API client (often a user-facing app or website) in composite form.

This process enables users to access several resources with a single API call and receive one cohesive response. In some configurations, the gateway operates alongside a workflow orchestration layer that can coordinate multi-step, automated tasks to streamline business functions.

API management is the scalable process of creating, publishing and managing APIs within an enterprise. According to multi-cloud firm f5, modern organizations often manage thousands of APIs simultaneously, making visibility, control and governance an ongoing challenge.

API gateways simplify this complexity by centralizing management tasks such as request routing, versioning, load balancing and traffic management. They also improve API observability by generating logs of API calls and integrating with analytics tools, giving teams deeper insight into API usage patterns and performance.

API security refers to the practices and procedures that protect APIs from misuse, malicious attacks and other cybersecurity threats. API gateways help enforce API security protocols by managing authentication, authorization and other permission and access controls.

They use encryption protocols such as transport layer security (TLS) and open authorization (OAuth) to help maintain a secure network and facilitate safe connections. Rate limiting, or allowing a certain number of requests per user, can protect against distributed denial of service (DDoS) attacks. Finally, the API gateway handles governance and oversight for every API in its purview, protecting against misalignments, shadow APIs and other security vulnerabilities.

API gateways can monitor and log API requests, responses and errors. Organizations use this analytics data to gain a better understanding of API traffic and performance, improve troubleshooting and strengthen security.

Logs and metrics not only improve visibility, helping teams quickly identify errors and security threats, but also provide context into how and why errors emerge. This contributes to long-term system health.

API gateways can strengthen enterprise efficiency by improving the performance and availability of backend services, and contributing to a more reliable, responsive experience for users. 

Response compression enables the gateway to transform large responses into smaller files, reducing bandwidth consumption and load times. Caching helps enterprises store commonly referenced data locally, enhancing performance while minimizing costs and server load.

Finally, while enterprises often implement rate limiting for security purposes, the tactic also promotes stability. It helps prevent servers from becoming overwhelmed and helps ensure that API access is distributed fairly.

While they share core functions, API gateway deployments can vary depending on architecture and implementation. Common frameworks include:

A microservices architecture is a software development approach that breaks applications into smaller, independently functioning parts. Each microservice is responsible for a single function and can be deployed and scaled autonomously. At the same time, services can easily communicate through APIs, serving as modular building blocks for larger programs. Nearly three-quarters of organizations use microservices, while an additional 23% plan to implement the framework in the future, according to a 2023 Gartner report.

In a microservices environment, API gateways often handle north-south traffic, routing API calls from external clients to the appropriate backend service. They often work together with service meshes, which mostly handle east-west traffic, or communications between services within the microservice environment.

There are some exceptions—an API gateway can be configured to route internal traffic, especially in modern settings. But the gateway tends to sit in a separate architectural layer, while service meshes are deployed alongside or integrated with each service to facilitate and manage internal connections.  

In a microservices environment, the API gateway plays a key role by enabling organizations to return requested resources through a single API call. For example, an e-commerce company might have separate services for product information, pricing and inventory. With an API gateway, an application can fetch information or access functions from each service through a single request. This streamlined workflow is especially useful as microservice environments grow more complex, with enterprises adding new services and APIs over time.

Kubernetes is an open source orchestration system that helps enterprises deploy, scale and manage services inside containerized environments, where applications are packaged as lightweight containers bundled with their dependencies. Kubernetes is frequently used in microservice architectures, although it can also support monolithic, serverless and other frameworks. The orchestration platform plays a critical role in modern cloud infrastructure, enabling developers to build applications once and deploy them anywhere.

API gateways can interact with a containerized Kubernetes cluster in multiple ways:

• When deployed in front of more than one Kubernetes cluster, an API gateway can integrate with a load balancer, directing traffic to the correct cluster so that no single instance becomes overloaded.
   

• When deployed at the edge of a Kubernetes cluster, an API gateway can act as an ingress controller. Ingress controllers direct traffic into a Kubernetes cluster, to the requested services and then back out again.
   

• When deployed inside a Kubernetes cluster, an API gateway can complement and work alongside a service mesh, which handles communication between internal containerized services. This integration can improve load balancing, service discovery, traffic routing and end-to-end encryption.

In a serverless model, developers do not directly interface with the servers that power their applications. Instead, cloud providers are responsible for provisioning and managing servers, so developers can focus solely on writing and deploying code.

In a serverless context, API gateways work like gateways in microservice environments, but instead of retrieving data from long-running services, they trigger events (instructions that initiate particular actions) based on client requests. This approach helps ensure that applications run only when needed, improving security and efficiency.

A serverless deployment model can be used to implement a microservices architecture, creating a sort of hybrid infrastructure, where each service operates as a serverless deployment (rather than a containerized or virtual machine deployment). Such a configuration can reduce costs and improve scalability, especially for variable workloads.

Not every API management implementation looks the same. Components might differ based on system complexity, architectural approach and intended use case—although the distinctions aren’t always clear, with some components sharing overlapping roles and functions.

An ingress controller is a Kubernetes-native software component that acts as a reverse proxy, routing external HTTP (or HTTPS) traffic to services within a Kubernetes cluster based on a set of ingress rules. Ingress controllers often feature load balancing capabilities, which intelligently direct traffic to different services to help ensure network stability. They can also dynamically adjust their routing behaviors to accommodate new deployments and configuration updates.

Although Kubernetes ingress controllers perform some of the same functions as API gateways, the role of API gateways is generally broader in scope, incorporating more high-level management capabilities such as auditing, logging, access control and security. Also, while API gateways can support various configurations, ingress controllers are specific to Kubernetes environments.

A service mesh is an infrastructure layer that facilitates communication between internal services, enabling them to efficiently share data and functions. While the control plane (which sets configurations and policies) is centralized, the data plane is distributed across every service through lightweight sidecar proxies.

These proxies, which sit alongside each service instance, execute control plane policies, including security, logging, routing and encryption. In contrast, API gateways typically exist at the edge of the network, in a separate architectural layer from both the client and the APIs they manage.

Although a service mesh helps internal services exchange data and information, it still needs a way to interact with external traffic. In this case, a special component called an ingress gateway acts as the mesh’s entry point, handling external traffic routing while maintaining security and performance policies. API gateways and service meshes are often used in conjunction—with the API gateway handling public-facing interactions and service meshes facilitating connections between services.

The more complex an API environment—and the greater the traffic APIs receive—the more value an API gateway can provide. Beyond routing traffic to backend services, API gateways can also:

API gateways can optimize traffic routing to help lower latency and improve the user experience. Rate limiting sets a cap on the number of requests that a client can make and blocks excessive requests. Request throttling manages traffic spikes by slowing, delaying or queuing requests. And load balancing helps enterprises determine the health of a server based on real-time metrics and adjust routing paths accordingly.

Together, these strategies protect backend services from becoming overloaded or compromised, minimize response times and contribute to faster, more reliable service.

API gateways help organizations balance API traffic and workloads as the organization scales. Gateways can integrate with automation systems to add or remove instances in real time based on traffic demand, enabling developers to focus on core business logic and API development rather than administration.

API gateways can also strengthen and accelerate DevOps deployments by defining and enforcing consistent security and traffic distribution policies. Because gateways reduce technical complexity and promote interoperability and integration, they enable developers to focus on building new, unique features rather than consistently rebuilding common functions like traffic control or protocol translation.

Finally, because gateways can effectively manage multiple versions of an API, developers can test several iterations before deployment—or maintain an instance of an older API version for a specific use case.

While APIs have distinct roles and responsibilities, they often share some common workflows.

For example, many API calls go through an identical authorization and validation process to comply with security protocols. Each API might be subject to the same logging and monitoring policies, which are used to gain insight into usage rates and traffic. Finally, if APIs are monetized, every call might need to be routed to a billing service. An API gateway can automate and orchestrate these tasks, promoting smooth workflows and system-wide consistency.

API gateways also support secure sockets layer (SSL) termination—a method used to decrypt sensitive data, such as passwords and credit card numbers, at the gateway—offloading this performance-intensive task away from individual APIs. Finally, when multiple iterations of an application are deployed on the same server, API gateways can seamlessly direct traffic to the appropriate version by reading headers, URL paths and query parameters.

Because APIs play a vital role in modern IT infrastructure, they are often at risk of cyberattacks, including DDoS attacks, parameter tampering, injection attacks and other threats. API gateways can help protect against these threats with rate limiting, API authentication, request authorization and other techniques.

API gateways often feature integrated identity and access management (IAM) systems, which provide visibility into who is attempting to interact with which services. They can also monitor API usage, log traffic and analyze metrics to identify suspicious behaviors or vulnerabilities before an attack occurs. Finally, API gateways can be used together with tools such as web application firewalls (WAF), which monitor, filter and block malicious HTTP traffic.

API gateways can unite services that use different data formats and APIs with different archtectures or protocols—such as representational state transfer (REST API), SOAP, gRPC and WebSocket.

Without an API gateway, different formats and protocols might cause communication issues between clients and backend services. Gateways mitigate this challenge by performing data and protocol conversion, automatically transforming requests and responses into compatible formats for both clients and servers.

Enterprises can also synchronize documentation and access keys between the API gateway and the developer portal (the central repository where developers can discover and implement new APIs) so that the development environment accurately reflects the latest API rollouts and updates.

Legacy applications can be a barrier to progress, especially when they are incompatible with modern environments and API implementations. However, legacy apps are often worth preserving because they contain essential data and functions that can’t be easily replaced.

API gateways help organizations integrate, reuse and repurpose legacy applications in modern cloud environments, rather than abandoning them or rebuilding them from scratch. The gateway’s conversion capabilities enable organizations to preserve a legacy app’s original code and formatting—even when the rest of the company has moved on to newer systems.

Decoupling, which involves breaking down services into smaller parts, enables API gateways to apply rate limiting, throttling and other practices to legacy apps to help modernize their functionality and extend their lifecycle. This strategy also helps organizations keep services online even as they update them behind the scenes.

As the control center of an application’s inbound traffic, API gateways can provide a comprehensive view of API use and performance. Custom charts and dashboards help organizations visualize traffic patterns, throughput, response times and other metrics. Notifications alert teams to potential errors and breaches before they affect application performance or security.

While API gateways can help resolve complicated routing issues, they can also introduce new problems. Common challenges include:

While API gateways can promote scalability in some regards, they can also present scalability challenges that must be addressed.

API gateways typically help streamline API communication, resource allocation and routing requests. However, misconfigurations and insufficient capacity can have the opposite effect—increasing the risk of bottlenecks (after all, an API gateway provides a single point of entry) and adding additional strain to the system.

Careful architecture design that considers horizontal scaling opportunities (using multiple gateways), load balancing strategies, auto-scaling policies and monitoring capabilities can help avoid scalability issues. 

As with scalability, a gateway’s effect on IT complexity is nuanced. A gateway does eliminate some IT complexity through uniform management and policy enforcement, as well as automatic data and protocol translation.

However, API gateways introduce an additional layer to an enterprise’s API ecosystem, requiring extra maintenance, compute and expertise. Developers might find it more difficult to test new deployments because API gateways can be difficult to accurately re-create in a virtual environment. This limitation makes it challenging for teams to know in advance how rollouts might impact the system.

A DevOps practice called infrastructure as code (IaC) can help address these challenges by using configuration files to automate infrastructure management and standardization. This approach simplifies maintenance and provisioning, helping IT teams maximize API gateway efficiency while reducing architectural complexity.

Because API gateways act as a single point of entry, the gateway itself can become a potential vector for cyberattacks or infiltrations. Threats and errors also have a greater chance of cascading through multiple backend services—potentially cutting off API traffic and damaging otherwise healthy applications.

To reduce this risk, enterprises can maintain several gateway instances across environments and availability zones, helping ensure that if one goes offline, another can temporarily take its place. Similarly, organizations can use different types of gateways, including edge gateways, to spread routing and management responsibilities across multiple entry points.

After an organization chooses an API gateway that meets its specific needs—and builds its API environment around that gateway—it can be expensive and time-consuming to move to another vendor. In some cases, an organization might choose to self-host an open source gateway, rather than using a managed service, to maintain finer control over configurations. However, if an organization chooses a self-hosted option, this approach can be more costly for the development team.