The API gateway is the piece of infrastructure that sits between consumers and your backend services and makes an API into a managed, governed, observable thing rather than just an endpoint. At its core, a gateway is a proxy — it intercepts every request to your API and applies the cross-cutting concerns that every API needs: authentication, rate limiting, routing, transformation, logging, and observability. I’ve watched the gateway evolve from a simple proxy into the central control point of API operations, and it remains one of the most important and most contested pieces of the API stack. The gateway is where policy gets enforced at runtime, where consumers get authenticated, where usage gets metered, and where the abstract idea of “managing an API” becomes a concrete piece of software doing real work on every single request.
The gateway started as a battle over the proxy, and that framing tells you what was at stake. I wrote in 2011 about the battle for your API proxy — because whoever controlled the proxy layer controlled the API. The early API management companies — Mashery, Apigee, 3Scale, Layer7 — were fundamentally fighting to own that intermediary position between your API and its consumers, because the proxy is where the value-added services live. 3Scale’s launch of an open-source API proxy built on NGINX in 2012 was significant because it pointed toward a future where the gateway wasn’t a proprietary black box but open infrastructure you could run yourself. The proxy was never just plumbing; it was the strategic control point of the entire API management business, and the battle over it shaped the whole industry.
AWS API Gateway changed the landscape when it launched in 2015, and I marked the moment with characteristic enthusiasm. The arrival of a cloud-native, fully-managed gateway from AWS signaled that the gateway was becoming a commodity cloud primitive rather than a specialized enterprise product. I wrote about how you could see the expanding API lifecycle reflected in the new AWS API Gateway — it didn’t just proxy requests, it imported OpenAPI definitions, exported to Postman, integrated with Lambda for serverless backends, handled usage plans and multi-region deployment. The gateway became the place where serverless APIs were assembled: API Gateway in front, Lambda for compute, DynamoDB or RDS for storage, the whole stack composed at the gateway layer. This was a major shift — the gateway went from being a thing you bolted in front of an existing API to being the foundation you built the API on in the first place.
The modern gateway landscape is rich and competitive, and I’ve tracked all the major players. Kong became the dominant open-source gateway, built on NGINX, extensible through plugins, and I summarized it as a serious API management solution. Tyk built a strong open-source gateway with its own definition format and a focus on governance. Zuplo brought a programmable, code-first gateway to the conversation. And the cloud providers all have their own — AWS API Gateway, Apigee (now part of Google), Azure API Management. The competition is healthy, but it created a real problem I flagged in 2022: how are we going to consistently manage policies across multiple gateway vendors? Most enterprises don’t run one gateway; they run several, often inherited through acquisitions and team autonomy, and each one expresses policy differently. The multi-gateway reality makes consistent governance genuinely hard, which is why OpenAPI-driven, vendor-neutral policy definition matters so much.
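The multi-gateway consistency problem above is easier to reason about with a concrete check. The following is an added example written for this page, not code from the post or from any vendor: it treats a vendor extension on each OpenAPI path (`x-policy`, an `x-` key chosen here, not a standard) as the single source of truth, normalizes two gateways' configurations into the same canonical shape, and reports every place where what a gateway actually enforces departs from the contract. The Kong structure follows its declarative config as I know it (`key-auth` and `rate-limiting` plugins attached at the service level; verify the plugin fields against your Kong version), and the second gateway, `gwb`, is a hypothetical stand-in for any other vendor's format. All three documents are constructed; the Kong one is deliberately drifted and `gwb` exposes a path the contract never declared.

```python
"""Check that each gateway enforces the per-path policy declared in the OpenAPI contract."""

# Constructed contract. "x-policy" is an assumed vendor extension, not a standard field.
OPENAPI = {
    "openapi": "3.0.3",
    "paths": {
        "/orders": {"x-policy": {"auth": "api-key", "per_minute": 60}},
        "/health": {"x-policy": {"auth": "none", "per_minute": None}},
    },
}

# Constructed Kong declarative config (format as I know it), drifted on /orders: 120 instead of 60.
KONG = {
    "_format_version": "3.0",
    "services": [
        {"name": "orders", "url": "http://orders:8080",
         "routes": [{"name": "orders", "paths": ["/orders"]}],
         "plugins": [{"name": "key-auth"},
                     {"name": "rate-limiting", "config": {"minute": 120, "policy": "local"}}]},
        {"name": "health", "url": "http://orders:8080",
         "routes": [{"name": "health", "paths": ["/health"]}],
         "plugins": []},
    ],
}

# Constructed config for a hypothetical second gateway with a flat per-endpoint format.
GWB = {"endpoints": [
    {"path": "/orders", "auth": "apikey", "limit": {"requests": 60, "per": "minute"}},
    {"path": "/health", "auth": None, "limit": None},
    {"path": "/admin", "auth": None, "limit": None},   # exposed, but absent from the contract
]}


def contract_policy(doc):
    """Canonical policy per path, straight from the contract."""
    return {p: dict(item["x-policy"]) for p, item in doc["paths"].items() if "x-policy" in item}


def kong_policy(cfg):
    """Normalize Kong service-level plugins into the canonical shape (route-level plugins ignored)."""
    out = {}
    for svc in cfg["services"]:
        plugins = {p["name"]: p.get("config", {}) for p in svc.get("plugins", [])}
        auth = "api-key" if "key-auth" in plugins else "none"
        per_minute = plugins.get("rate-limiting", {}).get("minute")
        for route in svc.get("routes", []):
            for path in route["paths"]:
                out[path] = {"auth": auth, "per_minute": per_minute}
    return out


def gwb_policy(cfg):
    """Normalize the hypothetical gateway's flat format into the canonical shape."""
    out = {}
    for ep in cfg["endpoints"]:
        auth = "api-key" if ep["auth"] == "apikey" else "none"
        limit = ep["limit"]
        per_minute = limit["requests"] if limit and limit["per"] == "minute" else None
        out[ep["path"]] = {"auth": auth, "per_minute": per_minute}
    return out


def drift(contract, gateway_name, effective):
    """List every way a gateway's effective policy departs from the contract.

    Routed-but-undeclared paths are reported too: an endpoint nobody designed is
    the classic way an unauthenticated route reaches production.
    """
    findings = []
    for path, want in contract.items():
        got = effective.get(path)
        if got is None:
            findings.append(f"{gateway_name}: {path} declared in contract but not routed")
        elif got != want:
            findings.append(f"{gateway_name}: {path} expected {want}, got {got}")
    for path in sorted(set(effective) - set(contract)):
        findings.append(f"{gateway_name}: {path} routed but absent from contract")
    return findings


def check_all(doc=OPENAPI, kong=KONG, gwb=GWB):
    """Run the drift check against every gateway and return the combined findings."""
    contract = contract_policy(doc)
    return drift(contract, "kong", kong_policy(kong)) + drift(contract, "gwb", gwb_policy(gwb))


if __name__ == "__main__":
    for finding in check_all():
        print(finding)
```

Run in CI against exported gateway configs, a non-empty finding list is the signal that a gateway's runtime policy has drifted from the contract; adding a vendor means adding one normalizer, not a second copy of the policy.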
The gateway is where governance becomes runtime reality, and this is the thread I care about most. For all the work that goes into design-time governance — linting OpenAPI, enforcing standards in CI/CD — the gateway is where governance actually executes against live traffic. I wrote in 2023 about why design-time matters in a gateway-runtime-dominated reality, because there’s a tendency to think the gateway is where governance happens and the design-time stuff is optional. The truth is they’re complementary: design-time governance shapes the contract, and the gateway enforces it at runtime. A rule that lives only in a linter never touches a request, and a rule that lives only in a gateway config has no contract it can be checked against. Cloudflare’s use of OpenAPI to standardize the redaction of audit log data at the gateway layer, which I wrote about in 2025, is the perfect example of this convergence — a governance/compliance policy (redacting sensitive data) expressed in the machine-readable contract and enforced automatically at the gateway. The caveat is that the gateway can only redact what flows through it: a backend that writes its own logs, or traffic that reaches a service without crossing the gateway, sits outside that enforcement, so the runtime control is only as complete as the routing that puts every request in front of it. And the alignment runs both ways: OpenAPI aligns your API code with your gateway configuration, so the contract, the implementation, and the runtime enforcement all derive from the same source of truth.
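The Cloudflare pattern described above, redaction driven by the contract rather than by a hand-maintained list of field names, can be shown end to end in a few dozen lines. What follows is an added example written for this page; it is not Cloudflare's code and not the post's own. It assumes sensitive properties are marked with an `x-redact: true` vendor extension (an `x-` key chosen here, not a standard), resolves the response schema the contract declares for an operation, walks schema and response body together so nested objects and arrays are covered, and fails closed: a response the contract does not describe (an unexpected status or media type) is logged with its body fully redacted, since nothing says which of its fields are safe. The OpenAPI fragment and the response body are constructed.

```python
"""Redact audit-log fields that the OpenAPI contract marks as sensitive."""
import copy
import json

# Constructed OpenAPI fragment; "x-redact" is an assumed vendor extension.
OPENAPI = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}}},
    },
    "components": {"schemas": {
        "User": {"type": "object", "properties": {
            "id": {"type": "string"},
            "email": {"type": "string", "x-redact": True},
            "cards": {"type": "array", "items": {"$ref": "#/components/schemas/Card"}},
        }},
        "Card": {"type": "object", "properties": {
            "last4": {"type": "string"},
            "pan": {"type": "string", "x-redact": True},
        }},
    }},
}

REDACTED = "[REDACTED]"


def resolve(doc, schema):
    """Follow local $refs ("#/components/schemas/X") until a concrete schema is reached."""
    while "$ref" in schema:
        node = doc
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def redact(doc, schema, value):
    """Return a copy of `value` with every x-redact property replaced.

    Schema and value are walked together so nested objects and arrays are
    covered; values the schema does not describe are kept as they were.
    """
    schema = resolve(doc, schema)
    if schema.get("type") == "object" and isinstance(value, dict):
        props = schema.get("properties", {})
        out = {}
        for key, item in value.items():
            if key in props:
                prop = resolve(doc, props[key])
                out[key] = REDACTED if prop.get("x-redact") else redact(doc, prop, item)
            else:
                out[key] = copy.deepcopy(item)
        return out
    if schema.get("type") == "array" and isinstance(value, list):
        return [redact(doc, schema.get("items", {}), v) for v in value]
    return copy.deepcopy(value)


def response_schema(doc, path, method, status, media="application/json"):
    """Schema the contract declares for this operation's response, or None if undeclared."""
    try:
        return doc["paths"][path][method.lower()]["responses"][str(status)]["content"][media]["schema"]
    except KeyError:
        return None


def audit_record(doc, path, method, status, body):
    """Build the audit-log entry the gateway would emit for one response.

    Fail closed: an undeclared response gets its whole body redacted, because
    the contract gives no basis for deciding which fields are safe to keep.
    """
    schema = response_schema(doc, path, method, status)
    logged = redact(doc, schema, body) if schema is not None else REDACTED
    return {"path": path, "method": method, "status": status, "body": logged}


if __name__ == "__main__":
    # Constructed response body; `path` is the matched template, as a gateway would record it.
    body = {"id": "u-1", "email": "a@example.com",
            "cards": [{"last4": "4242", "pan": "4242424242424242"}]}
    print(json.dumps(audit_record(OPENAPI, "/users/{id}", "GET", 200, body), indent=2))
    print(json.dumps(audit_record(OPENAPI, "/users/{id}", "GET", 500, {"trace": "stack"})))
```

The fail-closed branch is the part worth keeping when adapting this: a 500 carrying a stack trace, or a response in a media type the contract never mentioned, is exactly the kind of body that leaks into logs when the redactor only knows how to handle the happy path.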
The warning I’ve issued repeatedly is against treating the gateway as just infrastructure, because doing so misses what it actually is. I wrote in 2022 that we still treat our API gateway as just infrastructure — and the problem with that framing is that it reduces the gateway to plumbing when it’s actually the policy enforcement point, the observability layer, the place where the business rules of your API operation live. The gateway sees every request. It knows who’s calling, how often, with what, and what happened. That makes it the richest source of operational intelligence and the most powerful point of control in your entire API stack. As I traced in 2021, the evolution from API management to API gateway and beyond is the story of this realization deepening — the gateway is not the dumb proxy at the edge, it’s the brain of API operations, the place where authentication, rate limiting, routing, transformation, security, and observability all converge into a single enforceable layer. Treating it as mere infrastructure means leaving its real value — as the runtime home of governance, security, and operational intelligence — unrealized.
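The per-request pipeline listed in the opening paragraph and called the enforcement point here is small enough to write out. The block below is an added example for this page, not code from any gateway product: it authenticates the caller against a registry of hashed keys, meters by the authenticated consumer rather than by client IP, routes to an upstream, and leaves one log record per request tied to the identity that made it. It fails closed on an unknown key. The consumer registry, route table, request shape and injectable clock are all constructed so the block runs offline; a real gateway would proxy to the chosen upstream where this one only records the decision.

```python
"""A minimal policy-enforcing gateway pipeline: authenticate, meter, route, log."""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def key_id(api_key: str) -> str:
    """The registry is keyed by SHA-256 of the key: a leaked registry leaks no
    keys, and the lookup cost no longer depends on the secret's bytes."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed consumers: hashed key -> identity and per-minute quota.
CONSUMERS = {key_id("demo-key-alpha"): {"name": "alpha", "per_minute": 2}}
# Constructed route table: public path -> upstream.
ROUTES = {"/orders": "http://orders.internal:8080"}


@dataclass
class Request:
    path: str
    api_key: Optional[str]
    client_ip: str


@dataclass
class Gateway:
    now: Callable[[], float] = time.time          # injectable clock for testing
    buckets: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # consumer -> (count, window)
    log: List[dict] = field(default_factory=list)

    def authenticate(self, req: Request) -> Optional[dict]:
        if not req.api_key:
            return None
        return CONSUMERS.get(key_id(req.api_key))

    def within_quota(self, consumer: dict) -> bool:
        """Fixed one-minute window keyed by the authenticated consumer, not the
        client IP: addresses are shared behind NAT and trivially rotated."""
        window = int(self.now() // 60)
        count, win = self.buckets.get(consumer["name"], (0, window))
        if win != window:
            count = 0
        count += 1
        self.buckets[consumer["name"]] = (count, window)
        return count <= consumer["per_minute"]

    def handle(self, req: Request) -> Tuple[int, Optional[str]]:
        entry = {"path": req.path, "ip": req.client_ip, "consumer": None}
        consumer = self.authenticate(req)
        if consumer is None:                     # fail closed: no identity, no service
            return self._finish(entry, 401, None)
        entry["consumer"] = consumer["name"]
        if not self.within_quota(consumer):
            return self._finish(entry, 429, None)
        upstream = ROUTES.get(req.path)
        if upstream is None:
            return self._finish(entry, 404, None)
        # A real gateway proxies to `upstream` here; this block records the decision only.
        return self._finish(entry, 200, upstream)

    def _finish(self, entry: dict, status: int, upstream: Optional[str]):
        entry.update(status=status, upstream=upstream)
        self.log.append(entry)                   # one record per request, tied to identity
        return status, upstream


if __name__ == "__main__":
    gw = Gateway()
    for req in (Request("/orders", None, "203.0.113.9"),
                Request("/orders", "demo-key-alpha", "203.0.113.9"),
                Request("/orders", "demo-key-alpha", "203.0.113.9"),
                Request("/orders", "demo-key-alpha", "203.0.113.9")):
        print(gw.handle(req))
    for line in gw.log:
        print(line)
```

Two design choices carry the security point: the quota is charged to the authenticated consumer before routing, so an unknown caller never consumes upstream capacity and a known one cannot reset their limit by changing source address, and every outcome, including the refusals, lands in the same log with the same identity field, which is what makes the gateway the operational intelligence source the paragraph describes.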
References
- The Battle For Your API Proxy
- 3Scale Launches Open Source API Proxy Built On NGINX
- The New AWS API Gateway
- The Continuing Evolution Of The API Gateway
- API Life Cycle Basics: Gateway
- A Summary Of Kong As An API Management Solution
- API Management To API Gateway And Beyond
- We Still Treat Our API Gateway As Just Infrastructure
- How Are We Going To Consistently Manage Policies Across Multiple API Gateway Vendors
- Why API Design-Time Matters In An API Gateway Run-Time Dominated Reality
- Cloudflare Uses OpenAPI To Standardize The Redaction Of Audit Log Data At The API Gateway Layer
- OpenAPI Aligns Your API Code With The API Gateway Configuration