# API Gateway — Use case

> Where the API Gateway sits — between your mobile, web, partner, and AI clients and your microservices, legacy SOAP, databases, and LLMs. Auth, rate limiting, routing, transformation, and logging run as configurable policies.


## Put one gateway between your clients and your backends.

The Apinizer API Gateway is the single entry point for every request — mobile, web, partner, and AI. Authentication, rate limiting, routing, transformation, and logging run as policies, so you stop scattering that logic across services.

[Five-minute quickstart](https://apinizer.com/developers/quickstart) · [API Gateway product](https://apinizer.com/products/api-gateway)

---

## The problem


### Auth, rate limits, and logging don't belong in every service.

When each app talks straight to each backend, the cross-cutting concerns — who's calling, how often, in what shape, with what audit trail — get re-implemented in every codebase, in every language, slightly differently. An API Gateway moves them to one place: a reverse proxy that sits in front of your services and applies a consistent policy pipeline to every request before it reaches an upstream.

---

## At a glance

- **50+** — policies out of the box (auth · traffic · transform · logging)
- **9** — auth methods (OAuth2 · OIDC · JWT · mTLS · SAML …)
- **1** — runtime, every protocol (HTTP · gRPC · WS · SOAP · AI)

---

## Capabilities

### API Proxy — the front door

An API Proxy is a front-facing endpoint you define on the gateway. It terminates the client request, runs the policy pipeline, and forwards to your upstream. REST, SOAP, gRPC, WebSocket, and GraphQL all share one proxy model.

### Authentication & identity

Verify the caller before routing — OAuth 2.0 / OIDC / JWT for modern apps, mTLS / SAML / Basic for the enterprise and legacy estate. Each method is a first-class policy, not a plugin you have to write.

### Rate limit & quota

Protect upstreams with per-API throttling, per-subscriber quotas, burst windows, IP allow/deny lists, and message-size caps. Token-based limits (TPM) apply to AI traffic on the same surface.

### Transformation & mediation

Reshape payloads at the edge — SOAP↔REST, XML↔JSON, JOLT and XSLT, plus Groovy/JS scripts. Clients get a modern contract while the backend stays exactly as it is.

### Logging & audit

Every request, header rewrite, and routing decision is logged asynchronously to Elasticsearch — the request path never waits on the writer. The audit trail is enforced by the platform, not left optional.

### Caching & validation

A distributed response cache cuts upstream load. JSON Schema and XSD validation are primed at deploy time rather than on first request, so a malformed request is rejected at the edge.

---

## Real-world examples

### Mobile → Backend

**Scenario:** The mobile app calls the gateway, not your services directly

**Outcome:** The gateway terminates TLS, validates the OAuth token, throttles per device, and forwards to the right service. Rotate a backend or split traffic without shipping a new app build.

**Metric:** edge auth + throttle

### Frontend → Backend (BFF)

**Scenario:** A web SPA talks to one origin that fans out to many services

**Outcome:** CORS, token exchange, and response aggregation handled at the edge. The browser sees a single API; the frontend stops needing to know your internal service map.

**Metric:** one origin

### Service → Service

**Scenario:** East-west calls between microservices route through the gateway

**Outcome:** Internal traffic gets the same auth, retries, routing, audit, and rate limits as north-south traffic — without a bespoke client library per service.

### Partner / B2B

**Scenario:** External partners get a governed, contract-bound entry point

**Outcome:** Per-partner quotas, IP allow-lists, and an Allowed-Hours policy. Front a 2008 SOAP service as clean REST without touching the legacy team.

**Metric:** per-partner quota

### AI / LLM apps

**Scenario:** Apps call LLMs through the gateway, not the provider SDK

**Outcome:** One OpenAI-compatible endpoint across 17+ providers, with token quotas, semantic caching, and a prompt firewall — the same gateway, one extra layer of policies.

**Metric:** 17+ providers, one facade

### Legacy modernization

**Scenario:** A new app needs a modern API over an old system

**Outcome:** The gateway exposes JSON or gRPC while the upstream stays SOAP/XML or a stored procedure. Validation and transformation run at the edge; the mainframe doesn't change.

---

## What happens to a request, in order.

Every call runs the same policy pipeline before it ever reaches a backend — and response policies run in reverse on the way out.

- **01 · Ingress & route match** — The gateway terminates the connection (HTTP/2, gRPC, WSS), matches the path to an API Proxy, and selects the upstream and load-balancing strategy.
- **02 · Identity & access** — Pre-flow policies verify the caller — token validation, mTLS, scope and tier checks — and reject anything unauthorized before any backend work happens.
- **03 · Traffic & shape** — Rate limit, quota, and size caps apply; request transforms (SOAP↔REST, JOLT/XSLT, scripts) and schema validation reshape and vet the payload.
- **04 · Forward, respond & log** — The request is forwarded upstream, response policies run in reverse order, and the call is logged asynchronously to Elasticsearch and captured in audit.
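The ordering above can be modelled in a few lines. This is an added sketch, not Apinizer code or configuration: the class names, the `handle` function, the token map and the in-memory `trace` list (standing in for the audit log) are all assumptions made for illustration. It shows that a rejected caller never reaches the upstream or consumes quota, and that response policies unwind in reverse.

```python
import time

class Reject(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status, self.reason = status, reason

class BearerAuth:
    name = "auth"
    def __init__(self, tokens):            # constructed token -> subscriber map
        self.tokens = tokens
    def on_request(self, req):
        scheme, _, token = req["headers"].get("Authorization", "").partition(" ")
        if scheme != "Bearer" or token not in self.tokens:
            raise Reject(401, "invalid or missing token")
        req["subscriber"] = self.tokens[token]
    def on_response(self, req, resp):
        pass

class FixedWindowLimit:
    name = "rate-limit"
    def __init__(self, limit, window_s=60, clock=time.monotonic):
        self.limit, self.window_s, self.clock, self.counts = limit, window_s, clock, {}
    def on_request(self, req):
        # Keyed on the identity set by the auth policy, so it must run after it.
        key = (req["subscriber"], int(self.clock() // self.window_s))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.limit:
            raise Reject(429, "rate limit exceeded")
    def on_response(self, req, resp):
        pass

class StripServerHeader:
    name = "strip-server"
    def on_request(self, req):
        pass
    def on_response(self, req, resp):
        resp["headers"].pop("Server", None)   # do not leak upstream software

def handle(policies, upstream, req):
    """Run request policies in order, call upstream, run response policies reversed."""
    trace = []                                # stands in for the audit log
    try:
        for p in policies:
            trace.append("req:" + p.name)
            p.on_request(req)
    except Reject as r:                       # short-circuit: upstream is never called
        trace.append("reject:%d" % r.status)
        return {"status": r.status, "headers": {}, "body": r.reason}, trace
    resp = upstream(req)
    for p in reversed(policies):
        trace.append("resp:" + p.name)
        p.on_response(req, resp)
    return resp, trace
```

Placing the auth policy ahead of the per-subscriber limit matters twice over: the limiter has an identity to key on, and unauthenticated traffic cannot burn a legitimate subscriber's quota.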

---

## Recommended modules

- [API Gateway](https://apinizer.com/products/api-gateway) — The runtime itself — protocols, 50+ policies, hot deploy, and per-request context.
- [Identity Manager](https://apinizer.com/products/identity-manager) — The identity surface behind the gateway's auth policies — OAuth2 / OIDC / JWT / LDAP / SAML.
- [Analytics Engine](https://apinizer.com/products/analytics-engine) — Where the gateway's async logs land — per-endpoint, per-consumer observability.
- [Cache](https://apinizer.com/products/cache) — The distributed cache behind response caching and coordinated invalidation.

---

## Resources

- [API Proxy concept](https://docs.apinizer.com/en/concepts/core-concepts/what-is-api-proxy) — The eight proxy types and how a request flows through the policy pipeline.
- [API Gateway product](https://apinizer.com/products/api-gateway) — The runtime in depth — protocols, policies, and operability.
- [Create an API Proxy](https://docs.apinizer.com/en/develop/api-proxy-creation/client-route-settings) — Step-by-step: client route, routing, and policies.
- [Five-minute quickstart](https://apinizer.com/developers/quickstart) — Deploy your first governed proxy end to end.
- [Analytics Engine](https://apinizer.com/products/analytics-engine) — Per-endpoint, per-consumer telemetry for every proxy.
- [Architecture overview](https://docs.apinizer.com/en/concepts/architecture) — How the gateway sits in the platform topology on Kubernetes.

---

## Related use cases

- [OpenAPI-first design](https://apinizer.com/solutions/openapi-first) — For developers
- [APIops (CI/CD)](https://apinizer.com/solutions/apiops) — For developers
- [DB-2-API](https://apinizer.com/solutions/db-2-api) — For developers
- [Connector library (15+)](https://apinizer.com/solutions/connector-library) — For developers

---

## Next step

*One entry point*

**Stop re-implementing auth and rate limits in every service.**

A 30-minute walkthrough of the Apinizer API Gateway — proxies, policies, and placement — on a Kubernetes of your choice.

[Book a Demo](https://calendly.com/apinizer/15min) · [Read the docs](https://apinizer.com/developers/docs)

---


© 2026 Apinizer. All rights reserved.
