How it works

The API gateway is the core piece of infrastructure that enforces API security. Unlike traditional firewalls, API security requires analyzing messages, tokens and parameters, all in an intelligent way. The API gateway checks authorization, then checks parameters and the content sent by authorized users. It then ensures that when logs are written that they're redacted, that the customer data isn't in the logs, and does not get written into storage. And it accomplishes these steps in the proper order.

When configuring throttling rules, usage of API keys or OAuth, the API gateway acts as the enforcement point. This is the traffic cop, ensuring that the right users are allowed access, and the wrong ones are being blocked. An API gateway can be used either for incoming requests, coming into your APIs. The API gateway allows you to encrypt parts of the message or redact confidential information, then meter, control, and analyze how your APIs are being used. So much can be done with an API gateway, but its main benefit is moving security from the application to your organizational infrastructure, allowing you to treat the security of your application and API like a first-class citizen.