What is an API Gateway?

In simple terms, a gateway is a filter somewhere in your web stack (hosted by you or by a third party) that filters, manages, secures, translates, transforms, monitors and logs your API traffic in some way. Some of the filtering that can happen there includes:


  • Access Control (filtering traffic so only authenticated/authorized traffic gets through)
  • Rate Limiting (restricting how much traffic can be sent by each client of the API)
  • Analytics/Metrics capture and logging (tracking what’s going on on the API)
  • Security Filtering (checking the content on incoming messages for attacks)
  • Redirection Traffic Routing (sending traffic to different endpoints in your own infrastructure depending on the sender or the request)
  • Data transformation, etc.


The gateway typically works as a set of modules and filters that process the traffic as it flows through it at high speed; you can usually enable only those modules / filters you need and control their parameters. There are obviously quite a few different ways to do the implementation, and various vendors and open source systems to choose from.

Access Control (filtering traffic so only authenticated/authorized traffic gets through)

  • Choose from a wide array of authentication schemes, standards and token types to ensure that only valid users and applications get access
  • Integrate with leading identity and access management providers or use the built-in access control system
  • Use existing enterprise security systems to create an OAuth authorization server.

Security Filtering (checking the content on incoming messages for attacks)

  • Ensure the privacy of data in flight and at rest (a key requirement for PCI Compliance)
  • Support SSL & TLS as well as message-based encryption and decryption using the XML-Encryption standards
  • Sign and verify messages and headers to provide non-repudiation
  • Simplify key and certificate generation, distribution and management with built-in PKI services

Threat Protection

  • Prevent Denial of Service (DoS) attacks, malformed messages or excessive XML/JSON depth and breadth.
  • Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
  • Provide a content firewall, protecting against malicious content including protection against viruses in attachments and validation of message content – XML and JSON data structure, form and query parameters.
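To make the filter-chain idea from the opening paragraphs concrete, here is an added example (not from this post or from any vendor's product) of a minimal gateway pipeline: access control by API key, a per-client sliding-window rate limit, a content filter that rejects malformed JSON and excessive JSON depth/breadth, and routing to an internal endpoint. The API keys, routes and limits are constructed placeholder values.

```python
import json
import time
from collections import deque

# Constructed sample credentials and routes; a real gateway would consult an IdP.
API_KEYS = {"key-alpha": "tenant-a", "key-beta": "tenant-b"}
ROUTES = {"/orders": "http://orders.internal", "/users": "http://users.internal"}
RATE_LIMIT = 3         # requests per window, per client (assumed value)
WINDOW_SECONDS = 60.0
MAX_JSON_DEPTH = 4     # reject payloads with containers nested deeper than this
MAX_JSON_BREADTH = 20  # reject any single object/array wider than this

_requests = {}  # client id -> deque of request timestamps inside the window

def authenticate(headers):
    """Access control: map an API key header to a client identity, or None."""
    return API_KEYS.get(headers.get("X-API-Key", ""))

def rate_limited(client, now):
    """Sliding-window rate limit: True if the client has exhausted its quota."""
    q = _requests.setdefault(client, deque())
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()                      # drop timestamps that left the window
    if len(q) >= RATE_LIMIT:
        return True                      # rejected requests do not extend the window
    q.append(now)
    return False

def json_shape_ok(value, depth=0):
    """Threat protection: bound nesting depth and width of parsed JSON."""
    if isinstance(value, (dict, list)):
        depth += 1
        if depth > MAX_JSON_DEPTH or len(value) > MAX_JSON_BREADTH:
            return False
        items = value.values() if isinstance(value, dict) else value
        return all(json_shape_ok(v, depth) for v in items)
    return True                          # scalars never add nesting

def handle(path, headers, body, now=None):
    """Run the filters in order; return (status, detail) like a gateway response."""
    now = time.time() if now is None else now
    client = authenticate(headers)
    if client is None:
        return 401, "unauthenticated"
    if rate_limited(client, now):
        return 429, "rate limit exceeded"
    try:
        payload = json.loads(body) if body else None
    except ValueError:
        return 400, "malformed JSON"
    if not json_shape_ok(payload):
        return 400, "payload rejected by content filter"
    upstream = ROUTES.get(path)
    if upstream is None:
        return 404, "no route"
    return 200, f"{client} -> {upstream}{path}"
```

The `now` parameter exists so the window logic can be driven deterministically; in production the timestamp comes from the clock and the client identity from the identity provider.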

Orchestration, Mediation and Transformation

  • Bi-directional protocol transformation – Convert existing SOAP or Plain-old-XML (POX) over MQ or JMS services into RESTful APIs with XML and/or JSON content
  • API & Message Routing – Route based on message content, headers, identity and other factors
  • Orchestration – Remove operations, aggregate multiple backend APIs or services, perform mediation, or composition – without writing code.
  • Scripting – Author reusable scripts using a variety of languages (e.g. node.js, JavaScript, Groovy, Jython, BeanShell) and embed them within processes

Analytics and Monitoring

  • Real-time system monitoring – Use the Web-based dashboards to get real-time visibility into service and API performance, dependencies, and alert status
  • Alert Management – Powerful alert management, monitoring, and distribution. Leverage alerts within compositions to control message routing, enforce SLAs or perform other runtime activities
  • Analytics – Dashboards and out-of-the-box reports provide visibility into the performance of APIs and services from different perspectives, including department, partner, application contract, API/service or operation

Unified API and SOA

  • Define and Manage APIs – Create APIs with multiple interfaces using different standards including REST/XML, REST/JSON and SOAP with no extra development effort
  • Comprehensive Integration with Akana’s Lifecycle Manager – Control the service production and consumption process from requirements definition to development
  • Contract Management – Manage relationships between service consumers and providers
