CHAPTER 04
3 DIAGRAMS · ~9 MIN

APIs & Security

Your services have one shared neighbour: the public internet. The API gateway, auth layer, and rate limiter are the thin membrane between curiosity and damage.

04.1 · CONCEPT

API Gateway

Cross-cutting concerns — TLS, auth, rate limiting, request shaping — don't belong in every service. Centralise them at one ingress and let services stay focused.

ONE OR MANY
A single gateway is simpler but becomes a critical path. Per-team gateways (BFFs) scale teams better at the cost of duplicated config.
PROTOCOL BRIDGING
gRPC inside, REST/GraphQL/WebSockets at the edge. The gateway translates so internal services pick the best wire format.
DON'T OVERLOAD
Resist putting business logic in the gateway. Once it owns a workflow, every team waits on gateway deploys to ship features.
FIG · 04.1
API GATEWAY · INGRESS BOUNDARY: Client → API Gateway (TLS, Auth, Rate-limit, Route, Cache) → services auth, orders, billing, users. One boundary for cross-cutting concerns · services stay focused.
04.2 · CONCEPT

Auth Tokens

Stateless tokens (JWT) scale beautifully and revoke terribly. Stateful sessions revoke instantly and require a hot lookup. Pick per use case, not per blog post.

JWT REALITY
A JWT is valid until it expires. Revocation requires a deny-list — which is the session table you were trying to avoid. Keep TTLs short (5–15 min).
REFRESH TOKENS
Short-lived access token + long-lived refresh token gives you fast verification AND revocability. Rotate the refresh token on every use.
STORAGE
Never store tokens in localStorage if XSS is a concern (it always is). Use httpOnly, Secure cookies plus CSRF tokens, or keep the token in memory and renew it with a silent refresh.
FIG · 04.2
JWT VS SESSION · STATELESS VS STATEFUL. JWT: Client → API with header.payload.sig, verified with the public key, no DB lookup; ✗ revoke is hard, ✗ token bloat. Session: Client → API → Redis session store; ✓ instant revoke, ✓ tiny cookie. JWT for service-to-service · sessions for human logins.
04.3 · CONCEPT

Rate Limiting

Without a limiter, one buggy client can melt your fleet. With the wrong limiter, legitimate bursts get punished. The algorithm choice matters more than the threshold.

TOKEN BUCKET
Allows bursts up to bucket size, then enforces a steady refill rate. Best general-purpose choice — matches how humans actually use APIs.
WHERE TO ENFORCE
Edge for DDoS shielding. Gateway for per-tenant fairness. Service for protecting expensive endpoints. Layered defence beats one big number.
FAIL SHAPING
Return 429 with Retry-After. Don't 500. Don't silently drop. Good clients back off; bad clients are easier to ban when you label them.
FIG · 04.3
TOKEN BUCKET · BURST + STEADY: capacity 10, refill 2/s; req 1–5 → 200, req 6–8 → 429. Algorithms: fixed window, sliding log, token bucket, leaky bucket. Protect upstream · fair share · shed load before it cascades.
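The token bucket and the 429 + Retry-After shaping from this section, as an added example (not code from the chapter): one bucket per client key, bursts up to capacity, steady refill afterwards, and a Retry-After the client can honour. The client key and the injectable clock are assumptions; the traffic in `simulate` is constructed.

```python
import math
from typing import Dict, List, Tuple


class TokenBucket:
    """Per-client token bucket: bursts up to `capacity`, then `refill_rate` tokens per second."""

    def __init__(self, capacity: float, refill_rate: float, now: float = 0.0) -> None:
        assert refill_rate > 0, "a zero refill rate would block the client forever"
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.tokens = capacity  # a fresh client may burst immediately
        self.last = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)  # tolerate a clock that steps backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now

    def try_consume(self, now: float, cost: float = 1.0) -> Tuple[bool, float]:
        """Return (allowed, seconds until `cost` tokens will be available again)."""
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True, 0.0
        return False, (cost - self.tokens) / self.refill_rate


class Limiter:
    """One bucket per client key (assumed: an API key or tenant id taken from the auth layer)."""

    def __init__(self, capacity: float, refill_rate: float) -> None:
        self.capacity, self.refill_rate = capacity, refill_rate
        self.buckets: Dict[str, TokenBucket] = {}

    def handle(self, client: str, now: float) -> Tuple[int, Dict[str, str]]:
        """Shape the decision: 200, or 429 with Retry-After. Never 500, never a silent drop."""
        if client not in self.buckets:
            self.buckets[client] = TokenBucket(self.capacity, self.refill_rate, now)
        allowed, wait = self.buckets[client].try_consume(now)
        if allowed:
            return 200, {}
        # Whole seconds, rounded up so it is never 0; well-behaved clients back off by this amount.
        return 429, {"Retry-After": str(math.ceil(wait))}


def simulate(limiter: Limiter, arrivals: List[Tuple[str, float]]) -> List[int]:
    """Constructed traffic: (client, arrival_time) pairs -> HTTP status per request."""
    return [limiter.handle(client, t)[0] for client, t in arrivals]
```

With capacity 10 and refill 2/s, a burst of 12 at t=0 yields ten 200s then two 429s; a second later two more tokens have refilled, so two requests pass before the next 429.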