REST API Gateway — Authentication, Routing & Rate Limiting

Primary API entry point for all client applications (mobile, web, partner integrations). Handles authentication, rate limiting, request transformation and upstream routing. Distinct from the AI Gateway.

Clients and traffic
  Client apps: Mobile (iOS/Android), Web portal (React), Admin dashboard, Partner SDK
  Integration clients: Bank partners, Fintech partners, Bureau webhooks, Payment callbacks
  Internal services: AI agents, Cron workers, Event processors, Monitoring
  Traffic stats: RPS peak 12K; daily requests 45M; bandwidth 2.1 TB/day

Edge layer
  CDN & DNS: CloudFront distribution, Route 53 health checks, Geo-routing, Edge caching (static), TLS 1.3 termination
  DDoS & WAF: AWS Shield Advanced, WAF rules (OWASP), Bot detection, IP reputation filter, Geo-blocking
  Request filtering: Header validation, Body size limit (10 MB), Content-Type enforcement, SQL injection blocking, XSS prevention

Authentication and authorization
  Auth methods: JWT Bearer (user), API key (partner), OAuth 2.0 (social), mTLS (service-to-service), Webhook HMAC verification
  Token management: Access token (15 min TTL), Refresh token (7 days), Token rotation, Revocation list (Redis), JWK auto-rotation
  Authorization: RBAC (roles), ABAC (attributes), Resource scoping, Tenant isolation, Permission caching

Rate limiting
  Tiers: Free 60 req/min; Pro 600 req/min; Enterprise 6000 req/min; Partner custom limits; Burst 2x for 10 s
  Algorithms: Sliding window (Redis), Token bucket (burst), Per-user tracking, Per-endpoint limits, Global capacity guard
  Throttle actions: 429 response + Retry-After, Graceful degradation, Priority queue (paid), Request queuing, Auto-ban (abuse)

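The token-bucket side of the rate limiter above, with the page's tiers and the "2x for 10 s" burst, as an added example that is not the gateway's own implementation. It keeps buckets per (user, endpoint) in process memory with an injectable clock; the page's production limiter keeps its state in Redis, which this example does not model. The burst rule is interpreted as follows (an assumption): with a steady refill of rate r tokens/s, a bucket capacity of 10·r lets a client spend 10·r stored tokens plus 10·r refilled ones over 10 s, i.e. twice the tier rate for 10 s, after which it settles back to r. Denied requests get a 429 decision with a Retry-After computed from the token deficit.

```python
"""Per-user, per-endpoint token bucket with tiered limits (added example)."""
from dataclasses import dataclass
import math
import time

# Sustained requests per minute per tier, from the page.
TIER_LIMITS = {"free": 60, "pro": 600, "enterprise": 6000}
BURST_SECONDS = 10  # page: "Burst: 2x for 10s"; capacity = rate * 10 (assumption)


@dataclass
class Bucket:
    tokens: float
    updated: float  # clock reading at last refill


@dataclass
class Decision:
    allowed: bool
    status: int        # 200 when allowed, 429 when throttled
    retry_after: int   # seconds the client should wait (only set on 429)
    remaining: int     # whole tokens left after this request


class TokenBucketLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}  # (user_id, endpoint) -> Bucket

    @staticmethod
    def params(tier: str):
        rate = TIER_LIMITS[tier] / 60.0       # tokens per second
        capacity = rate * BURST_SECONDS       # burst reserve: 2x rate for 10 s
        return rate, capacity

    def check(self, user_id: str, endpoint: str, tier: str, cost: float = 1.0) -> Decision:
        rate, capacity = self.params(tier)
        now = self.clock()
        key = (user_id, endpoint)             # per-user and per-endpoint tracking
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = Bucket(tokens=capacity, updated=now)
            self.buckets[key] = bucket
        # Lazy refill: add tokens for elapsed time, never above capacity.
        bucket.tokens = min(capacity, bucket.tokens + (now - bucket.updated) * rate)
        bucket.updated = now
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return Decision(True, 200, 0, int(bucket.tokens))
        deficit = cost - bucket.tokens
        return Decision(False, 429, math.ceil(deficit / rate), 0)


def response_headers(decision: Decision) -> dict:
    """Headers the gateway would attach; Retry-After only on a 429."""
    headers = {"X-RateLimit-Remaining": str(decision.remaining)}
    if decision.status == 429:
        headers["Retry-After"] = str(decision.retry_after)
    return headers


if __name__ == "__main__":
    limiter = TokenBucketLimiter()
    for _ in range(11):
        d = limiter.check("user-42", "/api/v1/credit", "free")
        print(d.status, response_headers(d))
```

Free tier gives r = 1 token/s and a capacity of 10, so a cold client can fire 10 requests at once and the 11th is throttled with Retry-After: 1; a client that paces itself at 1 req/s never sees a 429. The global capacity guard on the page would sit in front of this per-key check as a single shared bucket.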
Routing
  Route resolution: /api/v1/credit → Credit svc; /api/v1/payments → Pay svc; /api/v1/users → User svc; /api/v1/fx → FX svc; /api/v1/ai → AI Gateway
  Transformation: Request body mapping, Header injection, Query param normalization, Version negotiation, Protocol translation
  Load balancing: Round-robin (default), Weighted (canary), Least connections, Health-aware routing, Sticky sessions (WebSocket)

Versioning, documentation and monitoring
  API versioning: v1 (current, stable); v2 (beta, opt-in); v0 (deprecated, EOL Q3); URL-based versioning; Sunset header
  Documentation: OpenAPI 3.1 spec, Swagger UI (internal), Developer portal, SDK generation, Changelog (auto)
  Monitoring: Access logs (CloudWatch), Error tracking (Sentry), Latency dashboards, Usage analytics, SLA reporting

Upstream services and infrastructure
  Core microservices: Credit Service, Payment Service, User Service, FX Service, Notification Service
  AI services: AI Gateway, Prael Agent, Credit LLM, Fraud Model
  Infrastructure: Redis (cache/session), PostgreSQL, MongoDB, SQS queues

Gateway metrics
  p50 latency 8 ms; p99 latency 45 ms; error rate 0.02%; cache hit 78%
  Gateway overhead: ~5 ms avg