# API Gateway & Security

The gateway layer exposes backend capabilities to clients and applies the controls around them. It maps requests to runners, enforces authentication, shapes responses, and adds resilience and transport security.

### What this section covers

* [Gateway Servers](/devops/api-gateway-and-security/gateway-servers.md) covers the gateway runtime, controller endpoints, request and trace IDs, refresh behavior, and shared security settings.
  * [Gateway Tokens](/devops/api-gateway-and-security/gateway-servers/gateway-tokens.md) define token lifetimes, claims, cookies, auth providers, and session settings.
  * [Gateway Channels](/devops/api-gateway-and-security/gateway-servers/gateway-channels.md) map public paths to backend systems and apply per-path auth, aliases, headers, retries, and resilience rules.
  * [Gateway Services](/devops/api-gateway-and-security/gateway-servers/gateway-services.md) configure direct gateway integrations for Kafka and file operations.
  * [Gateway Systems](/devops/api-gateway-and-security/gateway-servers/gateway-systems.md) define how the gateway reaches runners over RPC, CRUD, Kafka, or RSocket.
* [APIs](/devops/api-gateway-and-security/apis.md) covers the exposed gateway endpoints for requests, auth, tracking, files, control, commands, and ad hoc messages.
  * [OpenAPI Specification](/devops/api-gateway-and-security/apis/openapi-specification.md) explains how gateway, runner, schema, and saga configuration become generated API docs.
  * [Response Formats](/devops/api-gateway-and-security/apis/response-formats.md) explains JSON, XML, HTML, plain text, and CSV responses.
  * [Server Sent Events](/devops/api-gateway-and-security/apis/server-sent-events.md) explains how `/api/stream/...` turns repeated saga calls into an SSE feed using `list`, `continue`, `wait`, and `next`.
* [Rate Limiting](/devops/api-gateway-and-security/rate-limiting.md) covers built-in user and IP based throttling at gateway and channel level.
* [Dynamic TLS & mTLS](/devops/api-gateway-and-security/dynamic-tls-and-mtls.md) explains runtime certificate loading and rotation for both server and client connections.

### How the pieces fit together

1. A client calls a gateway API on a channel.
2. The channel applies auth, path rules, headers, and resilience.
3. The channel uses a system to reach the target runner or service.
4. Tokens and sessions enrich the request with identity and claims.
5. The gateway returns JSON by default, or another supported format.
6. Optional controls such as rate limits, SSE, and mTLS apply at the edge.

### Common use cases

* Expose a saga or CRUD endpoint through a public API.
* Protect paths with token-based auth and role checks.
* Add retries, circuit breakers, and rate limits for unstable dependencies.
* Stream incremental results to clients over SSE.
* Secure gateway-to-runner traffic with rotated TLS or mTLS certificates.
* Publish generated OpenAPI docs for API consumers.

### Start here

* Start with [Gateway Servers](/devops/api-gateway-and-security/gateway-servers.md) if you are wiring a new gateway.
* Go to [Gateway Channels](/devops/api-gateway-and-security/gateway-servers/gateway-channels.md) and [Gateway Systems](/devops/api-gateway-and-security/gateway-servers/gateway-systems.md) when exposing a runner.
* Go to [Gateway Tokens](/devops/api-gateway-and-security/gateway-servers/gateway-tokens.md) when setting up login, claims, or cookies.
* Go to [Rate Limiting](/devops/api-gateway-and-security/rate-limiting.md) or [Dynamic TLS & mTLS](/devops/api-gateway-and-security/dynamic-tls-and-mtls.md) when hardening production traffic.

