# Gateway & Security

The gateway layer exposes backend capabilities to clients and applies the controls around them. It maps requests to runners, enforces authentication, shapes responses, and adds resilience and transport security.

### What this section covers

* [Gateway Servers](https://docs.rierino.com/devops/gateway-and-security/gateway-servers) covers the gateway runtime, controller endpoints, request and trace IDs, refresh behavior, and shared security settings.
  * [Gateway Tokens](https://docs.rierino.com/devops/gateway-and-security/gateway-servers/gateway-tokens) define token lifetimes, claims, cookies, auth providers, and session settings.
  * [Gateway Channels](https://docs.rierino.com/devops/gateway-and-security/gateway-servers/gateway-channels) map public paths to backend systems and apply per-path auth, aliases, headers, retries, and resilience rules.
  * [Gateway Services](https://docs.rierino.com/devops/gateway-and-security/gateway-servers/gateway-services) configure direct gateway integrations for Kafka and file operations.
  * [Gateway Systems](https://docs.rierino.com/devops/gateway-and-security/gateway-servers/gateway-systems) define how the gateway reaches runners over RPC, CRUD, Kafka, or RSocket.
* [APIs](https://docs.rierino.com/devops/gateway-and-security/apis) covers the exposed gateway endpoints for requests, auth, tracking, files, control, commands, and ad hoc messages.
  * [OpenAPI Specification](https://docs.rierino.com/devops/gateway-and-security/apis/openapi-specification) explains how gateway, runner, schema, and saga configuration become generated API docs.
  * [Response Formats](https://docs.rierino.com/devops/gateway-and-security/apis/response-formats) explains JSON, XML, HTML, plain text, and CSV responses.
* [Server Sent Events](https://docs.rierino.com/devops/gateway-and-security/server-sent-events) explains how `/api/stream/...` turns repeated saga calls into an SSE feed using `list`, `continue`, `wait`, and `next`.
* [Rate Limiting](https://docs.rierino.com/devops/gateway-and-security/rate-limiting) covers built-in user-based and IP-based throttling at the gateway and channel levels.
* [Dynamic TLS & mTLS](https://docs.rierino.com/devops/gateway-and-security/dynamic-tls-and-mtls) explains runtime certificate loading and rotation for both server and client connections.

### How the pieces fit together

1. A client calls a gateway API on a channel.
2. The channel applies auth, path rules, headers, and resilience.
3. The channel uses a system to reach the target runner or service.
4. Tokens and sessions enrich the request with identity and claims.
5. The gateway returns JSON by default, or another supported format.
6. Optional controls such as rate limits, SSE, and mTLS apply at the edge.

### Common use cases

* Expose a saga or CRUD endpoint through a public API.
* Protect paths with token-based auth and role checks.
* Add retries, circuit breakers, and rate limits for unstable dependencies.
* Stream incremental results to clients over SSE.
* Secure gateway-to-runner traffic with rotated TLS or mTLS certificates.
* Publish generated OpenAPI docs for API consumers.

### Start here

* Start with [Gateway Servers](https://docs.rierino.com/devops/gateway-and-security/gateway-servers) if you are wiring a new gateway.
* Go to [Gateway Channels](https://docs.rierino.com/devops/gateway-and-security/gateway-servers/gateway-channels) and [Gateway Systems](https://docs.rierino.com/devops/gateway-and-security/gateway-servers/gateway-systems) when exposing a runner.
* Go to [Gateway Tokens](https://docs.rierino.com/devops/gateway-and-security/gateway-servers/gateway-tokens) when setting up login, claims, or cookies.
* Go to [Rate Limiting](https://docs.rierino.com/devops/gateway-and-security/rate-limiting) or [Dynamic TLS & mTLS](https://docs.rierino.com/devops/gateway-and-security/dynamic-tls-and-mtls) when hardening production traffic.
