Open API Gateway
External API layer with HMAC-SHA256 authentication for third-party integrations
Background
External-facing API gateway that exposes a subset of platform capabilities to third-party integrators. Must enforce strict authentication, rate limiting, and request logging independently from the internal gateway to maintain separate security boundaries.
Architecture
External client → Gin router (separate from internal gateway) → HMAC-SHA256 signature middleware → Redis rate limiter (token bucket per API key) → handler → internal gRPC services. Request/response pairs logged to MySQL.
Key Implementations
HMAC-SHA256 Signature Verification
Every request carries an HMAC-SHA256 signature computed with the integrator's API key secret over the request body and a client-supplied timestamp; the gateway recomputes the signature from the received request and rejects any mismatch before the request reaches a handler. The signed string should also bind the HTTP method and path, since a signature over the body alone could be replayed against a different endpoint.
Why: a party without the per-key secret cannot produce a valid signature, so any modification of the signed fields is detected. Timestamp validation bounds replay to the accepted clock-skew window; rejecting a captured request that is replayed inside that window additionally requires a per-request nonce that the gateway remembers for the length of the window.
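The signing and verification steps described above, as an added example written for this page rather than code from the project: a client-side Sign over method, path, timestamp, nonce and body hash, and a gateway-side Verify that checks the skew window, compares the MAC in constant time, and records the nonce only after the MAC passes. The header names, the 5-minute window and the in-memory nonce store are assumptions; the gateway's Redis store would replace memNonceStore.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// maxSkew bounds how far a signed timestamp may drift from gateway time
// (assumed value). Outside the window a request is rejected before any HMAC work.
const maxSkew = 5 * time.Minute

// SignedRequest holds the fields the signature covers. Method and path are
// included so a valid body cannot be replayed against another endpoint.
type SignedRequest struct {
	Method    string
	Path      string
	Timestamp int64  // Unix seconds, sent by the client in a header (header name assumed)
	Nonce     string // unique per request, sent by the client in a header (header name assumed)
	Body      []byte
}

// canonical is the byte string both sides MAC. The body is hashed first so
// the canonical form stays small and unambiguous for any payload size.
func canonical(r SignedRequest) string {
	bodyHash := sha256.Sum256(r.Body)
	return strings.Join([]string{
		r.Method,
		r.Path,
		strconv.FormatInt(r.Timestamp, 10),
		r.Nonce,
		hex.EncodeToString(bodyHash[:]),
	}, "\n")
}

// Sign is the integrator side: hex(HMAC-SHA256(secret, canonical)).
func Sign(secret []byte, r SignedRequest) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(canonical(r)))
	return hex.EncodeToString(mac.Sum(nil))
}

// NonceStore remembers nonces for as long as their timestamp could still be
// accepted; a replay inside the skew window is caught here, not by the timestamp.
type NonceStore interface {
	SeenBefore(nonce string, ttl time.Duration) bool
}

// memNonceStore is an in-memory stand-in for a Redis store (there it would be
// one SET NX EX per nonce).
type memNonceStore struct{ seen map[string]time.Time }

func (m *memNonceStore) SeenBefore(nonce string, ttl time.Duration) bool {
	now := time.Now()
	if exp, ok := m.seen[nonce]; ok && now.Before(exp) {
		return true
	}
	m.seen[nonce] = now.Add(ttl)
	return false
}

// Verify is the gateway side. Order matters: the cheap timestamp check runs
// first, the MAC second, and the nonce is recorded only for authenticated
// requests so unauthenticated traffic cannot fill the nonce store.
func Verify(secret []byte, r SignedRequest, presented string, now time.Time, nonces NonceStore) error {
	if d := now.Sub(time.Unix(r.Timestamp, 0)); d > maxSkew || d < -maxSkew {
		return fmt.Errorf("timestamp outside the %s window", maxSkew)
	}
	if r.Nonce == "" {
		return errors.New("missing nonce")
	}
	got, err := hex.DecodeString(presented)
	if err != nil {
		return errors.New("malformed signature")
	}
	want, _ := hex.DecodeString(Sign(secret, r)) // cannot fail: Sign emits valid hex
	if !hmac.Equal(want, got) {                  // constant-time comparison
		return errors.New("bad signature")
	}
	if nonces.SeenBefore(r.Nonce, 2*maxSkew) {
		return errors.New("replayed nonce")
	}
	return nil
}

func main() {
	secret := []byte("integrator-secret-example") // constructed; real secrets are per API key
	store := &memNonceStore{seen: map[string]time.Time{}}
	now := time.Now()
	req := SignedRequest{Method: "POST", Path: "/v1/orders", Timestamp: now.Unix(), Nonce: "n-1", Body: []byte(`{"sku":"A1"}`)}
	sig := Sign(secret, req)
	fmt.Println("first:   ", Verify(secret, req, sig, now, store))
	fmt.Println("replay:  ", Verify(secret, req, sig, now, store))
	req.Path = "/v1/refunds"
	fmt.Println("tampered:", Verify(secret, req, sig, now, store))
}
```

The nonce TTL is twice the skew window because a timestamp can sit anywhere inside plus or minus maxSkew of gateway time; a shorter TTL would let a request captured near the start of the window be replayed near its end.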
Token Bucket Rate Limiting
Each API key has a Redis-backed token bucket that enforces per-key request rate limits with configurable burst capacity.
Why: Per-key rate limiting prevents any single integrator from monopolizing capacity while allowing short bursts for legitimate traffic.
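The per-key token bucket described above, as an added example that is not the project's own code: the refill-cap-spend step, an in-memory limiter keyed by API key with an injected clock, and the same arithmetic as a Redis Lua script (an assumed script) so that the read-modify-write runs atomically on the server. Rate, burst and key names in the demo are constructed values.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Limit is one API key's quota: Rate tokens refilled per second; Burst is the
// bucket capacity and therefore the largest instantaneous burst allowed.
type Limit struct {
	Rate  float64
	Burst float64
}

// bucket is the per-key state kept in Redis (a hash with two fields).
type bucket struct {
	Tokens float64
	Last   float64 // Unix seconds, fractional
}

// take is one token-bucket step: refill in proportion to elapsed time, cap at
// Burst, then spend cost tokens if enough are present. On refusal it returns
// how long the caller should wait, which maps onto a Retry-After header.
func take(b bucket, l Limit, now, cost float64) (bucket, bool, time.Duration) {
	b.Tokens = math.Min(l.Burst, b.Tokens+math.Max(0, now-b.Last)*l.Rate)
	b.Last = now
	if b.Tokens >= cost {
		b.Tokens -= cost
		return b, true, 0
	}
	wait := (cost - b.Tokens) / l.Rate
	return b, false, time.Duration(wait * float64(time.Second))
}

// Limiter keys buckets by API key. This is an in-memory stand-in; with Redis
// the same step runs inside the Lua script below so that concurrent requests
// for one key cannot interleave their read and write.
type Limiter struct {
	limit Limit
	byKey map[string]bucket
	now   func() float64 // injected clock so refill is testable deterministically
}

func NewLimiter(l Limit, now func() float64) *Limiter {
	return &Limiter{limit: l, byKey: map[string]bucket{}, now: now}
}

// Allow spends one token for apiKey. A key never seen before starts full,
// which is what lets a legitimate integrator burst up to Burst immediately.
func (m *Limiter) Allow(apiKey string) (bool, time.Duration) {
	now := m.now()
	b, ok := m.byKey[apiKey]
	if !ok {
		b = bucket{Tokens: m.limit.Burst, Last: now}
	}
	b, allowed, wait := take(b, m.limit, now, 1)
	m.byKey[apiKey] = b
	return allowed, wait
}

// tokenBucketLua is the same arithmetic as take, written as a Redis script
// (assumed, not the project's) so refill, check and decrement are atomic.
//   KEYS[1] = bucket key for the API key
//   ARGV    = rate, burst, now (seconds), cost, ttl (seconds)
const tokenBucketLua = `
local b = redis.call('HMGET', KEYS[1], 'tokens', 'ts')
local rate, burst, now = tonumber(ARGV[1]), tonumber(ARGV[2]), tonumber(ARGV[3])
local cost, ttl = tonumber(ARGV[4]), tonumber(ARGV[5])
local tokens = tonumber(b[1]) or burst
local ts = tonumber(b[2]) or now
tokens = math.min(burst, tokens + math.max(0, now - ts) * rate)
local allowed = 0
if tokens >= cost then
  tokens = tokens - cost
  allowed = 1
end
redis.call('HSET', KEYS[1], 'tokens', tokens, 'ts', now)
redis.call('EXPIRE', KEYS[1], ttl)
return allowed
`

func main() {
	clock := float64(time.Now().Unix())
	lim := NewLimiter(Limit{Rate: 2, Burst: 5}, func() float64 { return clock })
	for i := 1; i <= 7; i++ {
		ok, wait := lim.Allow("key-123") // constructed API key
		fmt.Printf("request %d: allowed=%v retry-after=%v\n", i, ok, wait)
	}
}
```

The EXPIRE in the script matters operationally: a key that stops sending traffic refills to Burst anyway, so its hash can be dropped after Burst/Rate seconds and recreated full on the next request, which keeps the Redis keyspace proportional to active integrators rather than issued keys.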
Request/Response Logging
Full request and response payloads are logged to MySQL for every external API call, associated with the API key and timestamp.
Why: disputes with integrators require a complete audit trail, and logged payloads let engineers reproduce and diagnose integration issues. Because the table then holds whatever integrators send, fields that carry credentials or personal data need redaction before the write, and the table needs access controls at least as strict as the services it fronts.
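The request/response capture described above, as an added example that is not the project's code: a net/http middleware (Gin's handler chain would wrap it the same way) that reads and restores the request body, tees the handler's status and response through a ResponseWriter wrapper, redacts an assumed list of sensitive JSON fields, caps the logged size, and hands the finished row to a Sink. The in-memory sink, the X-Api-Key header name and the field list are assumptions; the MySQL writer would implement Sink.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// maxLogged caps how many bytes of each payload are persisted (assumed value).
// Oversized bodies are truncated in the log, never dropped, so the row still exists.
const maxLogged = 64 << 10

// Entry is one audit row; in the gateway this is what goes to MySQL.
type Entry struct {
	APIKey   string
	Method   string
	Path     string
	Status   int
	Request  []byte
	Response []byte
	At       time.Time
}

// Sink receives finished entries. memSink stands in for the MySQL writer.
type Sink interface{ Write(Entry) }

type memSink struct{ Entries []Entry }

func (m *memSink) Write(e Entry) { m.Entries = append(m.Entries, e) }

// sensitiveFields (assumed list) are masked in JSON objects before logging so
// the audit table does not become a second copy of credentials or card data.
var sensitiveFields = map[string]bool{"password": true, "secret": true, "card_number": true}

// redact masks top-level sensitive keys; non-object payloads are logged as-is.
func redact(body []byte) []byte {
	var obj map[string]interface{}
	if json.Unmarshal(body, &obj) != nil {
		return body
	}
	for k := range obj {
		if sensitiveFields[k] {
			obj[k] = "[REDACTED]"
		}
	}
	out, _ := json.Marshal(obj)
	return out
}

func truncate(b []byte) []byte {
	if len(b) > maxLogged {
		return b[:maxLogged]
	}
	return b
}

// recorder tees the handler's status and body into a buffer while still
// writing them to the real ResponseWriter, so the client sees nothing different.
type recorder struct {
	http.ResponseWriter
	status int
	body   bytes.Buffer
}

func (r *recorder) WriteHeader(code int) {
	r.status = code
	r.ResponseWriter.WriteHeader(code)
}

func (r *recorder) Write(p []byte) (int, error) {
	r.body.Write(p)
	return r.ResponseWriter.Write(p)
}

// AuditLog wraps a handler and records both halves of the exchange. It assumes
// an upstream http.MaxBytesReader already bounds the request size.
func AuditLog(sink Sink, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		body, _ := io.ReadAll(req.Body)
		req.Body = io.NopCloser(bytes.NewReader(body)) // hand the handler an unread copy
		rec := &recorder{ResponseWriter: w, status: http.StatusOK}
		next.ServeHTTP(rec, req)
		sink.Write(Entry{
			APIKey:   req.Header.Get("X-Api-Key"), // header name assumed
			Method:   req.Method,
			Path:     req.URL.Path,
			Status:   rec.status,
			Request:  truncate(redact(body)), // redact before truncating so a cut JSON object is never logged raw
			Response: truncate(redact(rec.body.Bytes())),
			At:       time.Now().UTC(),
		})
	})
}

func main() {
	sink := &memSink{}
	h := AuditLog(sink, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusCreated)
		w.Write([]byte(`{"id":42,"secret":"tok"}`))
	}))
	req := httptest.NewRequest("POST", "/v1/orders", bytes.NewBufferString(`{"sku":"A1","password":"hunter2"}`)) // constructed
	req.Header.Set("X-Api-Key", "key-123")
	h.ServeHTTP(httptest.NewRecorder(), req)
	for _, e := range sink.Entries {
		fmt.Printf("%s %s %s %d req=%s resp=%s\n", e.APIKey, e.Method, e.Path, e.Status, e.Request, e.Response)
	}
}
```

The redaction here is top-level only; nested objects and non-JSON content types pass through untouched, so the field list and the depth of redaction have to be chosen per endpoint rather than assumed to be complete.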
Technical Decisions
| Decision | Chosen | Alternative | Reason |
|---|---|---|---|
| Separation from internal gateway | Dedicated Gin service | Shared gateway with role-based routing | A separate service isolates external traffic from internal services, preventing external load or attacks from impacting internal API availability. |
| Signature algorithm | HMAC-SHA256 | RSA signatures | HMAC-SHA256 is simpler for integrators to implement and has lower computational overhead than asymmetric signing. The trade-off is that both sides hold the same secret: a valid signature proves the request came from a holder of the key, but cannot show a third party which side produced it, so the gateway must treat its copy of each integrator secret as carefully as the integrator does. |