Building a Unified API Gateway: Lessons from 12 Microservices
Consolidating twelve independent REST APIs behind a single GraphQL gateway — authentication, rate-limiting, and schema stitching war stories.
The Unified API Orchestrator project required consolidating twelve microservices behind a single developer-friendly interface. We chose GraphQL federation over REST aggregation for its type-safety and self-documenting schema. Here's what we learned.
Schema Stitching vs Federation
Schema stitching combines schemas at runtime — flexible but fragile. Federation defines ownership at the subgraph level, with each service owning its portion of the graph. Federation won for us because service teams could deploy schema changes independently without coordinating a central gateway release.
import { createGateway } from "@apollo/gateway";
import { authPlugin } from "./plugins/auth";
import { rateLimitPlugin } from "./plugins/rateLimit";
export const gateway = createGateway({
subgraphs: [
{ name: "users", url: process.env.USER_SERVICE_URL },
{ name: "content", url: process.env.CONTENT_SERVICE_URL },
],
buildService({ url }) {
return new AuthenticatedDataSource({ url });
},
plugins: [authPlugin, rateLimitPlugin],
});Never trust claims forwarded from subgraphs. Re-validate JWT signatures at the gateway layer regardless of what a downstream service reports.