Do I need an API gateway for just handling the authentication for all my micro-services?

Hi, pardon my noob question. I’m new to the API gateway concept and have been perusing the product descriptions of a few, including Tyk and WSO2. I get the idea that it is easy for developers to publish and update their services for subscribers, but those are not really important for most of my API services, which are consumed only by specific sets of mobile apps, not by the public.

What I couldn’t see is whether each of these micro-services would still need to implement its own authentication, or would the API gateway take care of that for them, i.e. all services can be hit without authentication? Would that also mean that the way we deploy the micro-services would require some security, i.e. perhaps open only to localhost, or only to the fixed IP of the API gateway?

Hi @namisan,

From what I understood there, I think your APIs wouldn’t require specific auth. Tyk will manage access for you through policies/keys.

But since all the access and authorization will be managed from Tyk, I think it’s indeed better to have some security that only allows Tyk to call the APIs.
Be careful though that if your APIs are already in use by some mobile apps, adding this limitation may break the older version of the app that will still try to access the API directly.

That was my 2 cents 🙂
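
The restriction discussed in this thread (upstream services that accept calls only from the gateway) can be enforced in the service itself as a second layer behind firewall rules. The sketch below is an added example, not part of the original posts and not Tyk's own code; the gateway address, the `X-Gateway-Secret` header name and the secret value are assumptions chosen for illustration.

```python
import hmac
import ipaddress

# Assumed values for illustration: the gateway's fixed address and a secret
# header the gateway is configured to add to every upstream request.
GATEWAY_NETWORKS = [ipaddress.ip_network("10.0.5.10/32")]
GATEWAY_SECRET = b"constructed-example-secret"
SECRET_HEADER = "HTTP_X_GATEWAY_SECRET"  # WSGI form of X-Gateway-Secret


def is_from_gateway(environ):
    """True only if the TCP peer is the gateway and it sent the shared secret."""
    try:
        # REMOTE_ADDR is the socket peer; X-Forwarded-For is never consulted
        # because the caller controls it.
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    if not any(peer in net for net in GATEWAY_NETWORKS):
        return False
    sent = environ.get(SECRET_HEADER, "").encode()
    return hmac.compare_digest(sent, GATEWAY_SECRET)  # constant-time compare


class GatewayOnly:
    """WSGI middleware that rejects any request not relayed by the gateway."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_from_gateway(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access not allowed\n"]
        return self.app(environ, start_response)


def service(environ, start_response):
    # Stand-in for the micro-service; it performs no authentication itself.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app, environ):
    """Run one constructed request through the app; return (status, body)."""
    seen = {}
    body = b"".join(app(environ, lambda s, h: seen.update(status=s)))
    return seen["status"], body
```

If the service sits behind another proxy or load balancer, `REMOTE_ADDR` will be that hop's address, so the allowlist has to name the hop that actually opens the connection.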