Hi @Olu ! I’m revisiting this issue recently and have a few questions 
As for the question I previously asked, we simply disabled the cache and let the auth middleware do the auth every time, since we don’t have much traffic and our client is not sensitive to latency
We’re setting up a new service recently, and it requires us to do the Authorization header as well as a cookie validation at the same time, so the same question comes again. I’m trying to solve this problem once and for all this time
There’re several options i can think of, and I’m wondering if you could help evaluate them:
- set up another api definition as a proxy. I haven’t tried it out, but as you said, in theory it works. My concern is just it might complicate our api definitions
- disable id extractor and set up a cache in the auth middleware side, which can be managed by us. it adds up the traffic time between gateway instances and middleware instances, but it can be neglected since in-node network time should be < 1 ms
- use a
premiddleware, reference — Cookie + Authorization Bearer. It looks like it works. One question is thatprehook should be run before id extractor, if my understanding is correct
Looking forward to your insights! Thank you!