Berkeley's API gateway serves as a single, centralized entry point for API requests from across the campus.
The gateway hides both the internal workings of the source system and the physical host of the API from clients. It also centralizes functions common to all APIs, such as load balancing, authentication, authorization, and rate limiting. The API gateway is available at https://apis.berkeley.edu.
All incoming API requests are handled by an NGINX reverse proxy, which interacts on the client's behalf with the target API service. The proxy is load-balanced for high availability and performs SSL acceleration, intelligent compression, and caching for the API. The result is that client access is decoupled from the physical API server, which can thus be altered without requiring corresponding changes in any client. The API has a consistent, simplified URL, and the access control defined in the developer portal is enforced seamlessly.
The gateway tracks requests sent by each client to each API, allowing providers to limit the rate at which their API can be accessed. This protects the API service against both malicious denial-of-service attacks and innocent (but no less harmful) client programming errors—preserving the API host's finite resources. Limits can be set on per-second and per-day rates per client.
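The sketch below is an added example, not the gateway's own code. It shows how per-second and per-day limits can be tracked separately for each client and API pair. The fixed-window counters, the class and function names, the client names, the API paths, and the limit values are all assumptions made for illustration; the page does not say which algorithm the gateway uses.

```python
SECONDS_PER_DAY = 86_400


class ClientRateLimiter:
    """Fixed-window request counters kept per (client, API) pair."""

    def __init__(self, per_second, per_day):
        self.per_second = per_second
        self.per_day = per_day
        self._windows = {}  # (client, api, unit) -> (window_id, count)

    def _used(self, key, window_id):
        # A counter from an earlier window no longer counts against the client.
        stored_id, count = self._windows.get(key, (window_id, 0))
        return count if stored_id == window_id else 0

    def allow(self, client_id, api, now):
        """Return (allowed, reason); `now` is a Unix timestamp in seconds."""
        sec_key, day_key = (client_id, api, "s"), (client_id, api, "d")
        sec_id, day_id = int(now), int(now // SECONDS_PER_DAY)
        sec_used = self._used(sec_key, sec_id)
        day_used = self._used(day_key, day_id)
        if day_used >= self.per_day:
            return False, "per-day limit reached"
        if sec_used >= self.per_second:
            return False, "per-second limit reached"
        # Only accepted requests consume quota.
        self._windows[sec_key] = (sec_id, sec_used + 1)
        self._windows[day_key] = (day_id, day_used + 1)
        return True, None


def replay(limiter, requests):
    """Apply the limiter to (timestamp, client, api) tuples; return decisions."""
    return [limiter.allow(client, api, ts)[0] for ts, client, api in requests]


# Constructed sample traffic: one client loops on an API (a programming
# error) while a second client makes a single call in the same second.
SAMPLE = [
    (1000.0, "app-a", "/students"),
    (1000.1, "app-a", "/students"),
    (1000.2, "app-a", "/students"),  # third call within the same second
    (1000.3, "app-b", "/students"),  # different client, separate counters
    (1001.0, "app-a", "/students"),  # new second, per-second count resets
    (1002.0, "app-a", "/students"),  # daily quota is now used up
]

if __name__ == "__main__":
    limiter = ClientRateLimiter(per_second=2, per_day=3)
    for request, ok in zip(SAMPLE, replay(limiter, SAMPLE)):
        print(request, "allowed" if ok else "rejected")
```

Fixed windows permit a short burst across a window boundary; a sliding window or token bucket smooths that at the cost of more state per client.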
Berkeley's entire API management platform has passed assessment by campus security for P4 / A4, their highest data access standards. To ensure that this high level of security is maintained, API providers should allow only our gateway servers to access their physical hosts.