What is an API Gateway: Functions and Benefits

Want to level up from simple CRUD projects? Build a secure RESTful To-Do List API that lets users create, update, and track their tasks with authentication.

I was always confused what "stateless" means in the REST API architecture style. So basically what it means is that each request from a client to the server must contain all the information needed to understand and process that request and the server does not store any information about the client’s state between requests. 🧩 For Example: We have a REST API for a shopping site. Client request 1: GET /products -> Server returns a list of products. Client request 2: POST /cart with body { "product_id": 101 } -> Server adds the product to the user’s cart. Here, the second request must include: The user’s authentication token (like a JWT) The cart data or user ID in the payload The server doesn’t remember that “this user already logged in earlier” — it only knows what’s in the current request. ⚙️ Key Characteristics: - No session on the server: The server doesn’t keep session data (like user login state, cart, or preferences). - Self-contained requests: Each request has all the required info — authentication, parameters, etc. - Scalable: Because the server doesn’t store session data, any server in a cluster can handle any request. - Simpler recovery: If a server crashes, no session data is lost.

🫠 𝗜 𝗮𝗹𝗺𝗼𝘀𝘁 𝘀𝗵𝗶𝗽𝗽𝗲𝗱 𝗮 𝗰𝘂𝘀𝘁𝗼𝗺 𝗠𝗖𝗣 𝗶𝗻𝘁𝗲𝗴𝗿𝗮𝘁𝗶𝗼𝗻...  𝘶𝘯𝘵𝘪𝘭 𝘮𝘺 𝘵𝘦𝘤𝘩 𝘭𝘦𝘢𝘥 𝘴𝘢𝘪𝘥 𝘰𝘯𝘦 𝘴𝘦𝘯𝘵𝘦𝘯𝘤𝘦 𝘵𝘩𝘢𝘵 𝘤𝘩𝘢𝘯𝘨𝘦𝘥 𝘦𝘷𝘦𝘳𝘺𝘵𝘩𝘪𝘯𝘨. Recently at work, I was integrating #MCP (Model Context Protocol) into one of our FastAPI services. Our service generates dynamic endpoints at runtime, so I designed a mechanism where:  1. These dynamically created endpoints register themselves with the MCP server.  2. And the MCP server is exposed as a separate FastAPI route. It worked — but during a discussion, my tech lead asked a simple question: ➡️ “𝙒𝙝𝙮 𝙙𝙞𝙙𝙣’𝙩 𝙮𝙤𝙪 𝙪𝙨𝙚 #FastMCP? 𝙄𝙩 𝙖𝙡𝙧𝙚𝙖𝙙𝙮 𝙞𝙣𝙩𝙚𝙜𝙧𝙖𝙩𝙚𝙨 𝙈𝘾𝙋 𝙬𝙞𝙩𝙝 𝙁𝙖𝙨𝙩𝘼𝙋𝙄.” At first, my thought was: 𝗙𝗮𝘀𝘁𝗠𝗖𝗣 doesn’t support dynamic endpoint exposure without writing wrapper methods, so implementing it myself felt cleaner. Even several LLM agents I checked with suggested that a custom implementation was reasonable. 𝘽𝙪𝙩 𝙢𝙮 𝙩𝙚𝙘𝙝 𝙡𝙚𝙖𝙙 𝙞𝙣𝙨𝙞𝙨𝙩𝙚𝙙 𝙤𝙣 𝙁𝙖𝙨𝙩𝙈𝘾𝙋 — 𝙖𝙣𝙙 𝙄 𝙬𝙖𝙨 𝙢𝙞𝙨𝙨𝙞𝙣𝙜 𝙖 𝙠𝙚𝙮 𝙥𝙞𝙚𝙘𝙚 𝙤𝙛 𝙩𝙝𝙚 𝙥𝙪𝙯𝙯𝙡𝙚. 🔍 𝗧𝗵𝗲 𝗠𝗶𝘀𝘀𝗶𝗻𝗴 𝗜𝗻𝘀𝗶𝗴𝗵𝘁 He gave me two practical, grounded reasons that honestly reshaped how I think about framework choices: 1️⃣ 𝗙𝗮𝘀𝘁𝗠𝗖𝗣 is actively maintained and widely adopted With 140+ contributors and strong community momentum, it’s far more future-proof than a custom in-house integration. A self-built solution works today… …but long-term maintenance, patches, security fixes, and upgrades become your responsibility. 2️⃣ Scaling considerations matter more than elegance If our MCP endpoint suddenly receives 10× or 50× more traffic, a 𝗙𝗮𝘀𝘁𝗠𝗖𝗣-driven implementation that runs as its own FastAPI microservice gives far better operational flexibility. My version tightly coupled MCP behavior into the existing service. 𝗙𝗮𝘀𝘁𝗠𝗖𝗣 lets you:  • Spin it out as its own deployable  • Scale it independently  • Use standard FastAPI patterns for monitoring, autoscaling, load balancing, etc. This is something you only fully appreciate after seeing systems evolve in the wild. 🎯 𝗠𝘆 𝗧𝗮𝗸𝗲𝗮𝘄𝗮𝘆 Sometimes the tradeoff isn’t “my implementation vs. their package” — it’s “short-term neatness vs. long-term durability and scalability.” 𝘛𝘩𝘪𝘴 𝘤𝘰𝘯𝘷𝘦𝘳𝘴𝘢𝘵𝘪𝘰𝘯 𝘳𝘦𝘪𝘯𝘧𝘰𝘳𝘤𝘦𝘥 𝘴𝘰𝘮𝘦𝘵𝘩𝘪𝘯𝘨 𝘦𝘷𝘦𝘳𝘺 𝘚𝘋𝘌 𝘦𝘷𝘦𝘯𝘵𝘶𝘢𝘭𝘭𝘺 𝘭𝘦𝘢𝘳𝘯𝘴: 👉 𝘊𝘩𝘰𝘰𝘴𝘪𝘯𝘨 𝘵𝘩𝘦 𝘳𝘪𝘨𝘩𝘵 𝘢𝘣𝘴𝘵𝘳𝘢𝘤𝘵𝘪𝘰𝘯 𝘪𝘴 𝘢𝘴 𝘪𝘮𝘱𝘰𝘳𝘵𝘢𝘯𝘵 𝘢𝘴 𝘸𝘳𝘪𝘵𝘪𝘯𝘨 𝘤𝘭𝘦𝘢𝘯 𝘤𝘰𝘥𝘦. 👉 𝘊𝘰𝘮𝘮𝘶𝘯𝘪𝘵𝘺, 𝘦𝘤𝘰𝘴𝘺𝘴𝘵𝘦𝘮, 𝘢𝘯𝘥 𝘰𝘱𝘦𝘳𝘢𝘵𝘪𝘰𝘯𝘢𝘭 𝘪𝘮𝘱𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯𝘴 𝘮𝘢𝘵𝘵𝘦𝘳 𝘫𝘶𝘴𝘵 𝘢𝘴 𝘮𝘶𝘤𝘩 𝘢𝘴 𝘵𝘦𝘤𝘩𝘯𝘪𝘤𝘢𝘭 𝘤𝘰𝘳𝘳𝘦𝘤𝘵𝘯𝘦𝘴𝘴. 𝗗𝗼 𝘆𝗼𝘂 𝗮𝗹𝘀𝗼 𝗲𝘃𝗮𝗹𝘂𝗮𝘁𝗲 𝗯𝘂𝗶𝗹𝗱-𝘃𝘀-𝗮𝗱𝗼𝗽𝘁 𝘁𝗵𝗶𝘀 𝘄𝗮𝘆? #MCP #FastAPI #FastMCP #BackendEngineering #SDLC #SystemDesign #Scalability #BuildVsBuy #SoftwareArchitecture

What Does an API Gateway Do? Step 1 - The client sends an HTTP request to the API gateway. Step 2 - The API gateway parses and validates the attributes in the HTTP request. Step 3 - The API gateway performs allow-list/deny-list checks. Step 4 - The API gateway talks to an identity provider for authentication and authorization. Step 5 - The rate limiting rules are applied to the request. If it is over the limit, the request is rejected. Steps 6 and 7 - Now that the request has passed basic checks, the API gateway finds the relevant service to route to by path matching. Step 8 - The API gateway transforms the request into the appropriate protocol and sends it to backend microservices. Steps 9-12 - The API gateway can handle errors properly and deals with faults if the error takes a longer time to recover (circuit break). It can also leverage ELK (Elastic-Logstash-Kibana) stack for logging and monitoring. We sometimes cache data in the API gateway.

🧠 𝗿𝘀𝘆𝘀𝗹𝗼𝗴 & 𝗹𝗼𝗴𝗿𝗼𝘁𝗮𝘁𝗲 — 𝗧𝗵𝗲 𝗨𝗻𝘀𝘂𝗻𝗴 𝗛𝗲𝗿𝗼𝗲𝘀 𝗼𝗳 𝗘𝘃𝗲𝗿𝘆 𝗟𝗶𝗻𝘂𝘅 𝗦𝗲𝗿𝘃𝗲𝗿 One thing I’ve learned working in environments: 𝗹𝗼𝗴𝘀 𝗰𝗮𝗻 𝘀𝗮𝘃𝗲 𝘆𝗼𝘂… or kill your system if you ignore them. That’s where two silent heroes step in — 𝗿𝘀𝘆𝘀𝗹𝗼𝗴 and 𝗹𝗼𝗴𝗿𝗼𝘁𝗮𝘁𝗲. Both work quietly in the background, but together, they keep your servers healthy and stable. ⚙️ 𝗿𝘀𝘆𝘀𝗹𝗼𝗴 — 𝗧𝗵𝗲 𝗟𝗼𝗴 𝗖𝗼𝗹𝗹𝗲𝗰𝘁𝗼𝗿 This is the service responsible for collecting, filtering, and routing logs. Every message from your system — whether it’s the kernel, SSH, NGINX, or your custom app — passes through rsyslog. It decides where logs go and how they’re stored. You can even forward logs to a central log server or your ELK stack from here. In short: 𝗶𝘁’𝘀 𝘁𝗵𝗲 𝗯𝗿𝗮𝗶𝗻 𝗼𝗳 𝘆𝗼𝘂𝗿 𝗹𝗼𝗴𝗴𝗶𝗻𝗴 𝘀𝘆𝘀𝘁𝗲𝗺. ♻️ 𝗹𝗼𝗴𝗿𝗼𝘁𝗮𝘁𝗲 — 𝗧𝗵𝗲 𝗟𝗼𝗴 𝗛𝗼𝘂𝘀𝗲𝗸𝗲𝗲𝗽𝗲𝗿 Once logs are written and stored, logrotate handles the maintenance. It automatically rotates, compresses, and removes old log files — preventing /var/log from eating up all your disk space. It enforces retention, saves space, and keeps your system running smoothly — no manual cleanup, no surprises. 🔁 𝗛𝗼𝘄 𝗧𝗵𝗲𝘆 𝗪𝗼𝗿𝗸 𝗧𝗼𝗴𝗲𝘁𝗵𝗲𝗿 rsyslog writes and manages the flow of logs. logrotate manages their lifecycle. One captures, the other cleans — and that balance keeps production servers running 24/7 without drama. 💡 Why This Duo Matters in Production ✅ Prevents disk space issues ✅ Keeps logs organized and searchable ✅ Automates cleanup and retention ✅ Reduces manual maintenance ✅ Supports compliance and monitoring setups Logs might look boring, but trust me — ignoring them is how you learn the hard way. 🌟 A big thanks to Al Nafi International College for designing such a comprehensive and practical learning program. Get your rsyslog and logrotate setup right, and you’ll sleep better knowing your systems won’t break because of a 50GB log file. 😅

HTTP STATUS CODE, you need to know for API Development HTTP status codes are 3-digit numbers returned by a web server to indicate the result of a client's request/response. In API development choosing the right codes enhances clarity, debugging, and align with industry standard. Automated error handling in client applications Proper caching behavior by intermediary servers Meaningful monitoring and alerting in production systems Better developer experience during integration The Five Categories (1xx–5xx): Informational responses (100 – 199) Successful responses (200 – 299) Redirection messages (300 – 399) Client error responses (400 – 499) Server error responses (500 – 599) Code Name Description Typical Use 100 Continue Server has received the headers; client should continue. Rarely used directly; used in chunked requests. 101 Switching Protocols Server switches protocols as requested by the client. WebSocket handshake upgrade. 102 Processing WebDAV: server is processing but no response yet. Long-running requests, WebDAV. 103 https://lnkd.in/gHtcp6Bv

Let’s Talk About SOAP API — The Old Yet Reliable Web Service Standard When we talk about web services today, REST and GraphQL often steal the spotlight. But there’s another hero that’s been quietly powering some of the most secure and critical systems for decades — SOAP API (Simple Object Access Protocol). 🧠 So, what exactly is SOAP? SOAP is a protocol-based way of communication between systems. It uses XML to format messages and typically works over HTTP or HTTPS. Unlike REST, which is flexible, SOAP follows strict standards defined in something called WSDL (Web Services Description Language) — basically, a contract that tells the client exactly what operations are available and how to use them. ⚙️ How does it work? 1. A client sends a request (in XML format) to a SOAP server. 2. The server processes it and responds with another XML message. 3. Everything — from structure to data types — follows the WSDL contract. 🧩 What’s inside a SOAP message? Envelope: The wrapper for the whole message. Header: Holds extra info like authentication. Body: The main request or response data. Fault: Used for error details (SOAP handles this really well). 💼 Where do we still use SOAP? Even though it’s not as “modern” as REST, SOAP is still heavily used in: Banking and Finance: Where data integrity and security matter most. Telecom Systems: For handling complex, structured data. Government and Enterprise Applications: Where stability and compliance are top priorities. Legacy System Integration: Because SOAP provides well-defined, contract-based communication. 🚀 Why developers still trust SOAP: SOAP may seem old-school, but it’s rock-solid. It’s reliable, secure (thanks to WS-Security), and perfect for systems where precision and standards matter more than simplicity.

We have finalized full Model Context Protocol compliance for MCP Proxy. This is not marketing wording. The proxy now implements the complete MCP spec — including version negotiation, streamable HTTP transport, headers, error codes and detailed behavioral rules — not just the surface level API shapes. Both stateful and stateless modes are fully supported. This gives predictable behavior in persistent connections and in serverless style deployments. Documentation is here: https://lnkd.in/dfyPMfef For teams who are integrating MCP, the value is simple: no workarounds, no gray areas, no protocol guesswork. Our approach has been that protocol compliance is not a “nice to have feature”. It is a requirement if you want the ecosystem to scale. This documentation will stay alive — and we will maintain the same strictness as the spec evolves.

Understanding HTTP Methods: Idempotency and the Forgotten OPTIONS I've been reviewing API design lately, and it struck me how often we overlook the fundamental concepts behind HTTP methods. Let me break down something that changed how I think about building APIs. What is Idempotency? An idempotent operation produces the same result no matter how many times you execute it. Think of it like a light switch set to "on." Flipping it to "on" once or ten times gives you the same result: the light is on. The Idempotent Methods: GET - Reading data never changes it. Request the same resource 100 times, you get the same response. PUT - Designed to replace a resource completely. Update a user's profile with the same data repeatedly, and the end state remains identical. DELETE - Remove a resource once or multiple times, the result is the same: it's gone. Subsequent DELETE requests typically return 404. PATCH - While technically it can be idempotent, it depends on implementation. A well-designed PATCH that sets absolute values is idempotent. HEAD and OPTIONS - These are also idempotent by nature. The Non-Idempotent Method: POST - Each request can create a new resource or trigger a new action. Submit a payment form twice? You might get charged twice. This is why we implement safeguards like idempotency keys in payment systems. The Underutilized OPTIONS Method Here's something most developers don't use enough: OPTIONS tells clients what methods are available for a resource and what the API supports. When a client sends an OPTIONS request, the server responds with allowed methods in the Allow header. This is crucial for: - CORS preflight requests that browsers send automatically - API discovery and documentation - Determining supported operations before attempting them Example response headers: Allow: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Methods: GET, POST, PUT Why This Matters: Understanding idempotency helps you: - Design more reliable APIs - Handle retries gracefully in distributed systems - Prevent duplicate operations in unreliable networks - Make informed decisions about which HTTP method to use Next time you're building an API, ask yourself: should this operation be idempotent? Your answer will guide you toward the right HTTP method

➡️Dependency Injection (DI) Lifetimes in .NET Core When you register services in Program.cs using builder.Services.Add..., you specify how long each instance should live — this is called service lifetime. 1. Transient ✅ New instance created every time it’s requested. 👉 Best for lightweight, stateless services. Example use: Helper classes, formatters, or short operations. 2. Scoped ✅ One instance per HTTP request. 👉 Most common for Web API — keeps request data consistent. Example use: Business logic services, repositories. 3. Singleton Single instance for the entire application lifetime. 👉 Ideal for shared resources (e.g., cache, configuration). Example use: Logging, caching, configuration providers. ✅app.Use(), app.Run(), and app.Map() — Middleware Flow In .NET Core, middleware defines the HTTP request pipeline. ✅ Executes logic before and after next middleware. 👉 Great for logging, authentication, or request handling. ✅app.Run() Defines the end of the pipeline. Once it runs, no other middleware executes. ✅ Usually the last middleware — acts as a terminal handler. ✅app.Map() Used to branch the pipeline based on URL path. ✅ Great for defining specific route-based pipelines (like /api, /admin, etc.). 1.Use Use() for middleware, 2.Map() for routing branches, 3.and Run() to end the pipeline. ✅What is the Request Pipeline in .NET Core? The request pipeline is the sequence of middleware components that handle an HTTP request before it reaches your endpoint (controller or Razor page). Each middleware: • Can perform work before and after the next middleware. • Either passes the request to the next middleware or short-circuits the pipeline (ends response early). ✅Example pipeline flow: Request → ExceptionHandler → Routing → Authentication → Authorization → Endpoint → Response