An API gateway is a server that sits between clients and backend services, acting as the single entry point through which all API traffic passes. Every request goes through the gateway, which can inspect, modify, authenticate, route, transform, and rate-limit that traffic before it reaches any backend service. For teams running multiple services, an API gateway centralizes concerns that would otherwise be duplicated across every service independently.

Understanding what a gateway provides — and what it does not — is the prerequisite to deciding whether one belongs in your architecture.

Most SaaS APIs are multi-tenant: the same infrastructure serves many customers, each operating in isolation from the others. A user of Tenant A should never see, modify, or even know about the data of Tenant B. This isolation is the foundational guarantee of a multi-tenant system, and it must hold at every layer of the stack — not just at the query level, but at the API design level, the authentication level, and the operational level.