Edge & Ingress
API Gateway
Single entry point for APIs: authentication, quotas and routing. A Policy Enforcement Point (PEP) at the system edge.
Plane: Edge & Ingress
Flow step: 1
Frameworks: NIST 800-53 · 800-207 · OWASP LLM10
Technology
Why use it
Centralize API access (authentication, quotas, routing) instead of exposing each service directly.
Why it matters to security
It is a PEP at the edge: it enforces mTLS, JWT, rate limits and validation before a request reaches the application.
Implementations: Kong · Apigee · Azure API Management · AWS API Gateway · NGINX
No exposed API without a gateway: a directly reachable service is a bypassed control.
Recommendations by maturity tier
Foundation
Minimum viable baseline
- mTLS / TLS and call authentication (JWT) (NIST 800-53 AC-3 · IA-5 · SC-8). Every call is encrypted and authenticated at ingress.
- Request schema validation (NIST 800-53 SI-10). Rejecting anything off-contract closes the door to malformed inputs.
- Baseline rate limiting (NIST 800-53 SC-5). A simple cap prevents a single client from saturating the service.
Enterprise
Enterprise standard
- Per-consumer quotas (NIST 800-53 SC-5 · OWASP LLM10:2025). Per-identity quotas bound usage and cost, not just global throughput.
- Holder-bound JWT with restricted audience (NIST 800-53 AC-3 · IA-5). Binding the token to the caller's mTLS certificate or DPoP key (the `cnf` claim) makes a stolen token useless to anyone else, and a narrow `aud` makes it useless against any other service.
- Full call logging (NIST 800-53 AU-2 · AU-12). Call traceability is the basis of investigation and compliance.
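The Foundation and Enterprise controls above, combined in one gateway-side PEP. This is an added illustration, not code from any of the products listed, and it uses only the Python standard library: an HS256 JWT with a shared secret stands in for the IdP-signed token (a real gateway verifies RS/ES signatures against the IdP's JWKS), the `cnf`/`x5t#S256` binding follows RFC 8705 (certificate thumbprint), and the audience name, secret, schema, certificate bytes and requests are all constructed here.

```python
"""Gateway PEP: JWT auth with audience + holder binding, schema validation,
per-consumer token-bucket quota, and an audit record for every outcome."""
import base64
import hashlib
import hmac
import json

AUDIENCE = "orders-api"            # assumed name of the service behind the gateway
SECRET = b"gateway-shared-secret"  # assumed HS256 key (stand-in for the IdP's signing key)
ORDER_SCHEMA = {"sku": str, "qty": int}  # assumed API contract for POST /orders
AUDIT = []                         # in-memory stand-in for the gateway's access log


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict) -> str:
    """Issuer side; only needed here to build sample tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, client_cert_der: bytes, now: float) -> dict:
    """Signature, expiry, audience, and holder binding (cnf.x5t#S256 == sha256(cert))."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # never trust alg from the token blindly
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")
    thumb = b64url(hashlib.sha256(client_cert_der).digest())
    if claims.get("cnf", {}).get("x5t#S256") != thumb:
        raise PermissionError("token not bound to presenting client")
    return claims


def validate_body(body: dict, schema: dict) -> None:
    """Reject unknown or missing fields and wrong types (bool is not int here)."""
    unknown, missing = set(body) - set(schema), set(schema) - set(body)
    if unknown or missing:
        raise ValueError(f"off-contract fields: unknown={sorted(unknown)} missing={sorted(missing)}")
    for key, typ in schema.items():
        if type(body[key]) is not typ:
            raise ValueError(f"{key} must be {typ.__name__}")


class ConsumerQuota:
    """Token bucket per consumer identity, not one global bucket."""
    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst, self.buckets = rate_per_s, burst, {}

    def allow(self, consumer: str, now: float) -> bool:
        tokens, last = self.buckets.get(consumer, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[consumer] = (tokens, now)
            return False
        self.buckets[consumer] = (tokens - 1, now)
        return True


QUOTA = ConsumerQuota(rate_per_s=1.0, burst=3)  # assumed limits for the example


def _log(sub, status, reason, now):
    AUDIT.append({"ts": now, "sub": sub, "status": status, "reason": reason})
    return status, reason


def handle(token: str, client_cert_der: bytes, body: dict, now: float):
    """Order of checks: authenticate, validate, throttle, then forward."""
    sub = None
    try:
        claims = verify_jwt(token, client_cert_der, now)
        sub = claims["sub"]
        validate_body(body, ORDER_SCHEMA)
        if not QUOTA.allow(sub, now):
            return _log(sub, 429, "quota exceeded", now)
        return _log(sub, 200, "forwarded", now)
    except PermissionError as e:
        return _log(sub, 401, str(e), now)
    except ValueError as e:
        return _log(sub, 400, str(e), now)


# Constructed sample data: a stand-in for the client's DER certificate and three tokens.
CLIENT_CERT = b"-- constructed stand-in for the client's DER certificate --"
T0 = 1_700_000_000.0
OK_BODY = {"sku": "A1", "qty": 2}
_bound = {"x5t#S256": b64url(hashlib.sha256(CLIENT_CERT).digest())}
GOOD = mint_jwt({"sub": "svc-checkout", "aud": AUDIENCE, "exp": T0 + 300, "cnf": _bound})
WRONG_AUD = mint_jwt({"sub": "svc-checkout", "aud": "billing-api", "exp": T0 + 300, "cnf": _bound})
EXPIRED = mint_jwt({"sub": "svc-checkout", "aud": AUDIENCE, "exp": T0 - 1, "cnf": _bound})

if __name__ == "__main__":
    print(handle(GOOD, CLIENT_CERT, OK_BODY, T0))              # 200 forwarded
    print(handle(GOOD, b"other client's cert", OK_BODY, T0))  # 401, stolen token is useless
    print(handle(WRONG_AUD, CLIENT_CERT, OK_BODY, T0))         # 401 wrong audience
```

Because the quota is keyed on `sub`, one noisy consumer is throttled while others keep their full allowance; because validation runs before the quota check, malformed requests never consume budget.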
Advanced
High-assurance / regulated
- Delegate the decision to the PDP (PEP → PDP) (NIST 800-53 AC-3 · AC-24; NIST 800-207 §3.1). The gateway enforces; the PDP decides, consistently across the whole system.
- Risk-adaptive quotas (NIST 800-53 SI-4). The cap tightens automatically as risk rises.
- Usage-anomaly detection (NIST 800-53 SI-4). Out-of-norm usage triggers an alert or a block.
Architecture notes
- Externalize authorization to the PDP. The gateway enforces, it does not decide. Coding rules into the gateway recreates policy silos; delegate the decision to the PDP.
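The Advanced tier and the architecture note describe the same split: the gateway (PEP) sends a decision request to a PDP, enforces the answer and its obligations, and reports usage back for anomaly detection. The following is an added illustration of that loop, not any vendor's or policy engine's API. The PDP is an in-process function here (a real deployment would call OPA or a similar PDP over HTTP), the policy rules, risk tiers, base quota and usage baselines are all assumptions constructed for the example, and the risk score is taken as an attribute already supplied by a PIP such as a UEBA feed.

```python
"""PEP -> PDP delegation: the PDP returns a decision plus a quota obligation that
shrinks with risk; the PEP enforces it and flags windows whose usage is off-baseline."""
import statistics
from dataclasses import dataclass


@dataclass
class DecisionRequest:          # what the PEP sends; attributes are gathered from PIPs
    subject: str
    action: str
    resource: str
    risk_score: float           # 0.0 benign .. 1.0 hostile (assumed scale from a UEBA PIP)
    mfa: bool


@dataclass
class Decision:
    allow: bool
    reason: str
    quota_per_window: int = 0   # obligation: the PEP must enforce this cap


BASE_QUOTA = 600                # assumed calls per window at lowest risk


def pdp_decide(req: DecisionRequest) -> Decision:
    """Central policy; no gateway encodes these rules itself (assumed rules)."""
    if req.action in ("create", "delete") and req.resource.startswith("orders") and not req.mfa:
        return Decision(False, "mfa required for write", 0)
    if req.risk_score >= 0.9:
        return Decision(False, "risk too high", 0)
    # Risk-adaptive obligation: the cap tightens as the risk score rises.
    if req.risk_score < 0.3:
        quota = BASE_QUOTA
    elif req.risk_score < 0.6:
        quota = BASE_QUOTA // 2
    else:
        quota = BASE_QUOTA // 10
    return Decision(True, "policy permits", quota)


class UsageAnomalyDetector:
    """Per-consumer baseline of calls per window; flags counts beyond mean + z * stdev."""
    def __init__(self, min_windows: int = 5, z: float = 3.0):
        self.min_windows, self.z, self.history = min_windows, z, {}

    def check(self, consumer: str, count: int) -> bool:
        hist = self.history.setdefault(consumer, [])
        anomalous = False
        if len(hist) >= self.min_windows:
            mean, sd = statistics.mean(hist), statistics.pstdev(hist)
            anomalous = count > mean + self.z * max(sd, 1.0)  # floor sd so flat baselines still work
        if not anomalous:
            hist.append(count)   # anomalous windows are not folded into the baseline
        return anomalous


class GatewayPEP:
    def __init__(self, pdp, detector: UsageAnomalyDetector):
        self.pdp, self.detector, self.usage = pdp, detector, {}

    def enforce(self, req: DecisionRequest, window: int):
        """Ask the PDP, then apply its decision and quota obligation."""
        decision = self.pdp(req)
        if not decision.allow:
            return "deny", decision.reason
        key = (req.subject, window)
        self.usage[key] = self.usage.get(key, 0) + 1
        if self.usage[key] > decision.quota_per_window:
            return "throttle", f"quota {decision.quota_per_window}/window exceeded"
        return "forward", decision.reason

    def close_window(self, consumer: str, window: int) -> bool:
        """At window end, hand the count to the detector; True means raise an alert."""
        return self.detector.check(consumer, self.usage.pop((consumer, window), 0))


def simulate() -> dict:
    """Constructed traffic: a write without MFA, a hostile caller, an elevated-risk caller."""
    pep = GatewayPEP(pdp_decide, UsageAnomalyDetector())
    out = {}
    out["no_mfa_write"] = pep.enforce(DecisionRequest("alice", "create", "orders/1", 0.1, False), 0)
    out["hostile"] = pep.enforce(DecisionRequest("svc-batch", "read", "orders", 0.95, True), 0)
    out["low_risk"] = pep.enforce(DecisionRequest("svc-batch", "read", "orders", 0.0, True), 0)
    elevated = DecisionRequest("svc-batch", "read", "orders", 0.7, True)
    results = [pep.enforce(elevated, 1) for _ in range(61)]
    out["elevated_60th"], out["elevated_61st"] = results[59], results[60]
    for count in (100, 110, 95, 105, 100):           # constructed baseline windows
        pep.detector.check("svc-batch", count)
    out["normal_window"] = pep.detector.check("svc-batch", 112)
    out["spike_window"] = pep.detector.check("svc-batch", 400)
    return out


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The gateway never inspects `risk_score` or `mfa` itself; it only carries the attributes to the PDP and enforces what comes back, so changing the risk tiers or the MFA rule touches one place and applies to every gateway that asks.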
References
NIST SP 800-53 Rev5
AC-3 (Access Enforcement), AC-24 (Access Control Decisions), IA-5 (Authenticator Management), SC-5 (Denial-of-Service Protection), SC-8 (Transmission Confidentiality and Integrity), SI-4 (System Monitoring), SI-10 (Information Input Validation), AU-2 (Event Logging), AU-12 (Audit Record Generation).
NIST SP 800-207
§3.1 — the gateway acts as a Policy Enforcement Point (PEP).
OWASP LLM10:2025
Unbounded Consumption — per-consumer quotas.
Abbreviations
PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
PAP: Policy Administration Point
IdP: Identity Provider
TSS: Token Service
NHI: Non-Human Identity
RBAC: Role-Based Access Control
ABAC: Attribute-Based Access Control
MFA: Multi-Factor Authentication
HITL: Human-in-the-loop
JIT: Just-In-Time
CAE: Continuous Access Evaluation
CAEP: Continuous Access Evaluation Profile
DPoP: Demonstrating Proof-of-Possession
mTLS: mutual TLS
PII: Personally Identifiable Information
KMS: Key Management Service
CI/CD: Continuous Integration / Continuous Delivery
SIEM: Security Information and Event Management
SOAR: Security Orchestration, Automation and Response
SCIM: System for Cross-domain Identity Management
XACML: eXtensible Access Control Markup Language
OPA: Open Policy Agent
OWASP: Open Worldwide Application Security Project
NIST: National Institute of Standards and Technology
ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM: Large Language Model
WAF: Web Application Firewall
CDN: Content Delivery Network
DDoS: Distributed Denial of Service
DLP: Data Loss Prevention
JWT: JSON Web Token
API: Application Programming Interface
CRS: Core Rule Set (OWASP)
RAG: Retrieval-Augmented Generation
MCP: Model Context Protocol
PBAC: Permission-Based Access Control
HSM: Hardware Security Module
UEBA: User and Entity Behavior Analytics
SBOM: Software Bill of Materials
SLSA: Supply-chain Levels for Software Artifacts
WORM: Write Once, Read Many
SPIFFE: Secure Production Identity Framework For Everyone