API security gateway processing occurs in two phases

The inbound phase

When the API security gateway receives an HTTP request, it generates a policy request with an action label including the phase and the HTTP method, such as inbound-POST or inbound-GET. Based on the result returned by the policy engine, the request might be rejected immediately or it might be forwarded to the API server, potentially with modifications.

The following diagram illustrates the inbound request processing.

[Diagram: Inbound request processing, with the API Security Gateway as reverse proxy. 1. Client HTTP request (HTTP client to API Security Gateway); 2. Policy request (API Security Gateway to Policy Engine); 3. Policy decision (Policy Engine to API Security Gateway); 4. Forwarded HTTP request (API Security Gateway to API).]

The outbound phase

When the API server returns an HTTP response to the API security gateway, another policy request is generated, again with an action label including the phase and HTTP method, such as outbound-POST or outbound-GET. Based on the result returned by the policy engine, the response might be modified, and then it is forwarded back to the HTTP client.

The following diagram illustrates the outbound request processing.

[Diagram: Outbound request processing, with the API Security Gateway as reverse proxy. 1. API server HTTP response (API to API Security Gateway); 2. Policy request (API Security Gateway to Policy Engine); 3. Policy decision (Policy Engine to API Security Gateway); 4. Final HTTP response (API Security Gateway to HTTP client).]

Service name must match Gateway API Endpoint name

In "Adding a policy for the Create Game endpoint", we named the service to match the name of the Gateway API Endpoint in the PingAuthorize configuration. This match matters because of how policy requests are built. When PingAuthorize receives an HTTP request, it generates a policy request that represents the HTTP request and sends it to its policy engine for processing. The policy request includes a service field, and its name is the name of the Gateway API Endpoint that handled the HTTP request.
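
The two phases and the service-name match can be traced with a small model. This is an added example, not PingAuthorize code: `Policy`, `policy_request`, `decide`, `handle` and the sample data are hypothetical, and refusing any request for which no policy returns PERMIT is an assumption of the model, not documented product behavior.

```python
# Toy model of the two-phase flow; added illustration, not PingAuthorize code.
# Policy, policy_request, decide, handle and the sample data are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    service: str        # service name the policy targets
    action: str         # action label, e.g. "inbound-POST"
    decision: str       # "PERMIT" or "DENY"
    redact: tuple = ()  # response fields removed on an outbound PERMIT

def policy_request(phase, method, endpoint_name):
    # Action label is phase plus HTTP method; the service field carries
    # the name of the Gateway API Endpoint that handled the request.
    return {"action": f"{phase}-{method}", "service": endpoint_name}

def decide(policies, request):
    for p in policies:
        if (p.service, p.action) == (request["service"], request["action"]):
            return p
    return None  # no policy targets this service/action pair

def handle(policies, endpoint_name, method, api_server, body):
    trace, response = [], None
    for phase in ("inbound", "outbound"):
        request = policy_request(phase, method, endpoint_name)
        policy = decide(policies, request)
        trace.append((request["action"],
                      policy.decision if policy else "NOT_APPLICABLE"))
        # Assumption of this model: anything other than PERMIT is refused.
        if policy is None or policy.decision != "PERMIT":
            return {"status": 403, "body": {}}, trace
        if phase == "inbound":
            response = api_server(body)  # forward to the API server
        else:
            response = {k: v for k, v in response.items()
                        if k not in policy.redact}
    return {"status": 200, "body": response}, trace

def fake_api_server(body):  # constructed stand-in for the API server
    return {"id": 1, "name": body["name"], "internal_note": "debug"}

def policies_for(service_name):  # constructed sample policies
    return [Policy(service_name, "inbound-POST", "PERMIT"),
            Policy(service_name, "outbound-POST", "PERMIT", ("internal_note",))]

if __name__ == "__main__":
    for svc in ("Create Game", "Create Games"):  # second name does not match
        print(svc, handle(policies_for(svc), "Create Game", "POST",
                          fake_api_server, {"name": "chess"}))
```

In this model, the policies written for the misspelled service name are never selected, so the request handled by the "Create Game" endpoint is evaluated without them.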