JWT authentication, token-bucket rate limiting, and reverse proxying — no framework, no queue, one binary. Everything below is a real request against this running instance.
Rejects missing or invalid tokens with 401 before anything else runs.
Token bucket per IP, per route. Exhausted buckets get 429.
Prefix match, strip, forward — full method, headers, and body.
Each action below sends a real HTTP request from your browser to this instance. Responses land in the log on the right, in the order they return.
Generate a token to unlock the protected calls. The rate limiter resets after a few seconds of idle time.
For this demo deployment, the gateway and both upstream services run as one process on one port. In production they'd ship as separate services — nothing about the routing logic changes either way.
Public port. Auth, rate limiting, and routing all happen here.
In-process upstream, unreachable from outside the container.
Same isolation as users — internal only.
Liveness check for the platform's health probe.
Backend services trust the gateway completely — they implement no auth of their own. Everything past the routing layer assumes the request already passed both checks.
Everything is injected at runtime. No secrets are committed to the image.
| Variable | Default | Purpose |
|---|---|---|
JWT_SECRET |
supersecretkey (demo only) |
HMAC key used to sign and verify tokens. Always override this outside of local dev. |
USERS_SERVICE |
localhost:3001 |
Upstream target for the /api/users prefix. |
ORDERS_SERVICE |
localhost:3002 |
Upstream target for the /api/orders prefix. |