A simple api gateway.

JWT authentication, token-bucket rate limiting, and reverse proxying — no framework, no queue, one binary. Everything below is a real request against this running instance.

How it's built
01 — AUTHENTICATE

Validate JWT

Rejects missing or invalid tokens with 401 before anything else runs.

02 — THROTTLE

Check rate limit

Token bucket per IP, per route. Exhausted buckets get 429.

03 — ROUTE

Proxy upstream

Prefix match, strip, forward — full method, headers, and body.

interactive

Run requests against the live gateway

Each action below sends a real HTTP request from your browser to this instance. Responses land in the log on the right, in the order they return.

no session token

Generate a token to unlock the protected calls. The rate limiter resets after a few seconds of idle time.

— waiting for first request —
token — none generated yet
architecture

One container, three roles

For this demo deployment, the gateway and both upstream services run as one process on one port. In production they'd ship as separate services — nothing about the routing logic changes either way.

entry :8080

Public port. Auth, rate limiting, and routing all happen here.

/api/users 127.0.0.1:3001

In-process upstream, unreachable from outside the container.

/api/orders 127.0.0.1:3002

Same isolation as users — internal only.

/health 200 OK

Liveness check for the platform's health probe.

Backend services trust the gateway completely — they implement no auth of their own. Everything past the routing layer assumes the request already passed both checks.

configuration

Environment

Everything is injected at runtime. No secrets are committed to the image.

Variable Default Purpose
JWT_SECRET supersecretkey (demo only) HMAC key used to sign and verify tokens. Always override this outside of local dev.
USERS_SERVICE localhost:3001 Upstream target for the /api/users prefix.
ORDERS_SERVICE localhost:3002 Upstream target for the /api/orders prefix.