Internal API gateway
| | |
| --- | --- |
| ID | MOD-075 |
| System | SD07 |
| Repo | bank-platform |
| Build status | Deployed |
| Deployed | Yes |
| Last commit | bbdfbac46a1b5cf6dc25b4c7cd428a8daa669d03 |

The internal API gateway is the single entry point for all service-to-service and app-to-backend communication within the platform. Every API call from the customer app, the back-office app, and inter-service integrations passes through this gateway, which handles TLS termination, service authentication, rate limiting, request routing, API version negotiation, and request logging before forwarding to the target service.
Unlike the Open Banking gateway (MOD-061) — which handles external third-party CDR access — and the JWT RBAC module (MOD-044) — which handles token validation — the internal gateway owns the routing and reliability layer: circuit breaking, retry with backoff, timeout enforcement, and canary routing for deployments. It is the chokepoint that prevents any single misbehaving service from degrading the platform, and the place where cross-cutting concerns (logging, tracing header injection, correlation ID stamping) are applied uniformly.
API versioning is managed here: multiple versions of a service can be live simultaneously, with the gateway routing requests to the correct version based on the Accept or API-Version header. Deprecation notices are injected as response headers so consumers can track sunset timelines without consulting documentation.
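
The negotiation described above, sketched as an added example (not code from the bank-platform repo). The version table, upstream hosts, dates, the `application/vnd.bank.vN+json` media type, and the choice of `Deprecation`/`Sunset` response headers are all assumptions made for illustration. Conflicting or malformed version signals fail closed, so a header value never selects a backend outside the allowlist.

```python
import re
from datetime import datetime, timezone
from email.utils import format_datetime

# Constructed version table for a hypothetical "accounts" service.
# deprecated/sunset are None while a version is current.
VERSIONS = {
    "1": {"upstream": "accounts-v1.internal:8443",
          "deprecated": datetime(2026, 6, 1, tzinfo=timezone.utc),
          "sunset": datetime(2026, 12, 31, tzinfo=timezone.utc)},
    "2": {"upstream": "accounts-v2.internal:8443",
          "deprecated": None, "sunset": None},
}
DEFAULT_VERSION = "2"

# Assumed vendor media type carrying the version in the Accept header.
_ACCEPT_RE = re.compile(r"application/vnd\.bank\.v(\d{1,3})\+json")
_VERSION_RE = re.compile(r"\d{1,3}")


def negotiate(headers):
    """Return (status, upstream, response_headers) for the request headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    explicit = h.get("api-version")
    m = _ACCEPT_RE.search(h.get("accept", ""))
    from_accept = m.group(1) if m else None

    # Malformed values never reach the routing table.
    if explicit is not None and not _VERSION_RE.fullmatch(explicit):
        return 400, None, {}
    # Two headers naming different versions is ambiguous: reject, do not guess.
    if explicit and from_accept and explicit != from_accept:
        return 400, None, {}

    version = explicit or from_accept or DEFAULT_VERSION
    entry = VERSIONS.get(version)
    if entry is None:
        return 406, None, {}  # syntactically valid but not a live version

    out = {"API-Version": version}
    if entry["deprecated"] is not None:
        # RFC 9745 Deprecation (@epoch) and RFC 8594 Sunset (HTTP-date).
        out["Deprecation"] = "@%d" % int(entry["deprecated"].timestamp())
        out["Sunset"] = format_datetime(entry["sunset"], usegmt=True)
    return 200, entry["upstream"], out
```
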
Module dependencies
Depends on
| Module | Title | Required? | Contract | Reason |
| --- | --- | --- | --- | --- |
| MOD-044 | JWT role-based access control | Required | — | Service-to-service request authentication is validated using JWT tokens issued by the RBAC module. |
| MOD-045 | Secrets & key management | Required | — | mTLS certificates and service credentials used for mutual authentication are managed by the secrets module. |
| MOD-104 | AWS shared infrastructure bootstrap | Required | — | AWS shared infrastructure provisioned by MOD-104 (EventBridge buses, S3, KMS, Kinesis, Cognito) is required before this module can be deployed. |

Required by
| Module | Title | As | Contract |
| --- | --- | --- | --- |
| MOD-061 | Open banking API platform | Hard dependency | — |
| MOD-068 | Authentication & session management | Hard dependency | — |
| MOD-176 | Snowflake read API service | Hard dependency | — |
| MOD-177 | SD06 risk dashboard renderer | Hard dependency | — |

Policies satisfied
| Policy | Title | Mode | How |
| --- | --- | --- | --- |
| DT-001 | Information Security Policy | GATE | All service-to-service traffic passes through TLS-terminated endpoints with mutual authentication — no plaintext internal API calls are permitted. |
| DT-002 | Cybersecurity Policy | GATE | Rate limiting and request signing enforce that only registered, authenticated services can call platform APIs — unauthenticated requests are rejected at the gateway. |

Capabilities satisfied
| Capability | Title | Mode | How |
| --- | --- | --- | --- |
| CAP-121 | API rate limiting & throttling | GATE | Enforces per-service and per-consumer rate limits, returning 429 responses before upstream services are reached — protects backend services from traffic spikes and abuse. |
| CAP-122 | API versioning & request routing | AUTO | Routes requests to the correct service version based on the API version header, supporting multiple live versions simultaneously during migration windows. |

Part of SD07 — Data Platform & Governance Infrastructure
Compiled 2026-05-22 from source/entities/modules/MOD-075.yaml