I understand that this document outlines the initiative for the API Gateway, but IMHO it needs a section on how this fits into the broader picture.
I think we have to be honest with ourselves that non-OAuth2 auth methods or the Action API are not going anywhere in the foreseeable future (before we are all deceased from old age). This means that if the purpose of rate limiting here is to protect our infrastructure, we mustn't only protect one tiny corner while keeping 99% of it exposed, or we're building something like this
We should at least mention that the rate limiting and perhaps routing infrastructure is intended to be used for all API access eventually and not be tightly coupled with the new APIs only.