API gateways in 2026 fall into two camps: edge-first (Cloudflare Workers) and dedicated proxies (Kong, Envoy). This post is the comparison.

What gateways do

The classic responsibilities:

  • Auth: validate tokens; pass user context downstream.
  • Rate limiting: per-user, per-key, per-endpoint.
  • Routing: which backend handles which path.
  • Transformations: rewrite headers, modify bodies.
  • Observability: logs, metrics, traces.
  • TLS termination.
  • Aggregation: combine multiple backend responses.

A monolithic backend doesn’t need a gateway. The moment you have 3+ services, you do.

The contenders

Kong

Lua-based plugins on Nginx (or Kong-Gateway 3.x on a custom proxy). Mature. Plugin ecosystem.

# Declarative config (kong.yml); Kong 3.x requires _format_version.
_format_version: "3.0"
services:
  - name: api
    url: http://api.svc:8080
    routes:
      - paths: ["/api"]
    plugins:
      - name: jwt              # reject requests without a valid JWT
      - name: rate-limiting
        config: { minute: 100 }

Strong for traditional gateways at scale.

Envoy

Lyft’s; the data plane behind Istio. Programmable via xDS API. Heavier; more capable.

Best for: service-mesh-shaped deployments. See Cilium and eBPF.

Tyk

Like Kong but with a polished commercial offering. Open-source core; SaaS option.

Cloudflare Workers as gateway

Run gateway logic at the edge:

import { Hono } from "hono";
import { logger } from "hono/logger";

// auth() and rateLimit() stand in for whichever middleware you pick
// (hono/jwt for auth, for example). Workers expose secrets on c.env,
// so the secret is read per request rather than at module scope.
const app = new Hono();
app.use("*", (c, next) => auth({ secret: c.env.JWT_SECRET })(c, next));
app.use("*", rateLimit({ window: "1m", max: 100 }));
app.use("*", logger());

app.all("/api/*", async (c) => {
  // Re-point the request at the origin; method, headers and body pass through.
  const url = new URL(c.req.url);
  url.host = "origin.example.com";
  return fetch(new Request(url.toString(), c.req.raw));
});

export default app;

Sub-50ms globally. Free for most workloads. See Hono on Cloudflare Workers.

AWS API Gateway

AWS-native. Tightly integrated. Pricey at scale. Cumbersome OpenAPI ergonomics.

Patterns

Edge + inside hybrid

Client → Cloudflare Workers (auth, rate limit, basic routing)
       → Origin gateway (Kong / Envoy) inside cluster
       → Backend services

Edge handles: TLS, DDoS, basic auth, rate limit, geo-routing. Inside handles: mTLS between services, complex routing, plugin-rich logic.

For most production deployments, this two-layer hybrid wins.

Per-service gateway

Each microservice exposes its API through its own Hono router; a thin gateway just forwards /api/X to service X's /api/X unchanged.

Simple. Each service owns its API surface. Coordination via OpenAPI specs.

BFF (Backend-for-Frontend)

For mobile / web with different needs: a per-client BFF aggregates backend calls into client-shaped responses.

Mobile client → Mobile BFF → 5 backend services
Web client → Web BFF → same 5 services, different aggregation

Adds operational complexity; pays back in client-side simplicity.

Auth at the gateway

# Kong JWT plugin
plugins:
  - name: jwt
    config:
      claims_to_verify: [exp]   # reject expired tokens
      key_claim_name: sub       # claim that names the consumer's key

Gateway validates JWT; passes claims downstream as headers (X-User-Id, X-Tenant-Id). Backend trusts the gateway.

See Authentication.

Rate limiting at the gateway

# Kong
plugins:
  - name: rate-limiting
    config:
      minute: 100
      hour: 5000
      day: 100000
      policy: redis   # shared counters across gateway replicas; also needs the Redis connection settings (redis_host, redis_port, ...)

Per-key limits. Distributed via Redis. See Design a Rate Limiter and Distributed Rate Limiter.

Observability

Gateway emits:

  • Per-request logs (status, latency, route).
  • Metrics (RPS, error rate, p99).
  • Traces (span per backend call).

For OTel forwarding: most gateways have OTel plugins. See OpenTelemetry End-to-End.

Transformations

Common gateway transforms:

  • Strip auth tokens before forwarding.
  • Add request ID header.
  • Rewrite paths (/v1/foo → /foo).
  • Enrich with user context.
  • Drop headers per security policy.

Keep transformations minimal. Backend should expect clean inputs.

Common mistakes

1. Gateway-only auth

Backend trusts the gateway-provided headers. If anything bypasses the gateway, the backend is exposed. Defense in depth: backend ALSO checks.

2. Plugin sprawl

20 plugins per route → unpredictable interactions, slow. Curate.

3. No fallback

Gateway down → all APIs down. Run multiple gateway replicas; health-check; auto-failover.

4. Caching at the gateway for personalized responses

Gateway returns user A’s data to user B. Disastrous. Only cache by full request key including user.

5. No versioned plugin updates

Bumping a Kong plugin breaks routes. Test in staging; deploy plugins like code.
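Mistake 4 in code, as an added example (not the post's code): a gateway response cache keyed the wrong way beside one keyed on the full request including the user the gateway authenticated. The origin function, TTL and request shape are assumptions; naiveKey exists only so the contrast is visible.

```javascript
// Added example, not the post's code: response caching at the gateway.
// naiveKey is the mistake (path-only key); cacheKey is the full request key
// including the identity the gateway itself established.
const naiveKey = (req) => `${req.method} ${req.path}`;

// userId must come from the gateway's verified token, never from a client header.
function cacheKey(req, userId) {
  return `${req.method} ${req.path}?${req.query ?? ""} user=${userId ?? "anonymous"}`;
}

class ResponseCache {
  constructor(keyFn = cacheKey) {
    this.keyFn = keyFn;
    this.entries = new Map(); // key -> { body, expiresAt }
  }
  get(req, userId, nowMs) {
    const entry = this.entries.get(this.keyFn(req, userId));
    if (!entry || entry.expiresAt <= nowMs) return undefined;
    return entry.body;
  }
  set(req, userId, body, ttlMs, nowMs) {
    this.entries.set(this.keyFn(req, userId), { body, expiresAt: nowMs + ttlMs });
  }
}

// Serve from cache or call the origin; origin is any (req, userId) -> body.
function serve(cache, req, userId, origin, nowMs = Date.now(), ttlMs = 30_000) {
  const hit = cache.get(req, userId, nowMs);
  if (hit !== undefined) return { body: hit, cached: true };
  const body = origin(req, userId);
  cache.set(req, userId, body, ttlMs, nowMs);
  return { body, cached: false };
}
```

With the naive key the second user gets a cache hit on the first user's personalized body; with the full key each user gets their own entry and only repeat requests by the same user hit the cache.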

Read this next

If you want my Hono-as-edge-gateway template, it’s at rajpoot.dev.


Building something AI-, backend-, or data-heavy and want a second pair of eyes? I do consulting and freelance work — see my projects and ways to reach me at rajpoot.dev.