API Gateways
Managed API infrastructure · Auth, rate limiting, and transformation for RFID and IoT
What are API gateways?
An API gateway is a managed service that sits between clients and backend services, acting as a single entry point for all API traffic. Rather than exposing backend services directly, every request passes through the gateway, which handles cross-cutting concerns such as authentication, authorization, rate limiting, request and response transformation, caching, and monitoring.
In RFID and IoT deployments, backend services include RFID middleware, tag data ingestion pipelines, reader management APIs, and inventory query services. Without a gateway, each of those services must independently implement auth, rate limiting, and observability. The gateway centralises that logic so backend services can focus on their domain.
Cloud-managed API gateways such as AWS API Gateway, Azure API Management, and Google Cloud Endpoints eliminate the need to operate gateway infrastructure. Self-hosted options such as Kong, Tyk, and KrakenD provide the same capabilities on any infrastructure, at the cost of operational overhead.
How they work
Request routing
The gateway receives every inbound request and routes it to the appropriate backend service based on the URL path, HTTP method, hostname, or request headers. A single gateway can front many backend services, presenting a unified API surface to clients while the underlying architecture can be decomposed into independent microservices or serverless functions.
In RFID deployments, routing rules might direct requests to /readers/{id}/config to a reader management service, requests to /events/epc to a tag read ingestion pipeline, and requests to /inventory to a query service backed by a time-series database.
Authentication and authorization
The gateway enforces authentication before requests reach backend services. Common mechanisms include API key validation, OAuth 2.0 JWT bearer token verification, mutual TLS client certificate validation, and HMAC request signing. The gateway can also enforce authorization policies - allowing only specific API keys to access certain routes, or requiring specific JWT scopes for write operations.
For RFID reader fleets, this means each reader is issued an API key or client certificate scoped to the routes it is permitted to call. A dock-door reader can POST tag reads but cannot call reader management endpoints for other readers.
Rate limiting
Rate limiting controls how many requests a client can make within a time window. The gateway tracks request counts per API key, IP address, or authenticated user and rejects requests that exceed configured thresholds with an HTTP 429 Too Many Requests response. Rate limiting protects backend services from traffic spikes, prevents runaway readers from flooding ingestion pipelines, and enables tiered service offerings where different API consumers have different quotas.
Request and response transformation
Gateways can modify requests before forwarding them to backends and modify responses before returning them to clients. Transformations include adding or removing headers, rewriting URLs, converting between data formats (such as XML to JSON), injecting authentication credentials that backends expect, and filtering response fields to remove sensitive data.
In RFID contexts, a gateway might transform raw EPC hex strings into human-readable SGTIN representations before forwarding tag read events to a downstream inventory service, or strip internal reader metadata from responses before returning data to external API consumers.
Caching
For read-heavy endpoints such as inventory queries or reader configuration reads, the gateway can cache backend responses and serve repeated requests from cache without hitting the backend. This reduces load on backend services and improves response latency for clients. Cache invalidation is typically time-based (TTL) or triggered by write operations.
Monitoring and analytics
Every request passing through the gateway is logged and measured. Gateways emit metrics including request counts, error rates, latency percentiles, and per-route traffic breakdowns. Logs capture request details for debugging and audit. Cloud-managed gateways integrate with native cloud observability stacks (CloudWatch, Azure Monitor, Cloud Logging) and most also support export to third-party platforms such as Datadog and Grafana.
API gateways in RFID and IoT
Exposing RFID reader APIs securely
Enterprise RFID readers typically expose management APIs on private networks. An API gateway allows those APIs to be securely exposed to cloud platforms, integration partners, or internal applications without requiring direct network access to the reader. The gateway handles TLS termination, authentication, and rate limiting, presenting a consistent and secure interface regardless of the reader's native API capabilities.
Rate limiting tag read endpoints
Dense RFID deployments - conveyor belts, dock doors, retail floors - can generate thousands of tag reads per second. If each read event is forwarded individually as an HTTP POST to a cloud API, a single misbehaving reader or a brief antenna configuration error can flood backend services. An API gateway provides a controlled chokepoint: readers are rate-limited per API key, and bursts beyond the configured threshold are rejected at the gateway before they reach ingestion infrastructure.
API key management for reader fleets
Managing authentication credentials for dozens or hundreds of readers is a significant operational challenge. Cloud API gateways provide built-in key management: each reader receives a unique API key, keys can be rotated or revoked without modifying backend services, and usage metrics are tracked per key. When a reader is decommissioned, its key is revoked immediately and that change takes effect globally at the gateway.
Transforming raw EPC data
Readers report tag data as raw EPC hex strings. Downstream systems often expect decoded identifiers - SGTINs, SSCCs, or GS1 Digital Link URIs. Gateway transformation policies can apply this decoding at the API boundary, so backend services and API consumers receive structured, human-readable identifiers rather than raw binary representations. This keeps transformation logic centralised and out of individual reader firmware or backend services.
Major platforms
| Platform | Type | Key features | Best for |
|---|---|---|---|
| AWS API Gateway | Cloud-managed (AWS) | REST, HTTP, and WebSocket APIs; Lambda integrations; usage plans and API keys; WAF integration; VPC private endpoints | AWS-native RFID backends, serverless tag processing pipelines |
| Azure API Management | Cloud-managed (Azure) | Policy-based transformation engine; developer portal; self-hosted gateway for on-premises; built-in OAuth 2.0 and JWT validation | Enterprise RFID platforms on Azure, hybrid cloud and on-premises deployments |
| Google Cloud Endpoints | Cloud-managed (GCP) | OpenAPI and gRPC support; Cloud IAM integration; per-method quotas; service identity with service accounts | GCP-hosted RFID data pipelines, gRPC reader APIs |
| Kong Gateway | Self-hosted or Kong Konnect (SaaS) | Plugin architecture (300+ plugins); supports any cloud or on-premises deployment; Lua and Go plugin extensibility; declarative config | Multi-cloud or on-premises RFID infrastructure, highly customised gateway logic |
Self-hosted vs cloud-managed
The choice between a self-hosted gateway and a cloud-managed service depends on deployment environment, operational capacity, and requirements for customisation.
| Self-hosted (Kong, Tyk, KrakenD) | Cloud-managed (AWS, Azure, GCP) | |
|---|---|---|
| Infrastructure | Operator runs and scales gateway instances | Provider manages all infrastructure |
| Deployment flexibility | Any cloud, on-premises, or edge | Within the provider's cloud regions |
| Customisation | Full plugin/middleware extensibility | Limited to provider's feature set and policy language |
| Operational overhead | High - patching, scaling, HA all manual | Low - provider handles availability and scaling |
| Cost model | Infrastructure cost; predictable at scale | Per-request pricing; can be expensive at high volume |
| Vendor lock-in | Low - portable across environments | High - tied to cloud provider APIs and config formats |
| On-premises support | Native - runs anywhere | Partial (Azure APIM self-hosted gateway; AWS VPC Link) |
For RFID deployments with on-premises readers that must route through a gateway before reaching cloud backends, self-hosted gateways such as Kong or Tyk can run at the network edge, applying auth and rate limiting locally before forwarding to cloud services. Azure API Management's self-hosted gateway component supports the same pattern on Azure infrastructure.
Advantages
- Centralised auth and rate limiting: Authentication, authorization, and rate limiting are enforced once at the gateway rather than duplicated across every backend service. A single policy change applies immediately to all routes.
- Monitoring and analytics: Every request is measured and logged at the gateway. Request counts, error rates, and latency metrics are available per route and per consumer without instrumenting individual backend services.
- Protocol transformation: Gateways can bridge protocol differences - exposing a REST interface to clients while communicating with backends over gRPC, or converting XML payloads from legacy RFID middleware to JSON expected by modern cloud services.
- Developer portals: Cloud-managed gateways (especially Azure API Management) include built-in developer portals where API consumers can browse documentation, test endpoints, and manage their own API keys without involving operations teams.
- No infrastructure management for cloud options: Cloud-managed gateways scale automatically with traffic, handle availability and patching, and require no server provisioning. This is particularly valuable for RFID platforms that experience unpredictable traffic spikes during inventory cycles.
- API versioning: Gateways support routing different API versions to different backend deployments, allowing gradual migration of readers and integrations to new API contracts without flag days.
Limitations
- Added latency: Every request passes through an additional network hop. For latency-sensitive RFID operations, the gateway adds single-digit to low-double-digit milliseconds. This is negligible for most integrations but relevant for hard real-time control loops.
- Vendor lock-in for cloud options: AWS API Gateway policies, Azure API Management transformation expressions, and GCP Endpoints configurations are not portable. Migrating between cloud providers requires rewriting gateway configuration from scratch.
- Cost at high volume: Cloud-managed gateways price per request. At the tag read volumes typical in dense RFID deployments (millions of events per hour), per-request costs can be substantial. Batching tag reads before submission is essential to manage cost.
- WebSocket support varies: AWS API Gateway supports WebSocket APIs but with limitations on connection duration and message size. Azure API Management and Google Cloud Endpoints have limited or no native WebSocket support. For RFID streaming use cases requiring WebSockets , a self-hosted gateway or dedicated infrastructure is often needed.
- Complexity for simple deployments: For a single RFID reader posting to a single cloud endpoint, a full API gateway is architectural overhead. Simpler alternatives such as Nginx as a reverse proxy or direct HTTPS endpoints are more appropriate at small scale.
- Configuration complexity: Policy-based transformation in Azure API Management and usage plan management in AWS API Gateway have steep learning curves. Misconfigured gateways are a common source of integration failures and security gaps.
Common RFID deployments
- Securing RFID middleware APIs: On-premises RFID middleware (such as Impinj Octane, Zebra FXConnect, or custom middleware) exposes internal management APIs. An API gateway fronts those APIs with authentication and TLS termination, allowing secure access from cloud platforms without exposing middleware directly to the internet.
- Multi-tenant RFID-as-a-service: Managed RFID service providers use API gateways to enforce tenant isolation. Each tenant's readers authenticate with tenant-specific API keys. Rate limits and quotas are applied per tenant. Usage metrics are aggregated per tenant for billing.
- Rate limiting reader data ingestion: High-density deployments (distribution centres, manufacturing lines) route all reader POST traffic through an API gateway with per-reader rate limits. Burst traffic from antenna misfires or reader misconfiguration is rejected at the gateway before it overwhelms ingestion backends.
- API versioning for reader firmware: When RFID reader firmware updates change the tag read payload format, an API gateway routes requests from old firmware versions to a compatibility backend that handles the legacy format, while new firmware posts to an updated ingestion endpoint. Both versions coexist without a coordinated cutover.