bakery-ia/gateway

API Gateway Service

Overview

The API Gateway serves as the centralized entry point for all client requests to the Bakery-IA platform. It provides a unified interface for 18+ microservices, handling authentication, rate limiting, request routing, and real-time event streaming. This service is critical for security, performance, and operational visibility across the entire system.

Key Features

Core Capabilities

• Centralized API Routing - Single entry point for all microservice endpoints, simplifying client integration
• JWT Authentication & Authorization - Token-based security with cached validation for performance
• Rate Limiting - 300 requests per minute per client to prevent abuse and ensure fair resource allocation
• Request ID Tracing - Distributed tracing with unique request IDs for debugging and observability
• Demo Mode Support - Special handling for demo accounts with isolated environments
• Subscription Management - Validates tenant subscription status before allowing operations
• Read-Only Mode Enforcement - Tenant-level write protection for billing or administrative purposes
• CORS Handling - Configurable cross-origin resource sharing for web clients

Real-Time Communication

• Server-Sent Events (SSE) - Real-time alert streaming to frontend dashboards
• WebSocket Proxy - Bidirectional communication for ML training progress updates
• Redis Pub/Sub Integration - Event broadcasting for multi-instance deployments

Observability & Monitoring

• Comprehensive Logging - Structured JSON logging with request/response details
• Prometheus Metrics - Request counters, duration histograms, error rates
• Health Check Aggregation - Monitors health of all downstream services
• Performance Tracking - Per-route performance metrics

External Integrations

• Nominatim Geocoding Proxy - OpenStreetMap geocoding for address validation
• Multi-Channel Notification Routing - Routes alerts to email, WhatsApp, and SSE channels

Technical Capabilities

Authentication Flow

1. JWT Token Validation - Verifies access tokens with cached public key
2. Token Refresh - Automatic refresh token handling
3. User Context Injection - Attaches user and tenant information to requests
4. Demo Account Detection - Identifies and isolates demo sessions
5. Subscription Data Extraction - Extracts subscription tier from JWT payload (eliminates per-request HTTP calls)

Request Processing Pipeline

Client Request
  ↓
CORS Middleware
  ↓
Request ID Generation
  ↓
Logging Middleware (Pre-processing)
  ↓
Rate Limiting Check
  ↓
Authentication Middleware
  ↓
Subscription Validation
  ↓
Read-Only Mode Check
  ↓
Service Router (Proxy to Microservice)
  ↓
Response Logging (Post-processing)
  ↓
Client Response

Caching Strategy

• Token Validation Cache - 15-minute TTL for validated tokens (Redis)
• User Information Cache - Reduces auth service calls
• Health Check Cache - 30-second TTL for service health status

Real-Time Event Streaming

• SSE Connection Management - Persistent connections for alert streaming
• Redis Pub/Sub - Scales SSE across multiple gateway instances
• Tenant-Isolated Channels - Each tenant receives only their alerts
• Reconnection Support - Clients can resume streams after disconnection

Business Value

For Bakery Owners

• Single API Endpoint - Simplifies integration with POS systems and external tools
• Real-Time Alerts - Instant notifications for low stock, quality issues, and production problems
• Secure Access - Enterprise-grade security protects sensitive business data
• Reliable Performance - Rate limiting and caching ensure consistent response times
• Faster Response Times - JWT-embedded subscription data eliminates 520ms overhead per request

Performance Impact

Before JWT Subscription Embedding:

• 5 synchronous HTTP calls per request to tenant-service
• 2,500ms notification endpoint latency
• 5,500ms subscription endpoint latency
• ~520ms overhead on EVERY tenant-scoped request

After JWT Subscription Embedding:

• Zero HTTP calls for subscription validation
• <1ms subscription check latency (JWT extraction only)
• ~200ms notification endpoint latency (92% improvement)
• ~100ms subscription endpoint latency (98% improvement)
• 100% reduction in tenant-service load for subscription checks

For Platform Operations

• Cost Efficiency - Caching reduces backend load by 60-70%
• Scalability - Horizontal scaling with stateless design
• Security - Centralized authentication reduces attack surface
• Observability - Complete request tracing for debugging and optimization

For Developers

• Simplified Integration - Single endpoint instead of 18+ service URLs
• Consistent Error Handling - Standardized error responses across all services
• API Documentation - Centralized OpenAPI/Swagger documentation
• Request Tracing - Easy debugging with request ID correlation

Technology Stack

• Framework: FastAPI (Python 3.11+) - Async web framework with automatic OpenAPI docs
• HTTP Client: HTTPx - Async HTTP client for service-to-service communication
• Caching: Redis 7.4 - Token cache, SSE pub/sub, rate limiting, token freshness tracking
• Logging: Structlog - Structured JSON logging for observability
• Metrics: Prometheus Client - Custom metrics for monitoring
• Authentication: JWT (JSON Web Tokens) - Token-based authentication with embedded subscription data
• WebSockets: FastAPI WebSocket support - Real-time training updates

JWT Subscription Architecture

Overview

The gateway implements a JWT-embedded subscription data architecture that eliminates runtime HTTP calls to the tenant-service for subscription validation. This provides significant performance improvements while maintaining security.

JWT Payload Structure

{
  "user_id": "uuid",
  "email": "user@example.com",
  "tenant_id": "uuid",
  "tenant_role": "owner",
  "subscription": {
    "tier": "professional",
    "status": "active", 
    "valid_until": "2025-12-31T23:59:59Z"
  },
  "tenant_access": [
    {"id": "tenant-uuid", "role": "admin", "tier": "starter"}
  ],
  "exp": 1735689599,
  "iat": 1735687799,
  "iss": "bakery-auth"
}

Security Layers

The architecture implements defense-in-depth with multiple validation layers:

1. Layer 1: JWT Signature Verification - Gateway validates JWT signature
2. Layer 2: Subscription Data Extraction - Extracts subscription from verified JWT
3. Layer 3: Token Freshness Check - Detects stale tokens after subscription changes
4. Layer 4: Database Verification - For critical operations (optional)
5. Layer 5: Audit Logging - Comprehensive logging for anomaly detection

Token Freshness Mechanism

• When subscription changes, gateway sets tenant:{tenant_id}:subscription_changed_at in Redis
• Gateway checks if token was issued before subscription change
• Stale tokens are rejected, forcing re-authentication
• Ensures users get fresh subscription data within token expiry window (15-30 min)

Multi-Tenant Support

• JWT contains tenant_access array with all accessible tenants
• Each tenant entry includes role and subscription tier
• Gateway validates access to requested tenant
• Supports hierarchical tenant access patterns

JWT Service Token Authentication

Overview

The Gateway now supports JWT service tokens for secure service-to-service (S2S) communication. This replaces the deprecated internal API key system with a unified JWT-based authentication mechanism for both user and service requests.

Service Token Support

User Tokens (frontend/API consumers):

• type: "access" - Regular user authentication
• Contains user ID, email, tenant membership, subscription data
• Expires in 15-30 minutes
• Validated and cached by gateway

Service Tokens (microservice communication):

• type: "service" - Internal service authentication
• Contains service name, admin role, optional tenant context
• Expires in 1 hour
• Automatically grants admin privileges to registered services

Service Token Validation Flow

┌─────────────────┐
│  Calling Service│
│  (e.g., demo)   │
└────────┬────────┘
         │
         │ 1. Create service token
         │    jwt_handler.create_service_token(
         │        service_name="demo-session",
         │        tenant_id=tenant_id
         │    )
         │
         ▼
┌─────────────────────────────────────────┐
│  HTTP Request to Gateway                │
│  --------------------------------       │
│  POST /api/v1/tenant/clone             │
│  Headers:                               │
│    Authorization: Bearer {service_token}│
│    X-Service: demo-session-service      │
└────────┬────────────────────────────────┘
         │
         ▼
┌─────────────────┐
│  Gateway        │
│  Auth Middleware│
└────────┬────────┘
         │
         │ 2. Extract and verify JWT
         │    jwt_handler.verify_token(token)
         │
         │ 3. Identify service token
         │    if token.type == "service":
         │
         │ 4. Check internal service registry
         │    if is_internal_service(service_name):
         │        grant_admin_access()
         │        skip_tenant_membership_check()
         │
         │ 5. Inject service context headers
         │    X-User-ID: demo-session-service
         │    X-User-Role: admin
         │    X-Service-Name: demo-session
         │
         ▼
┌─────────────────┐
│  Target Service │
│  (e.g., tenant) │
└─────────────────┘

Internal Service Registry

The gateway uses a centralized registry of all 21 microservices:

• File: shared/config/base.py
• Constant: INTERNAL_SERVICES set
• Services: gateway, auth, tenant, inventory, production, recipes, suppliers, orders, sales, procurement, pos, forecasting, training, ai-insights, orchestrator, notification, alert-processor, demo-session, external, distribution

Automatic Privileges for Registered Services:

• Admin role granted automatically
• Skip tenant membership validation
• Access to all tenants within scope
• Optimized database queries

Service Token Payload

{
  "sub": "demo-session",
  "user_id": "demo-session-service",
  "email": "demo-session-service@internal",
  "service": "demo-session",
  "type": "service",
  "role": "admin",
  "tenant_id": "optional-tenant-uuid",
  "exp": 1735693199,
  "iat": 1735689599,
  "iss": "bakery-auth"
}

Gateway Processing

Token Validation (_validate_token_payload)

# Validates token type and required fields
token_type = payload.get("type")
if token_type not in ["access", "service"]:
    return False

# Service tokens with tenant context are valid
if token_type == "service" and payload.get("tenant_id"):
    logger.debug("Service token with tenant context validated")

User Context Extraction (_jwt_payload_to_user_context)

# Detect service tokens
if payload.get("service"):
    service_name = payload["service"]
    base_context = {
        "user_id": f"{service_name}-service",
        "email": f"{service_name}-service@internal",
        "service": service_name,
        "type": "service",
        "role": "admin",  # Services get admin privileges
        "tenant_id": payload.get("tenant_id")  # Optional tenant context
    }

Tenant Access Control

# Skip tenant access verification for service tokens
if user_context.get("type") != "service":
    # Verify user has access to tenant
    has_access = await tenant_access_manager.verify_basic_tenant_access(
        user_context["user_id"], tenant_id
    )
else:
    # Services have automatic access
    logger.debug(f"Service token granted access to tenant {tenant_id}")

Migration from Internal API Keys

Old System (Deprecated - Removed in 2026-01):

# REMOVED - No longer supported
headers = {
    "X-Internal-API-Key": "dev-internal-key-change-in-production"
}

New System (Current):

# Gateway creates service tokens for internal calls
from shared.auth.jwt_handler import JWTHandler

jwt_handler = JWTHandler(settings.JWT_SECRET_KEY, settings.JWT_ALGORITHM)
service_token = jwt_handler.create_service_token(service_name="gateway")

headers = {
    "Authorization": f"Bearer {service_token}"
}

Security Benefits

1. Token Expiration - Service tokens expire (1 hour), preventing indefinite access
2. Signature Verification - JWT signatures prevent token forgery and tampering
3. Tenant Scoping - Service tokens can include tenant context for proper authorization
4. Unified Authentication - Same JWT verification logic for user and service tokens
5. Audit Trail - All service requests are authenticated and logged with service identity
6. No Shared Secrets - Services don't share API keys; use shared JWT secret instead
7. Rotation Ready - JWT secret can be rotated without code changes

Performance Impact

• Token Creation: <1ms (in-memory JWT signing)
• Token Validation: <1ms (in-memory JWT verification with shared secret)
• Caching: Gateway caches validated service tokens for 5 minutes
• No Additional HTTP Calls: Service auth happens locally at gateway

Unified Header Management System

The gateway uses a centralized HeaderManager for consistent header handling across all middleware and proxy layers.

Key Features:

• Standardized header names and conventions
• Automatic header sanitization to prevent spoofing
• Unified header injection and forwarding
• Cross-middleware header access via request.state.injected_headers
• Consistent logging and error handling

Standard Headers:

• x-user-id, x-user-email, x-user-role, x-user-type
• x-service-name, x-tenant-id
• x-subscription-tier, x-subscription-status
• x-is-demo, x-demo-session-id, x-demo-account-type
• x-tenant-access-type, x-can-view-children, x-parent-tenant-id
• x-forwarded-by, x-request-id

Context Header Injection

When a service token is validated, the gateway injects these headers for downstream services:

X-User-ID: demo-session-service
X-User-Email: demo-session-service@internal
X-User-Role: admin
X-User-Type: service
X-Service-Name: demo-session
X-Tenant-ID: {tenant_id}  # If present in token

Gateway-to-Service Communication

The gateway itself creates service tokens when calling internal services:

Example: Demo Session Validation for SSE

# gateway/app/middleware/auth.py
service_token = jwt_handler.create_service_token(service_name="gateway")

async with httpx.AsyncClient() as client:
    response = await client.get(
        f"http://demo-session-service:8000/api/v1/demo/sessions/{session_id}",
        headers={"Authorization": f"Bearer {service_token}"}
    )

Shared JWT Secret

All services (including gateway) use the same JWT secret key:

• File: shared/config/base.py
• Variable: JWT_SECRET_KEY
• Default: usMHw9kQCQoyrc7wPmMi3bClr0lTY9wvzZmcTbADvL0=
• Environment Override: JWT_SECRET_KEY environment variable
• Production: Must be set to a secure random value

API Endpoints (Key Routes)

Authentication Routes

• POST /api/v1/auth/login - User login (returns access + refresh tokens)
• POST /api/v1/auth/register - User registration
• POST /api/v1/auth/refresh - Refresh access token
• POST /api/v1/auth/logout - User logout

Service Proxies (Protected Routes)

All routes under /api/v1/ are protected by JWT authentication:

• /api/v1/sales/** → Sales Service
• /api/v1/forecasting/** → Forecasting Service
• /api/v1/training/** → Training Service
• /api/v1/inventory/** → Inventory Service
• /api/v1/production/** → Production Service
• /api/v1/recipes/** → Recipes Service
• /api/v1/orders/** → Orders Service
• /api/v1/suppliers/** → Suppliers Service
• /api/v1/procurement/** → Procurement Service
• /api/v1/pos/** → POS Service
• /api/v1/external/** → External Service
• /api/v1/notifications/** → Notification Service
• /api/v1/ai-insights/** → AI Insights Service
• /api/v1/orchestrator/** → Orchestrator Service
• /api/v1/tenants/** → Tenant Service

Real-Time Routes

• GET /api/v1/alerts/stream - SSE alert stream (requires authentication)
• WS /api/v1/training/ws - WebSocket for training progress

Utility Routes

• GET /health - Gateway health check
• GET /api/v1/health - All services health status
• POST /api/v1/geocode - Nominatim geocoding proxy

Middleware Components

1. CORS Middleware

• Configurable allowed origins
• Credentials support
• Pre-flight request handling

2. Request ID Middleware

• Generates unique UUIDs for each request
• Propagates request IDs to downstream services
• Included in all log messages

3. Logging Middleware

• Pre-request logging (method, path, headers)
• Post-request logging (status code, duration)
• Error logging with stack traces

4. Authentication Middleware

• JWT token extraction from Authorization header
• Token validation with cached results
• User/tenant context injection
• Demo account detection
• Subscription tier extraction from JWT - Eliminates 5 synchronous HTTP calls per request to tenant-service
• Token freshness verification - Detects stale tokens after subscription changes

5. Rate Limiting Middleware

• Token bucket algorithm
• 300 requests per minute per IP/user
• 429 Too Many Requests response on limit exceeded

6. Subscription Middleware

• JWT-based subscription validation - Uses subscription data embedded in JWT tokens
• Zero HTTP calls for subscription checks - Subscription tier extracted from verified JWT
• Checks subscription expiry
• Allows grace period for expired subscriptions
• Defense-in-depth verification - Database verification for critical operations

7. Read-Only Middleware

• Enforces tenant-level write restrictions
• Blocks POST/PUT/PATCH/DELETE when read-only mode enabled
• Used for billing holds or maintenance

Metrics & Monitoring

Custom Prometheus Metrics

Request Metrics:

• gateway_requests_total - Counter (method, path, status_code)
• gateway_request_duration_seconds - Histogram (method, path)
• gateway_request_size_bytes - Histogram
• gateway_response_size_bytes - Histogram

Authentication Metrics:

• gateway_auth_attempts_total - Counter (status: success/failure)
• gateway_auth_cache_hits_total - Counter
• gateway_auth_cache_misses_total - Counter

Rate Limiting Metrics:

• gateway_rate_limit_exceeded_total - Counter (endpoint)

Service Health Metrics:

• gateway_service_health - Gauge (service_name, status: healthy/unhealthy)

Health Check Endpoint

GET /health returns:

{
  "status": "healthy",
  "version": "1.0.0",
  "services": {
    "auth": "healthy",
    "sales": "healthy",
    "forecasting": "healthy",
    ...
  },
  "redis": "connected",
  "timestamp": "2025-11-06T10:30:00Z"
}

Configuration

Environment Variables

Service Configuration:

• PORT - Gateway listening port (default: 8000)
• HOST - Gateway bind address (default: 0.0.0.0)
• ENVIRONMENT - Environment name (dev/staging/prod)
• LOG_LEVEL - Logging level (DEBUG/INFO/WARNING/ERROR)

Service URLs:

• AUTH_SERVICE_URL - Auth service internal URL
• SALES_SERVICE_URL - Sales service internal URL
• FORECASTING_SERVICE_URL - Forecasting service internal URL
• TRAINING_SERVICE_URL - Training service internal URL
• INVENTORY_SERVICE_URL - Inventory service internal URL
• PRODUCTION_SERVICE_URL - Production service internal URL
• RECIPES_SERVICE_URL - Recipes service internal URL
• ORDERS_SERVICE_URL - Orders service internal URL
• SUPPLIERS_SERVICE_URL - Suppliers service internal URL
• PROCUREMENT_SERVICE_URL - Procurement service internal URL
• POS_SERVICE_URL - POS service internal URL
• EXTERNAL_SERVICE_URL - External service internal URL
• NOTIFICATION_SERVICE_URL - Notification service internal URL
• AI_INSIGHTS_SERVICE_URL - AI Insights service internal URL
• ORCHESTRATOR_SERVICE_URL - Orchestrator service internal URL
• TENANT_SERVICE_URL - Tenant service internal URL

Redis Configuration:

• REDIS_HOST - Redis server host
• REDIS_PORT - Redis server port (default: 6379)
• REDIS_DB - Redis database number (default: 0)
• REDIS_PASSWORD - Redis authentication password (optional)

Security Configuration:

• JWT_PUBLIC_KEY - RSA public key for JWT verification
• JWT_ALGORITHM - JWT algorithm (default: RS256)
• RATE_LIMIT_REQUESTS - Max requests per window (default: 300)
• RATE_LIMIT_WINDOW_SECONDS - Rate limit window (default: 60)

CORS Configuration:

• CORS_ORIGINS - Comma-separated allowed origins
• CORS_ALLOW_CREDENTIALS - Allow credentials (default: true)

Events & Messaging

Consumed Events (Redis Pub/Sub)

• Channel: alerts:tenant:{tenant_id}
  • Event: Alert notifications for SSE streaming
  • Format: JSON with alert_id, severity, message, timestamp

Published Events

The gateway does not publish events directly but forwards events from downstream services.

Development Setup

Prerequisites

• Python 3.11+
• Redis 7.4+
• Access to all microservices (locally or via network)

Local Development

# Install dependencies
cd gateway
pip install -r requirements.txt

# Set environment variables
export AUTH_SERVICE_URL=http://localhost:8001
export SALES_SERVICE_URL=http://localhost:8002
export REDIS_HOST=localhost
export JWT_PUBLIC_KEY="$(cat ../keys/jwt_public.pem)"

# Run the gateway
python main.py

Docker Development

# Build image
docker build -t bakery-ia-gateway .

# Run container
docker run -p 8000:8000 \
  -e AUTH_SERVICE_URL=http://auth:8001 \
  -e REDIS_HOST=redis \
  bakery-ia-gateway

Testing

# Unit tests
pytest tests/unit/

# Integration tests
pytest tests/integration/

# Load testing
locust -f tests/load/locustfile.py

Integration Points

Dependencies (Services Called)

• Auth Service - User authentication and token validation
• All Microservices - Proxies requests to 18+ downstream services
• Redis - Caching, rate limiting, SSE pub/sub
• Nominatim - External geocoding service

Dependents (Services That Call This)

• Frontend Dashboard - All API calls go through the gateway
• Mobile Apps (future) - Will use gateway as single endpoint
• External Integrations - Third-party systems use gateway API
• Monitoring Tools - Prometheus scrapes /metrics endpoint

Security Measures

Authentication & Authorization

• JWT Token Validation - RSA-based signature verification
• Token Expiry Checks - Rejects expired tokens
• Refresh Token Rotation - Secure token refresh flow
• Demo Account Isolation - Separate demo environments

Attack Prevention

• Rate Limiting - Prevents brute force and DDoS attacks
• Input Validation - Pydantic schema validation on all inputs
• CORS Restrictions - Only allowed origins can access API
• Request Size Limits - Prevents payload-based attacks
• SQL Injection Prevention - All downstream services use parameterized queries
• XSS Prevention - Response sanitization

Data Protection

• HTTPS Only (Production) - Encrypted in transit
• Tenant Isolation - Requests scoped to authenticated tenant
• Read-Only Mode - Prevents unauthorized data modifications
• Audit Logging - All requests logged for security audits

Performance Optimization

Caching Strategy

• Token Validation Cache - 95%+ cache hit rate reduces auth service load
• User Info Cache - Reduces database queries by 80%
• Service Health Cache - Prevents health check storms

Connection Pooling

• HTTPx Connection Pool - Reuses HTTP connections to services
• Redis Connection Pool - Efficient Redis connection management

Async I/O

• FastAPI Async - Non-blocking request handling
• Concurrent Service Calls - Multiple microservice requests in parallel
• Async Middleware - Non-blocking middleware chain

Compliance & Standards

GDPR Compliance

• Request Logging - Can be anonymized or deleted per user request
• Data Minimization - Only essential data logged
• Right to Access - Logs can be exported for data subject access requests

API Standards

• RESTful API Design - Standard HTTP methods and status codes
• OpenAPI 3.0 - Automatic API documentation via FastAPI
• JSON API - Consistent JSON request/response format
• Error Handling - RFC 7807 Problem Details for HTTP APIs

Observability Standards

• Structured Logging - JSON logs with consistent schema
• Distributed Tracing - Request ID propagation
• Prometheus Metrics - Industry-standard metrics format

Scalability

Horizontal Scaling

• Stateless Design - No local state, scales horizontally
• Load Balancing - Kubernetes service load balancing
• Redis Shared State - Shared cache and pub/sub across instances

Performance Characteristics

• Throughput: 1,000+ requests/second per instance
• Latency: <10ms median (excluding downstream service time)
• Concurrent Connections: 10,000+ with async I/O
• SSE Connections: 1,000+ per instance

Troubleshooting

Common Issues

Issue: 401 Unauthorized responses

• Cause: Invalid or expired JWT token
• Solution: Refresh token or re-login

Issue: 429 Too Many Requests

• Cause: Rate limit exceeded
• Solution: Wait 60 seconds or optimize request patterns

Issue: 503 Service Unavailable

• Cause: Downstream service is down
• Solution: Check service health endpoint, restart affected service

Issue: SSE connection drops

• Cause: Network timeout or gateway restart
• Solution: Implement client-side reconnection logic

Debug Mode

Enable detailed logging:

export LOG_LEVEL=DEBUG
export STRUCTLOG_PRETTY_PRINT=true

Competitive Advantages

1. Single Entry Point - Simplifies integration compared to direct microservice access
2. Built-in Security - Enterprise-grade authentication and rate limiting
3. Real-Time Capabilities - SSE and WebSocket support for live updates
4. Observable - Complete request tracing and metrics out-of-the-box
5. Scalable - Stateless design allows unlimited horizontal scaling
6. Multi-Tenant Ready - Tenant isolation at the gateway level

Future Enhancements

• GraphQL Support - Alternative query interface alongside REST
• API Versioning - Support multiple API versions simultaneously
• Request Transformation - Protocol translation (REST to gRPC)
• Advanced Rate Limiting - Per-tenant, per-endpoint limits
• API Key Management - Alternative authentication for M2M integrations
• Circuit Breaker - Automatic service failure handling
• Request Replay - Debugging tool for request replay

---

For VUE Madrid Business Plan: The API Gateway demonstrates enterprise-grade architecture with scalability, security, and observability built-in from day one. This infrastructure supports thousands of concurrent bakery clients with consistent performance and reliability, making Bakery-IA a production-ready SaaS platform for the Spanish bakery market.