API Gateway with Rate Limiting, Authentication & Circuit Breaker
MicroGateway is a full-featured API gateway built with FastAPI that provides service registry, intelligent routing, token bucket rate limiting, circuit breaker protection, JWT authentication, and real-time monitoring. Designed for microservices architectures, it acts as a single entry point for all API traffic, providing observability and resilience patterns out of the box.
- Register and manage upstream microservices
- Configure base URLs and health check endpoints
- Automatic health check monitoring with latency tracking
- Enable/disable services without removing configuration
- Track per-service request counts and error rates
- Map gateway paths to upstream services
- Method-based filtering (GET, POST, PUT, DELETE, PATCH)
- Path prefix stripping for clean upstream forwarding
- Priority-based route matching
- Configurable timeouts and retry counts
- Real token bucket algorithm implementation
- Per-API-key rate limits (configurable requests/minute)
- Burst capacity for handling traffic spikes
- Thread-safe concurrent access
- In-memory bucket state with automatic token refill
- Custom rate limit rules for specific paths
- Full state machine: CLOSED -> OPEN -> HALF_OPEN -> CLOSED
- Configurable failure threshold for circuit trips
- Recovery timeout before half-open retry
- Gradual recovery with configurable success threshold
- Manual circuit reset capability
- Per-service circuit isolation
- Generate JWT tokens from valid API keys
- Configurable token expiry
- Token validation with issuer verification
- Standard claims (sub, iat, exp, iss)
- Create and revoke API keys
- Per-key rate limit configuration
- Usage tracking (total requests, rejections)
- Key expiration support
- Owner/team assignment
- Rolling window metrics (configurable time window)
- Requests per second calculation
- Latency percentiles: P50, P95, P99
- Error rate tracking
- Per-service traffic breakdown
- Request volume history for charting
- Rate limiting statistics
- Log every request with full context
- Latency, status code, upstream service
- Rate limiting and circuit breaker flags
- Filterable by method, status, service
- Paginated log viewer
| Component | Technology |
|---|---|
| Framework | FastAPI |
| Language | Python 3.10+ |
| Database | SQLite + SQLAlchemy ORM |
| Authentication | PyJWT |
| Caching | In-memory (simulating Redis) |
| Frontend | Vanilla JS SPA |
| Styling | Custom CSS (dark theme) |
- Python 3.10 or higher
- pip package manager
# Clone the repository
git clone https://github.com/yourusername/microgateway.git
cd microgateway
# Create virtual environment
python -m venv venv
source venv/bin/activate # Linux/Mac
# venv\Scripts\activate # Windows
# Install dependencies
pip install -r requirements.txt
# Start the server
uvicorn app:app --host 0.0.0.0 --port 8017 --reloadThe application will be available at http://localhost:8017
# Build and run with Docker Compose
docker-compose up --build
# Or with Docker directly
docker build -t microgateway .
docker run -p 8017:8017 microgateway| Method | Endpoint | Description |
|---|---|---|
| GET | /api/services |
List all services |
| POST | /api/services |
Register a new service |
| GET | /api/services/{id} |
Get service details |
| PUT | /api/services/{id} |
Update a service |
| DELETE | /api/services/{id} |
Delete a service |
| POST | /api/services/{id}/health-check |
Run health check |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/routes |
List all routes |
| POST | /api/routes |
Create a new route |
| GET | /api/routes/{id} |
Get route details |
| PUT | /api/routes/{id} |
Update a route |
| DELETE | /api/routes/{id} |
Delete a route |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/keys |
List all API keys |
| POST | /api/keys |
Create a new API key |
| GET | /api/keys/{id} |
Get API key details |
| PUT | /api/keys/{id} |
Update an API key |
| DELETE | /api/keys/{id} |
Revoke an API key |
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/gateway/request |
Simulate a gateway request |
| POST | /api/gateway/batch |
Simulate batch requests |
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/auth/token |
Generate JWT token |
| POST | /api/auth/validate |
Validate JWT token |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/metrics/dashboard |
Full dashboard metrics |
| GET | /api/metrics/latency |
Latency percentiles |
| GET | /api/metrics/services |
Per-service breakdown |
| GET | /api/metrics/volume |
Request volume history |
| GET | /api/metrics/rate-limits |
Rate limiting statistics |
| GET | /api/logs |
Paginated request logs |
| DELETE | /api/logs |
Clear all logs |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/circuit-breakers |
List all states |
| POST | /api/circuit-breakers/{id}/reset |
Reset circuit breaker |
| Method | Endpoint | Description |
|---|---|---|
| GET | /health |
Gateway health check |
| GET | /api/health/services |
All service health |
| POST | /api/health/check-all |
Run all health checks |
Client Request
|
v
+------------------+
| MicroGateway |
| |
| 1. API Key Auth |
| 2. Rate Limiter |-----> Token Bucket (per key)
| 3. Router |
| 4. Circuit |-----> State Machine (per service)
| Breaker |
| 5. Proxy |
+------------------+
|
v
+------------------+
| Upstream Service |
+------------------+
MicroGateway uses the Token Bucket algorithm:
- Each API key has its own bucket with a configurable capacity (burst size)
- Tokens are replenished at a constant rate (requests_per_minute / 60 per second)
- Each request consumes one token
- If the bucket is empty, the request is rejected with HTTP 429
- The bucket never exceeds its capacity
+--------+ failure >= threshold +------+
| CLOSED |-------------------------->| OPEN |
+--------+ +------+
^ |
| successes >= threshold recovery timeout
| |
+-----------+ |
| HALF_OPEN |<---------------------------+
+-----------+
|
| failure -> back to OPEN
The SPA dashboard provides five views:
- Dashboard (
#/): Live metrics, request volume chart, error rates, circuit breaker states, and service health overview - Services (
#/services): Service registry management with health checks - Routes (
#/routes): Route configuration table with CRUD operations - API Keys (
#/keys): Key management with usage stats and JWT generation - Logs (
#/logs): Request log viewer with method, status, and service filtering
Environment variables:
| Variable | Default | Description |
|---|---|---|
MICROGATEWAY_PORT |
8017 |
Server port |
MICROGATEWAY_DEBUG |
false |
Debug mode |
DATABASE_URL |
SQLite | Database connection string |
JWT_SECRET |
dev-secret | JWT signing secret |
JWT_EXPIRY_MINUTES |
60 |
JWT token expiry |
DEFAULT_RATE_LIMIT |
60 |
Default requests/minute |
DEFAULT_BURST_SIZE |
10 |
Default burst capacity |
CIRCUIT_FAILURE_THRESHOLD |
5 |
Failures before circuit opens |
CIRCUIT_RECOVERY_TIMEOUT |
30 |
Seconds before half-open retry |
CIRCUIT_HALF_OPEN_MAX_CALLS |
3 |
Successes to close circuit |
# Run all tests
pytest tests/ -v
# Run with coverage
pytest tests/ --cov=. --cov-report=term-missing
# Run specific test file
pytest tests/test_services.py -v
# Run specific test class
pytest tests/test_services.py::TestTokenBucket -vmicrogateway/
+-- app.py # FastAPI application entry point
+-- config.py # Configuration management
+-- requirements.txt # Python dependencies
+-- Dockerfile # Container build file
+-- docker-compose.yml # Container orchestration
+-- start.sh # Startup script
+-- LICENSE # MIT License
+-- .gitignore # Git ignore rules
+-- .github/workflows/ci.yml # CI pipeline
+-- models/
| +-- __init__.py
| +-- database.py # SQLAlchemy engine and session
| +-- schemas.py # Service, Route, APIKey, etc.
+-- routes/
| +-- __init__.py
| +-- api.py # REST API endpoints
| +-- views.py # SPA frontend serving
+-- services/
| +-- __init__.py
| +-- gateway.py # Rate limiter, circuit breaker, JWT
| +-- monitor.py # Metrics collector, request logging
+-- frontend/
| +-- index.html # SPA entry point
| +-- static/
| +-- css/app.css # Dark infrastructure theme
| +-- js/app.js # SPA router and views
+-- tests/
| +-- conftest.py # Test fixtures
| +-- test_api.py # API endpoint tests
| +-- test_models.py # Data model tests
| +-- test_services.py # Service layer tests
+-- seed_data/
+-- data.json # Sample data for development
-
In-Memory Rate Limiting: Token buckets are stored in memory for sub-millisecond latency. In production, this would use Redis for distributed rate limiting across gateway instances.
-
SQLite for Persistence: Chosen for zero-dependency setup. The gateway stores service registry, routes, API keys, and request logs in SQLite. Production deployments would use PostgreSQL.
-
Simulated Upstream Calls: Since this is a demonstration gateway, upstream service calls are simulated with random latency and error rates. The gateway pipeline (auth -> rate limit -> route -> circuit breaker -> proxy) is fully functional.
-
Thread-Safe State: All in-memory state (buckets, circuit breakers, metrics) uses threading locks for safe concurrent access.
This project is licensed under the MIT License. See LICENSE for details.