Gateway Service
The Gateway is the single entry point for all external API traffic. It validates JWTs, enforces rate limits, and reverse-proxies requests to downstream services. It contains no business logic — it validates and routes.
Quick Reference
| Property | Value |
|---|---|
| Port | 8080 |
| Language | Go |
| Framework | Chi v5 |
| Module path | github.com/gospelib/main/services/gateway |
| Entry point | cmd/server/main.go |
| Docker image | Multi-stage → Alpine (~12MB) |
Responsibilities
- JWT validation — Verifies Clerk-issued JWTs and extracts user claims
- Rate limiting — Per-user and per-IP token bucket stored in Redis
- Reverse proxy — Routes
/api/v1/<resource>to the owning service - Entitlement enforcement — Checks plan-gated features via Redis cache
- Request ID injection — Generates and propagates
X-Request-IDheaders - CORS — Configures allowed origins for web and mobile clients
- Health checks — Exposes
/healthand/readyendpoints
What the Gateway Does NOT Do
- No database access
- No user management
- No business logic
- No direct response generation (except health checks and errors)
Running Locally
# From the repository root
cd services/gateway
go run ./cmd/server
The gateway starts on port 8080. It expects downstream services to be running at their configured URLs.
Environment Variables
| Variable | Default | Description |
|---|---|---|
GOSPELIB_GATEWAY_PORT | 8080 | HTTP listen port |
GOSPELIB_GATEWAY_CONTENT_URL | http://localhost:8100 | Content service URL |
GOSPELIB_GATEWAY_AUTH_URL | http://localhost:8200 | Auth service URL |
GOSPELIB_GATEWAY_BILLING_URL | http://localhost:8300 | Billing service URL |
GOSPELIB_GATEWAY_AI_URL | http://localhost:8400 | AI service URL |
GOSPELIB_GATEWAY_NOTIFICATIONS_URL | http://localhost:8500 | Notifications service URL |
GOSPELIB_GATEWAY_REDIS_URL | redis://localhost:6380 | Redis for rate limiting and entitlement cache |
GOSPELIB_GATEWAY_CLERK_JWKS_URL | — | Clerk JWKS endpoint for JWT validation |
GOSPELIB_GATEWAY_CORS_ORIGINS | http://localhost:3002 | Allowed CORS origins (comma-separated) |
Health Check
curl http://localhost:8080/health
# {"status": "ok"}
curl http://localhost:8080/ready
# {"status": "ready"}
Entry Point Pattern
The Go entry point at cmd/server/main.go follows the standard GospeLib pattern:
- Configure Zerolog (JSON structured logging)
- Load config from environment variables
- Create Chi router with the global middleware stack
- Register routes — health first, then grouped by auth requirement
- Create
http.Server - Start in a goroutine
- Wait for
SIGINT/SIGTERM - Graceful shutdown with 10-second context
Docker
FROM golang:1.25-alpine AS builder
WORKDIR /build
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /app ./cmd/server
FROM alpine:3.20
RUN apk --no-cache add ca-certificates
COPY --from=builder /app /app
EXPOSE 8080
ENTRYPOINT ["/app"]
Related Pages
- Routing & Proxy Rules — how requests are mapped to downstream services
- Middleware Stack — the ordered middleware chain
- Architecture > Security > Auth Flow — JWT validation details