From api-gateway-builder
Builds a production-ready API gateway with intelligent routing, authentication, rate limiting, and load balancing. Supports Kong, Express Gateway, AWS API Gateway, and custom Node.js implementations.
How this command is triggered — by the user, by Claude, or both
Slash command
/api-gateway-builder:build-api-gatewayThe summary Claude sees in its command listing — used to decide when to auto-load this command
<!-- DESIGN DECISIONS -->
<!-- API gateways provide a single entry point for microservices, handling cross-cutting
concerns like authentication, rate limiting, and routing. This command generates
production-ready gateways using Kong, Express Gateway, or custom Node.js implementations. -->
<!-- ALTERNATIVES CONSIDERED -->
<!-- Direct service-to-service communication: Rejected due to lack of centralized control
Client-side load balancing: Rejected as it pushes complexity to clients
Service mesh only: Rejected as gateways better handle external traffic -->
# Build API Gat...Creates enterprise-grade API gateway infrastructure that serves as the single entry point for all microservices. Implements intelligent request routing, authentication, rate limiting, load balancing, and response transformation. Supports Kong, Express Gateway, AWS API Gateway, and custom implementations.
Use this command when:
Do NOT use this command for:
Before running this command, ensure:
The command examines your system architecture:
Creates comprehensive gateway setup:
Builds layered middleware architecture:
Sets up intelligent traffic distribution:
Integrates comprehensive observability:
The command generates complete gateway infrastructure:
api-gateway/
├── src/
│ ├── gateway/
│ │ ├── server.js
│ │ ├── routes/
│ │ │ ├── router.js
│ │ │ └── service-registry.js
│ │ ├── middleware/
│ │ │ ├── authentication.js
│ │ │ ├── rate-limiter.js
│ │ │ ├── transformer.js
│ │ │ └── circuit-breaker.js
│ │ └── plugins/
│ │ ├── logging.js
│ │ └── monitoring.js
│ ├── config/
│ │ ├── gateway.config.js
│ │ ├── services.json
│ │ └── rate-limits.json
│ └── utils/
│ ├── load-balancer.js
│ └── service-discovery.js
├── kong/
│ ├── kong.yml
│ └── plugins/
├── tests/
│ └── gateway.test.js
└── docs/
└── api-gateway-guide.md
Scenario: Microservices gateway with JWT auth and rate limiting
Generated Express Gateway Implementation:
// gateway/server.js
import express from 'express';
import httpProxy from 'http-proxy-middleware';
import jwt from 'jsonwebtoken';
import rateLimit from 'express-rate-limit';
import CircuitBreaker from 'opossum';
class APIGateway {
constructor(config) {
this.app = express();
this.services = config.services;
this.setupMiddleware();
this.setupRoutes();
this.setupErrorHandling();
}
setupMiddleware() {
// CORS configuration
this.app.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', process.env.ALLOWED_ORIGINS);
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
if (req.method === 'OPTIONS') {
return res.sendStatus(200);
}
next();
});
// Request logging
this.app.use((req, res, next) => {
const startTime = Date.now();
res.on('finish', () => {
const duration = Date.now() - startTime;
console.log({
method: req.method,
path: req.path,
status: res.statusCode,
duration,
ip: req.ip,
userAgent: req.get('user-agent')
});
});
next();
});
// Global rate limiting
const globalLimiter = rateLimit({
windowMs: 60 * 1000, // 1 minute
max: 100, // 100 requests per minute
message: 'Too many requests, please try again later',
standardHeaders: true,
legacyHeaders: false
});
this.app.use(globalLimiter);
}
setupRoutes() {
// Service routes with specific configurations
Object.entries(this.services).forEach(([name, config]) => {
const { path, target, auth, rateLimit: limits, circuitBreaker } = config;
// Create middleware chain for this service
const middlewares = [];
// Authentication middleware if required
if (auth) {
middlewares.push(this.createAuthMiddleware(auth));
}
// Service-specific rate limiting
if (limits) {
middlewares.push(rateLimit({
windowMs: limits.windowMs || 60000,
max: limits.max || 50,
keyGenerator: (req) => {
return req.user?.id || req.ip;
}
}));
}
// Circuit breaker for resilience
const breaker = new CircuitBreaker(
this.createProxyMiddleware(target),
{
timeout: circuitBreaker?.timeout || 3000,
errorThresholdPercentage: circuitBreaker?.errorThreshold || 50,
resetTimeout: circuitBreaker?.resetTimeout || 30000
}
);
// Monitoring circuit breaker events
breaker.on('open', () => {
console.error(`Circuit breaker opened for ${name}`);
});
// Apply middlewares and proxy
this.app.use(path, ...middlewares, (req, res, next) => {
breaker.fire(req, res, next)
.catch(err => {
res.status(503).json({
error: 'Service temporarily unavailable',
service: name
});
});
});
});
}
createAuthMiddleware(authConfig) {
return async (req, res, next) => {
const token = req.headers.authorization?.split(' ')[1];
if (!token) {
return res.status(401).json({ error: 'No token provided' });
}
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET);
req.user = decoded;
// Check permissions if specified
if (authConfig.requiredScopes) {
const hasPermission = authConfig.requiredScopes.some(scope =>
decoded.scopes?.includes(scope)
);
if (!hasPermission) {
return res.status(403).json({ error: 'Insufficient permissions' });
}
}
next();
} catch (error) {
return res.status(401).json({ error: 'Invalid token' });
}
};
}
createProxyMiddleware(target) {
return httpProxy.createProxyMiddleware({
target,
changeOrigin: true,
onProxyReq: (proxyReq, req) => {
// Add tracing headers
proxyReq.setHeader('X-Request-ID', req.id || uuid.v4());
proxyReq.setHeader('X-Forwarded-For', req.ip);
// Forward user context if authenticated
if (req.user) {
proxyReq.setHeader('X-User-ID', req.user.id);
proxyReq.setHeader('X-User-Roles', JSON.stringify(req.user.roles));
}
},
onProxyRes: (proxyRes, req, res) => {
// Add response headers
proxyRes.headers['X-Gateway-Version'] = '1.0.0';
proxyRes.headers['X-Response-Time'] = Date.now() - req.startTime;
}
});
}
}
// config/services.json
{
"userService": {
"path": "/api/users",
"target": "http://user-service:3001",
"auth": {
"required": true,
"requiredScopes": ["users:read", "users:write"]
},
"rateLimit": {
"windowMs": 60000,
"max": 100
},
"circuitBreaker": {
"timeout": 5000,
"errorThreshold": 50,
"resetTimeout": 30000
}
},
"productService": {
"path": "/api/products",
"target": "http://product-service:3002",
"auth": {
"required": false
},
"rateLimit": {
"windowMs": 60000,
"max": 200
}
}
}
Scenario: Enterprise Kong gateway with plugins
Generated Kong Configuration:
# kong.yml
_format_version: "2.1"
services:
- name: user-service
url: http://user-service:3001
routes:
- name: user-routes
paths:
- /api/users
strip_path: false
methods:
- GET
- POST
- PUT
- DELETE
plugins:
- name: jwt
config:
key_claim_name: kid
secret_is_base64: false
- name: rate-limiting
config:
minute: 100
hour: 10000
policy: local
- name: request-transformer
config:
add:
headers:
- X-Gateway:Kong
- X-Service:user-service
- name: product-service
url: http://product-service:3002
routes:
- name: product-routes
paths:
- /api/products
plugins:
- name: rate-limiting
config:
minute: 200
policy: redis
redis_host: redis
redis_port: 6379
- name: cors
config:
origins:
- https://app.example.com
methods:
- GET
- POST
headers:
- Accept
- Content-Type
credentials: true
- name: prometheus
upstreams:
- name: user-service
algorithm: round-robin
targets:
- target: user-service-1:3001
weight: 100
- target: user-service-2:3001
weight: 100
healthchecks:
active:
healthy:
interval: 10
successes: 3
unhealthy:
interval: 5
http_failures: 3
plugins:
- name: correlation-id
config:
header_name: X-Request-ID
generator: uuid
- name: request-size-limiting
config:
allowed_payload_size: 10
Scenario: Gateway that combines multiple service responses
Generated API Composition:
// gateway/api-composer.js
class APIComposer {
async composeUserProfile(userId, req) {
// Parallel requests to multiple services
const [user, orders, preferences, recommendations] = await Promise.allSettled([
this.fetchUser(userId, req.headers),
this.fetchUserOrders(userId, req.headers),
this.fetchUserPreferences(userId, req.headers),
this.fetchRecommendations(userId, req.headers)
]);
// Compose response with error handling
const profile = {
user: user.status === 'fulfilled' ? user.value : null,
orders: orders.status === 'fulfilled' ? orders.value : [],
preferences: preferences.status === 'fulfilled' ? preferences.value : {},
recommendations: recommendations.status === 'fulfilled' ? recommendations.value : []
};
// Add metadata
profile._meta = {
composed_at: new Date().toISOString(),
partial: Object.values(profile).some(v => v === null || v === undefined),
services: {
user: user.status,
orders: orders.status,
preferences: preferences.status,
recommendations: recommendations.status
}
};
return profile;
}
async fetchWithTimeout(url, options, timeout = 3000) {
const controller = new AbortController();
const timeoutId = setTimeout(() => controller.abort(), timeout);
try {
const response = await fetch(url, {
...options,
signal: controller.signal
});
clearTimeout(timeoutId);
return response.json();
} catch (error) {
clearTimeout(timeoutId);
throw error;
}
}
}
Symptoms: 503 errors, timeouts Cause: Backend service down or overloaded Solution:
// Implement circuit breaker and fallback
breaker.fallback(() => ({
data: [],
source: 'cache',
message: 'Using cached data due to service unavailability'
}));
Prevention: Health checks, circuit breakers, graceful degradation
Symptoms: High rate of 401/403 errors Cause: Token expiry, invalid credentials, or permission issues Solution: Implement token refresh mechanism and clear error messages
Symptoms: 429 Too Many Requests Cause: Client exceeding configured limits Solution: Implement backoff strategy and provide rate limit headers
--frameworkkong, express-gateway, custom, aws-api-gatewaycustom/gateway --framework kong--authjwt, oauth2, api-key, basic, nonejwt/gateway --auth oauth2--load-balancerround-robin, least-connections, weighted, ip-hashround-robin/gateway --load-balancer weighted✅ DO:
❌ DON'T:
💡 TIPS:
/api-rate-limiter - Dedicated rate limiting setup/api-monitoring-dashboard - Gateway monitoring/service-mesh-configurator - Internal service communication/load-balancer-configurator - Advanced load balancing⚠️ Security Considerations:
Solution: Check service response times, reduce middleware chain, enable caching
Solution: Monitor event listeners, implement proper cleanup, limit request body size
Solution: Review route precedence, check path matching patterns
Last updated: 2025-10-11 Quality score: 9.5/10 Tested with: Kong 2.8, Express Gateway 1.16, Node.js 18
20plugins reuse this command
First indexed Dec 31, 2025
Showing the 6 earliest of 20 plugins
npx claudepluginhub ktiseos-nyx/claude-code-plugins-plus-skills --plugin api-gateway-builder/build-api-gatewayBuilds a production-ready API gateway with intelligent routing, authentication, rate limiting, and load balancing. Supports Kong, Express Gateway, AWS API Gateway, and custom Node.js implementations.
/design-apiCreate API gateway and service contract specifications. Design scalable APIs.
/generate-grpc-serviceGenerates production-ready gRPC services with Protocol Buffer definitions, streaming support, and load balancing. Outputs server, client, interceptors, and documentation.
/add-rate-limitingAdds rate limiting to API endpoints using configurable token bucket, sliding window, or fixed window algorithms with Redis for distributed state management.
/implement-throttlingImplements API throttling with token bucket + sliding window algorithms, quota management, tiered pricing, and traffic control. Generates middleware, management service, usage tracking, config, and monitoring files.
/implement-eventsCreates event-driven API architecture with message queues, event streaming, and async communication patterns for microservices.