Note: Since the publication of this blog, the StrongLoop API Gateway was relaunched on August 5, 2015. Read this announcement blog to learn more about the latest version.

This morning, we released the open-source version of the LoopBack API Gateway. It’s been quite a while from the time we added a “Gateway” box in our architectural diagram marked as a “work in progress.” Before starting development, we wanted to gather customer use cases to make sure it addressed real-world needs. So, we captured customers’ requirements and also determined that the Gateway would use both declarative JSON as well as Node API calls.

What’s LoopBack? It’s an open source Node.js framework for developing, managing and scaling APIs. Learn more…

The LoopBack Gateway is open source and is the “minimum viable product” (MVP) that covers key use cases piloted with our co-development partners. Its behavior is completely “hard-wired.” In the future, we’ll release a commercial product, the StrongLoop API gateway, that will be dynamically configurable. It will also require some major enhancements to the LoopBack framework, including LoopBack components and policies. We’ll delve more into these in a moment; but first, let’s explain the often overloaded term “gateway”…


An API gateway externalizes, secures, and manages APIs. It is an intermediary between API consumers (clients) and backend API providers (API servers).

api gateway 2

In this intermediary position, the API gateway performs several functions depending on the needs of the enterprise, as summarized in the table below.


API Gateway Role


Acts as both provider and delegator to authentication, authorization, and auditing (AAA) sources within the enterprise as the first intercept to establish identity.

Mediation and Transformation

Mediates between protocols and transforms portions of the API payload (both header and body) for clients that have fixed and/or specific requirements for consumption.

Infrastructure QoS

Performs infrastructure-level API consumption functions required by client such as pagination, throttling, caching, delivery guarantee, firewall,  and so on.

Monitoring and Reporting

Instruments APIs to fulfill service-level agrements (SLAs) through the monitoring of APIs and also injects metadata to report on API usage, health, and other metrics.


Compose coarse-grain APIs (mashups) from fine-grain micro-APIs to fulfill specific business case operations through dynamic invocation and construction.


A layer of abstraction that virtualizes API endpoints and acts  as a reverse proxy to API server host instances for high availability, security and scale.

Want to see an example of the loopback-gateway in action? Check out Raymond Feng’s blog post that walks you through the application code.

LoopBack API Gateway

The LoopBack API Gateway is a LoopBack application that provides the above functions. You can incorporate the Gateway’s modules into any LoopBack API server instance to provide these functions in-process or run it as a separate process to segment traffic, load, and scale.

The Pipeline

The gateway creates a “pipeline” of layers for API requests and responses. The layers of the pipeline correspond to different stages of processing API requests, and orchestrating and constructing API responses.

There API Gateway “pipeline” has four layers:

  • Transport layer – receives requests at the protocol level.
  • Remoting layer – maps API requests to applicable ACLs for remote invocation.
  • Model layer – model invocation from API mapping and manipulation.
  • Connector layer – connector invocation from API response processing.

Minimal viable product (MVP) use cases

The use cases we addressed in the initial release of the gateway are:

  • Authenticate to API gateway using OAuth credentials: covers AAA through identity, authentication and API endpoint authorization
  • Generate token
  • Capture invocation and create metric for API endpoint invocation
  • Measure invocations per interval (for example: 5,000 requests per hour)
  • If number of invocation exceeds the policy, then block the request, otherwise…
  • Proxy request to LoopBack instance

StrongLoop API Gateway

The StrongLoop API Gateway will be the commercial version of the open-source LoopBack API Gateway. While the LoopBack API Gateway consists of a set of Express middleware components statically “wired together” within the pipeline, the StrongLoop API Gateway will enable you to dynamically specify LoopBack components that wrap Express middleware. Thus, it will be able to meet the same needs as the static LoopBack API Gateway, but with much greater flexibility. By providing a way to encapsulate Express middleware in a LoopBack component, you can take advantage of the rich ecosystem of Express middleware already out there and plug into the protocol layer of the pipeline.

You will also be able to specify and chain together the MVP use cases declaratively through LoopBack policies. You will be able to specify policies at any layer within the pipeline, enabling you to meet use cases that require evaluation and actions throughout the system.


The API Gateway evaluates conditions and generates data in each layer of the pipeline and adds it to an API context at the individual request scope, the resource endpoint or even globally by user, machine, or other dimension. The information is continually and conditionally evaluated to generate actions. In general, the deeper within the layer, the more information added to the API context and the further down the request/response chain.

LoopBack policies describe and govern the process of pipeline execution. A policy has three main components: a scope, a constraint, and an action. The API gateway’s functions are built on the backbone of the API gateway known as the LoopBack Policy Framework. LoopBack policies are first-class objects within the framework at the same level as models. The policy framework within LoopBack is attached to various objects within each pipeline layer.

The LoopBack runtime continuously evaluates policies throughout each pipeline layer as part of API request handling. Policies in general for the system can be scheduled for all aspects of the system using this same foundation.

LoopBack Components

As LoopBack’s popularity has grown, community contributors have developed lots of terrific domain-level features. We started out with modules for mobile use cases, and there are ones for MBaaS features such as push notification, storage services, third-party login, and so on.

LoopBack Components provide a standardized way to develop and provide plug-in features to the LoopBack framework. Components have an interface to expose models, datasources, configuration, and now policies to the LoopBack runtime. The current thinking is to break up the structure of LoopBack apps into discrete pieces of domain-level functionality and encapsulate them so they are easily separable and portable. The design is still in progress, but you can follow and participate in the discussion in the LoopBack Component wiki.


The open source LoopBack gateway provides key functionality that enables you to manually piece together middleware and specify your business rules through plain JavaScript hooks. The LoopBack API gateway serves as a reference implementation and will be limited to its current functionality. It currently fulfills the MVP use cases without components and policies.

We expect that complex enterprises need to manage API endpoints at runtime, using the dynamic controls and additional functionality of components and policies provided by the StrongLoop API Gateway. It will provide the commercial-grade features and performance required for top-tier enterprise API management.

What’s next?

  • Ready to develop APIs in Node.js and get them connected to your data? Check out the Node.js LoopBack framework. We’ve made it easy to get started either locally or on your favorite cloud, with a simple npm install.