# Api gateway

This feature exists to securizing third party backends easily. The objective is to call third party endpoints as similar as possible to how Vyou would be called.

# Calling Vyou endpoints

  • Imagine that Vyou backend url is https://vyou.backend.com.
  • Call one Vyou endpoint: https://vyou.backend.com/api/v1/customer
    • Option 1:
      • Headers: Authorization: Bearer <ACCESS_TOKEN>
    • Option 2: using vyou first-party cookies.

For more detailed explanation of how authorize and call vyou endpoints, see Authorization section

# Calling third-party backend client endpoints using Api-gateway feature

Imagine that third-party backend exists and someone wants to call this backend in a secure way.

  • For example, someone wants to call https://thirdparty.backend.com/api/v1/invoice.

    • Using api-gateway, someone can call it using this url: https://vyou.backend.com/_/api/v1/invoice (sending Authorization headers or cookies). That's all.


    Note the use of the '_' char in url

    • This gateway validates token or cookies in Vyou and then calls to proper url third-party backend with X-VYou-Token header that contains Vyou Id-Token.
    • If token or cookies are invalid, X-Vyou-Token header is not sent.

Once third-party endpoint is called, client's backend has to validate the X-Vyou-Token header with following rules:

  • If X-Vyou-Token is not sent and endpoint is public, execute endpoint without problems.
  • If 'X-Vyou-Token` is not sent and endpoint requires authorizarion, return 401.
  • If X-Vyou-Token is sent but is invalid, return 403.
  • If X-Vyou-Token is sent and is valid, execute endpoint without problems.

One of the features of the Vyou Server SDK is just validate this token.