# API gateway
This feature exists to make securing third-party backends easy. The objective is for calls to third-party endpoints to look as similar as possible to calls to Vyou itself.
# Calling Vyou endpoints
- Imagine that the Vyou backend URL is `https://vyou.backend.com`.
- Call one Vyou endpoint: `https://vyou.backend.com/api/v1/customer`
  - Option 1:
    - Headers: `Authorization: Bearer <ACCESS_TOKEN>`
  - Option 2: using Vyou first-party cookies.

For a more detailed explanation of how to authorize and call Vyou endpoints, see the Authorization section.
# Calling third-party backend client endpoints using Api-gateway feature
Imagine that a third-party backend exists and someone wants to call this backend in a secure way.
For example, someone wants to call `https://thirdparty.backend.com/api/v1/invoice`.

- Using `api-gateway`, someone can call it using this URL: `https://vyou.backend.com/_/api/v1/invoice` (sending Authorization headers or cookies). That's all.

  WARNING: Note the use of the `_` character in the URL.

- The gateway validates the token or cookies in Vyou and then calls the proper third-party backend URL with an `X-VYou-Token` header that contains the Vyou Id-Token.
- If the token or cookies are invalid, the `X-Vyou-Token` header is not sent.

Once the third-party endpoint is called, the client's backend has to validate the `X-Vyou-Token` header with the following rules:

- If `X-Vyou-Token` is not sent and the endpoint is public, execute the endpoint without problems.
- If `X-Vyou-Token` is not sent and the endpoint requires authorization, return 401.
- If `X-Vyou-Token` is sent but is invalid, return 403.
- If `X-Vyou-Token` is sent and is valid, execute the endpoint without problems.

One of the features of the Vyou Server SDK is validating this token.
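
The four rules above as a decision function for the third-party backend. This is an added example, not code from Vyou or its Server SDK. Assumptions: `authorize`, `make_demo_token` and `demo_validate` are hypothetical names, the token format is a constructed HMAC stand-in for the real Id-Token check that the SDK performs, and a returned status of 200 means "go on to run the endpoint".

```python
import hashlib
import hmac
import time

HEADER = "x-vyou-token"              # header names are case-insensitive
DEMO_KEY = b"constructed-demo-key"   # constructed for this example, not a Vyou secret


def make_demo_token(subject, expires_at, key=DEMO_KEY):
    """Constructed stand-in token: '<subject>.<expiry>.<hex HMAC>'."""
    body = f"{subject}.{expires_at}"
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def demo_validate(token, now=None, key=DEMO_KEY):
    """Stand-in for the SDK's check: return the subject, or None if invalid."""
    try:
        subject, expires_at, sig = token.rsplit(".", 2)  # wrong shape -> ValueError
        expiry = int(expires_at)                         # non-numeric -> ValueError
    except ValueError:
        return None
    body = f"{subject}.{expires_at}".encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so odd characters cannot raise.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if expiry <= (time.time() if now is None else now):
        return None                                      # expired
    return subject


def authorize(headers, endpoint_is_public, validate=demo_validate):
    """Apply the four rules; return (HTTP status, subject or None)."""
    sent = {name.lower(): value for name, value in headers.items()}
    if HEADER not in sent:
        # Not sent: public endpoints run anonymously, protected ones get 401.
        return (200, None) if endpoint_is_public else (401, None)
    # Assumption: a header that is present but empty counts as "sent but invalid".
    subject = validate(sent[HEADER].strip())
    if subject is None:
        # Sent but invalid: 403, even when the endpoint is public.
        return 403, None
    return 200, subject
```

In a real backend, `validate` would wrap the token validation provided by the Vyou Server SDK.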