# Api gateway
This feature exists to securizing third party backends easily. The objective is to call third party endpoints as similar as possible to how Vyou would be called.
# Calling Vyou endpoints
- Imagine that Vyou backend url is
- Call one Vyou endpoint:
- Option 1:
Authorization: Bearer <ACCESS_TOKEN>
- Option 2: using vyou first-party cookies.
- Option 1:
For more detailed explanation of how authorize and call vyou endpoints, see Authorization section
# Calling third-party backend client endpoints using Api-gateway feature
Imagine that third-party backend exists and someone wants to call this backend in a secure way.
For example, someone wants to call
api-gateway, someone can call it using this url:
https://vyou.backend.com/_/api/v1/invoice(sending Authorization headers or cookies). That's all.
Note the use of the '_' char in url
- This gateway validates token or cookies in Vyou and then calls to proper url third-party backend with
X-VYou-Tokenheader that contains Vyou Id-Token.
- If token or cookies are invalid,
X-Vyou-Tokenheader is not sent.
Once third-party endpoint is called, client's backend has to validate the
X-Vyou-Token header with following rules:
X-Vyou-Tokenis not sent and endpoint is public, execute endpoint without problems.
- If 'X-Vyou-Token` is not sent and endpoint requires authorizarion, return 401.
X-Vyou-Tokenis sent but is invalid, return 403.
X-Vyou-Tokenis sent and is valid, execute endpoint without problems.
One of the features of the Vyou Server SDK is just validate this token.