Skip to content

PATTERN Cited by 1 source

Gateway strips auth, dispatches cached backend

Problem

Authenticated API responses are traditionally uncacheable because the Authorization header triggers CDN cache bypass. Every request pays the full rendering cost even when the response for a given user would be identical to the one returned moments ago.

Solution

Split the application into a gateway (always runs) and a cached backend:

  1. Gateway authenticates every request — validates tokens, extracts user identity.
  2. Gateway strips Authorization from the forwarded request (prevents the CDN's automatic bypass from firing).
  3. Gateway passes user identity into ctx.props (or equivalent request metadata) — this becomes part of the cache key.
  4. Cached backend runs only on a miss, produces a response with Cache-Control + optional Cache-Tag.

The cache key includes the user/tenant identity from ctx.props, so each user gets a separate cache entry. One user's response can never leak to another's — the isolation is structural, not convention.

Structure

Request (with Authorization header)
  → Gateway [cache OFF: authenticate, extract userId]
      → strip Authorization, set ctx.props = { userId }
          → Cached Backend [cache ON, keyed on entrypoint + path + props]
              → HIT: return per-user cached response
              → MISS: run, store with Cache-Tag: user:${userId}

Write path:

POST /resource
  → Gateway [authenticate]
      → handleWrite()
      → ctx.exports.CachedBackend.invalidate(userId)
          → purge({ tags: ["user:${userId}"] })

Consequences

  • Authenticated APIs become cacheable per-user without sacrificing security.
  • Cache key isolation is automatic — structural property of ctx.props, not manual cache-key configuration.
  • Invalidation is precise — purge by user-tag on the write path; stale-while-revalidate on the read path.
  • No credential leakage — auth tokens are consumed by the gateway and never forwarded.

Known uses

Last updated · 568 distilled / 1,686 read