PATTERN Cited by 1 source
Gateway strips auth, dispatches cached backend¶
Problem¶
Authenticated API responses are traditionally uncacheable because the Authorization header triggers CDN cache bypass. Every request pays the full rendering cost even when the response for a given user would be identical to the one returned moments ago.
Solution¶
Split the application into a gateway (always runs) and a cached backend:
- Gateway authenticates every request — validates tokens, extracts user identity.
- Gateway strips
Authorizationfrom the forwarded request (prevents the CDN's automatic bypass from firing). - Gateway passes user identity into
ctx.props(or equivalent request metadata) — this becomes part of the cache key. - Cached backend runs only on a miss, produces a response with
Cache-Control+ optionalCache-Tag.
The cache key includes the user/tenant identity from ctx.props, so each user gets a separate cache entry. One user's response can never leak to another's — the isolation is structural, not convention.
Structure¶
Request (with Authorization header)
→ Gateway [cache OFF: authenticate, extract userId]
→ strip Authorization, set ctx.props = { userId }
→ Cached Backend [cache ON, keyed on entrypoint + path + props]
→ HIT: return per-user cached response
→ MISS: run, store with Cache-Tag: user:${userId}
Write path:
POST /resource
→ Gateway [authenticate]
→ handleWrite()
→ ctx.exports.CachedBackend.invalidate(userId)
→ purge({ tags: ["user:${userId}"] })
Consequences¶
- Authenticated APIs become cacheable per-user without sacrificing security.
- Cache key isolation is automatic — structural property of
ctx.props, not manual cache-key configuration. - Invalidation is precise — purge by user-tag on the write path; stale-while-revalidate on the read path.
- No credential leakage — auth tokens are consumed by the gateway and never forwarded.
Known uses¶
- systems/cloudflare-workers-cache —
ctx.propsin cache key +Authorizationbypass avoidance + per-entrypoint cache opt-in. Cloudflare states: "We don't know of another CDN that offers this as a built-in model for authenticated, multi-tenant APIs." (Source: sources/2026-07-06-cloudflare-workers-cache)