Gateway for API calls


Latest Version on Packagist Software License Build Status Coverage Status Quality Score Total Downloads

Cordo API Gateway - protection, caching, analytics & monitoring.

What is it? What is it for?

An API gateway is an API management tool that acts as reverse proxy and is located between a client and a backend service (or collection of services).

Most common use cases:

  • protection from overuse and abuse
  • analytics and monitoring
  • gathering multiple API calls into one for optimization
  • caching


  • PHP 7.4.0 or newer
  • Apache/Nginx
  • PHP Redis extension (nosql db for for request caching and rate limiting)


First make sure that you have Redis expansions installed. To check it run:

$ php -i |grep redis

If any of them is missing you can install it from PECL repository:

$ sudo pecl install redis

# restart PHP
$ sudo service php7.4-fpm restart

Create your new project folder and within this folder type:

$ composer create-project darkorsa/cordo-gateway ./

Then copy .env_example file and rename it to .env and complete it with your configuration data.


Api Key

First set your API_KEY in .env file, that will extort sending X-Api-Key header with API_KEY value on each request to the gateway.

This can disabled by commenting ApiKeyMiddleware middleware in public/index.php.

$router->addMiddleware(new ApiKeyMiddleware()); // comment this line

Note that X-Api-Key can be also used by rate limiting function.

Defining routes

Since the API gateway is a proxy for the target API you will need to register routes for handling the upcoming requests. This can be done in public/index.php:

(new App\UsersRoutes($router, $container, 'https://apiurladdress.com'))->register();

Place you routes class somewhere in app/ folder.

Example of routes class:



namespace App;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Cordo\Gateway\Core\Application\Service\Register\RoutesRegister;

class UsersRoutes extends RoutesRegister
    public function register(): void
            function (ServerRequestInterface $request, array $params): ResponseInterface {
                return $this->cacheRequest($request, '/users', 3600, []);

            function (ServerRequestInterface $request, array $params): ResponseInterface {
                return $this->sendRequest($request, '/users', []);

In the above example there are definitions of two endpoints. One for fetching users data (GET) and second for adding a new user (POST).

CacheRequest method will call target API and cache the result in memory (Redis) for the set amount of time. In this example for 1 hour (3600 seconds). Until cache invalidates no request will be made to the target API.

SendRequest method will simple call target API with all the query & form params as in the original request.

Rate Limiting

You can limit requests that can be made to you API in given amount of time in order to prevent from request flooding / API scraping. For that set appropriate config settings in config/los_rate_limit.php file.

Rate limiting config settings are explained here.

Still to come

  • Simple request logger for analytics


If you discover any security related issues, please email dkorsak@gmail.com instead of using the issue tracker.



The MIT License (MIT). Please see License File for more information.