# API Gateway -------------------------------------------------------------------------------- title: "Introduction" description: "Catalyst API Gateway enables you to create APIs to access the functions and web client end-points of your app, and perform advanced API management." last_updated: "2026-03-18T07:41:08.533Z" source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/api-gateway/introduction/" service: "Cloud Scale" -------------------------------------------------------------------------------- # API Gateway ### Introduction An API Gateway is an intermediate layer between the client and the server that acts as a reverse proxy, routing client requests to individual services. Catalyst Cloud Scale API Gateway is an advanced API management tool that enables you to create, maintain, and monitor HTTP requests generated from client applications and microservices. This component is powered by Catalyst, offering reliability, scalability, and seamless integration with other Catalyst components. Catalyst API Gateway acts as a single entryway into accessing the following target components of your Catalyst application: * {{%link href="/en/serverless/help/functions/basic-io/" %}}Basic I/O Functions{{%/link%}} * {{%link href="/en/serverless/help/functions/advanced-io/" %}}Advanced I/O Functions{{%/link%}} * {{%link href="/en/cloud-scale/help/web-client-hosting/introduction/" %}}Web Client{{%/link%}} Once you enable API Gateway for your Catalyst project in the Catalyst web console, all client requests to access these targets will be handled by this gateway. This helps prevent these components from being directly exposed to the clients by decoupling the clients from services. You can create customized individual APIs for every request type to access these targets. 
The API Gateway handles these functionalities of an API call and processes the request accordingly: * Routing * Authentication (optional) * Throttling (optional) Catalyst provides API Gateway as an optional, paid component, and as an enhancement to {{%link href="/en/serverless/help/security-rules/introduction/" %}}Security Rules{{%/link%}}. While Security Rules provides basic routing and authentication features for your functions, API Gateway provides more flexibility in customizing the functionalities mentioned above for your APIs. You can learn more from the {{%link href="/en/cloud-scale/help/api-gateway/key-concepts/#api-gateway-vs-security-rules" %}}Security Rules vs API Gateway section{{%/link%}}. You can also work with API Gateway from the Catalyst CLI. You can enable or disable it, and check its status. You can learn about this from the {{%link href="/en/cli/v1/working-with-api-gateway/introduction/" %}}Working with API Gateway CLI help page{{%/link%}}. You can also {{%link href="/en/cli/v1/pull-resources/introduction/" %}}pull the JSON file{{%/link%}} that contains the definitions of the APIs you create in your remote console to your local environment, and work on it locally. You can then {{%link href="/en/cli/v1/deploy-resources/introduction/" %}}deploy it to the remote console{{%/link%}}. <br /> -------------------------------------------------------------------------------- title: "Key Concepts" description: "Catalyst API Gateway enables you to create APIs to access the functions and web client end-points of your app, and perform advanced API management." last_updated: "2026-03-18T07:41:08.534Z" source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/api-gateway/key-concepts/" service: "Cloud Scale" -------------------------------------------------------------------------------- # Key Concepts Before you learn about API Gateway's architecture and implementation, it's important to understand its fundamental concepts in detail. 
### API Gateway vs Security Rules

Catalyst API Gateway is an enhancement to {{%link href="/en/serverless/help/security-rules/introduction" %}}Catalyst Security Rules{{%/link%}} as it provides additional features for API management.

Points to remember:

* You can enable or disable the API Gateway at any time.
* When the API Gateway is disabled, the configurations defined for a Catalyst function in Security Rules will be followed by default.
* When you enable API Gateway for your Catalyst application, Security Rules will be disabled automatically.
* After you enable API Gateway, the URLs of your functions and web client will immediately become inaccessible until you create APIs for them. Therefore, if you enable API Gateway, you must create APIs for all your functions and web client.
* You can migrate the configurations of your functions in Security Rules to API Gateway using {{%link href="#auto-created-apis-custom-apis-and-the-default-api" %}}auto-create{{%/link%}}.

The differences between Security Rules and API Gateway are specified below:

<table class="content-table">
<thead> <tr> <th><strong>Security Rules</strong></th> <th><strong>API Gateway</strong></th> </tr> </thead>
<tbody>
<tr>
<td>Can configure access for <strong><span class="badge">GET</span></strong>, <strong><span class="badge">PUT</span></strong>, <strong><span class="badge">POST</span></strong>, <strong><span class="badge">DELETE</span></strong>, and <strong><span class="badge">PATCH</span></strong> HTTP methods</td>
<td>Can configure access for <strong><span class="badge">GET</span></strong>, <strong><span class="badge">PUT</span></strong>, <strong><span class="badge">POST</span></strong>, <strong><span class="badge">DELETE</span></strong>, and <strong><span class="badge">PATCH</span></strong> HTTP methods.
Can also aggregate all HTTP methods under <a href="#routing">ANY</a>, and create a single API for it.</td> </tr> <tr> <td>Request URL and Target URL are the same</td> <td>Can configure custom Request URL and Target URL separately. Can create individual APIs for each request method for every URL</td> </tr> <tr> <td>Can enable or disable authentication and configure two types of authentication: Catalyst Users Authentication, and OAuth-based Authentication</td> <td>Can enable or disable authentication and configure <a href="#authentication-request-processor">three types of authentication</a>: API Key, Catalyst Users Authentication, and OAuth-based Authentication</td> </tr> <tr> <td>No throttling feature</td> <td>Can configure <a href="#throttling">two types of throttling</a>: General Throttling and IP-based Throttling</td> </tr> <tr> <td>Cannot configure rules for web clients</td> <td>Can create APIs for web clients</td> </tr> </tbody> </table> ### Routing The primary purpose of an API Gateway is to route the client to the appropriate services. This is defined by two aspects of an API: Request and Target. If an API has not been configured for a particular request method or request URL, the client will not be able to access the target. Let's learn about these in detail. #### Request Methods Catalyst API Gateway supports the following HTTP request methods: * {{%bold%}}{{%badge%}}GET{{%/badge%}}{{%/bold%}} * {{%bold%}}{{%badge%}}PUT{{%/badge%}}{{%/bold%}} * {{%bold%}}{{%badge%}}POST{{%/badge%}}{{%/bold%}} * {{%bold%}}{{%badge%}}DELETE{{%/badge%}}{{%/bold%}} * {{%bold%}}{{%badge%}}PATCH{{%/badge%}}{{%/bold%}} You can also aggregate all these HTTP methods under a custom defined method: {{%badge%}}ANY{{%/badge%}}. This enables you to create a single API for a function that supports all five methods, instead of creating five individual APIs, one for each method. 
{{%badge%}}ANY{{%/badge%}} can be used both in {{%link href="#auto-created-apis-custom-apis-and-the-default-api" %}}auto-create and creating custom APIs{{%/link%}}.

{{%note%}}{{%bold%}}Note:{{%/bold%}} Web client APIs do not support {{%badge%}}ANY{{%/badge%}}. You can only select the {{%badge%}}GET{{%/badge%}} method for a web client.{{%/note%}}

#### Request URL

The URL of your Catalyst application has the following structure: https://_project\_domain\_name_.catalystserverless.com. When you create an API, you can define the request path and it will be automatically appended to this URL. This will be the request URL.

For example, if the request path is _/CustomerPortal/create_, it will be appended to the application URL of that project, and the following request URL will be created: {{%bold%}}https://shipmenttracking-61317105.catalystserverless.com/CustomerPortal/create{{%/bold%}}.

You can then provide this intermediary request URL to the client, instead of the target function's or web client's default URL. The API will then route this request URL to the configured target automatically.

#### Target and Target URL

As mentioned before, the target components of an API configured in API Gateway can be Basic I/O functions, Advanced I/O functions, or the web client. You can set one target for every API that you create in API Gateway. You can create multiple APIs for each target for different request methods.
{{%note%}}{{%bold%}}Note:{{%/bold%}} API Gateway does not handle client requests for {{%link href="/en/serverless/help/functions/event-functions" %}}Cron Functions and Event Functions{{%/link%}} as they cannot be directly executed by end users.{{%/note%}}

The URL format of each target is as follows:

* {{%bold%}}Basic I/O:{{%/bold%}} https://_project\_domain\_name_.catalystserverless.com/baas/v1/project/_project\_ID_/function/_function\_ID_/execute
* {{%bold%}}Advanced I/O:{{%/bold%}} https://_project\_domain\_name_.catalystserverless.com/server/_function\_name_/
* {{%bold%}}Web Client:{{%/bold%}} https://_project\_domain\_name_.catalystserverless.com/app/

You can append routes to an Advanced I/O function's or web client's target URL and create APIs for specific paths.

#### Using Regular Expressions (Regex) in the Request URL and Target URL

Catalyst offers support for regular expressions to hold dynamic values in the request URL. A {{%bold%}}regular expression (regex){{%/bold%}} is a sequence of characters that describes a search pattern. When you include a regex pattern in the request URL, pattern-matching and search-and-replace algorithms are executed on the input value provided during execution, and the pattern is replaced with the dynamic value.

You can enter a regex pattern in the JSON format in the request URL and pass the key to the target URL like:<br />
{{%bold%}}Request url:{{%/bold%}} /route/{path:\[0-9\]+}<br />
{{%bold%}}Target url:{{%/bold%}} /route/{path}

For example, if the dynamic value of a request URL contains a string of numbers, you can use the expression _\[0-9\]+_. This indicates that the characters inside the brackets in the dynamic value can be any span of numbers from 0-9, and the {{%badge%}}{{%bold%}}+{{%/bold%}}{{%/badge%}} indicates one or more occurrences of the digits. Therefore, the request URL here could be configured as: _{{%bold%}}/CustomerPortal/{portalID:\[0-9\]+}{{%/bold%}}_.
Now, if you append a route to the target URL of an Advanced I/O function as: _{{%bold%}}/server/adIOFunc/CustomerPortal/{portalID}{{%/bold%}}_, the ID provided by the user in the request URL while accessing it will be dynamically passed to the target Advanced I/O function.

You can also use a wildcard pattern in your regular expression, such as {{%badge%}}{{%bold%}}.\*{{%/bold%}}{{%/badge%}}, which indicates that any number of literal characters or an empty string can be accepted in the place of the wildcard pattern.

For example, if you provide a wildcard pattern in the request URL like: {{%bold%}}/CustomerPortal/{path:(.\*)}{{%/bold%}}, the user will be able to enter any value dynamically in the URL such as: _/CustomerPortal/johndoe12_, _/CustomerPortal/premiumUser/12809021_, or _/CustomerPortal/xae89013_.

If you defined a regex pattern in the URL for an Advanced I/O function in {{%link href="/en/serverless/help/security-rules/introduction" %}}Security Rules{{%/link%}}, the same pattern will be added to both the request URL and target URL during {{%link href="#auto-created-apis-custom-apis-and-the-default-api" %}}auto-create{{%/link%}}.

### Authentication Request Processor

The Request Processor handles the authentication of the API. Authentication is an optional feature in API Gateway. If you select {{%badge%}}No Authentication{{%/badge%}} while creating the API, the target will be universally accessible to every client.

{{%note%}}{{%bold%}}Note:{{%/bold%}} The authentication feature is not available for web client APIs. It is only available for the Basic I/O and Advanced I/O functions.{{%/note%}}

API Gateway supports three authentication methods. You can enable any or all of these methods.

#### API Key

This authentication is handled by an API key that is generated by Catalyst automatically for your project. The API Key is the same for all projects in the development environment.
When you {{%link href="/en/deployment-and-billing/environments/production-environment" %}}deploy a Catalyst project to the Production environment{{%/link%}}, Catalyst will provide you with a different API key. You will therefore have individual API keys for each project in the Production environment.

You can obtain the API key after you {{%link href="/en/cloud-scale/help/api-gateway/implementation/#create-an-api" %}}create an API{{%/link%}} for a Basic I/O or Advanced I/O function in your project, with the API Key authentication option enabled. Click {{%bold%}}View API Key{{%/bold%}} in the API details section to access the key. A pop-up window will open with the API key.

You can pass the API key in two ways:

* {{%bold%}}Request Header{{%/bold%}}<br />
You can pass the API key as a request header as shown in this example:<br />
{{%code class="language-bash"%}}curl -X POST \
  https://shipmenttracking-61317105.catalystserverless.com/CustomerPortal/create \
  -H "ZCFKEY: API_KEY"{{%/code%}}
* {{%bold%}}Query String{{%/bold%}}<br />
You can also pass the API key as a query parameter in the request URL as shown in this example:<br />
{{%code class="language-bash"%}}POST https://shipmenttracking-61317105.catalystserverless.com/CustomerPortal/create?ZCFKEY=API_KEY{{%/code%}}

Replace {{%badge%}}API\_KEY{{%/badge%}} with your API key in both places.

#### Catalyst Users Authentication

This authentication method enables access for all the users of your Catalyst application added in the _Users_ section of {{%link href="/en/cloud-scale/help/authentication/introduction" %}}Catalyst Authentication{{%/link%}}, by default.

You can handle this authentication method by incorporating a user sign-in form in your Catalyst application, and enabling a login session.
The {{%link href="/en/cloud-scale/help/authentication/user-management/users/introduction/" %}}app users{{%/link%}} will then be able to access the API's target automatically without needing to go through any additional user verification.

#### OAuth-Based Authentication

This authentication method enables access for the users with an OAuth access token. You can pass the access token as a header in the request as shown in this example:

{{%code class="language-bash"%}}curl -X POST \
  https://shipmenttracking-61317105.catalystserverless.com/CustomerPortal/create \
  -H "Authorization: Zoho-oauthtoken 1000.910*************************16.2f*************************57"{{%/code%}}

To implement OAuth authentication in your Catalyst application, refer to our {{%link href="/en/api/oauth2/overview-and-terminology/#OverviewandTerminology" %}}OAuth Authentication help documentation{{%/link%}} for detailed steps.

### Throttling

Throttling enables you to set a rate limit to control the usage of an API by the clients. Throttling is an optional feature in Catalyst API Gateway.

When you set throttling rate limits for an API, Catalyst will monitor the count of request hits made to that API. When the request submissions exceed the limits you have configured for the API, the API Gateway will return the HTTP error response: {{%badge%}}429 Too Many Requests{{%/badge%}}.

There are two types of throttling available in API Gateway. You can use either one or both methods.

#### General Throttling

General throttling defines the maximum hits allowed to the API for all users, per time unit. You can define the request limit, its rate, and the time unit while creating the API.

Catalyst implements a sliding window rate limiting algorithm where the window starts from the current element and shifts by a weighted value of the previous window's request rate.
For example, if you set 50 requests in 2 minutes as the limit, Catalyst will check for API hits in the 2 minutes preceding the current second and determine the count, instead of checking in a 2 minute fixed window length. #### IP-Based Throttling IP-based throttling defines the maximum number of hits allowed to the API from a particular IP address, per time unit. This limits the number of API calls that can be made from a particular client address. You can define the request limit, its rate, and the time unit for this in a similar way as for general throttling. ### Auto-Created APIs, Custom APIs, and the Default API You can {{%link href="/en/cloud-scale/help/api-gateway/implementation/#create-an-api" %}}create APIs for your Catalyst functions and web client{{%/link%}} in two ways: auto-create or custom. Before we discuss auto-created APIs and custom APIs, you must learn about the default API. #### The Default API API Gateway creates a default API called {{%badge%}}{{%bold%}}Login Redirect{{%/bold%}}{{%/badge%}} for the web client hosted in your Catalyst project, in addition to the regular web client API. The following rules apply for the {{%badge%}}Login Redirect{{%/badge%}} API: * This API is created when you create APIs in the API Gateway for the first time after hosting a web client in your Catalyst project, using either auto-create or the custom method. * The {{%badge%}}Login Redirect{{%/badge%}} API is created based on the configuration set in the {{%link href="/en/cli/v1/project-directory-structure/client-directory/" %}}client-package.json{{%/link%}} file for the web client. The URL configured as the {{%badge%}}login\_redirect{{%/badge%}} in that file will be set as the request URL and target URL of the API. The {{%badge%}}login\_redirect{{%/badge%}} key is optional. Therefore, if it is not configured, the URL provided as the {{%badge%}}homepage{{%/badge%}} will be set as the request URL and target URL. 
* If the URL configured as {{%badge%}}login\_redirect{{%/badge%}} starts with a '/', Catalyst will consider it as an absolute path and will append it to the domain directly. For example, if {{%badge%}}login\_redirect{{%/badge%}} is '{{%bold%}}/home.html{{%/bold%}}', the request URL will be of the format: {{%bold%}}https://_project\_domain\_name_.catalystserverless.com/home.html{{%/bold%}}. However, if the {{%badge%}}login\_redirect{{%/badge%}} value does not start with a '/', such as '{{%bold%}}home.html{{%/bold%}}', then the request URL will be of the format: {{%bold%}}https://_project\_domain\_name_.catalystserverless.com/app/home.html{{%/bold%}}.
* The values for general throttling and IP-based throttling for this default API will be set to {{%badge%}}Not configured{{%/badge%}}, and the value for authentication will be set to {{%badge%}}No authentication{{%/badge%}}.
* You must give the default login redirect page of the Catalyst application as the request URL for the {{%badge%}}Login Redirect{{%/badge%}} API. You must not give any other URL as its value.
* If you change the value of {{%badge%}}login\_redirect{{%/badge%}} in the {{%badge%}}client-package.json{{%/badge%}} file after the {{%badge%}}Login Redirect{{%/badge%}} API was created, the target URL value will be automatically changed when you deploy the client package to the Catalyst console.
* You will not be able to edit any of these default values except the request URL. You will not be able to modify the target URL, API name, authentication, or throttling parameters.
* You will not be able to delete the {{%badge%}}Login Redirect{{%/badge%}} API.
* The difference between the default {{%badge%}}Login Redirect{{%/badge%}} API and the regular web client APIs is that the {{%badge%}}Login Redirect API{{%/badge%}} is only meant for the default login redirect page of the application, to which the users are redirected after they log in.
However, you can append routes to a web client's target URL and create APIs for different routes for regular web client APIs. * If you have not hosted a web client in your Catalyst project, this API will not be created. #### Auto-Created APIs You can enable Catalyst to automatically create APIs for the functions that you choose, or for the web client, using the auto-create method. Auto creating APIs is only available until you create your first API in API Gateway. Auto-create can be used when you have a large number of functions configured in your Catalyst project, and creating individual APIs for each of them would be very time consuming. When you use auto-create to create APIs, these protocols are followed: * If you have configured definitions for your functions in {{%link href="/en/serverless/help/security-rules/introduction" %}}Security Rules{{%/link%}}, they will be migrated to API Gateway automatically during auto-create. If you have not configured any definitions, the default rules will be applied. * The APIs created for a function during auto-create will contain the HTTP methods and authentication configured for it in the Security Rules. * {{%bold%}}Request methods and URL:{{%/bold%}}<br /> * If all five HTTP methods ({{%badge%}}GET{{%/badge%}}, {{%badge%}}PUT{{%/badge%}}, {{%badge%}}POST{{%/badge%}}, {{%badge%}}DELETE{{%/badge%}}, {{%badge%}}PATCH{{%/badge%}}) are enabled for a function in Security Rules, a single API will automatically be created with the request method '{{%link href="/en/cloud-scale/help/api-gateway/key-concepts/#routing" %}}ANY{{%/link%}}' for the function. * If one or more of the five HTTP methods is disabled for a function in Security Rules, individual APIs will be created for each of the other methods. 
  * The request URL of a function will be the same as its default target URL or the {{%link href="/en/serverless/help/functions/introduction" %}}function URL{{%/link%}} in auto-create, since the request URL and target URL are the same in Security Rules.
  * If there is a {{%link href="/en/cloud-scale/help/api-gateway/key-concepts/#routing#" %}}regex pattern in the request URL{{%/link%}} of a function, the same pattern will be assigned to the target URL.
* {{%bold%}}Authentication:{{%/bold%}}<br />
  * If the authentication method for a function in Security Rules is {{%badge%}}optional{{%/badge%}}, the {{%link href="#authentication-request-processor" %}}request processor{{%/link%}} will automatically be set to {{%badge%}}No Authentication{{%/badge%}} for the function's APIs during auto-create.
  * If authentication for a function in Security Rules is enabled, Catalyst Users Authentication and OAuth-based Authentication will be automatically enabled for the function's APIs in API Gateway.
* {{%bold%}}Throttling:{{%/bold%}} The values for general throttling and IP-based throttling for a function's APIs will be set to {{%badge%}}Not configured{{%/badge%}} by default during auto-create.
* {{%bold%}}API name:{{%/bold%}} An API created using auto-create for a function will be named in the format: _FunctionName\_HTTPMethod_. An API created for a web client using auto-create will be named in the format: _WebclientName_.
* {{%bold%}}Web client API:{{%/bold%}} The values for general throttling and IP-based throttling for a web client will be set to {{%badge%}}Not configured{{%/badge%}}. As mentioned earlier, authentication is not available for web client APIs. The request URL of a web client will also be the same as its target {{%link href="/en/cloud-scale/help/web-client-hosting/implementation#host-a-web-application" %}}web app URL{{%/link%}}.
* {{%bold%}}Hard limits:{{%/bold%}} The hard limit for the number of APIs that can be created is 1000 APIs/project.
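The request URL to target URL mapping described under "Using Regular Expressions (Regex) in the Request URL and Target URL" can be sketched as follows. This is an added example, not Catalyst's own code: the function names, the whole-path (anchored) matching, and the wildcard target path are assumptions made for illustration. It shows why a narrow pattern such as `[0-9]+` limits what reaches the target, while `(.*)` forwards whatever the client typed, so the target function has to validate the value itself.

```python
import re

# One placeholder in a configured path: {key} or {key:regex}.
# Assumption of this sketch: the inner regex contains no braces.
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)(?::([^{}]+))?\}")


def compile_request_path(request_path):
    """Compile '/route/{path:[0-9]+}' into a regex with one named group per key."""
    pieces, pos = [], 0
    for m in PLACEHOLDER.finditer(request_path):
        # Literal text between placeholders is escaped so '.' or '+' stay literal.
        pieces.append(re.escape(request_path[pos:m.start()]))
        key, pattern = m.group(1), m.group(2) or "[^/]+"
        pieces.append("(?P<%s>%s)" % (key, pattern))
        pos = m.end()
    pieces.append(re.escape(request_path[pos:]))
    return re.compile("".join(pieces))


def make_route(request_path, target_path):
    """Return resolve(url_path) -> target path, or None when the API does not match."""
    compiled = compile_request_path(request_path)
    # Reject a target that references a key the request URL never captures.
    target_keys = [m.group(1) for m in PLACEHOLDER.finditer(target_path)]
    unknown = [k for k in target_keys if k not in compiled.groupindex]
    if unknown:
        raise ValueError("target uses keys missing from the request URL: %s" % unknown)

    def resolve(url_path):
        # fullmatch anchors both ends: a partial match (or a trailing newline)
        # must not be enough to reach the target.
        m = compiled.fullmatch(url_path)
        if m is None:
            return None
        return PLACEHOLDER.sub(lambda p: m.group(p.group(1)), target_path)

    return resolve


# Request/target pair from the page.
DIGITS = make_route("/CustomerPortal/{portalID:[0-9]+}",
                    "/server/adIOFunc/CustomerPortal/{portalID}")
# Wildcard request URL from the page; the target path here is constructed.
WILDCARD = make_route("/CustomerPortal/{path:(.*)}",
                      "/server/adIOFunc/CustomerPortal/{path}")

if __name__ == "__main__":
    samples = ["/CustomerPortal/12809021", "/CustomerPortal/johndoe12",
               "/CustomerPortal/premiumUser/12809021", "/CustomerPortal/"]
    for url in samples:
        print("%-40s digits=%r wildcard=%r" % (url, DIGITS(url), WILDCARD(url)))
```
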
After the APIs are created for your functions and web client using auto-create, you can {{%link href="/en/cloud-scale/help/api-gateway/implementation/#edit-an-api" %}}edit individual APIs{{%/link%}} and modify the default values as required. #### Custom API You can create a custom API for your function or web client at any time and configure the parameters of the API. You can define the request method and URL, the target, authentication methods, throttling, and more based on your requirements. Creating a custom API does not migrate the configurations of a function from Security Rules. -------------------------------------------------------------------------------- title: "Architecture" description: "Catalyst API Gateway enables you to create APIs to access the functions and web client end-points of your app, and perform advanced API management." last_updated: "2026-03-18T07:41:08.534Z" source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/api-gateway/architecture/" service: "Cloud Scale" -------------------------------------------------------------------------------- # Architecture Catalyst API Gateway's architecture is shown below: <br /> Catalyst API Gateway performs tasks in the following sequence: 1. Reading the request method and URL of the client request 2. Searching for an API that you have configured for the particular request method and URL 3. Initiating the API, if available, or denying the request if the API is unavailable 4. Checking the throttling configuration and verifying if the request is within the defined rate limits, if applicable 5. Checking the authentication configuration and initiating a handler to verify the credentials, if applicable 6. 
Enabling the API to redirect the client to the configured target URL, if all validations are passed <br /> -------------------------------------------------------------------------------- title: "Benefits" description: "Catalyst API Gateway enables you to create APIs to access the functions and web client end-points of your app, and perform advanced API management." last_updated: "2026-03-18T07:41:08.534Z" source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/api-gateway/benefits/" service: "Cloud Scale" -------------------------------------------------------------------------------- ### Benefits 1. {{%bold%}}Efficient API Management{{%/bold%}}<br /><br /> Catalyst API Gateway enables you to manage all your APIs in a single place. It provides a single endpoint for all your clients, and allows you to create custom APIs with flexible definitions for each request. The ability to aggregate all HTTP supported request methods into one method (ANY) increases efficiency and reduces manual efforts in creating and maintaining a large number of APIs. It also minimizes the number of round trips between the client and the application server, improving the end user experience. 2. {{%bold%}}Enhanced Security for the Application's Backend {{%/bold%}}<br /><br /> Catalyst API Gateway acts as an intermediate layer between the client and the server, and prevents direct communication between them. This insulates the application from the clients, and prevents public exposure of its backend architecture and endpoints. API Gateway decreases the risk of potential threats associated with vulnerable exposure by completely decoupling the clients from services. The authentication methods also act as additional security boosters, and ensure protection of the application and user data. 3. 
{{%bold%}}Offloading Functionalities from Individual Services{{%/bold%}}<br /><br /> API Gateway offloads functionalities such as authentication and throttling from individual microservices, and handles everything in a consolidated manner. This lessens the responsibilities of individual services, as they do not need to be designed to manage authentication or throttling by themselves. API Gateway acts as a cohesive unit to manage all your APIs centrally and streamlines your application's functionality. 4. {{%bold%}}High Performance at any Scale{{%/bold%}}<br /><br /> Throttling the rate limits of an API improves the application's performance and provides a rich user experience. It helps the backend systems withstand traffic spikes and prevents excessive use of resources. Throttling also ensures that a particular set of clients alone do not suffocate the backend resources, and distributes the application's efficiency evenly between all clients. You can design usage plans in your application based on the throttling limits that you configure. Catalyst API Gateway ensures that your application is fast, robust, reliable, and consistent. <br /> -------------------------------------------------------------------------------- title: "Implementation" description: "Catalyst API Gateway enables you to create APIs to access the functions and web client end-points of your app, and perform advanced API management." last_updated: "2026-03-18T07:41:08.535Z" source: "https://docs.catalyst.zoho.com/en/cloud-scale/help/api-gateway/implementation/" service: "Cloud Scale" -------------------------------------------------------------------------------- # Implementation The implementation section is a step-by-step procedure guide to configure API Gateway from the Catalyst web console. You can learn about working with API Gateway from the CLI from the {{%link href="/en/cli/v1/working-with-api-gateway/introduction/" %}}CLI help documentation{{%/link%}}. 
### Enable API Gateway

You must enable API Gateway for your project before you access it for the first time.

As discussed earlier, when you enable the API Gateway for your Catalyst application, the configurations in {{%link href="/en/serverless/help/security-rules/introduction" %}}Security Rules{{%/link%}} are automatically disabled. The functions and the web client hosted in your Catalyst project will immediately become inaccessible until you create APIs for them.

You should therefore proceed with caution. Ensure that you create APIs for all your functions and web client immediately after enabling API Gateway. You must also ensure that the end users do not access them in the meantime. You can learn about disabling API Gateway from {{%link href="#disable-api-gateway" %}}this section{{%/link%}}.

To enable API Gateway for your Catalyst application from the console:

1. Navigate to {{%bold%}}API Gateway{{%/bold%}} under _Security & Identity_ in the Catalyst Cloud Scale console and click {{%bold%}}Enable Now{{%/bold%}}.
2. Click {{%bold%}}Proceed{{%/bold%}} in the confirmation window.

You will receive a notification in the console once API Gateway is enabled for your Catalyst project.

### Create an API

Before you begin, you must ensure that you have hosted at least one function or the web client in your Catalyst project, to create an API for it.

{{%note%}}{{%bold%}}Note:{{%/bold%}} You can create up to 1000 APIs in a project in the {{%link href="/en/deployment-and-billing/environments/development-environment" %}}development environment{{%/link%}}. There are no upper limits for rule creation in the production environment.{{%/note%}}

#### Auto-Create

You can only use auto-create to create APIs automatically when you enable API Gateway for your project for the first time. If you have already created a custom API, you will not be able to access auto-create.
Refer to {{%link href="/en/cloud-scale/help/api-gateway/key-concepts/#auto-created-apis-custom-apis-and-the-default-api" %}}this section{{%/link%}} for protocols to be followed when migrating definitions from Security Rules. To create APIs for your functions or the web client using auto-create: 1. Click {{%bold%}}Create API{{%/bold%}} after you enable API Gateway in the Catalyst console.<br /> <br /> 2. Select {{%bold%}}Auto-create API{{%/bold%}} and click {{%bold%}}Next{{%/bold%}}.<br /> <br /> 3. All your Basic I/O and Advanced I/O functions, and the web client are selected by default.<br /> <br /> Unselect the services that you don't want to create APIs for and click {{%bold%}}Create{{%/bold%}}.<br /> <br /> Catalyst will initiate the API creation process.<br /> <br /> Once the APIs are created, you will receive a notification in your console. The APIs will be listed in the _API Gateway_ page. <br /> You can edit the default values set for these APIs, and individually configure them based on your requirements. As discussed in this section, the default {{%badge%}}Login Redirect API{{%/badge%}} is also created for the web client hosted in the project. <br> #### Create a Custom API You can create a custom API either immediately after enabling API Gateway or at any time after using auto-create. To create a custom API for your functions or the web client: 1. Click {{%bold%}}Create API{{%/bold%}} from the _API Gateway_ page.<br /> <br /> You can also create it by selecting {{%bold%}}Create a custom API{{%/bold%}} in the pop-up box after enabling API Gateway and clicking {{%bold%}}Next{{%/bold%}}.<br /> <br /> This will open the _Create API_ window.<br /> <br /> 2. Enter a unique name for the API. 
Select a {{%link href="/en/cloud-scale/help/api-gateway/key-concepts/#routing" %}}request method{{%/link%}} and enter the request URL.<br /> <br /> {{%note%}}{{%bold%}}Notes:{{%/bold%}}<br /> * You can only select the {{%badge%}}{{%bold%}}GET{{%/bold%}}{{%/badge%}} method for a web client. <br> * The combination of the request URL and the request method should be unique. You will not be able to create more than one API for a specific combination of request URL and request method. {{%/note%}} Select the target component and then select the specific function or web client.<br /> <br /> If you selected an Advanced I/O function or a web client, you can append a route to the default target URL. A preview of the request URL will also be displayed.<br /> <br /> Select the {{%link href="/en/cloud-scale/help/api-gateway/key-concepts/#authentication-request-processor" %}}authentication methods{{%/link%}} if you require authentication. You can select any or all of these methods, and implement any one of them while providing the request URL.<br /> <br /> Configure the throttling limits for the API. You can configure either or both of the {{%link href="/en/cloud-scale/help/api-gateway/key-concepts/#throttling" %}}throttling methods{{%/link%}}.<br /> <br /> 3. Click {{%bold%}}Create{{%/bold%}}. The API will be created and listed in the _API Gateway_ page. <br> ### Edit an API You can edit an auto-created or a custom API at any time and modify its definitions in the following way: 1. Click {{%bold%}}Edit{{%/bold%}} for the API.<br /> <br /> 2. Modify the required values and click {{%bold%}}Update{{%/bold%}}.<br /> <br> ### Delete an API You can delete an API in the following way: 1. Click {{%bold%}}Delete{{%/bold%}} for the API.<br /> <br /> 2. 
Click {{%bold%}}Yes, Proceed{{%/bold%}} in the confirmation box.<br /> <br /> {{%note%}}{{%bold%}}Note:{{%/bold%}} Deleting an API will render its associated target URL inaccessible.{{%/note%}} <br> ### Disable API Gateway You can disable API Gateway at any time and switch to the definitions configured in the {{%link href="/en/serverless/help/security-rules/introduction" %}}Security Rules{{%/link%}}. If you re-enable API Gateway after disabling it, all the APIs that you had created will still be available and will immediately be re-enabled when API Gateway is re-enabled. You will not have to create the same APIs again. To disable API Gateway: 1. Click the {{%bold%}}ellipsis icon{{%/bold%}} on the _API Gateway_ page and click {{%bold%}}Disable{{%/bold%}}.<br /> <br /> 2. Type "DISABLE" in the text box and click {{%bold%}}Confirm{{%/bold%}}.<br /> The API Gateway will now be disabled and Security Rules will immediately be automatically enabled. <br />
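The sliding-window behaviour described under "General Throttling" and "IP-Based Throttling" can be illustrated with a sliding-window counter. This is an added example of the general technique, not Catalyst's implementation: the class names, the injected clock (`now`, in seconds), the 10-requests-per-60-seconds IP limit, and the IP addresses are constructed for illustration. It uses the page's 50 requests in 2 minutes limit and shows that a burst at the end of one window still counts against the start of the next.

```python
class SlidingWindowCounter:
    """Sliding-window counter: the previous fixed window's count is weighted
    by how much of it still overlaps the window that ends at `now`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        # key -> [window_index, current_count, previous_count]
        # (a production limiter would also evict idle keys)
        self._state = {}

    def _roll(self, key, now):
        index = now // self.window
        state = self._state.get(key)
        if state is None or index > state[0] + 1:
            state = [index, 0, 0]            # no usable history
        elif index == state[0] + 1:
            state = [index, 0, state[1]]     # current window becomes previous
        self._state[key] = state
        return state

    def estimate(self, key, now):
        """Approximate number of hits in the `window` seconds preceding `now`."""
        _, current, previous = self._roll(key, now)
        overlap = 1.0 - (now % self.window) / self.window
        return previous * overlap + current

    def would_allow(self, key, now):
        return self.estimate(key, now) + 1 <= self.limit

    def record(self, key, now):
        self._roll(key, now)[1] += 1


class ThrottledApi:
    """One API with optional general and IP-based limits (None = Not configured)."""

    def __init__(self, general=None, per_ip=None):
        self.general = general
        self.per_ip = per_ip

    def handle(self, client_ip, now):
        checks = []
        if self.general is not None:
            checks.append((self.general, "*"))        # one shared counter
        if self.per_ip is not None:
            checks.append((self.per_ip, client_ip))   # one counter per address
        # Check every limit before recording, so a request rejected by one
        # limiter is not counted by the other.
        if any(not limiter.would_allow(key, now) for limiter, key in checks):
            return 429  # Too Many Requests
        for limiter, key in checks:
            limiter.record(key, now)
        return 200


def replay(api, hits):
    """Run constructed (client_ip, second) pairs through the API."""
    return [api.handle(ip, second) for ip, second in hits]


if __name__ == "__main__":
    api = ThrottledApi(general=SlidingWindowCounter(50, 120))
    burst = replay(api, [("203.0.113.7", t) for t in range(51)])
    print("first window:", burst.count(200), "served,", burst.count(429), "throttled")
    # Ten seconds into the next window most of the earlier burst still counts.
    print("at t=130:", replay(api, [("203.0.113.7", 130)] * 5))
```

A fixed window that reset at second 120 would have served all five requests at `t=130`; the weighted count serves four and throttles the fifth.
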