One of the projects I'm working on is to use it to connect a web form where end-users will enter in data. This data will go from API Gateway to a mainframe, and then the mainframe will take that data, combine it with other data sets, massage it, and send the answer back in the form of a PDF.
We're looking to do a couple of things with API Gateway. The first one is that we're moving from a 24-hour batch process using Managed File Transfer to API Gateway where our transactions are in minutes or less, rather than every 24 hours.
The other thing is that by using API Gateway, we are now enabled to institute some very strong security modes, not only for authentication but also for authorization. We're going to use a single sign-on product for authentication, and once that's done, API Gateway is a policy manual that will securely regulate what data sets people are actually able to see or query, or send data to. For example, in today's situation, someone can query the mainframe for information, even though they have no business asking for that info. It is a 15-year-old setup, and security wasn't in everybody's mind at the time, and the tools were very hard.
Because API Gateway is a policy engine, I can apply policies that can say, "All right, you have to be from a certain company or a certain zip code, or certainly from the state of California before we will even accept your query." After that, we're going to inspect that query to say, "Okay, you are somebody who is working with this type of data, so we are going to allow you to send in your information and query the system for the information that we know you're authorized to see." We can also say, "Are you coming from an appropriate IP address at an appropriate day and time of day?" In other words, if your IP address is coming from a foreign country and it is Saturday morning at 1:00 AM, we know that's not normal. So, we would block that.
I'm working with the most recent version. It is a cloud solution.