Skip to main content

core-api-gateway

The single entry point for all client requests. Handles routing, authentication, organization resolution, rate limiting, caching, and security headers. Injects the X-Internal-Key and X-Organization-Id headers that downstream services rely on for trust and authorization.

Worker name: crow-core-api-gateway Domain (prod): api.crowai.dev Domain (dev): dev.api.crowai.dev

Routing

The gateway routes requests based on the path segment after /api/v{n}/:

Path SegmentService NameInternal URL (dev)
authcore-auth-servicedev.internal.auth-api.crowai.dev
better-authcore-auth-servicedev.internal.auth-api.crowai.dev
userscore-user-servicedev.internal.users.crowai.dev
productscore-product-servicedev.internal.products.crowai.dev
crawler-jobscore-product-servicedev.internal.products.crowai.dev
organizationscore-organization-servicedev.internal.orgs.crowai.dev
analyticscore-analytics-servicedev.internal.analytics.crowai.dev
notificationscore-notification-servicedev.internal.notifications.crowai.dev
patternscore-pattern-servicedev.internal.patterns.crowai.dev
interactionscore-interaction-servicedev.internal.interactions.crowai.dev
chatbff-chat-servicedev.internal.chat.crowai.dev
qnabff-qna-servicedev.internal.qna.crowai.dev
mcpmcp-servicedev.mcp.crowai.dev
billingcore-billing-servicedev.internal.billing.crowai.dev
cctvcctv-ingest-servicedev.cctv.crowai.dev

Middleware Pipeline

For authenticated service routes (/api/v{n}/{service}/*):

  1. standardRateLimitMiddleware -- per-IP rate limiting
  2. authenticateRequestMiddleware -- session cookie or API key validation
  3. injectOrganizationContext -- resolves org UUID, sets context
  4. cacheMiddleware -- KV-backed response cache
  5. handleRequest -- forwards to internal service

For auth routes (/api/v{n}/auth/*):

  1. authenticationRateLimitMiddleware -- stricter rate limiting
  2. handleRequest -- forwards directly (no auth/org middleware)

Authentication Middleware

Three-tier token resolution:

  1. Session cookie -- reads better-auth.session_token cookie, calls auth service GET /get-session for JWT token and org
  2. API key -- detects crow_ prefix in X-API-Key, ApiKey header, or Bearer token; resolves via POST /api-key/verify
  3. Anonymous -- for non-auth-required services, creates an anonymous session JWT cached per client IP in KV (1-hour TTL)

Organization Resolution Middleware

  1. Session path: Calls GET /auth/get-session to get activeOrganizationId, then calls GET /organizations/by-auth-id/:id to resolve internal UUID
  2. API key path: Gets org from API key metadata, then verifies user membership via GET /users/by-auth-id/:id
  3. Strips client-supplied X-Organization-Id and X-User-Id headers before injecting gateway-resolved values

Cache Middleware

KV-backed response cache. Cache key includes the service name, API version, pathname, and organization ID to prevent cross-org data leakage:

cache:{service}:{version}:{pathname}:{orgId}

Request Forwarding

The forwardRequest function:

  • Builds the target URL from the service config and environment
  • Strips and re-injects X-Organization-Id, X-User-Id headers
  • Injects X-Internal-Key from env.INTERNAL_GATEWAY_KEY
  • Sets Authorization: Bearer <jwt> from the resolved token
  • Does not forward crow_ API keys as Bearer tokens (downstream services reject non-JWTs)

Public Path Overrides

These paths bypass authentication even on requiresAuth services:

  • POST /api/v{n}/billing/webhook -- Stripe webhook (signature-verified)
  • GET /api/v{n}/{service}/health -- health probes
  • GET /api/v{n}/{service}/ready -- readiness probes

Environment Variables

VariableExample
ENVIRONMENTdev
AUTH_SERVICE_URLhttps://dev.auth.crowai.dev

Secrets

SecretPurpose
INTERNAL_GATEWAY_KEYInjected into all forwarded requests
SERVICE_API_KEY_ORG_SERVICEUsed for by-auth-id lookups on org and user services
CRAWLER_SERVICE_SECRETForwarded to product service for crawl auth

Bindings

BindingTypeName
CACHEKVResponse cache + auth token cache

Dependencies

  • Outbound: auth service (session validation, JWT retrieval, API key verification), org service (by-auth-id lookup), user service (API key org membership verification), all downstream services (request forwarding)
  • Inbound: all clients (dashboard, auth-client, SDKs, MCP, API keys)

CORS

Allowed origins include all production and dev domains for the platform services and clients. Local development origins (localhost:3000-3002, localhost:8000-8012) are added when ENVIRONMENT=local.