Securing and Accessing API Endpoints (original) (raw)

A frontend application using the BFF pattern can call two types of APIs: embedded (local) APIs, and proxied remote APIs.

Choosing an API Approach

Section titled “Choosing an API Approach”

flowchart TD Q1{"Is the API only used
by this frontend?"} Q2{"Do you need load balancing,
service discovery, or
complex routing/transforms?"}

Local["✅ Embedded (Local) API<br/>Host the API inside the BFF itself"]
Remote["✅ Remote API — Direct Forwarding<br/>MapRemoteBffApiEndpoint()"]
Yarp["✅ YARP Integration<br/>Full YARP configuration with BFF extensions"]

Q1 -->|Yes| Local
Q1 -->|No| Q2
Q2 -->|Yes| Yarp
Q2 -->|No| Remote

Use the table below for additional guidance on token requirements:

Scenario Recommended approach
API is only used by this frontend Embedded (Local) API
API is shared by multiple clients or deployed separately Remote API — Direct Forwarding
Complex routing, load balancing, or transforms are needed YARP
API requires the logged-in user’s token Remote or YARP with RequiredTokenType.User
API uses machine-to-machine (client credentials) auth Remote or YARP with RequiredTokenType.Client
API is publicly accessible (no auth required) Remote with RequiredTokenType.None
API should use user token if logged in, anonymous otherwise Remote or YARP with RequiredTokenType.UserOrNone

Embedded (Local) APIs

Section titled “Embedded (Local) APIs”

These APIs are embedded inside the BFF and typically exist to support the BFF’s frontend; they are not shared with other frontends or services.

See Embedded APIs for more information.

Proxying Remote APIs

Section titled “Proxying Remote APIs”

These APIs are deployed on a different host than the BFF, which allows them to be shared between multiple frontends or (more generally speaking) multiple clients. These APIs can only be called via the BFF host acting as a proxy.

You can use Direct Forwarding for most scenarios. If you have more complex requirements, you can also directly interact with YARP.