
Authorization at the gateway: CEL and OPA for policy-driven access control

DEV Community·Nico·26 days ago

Authentication is a solved problem. Authorization is where things get complicated. Once you know who is making a request, how do you decide what they're allowed to do?

At small scale, authorization is simple. An admin role gets full access, a viewer role gets read-only. You hardcode a few rules and move on. But enterprise APIs don't stay small. Teams multiply, services proliferate, and authorization logic becomes a tangled web of role hierarchies, resource ownership, temporal constraints, and regulatory requirements. This is where most gateway setups start to crack.

The Authorization Gap

Traditional API gateways handle authentication well. JWT validation, API key checks, OAuth2 introspection: these are table stakes.…
