We're at the end of the series. Nine chapters of mechanism. One chapter of opinion.

Building the Auth Gateway took roughly two years from "what if NGINX did the auth?" to "this thing handles every authenticated request in production." A lot of what's in the previous chapters wasn't obvious to us at the start. This is the post-mortem on our own architecture: what worked, what hurt, what we'd build earlier, and what we'd warn the next team about.

What worked

A few decisions held up cleanly. We'd make all of them again.

auth_request as the primitive

NGINX's auth_request directive is, with no exaggeration, the single most leveraged design choice in the platform. One directive, well-understood, supported across NGINX versions. We don't need a service mesh. We don't need a custom Envoy filter. We don't need a Lua module compiled into NGINX. If you can do your auth in HTTP-status terms (200/401/403), auth_request is the right tool.…
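A minimal nginx.conf showing the auth_request pattern described above, as an added example rather than the Auth Gateway's own configuration. The upstream addresses, the /_auth and /verify paths and the X-Auth-User and X-Original-* headers are assumptions.

```nginx
# Added example: names, ports, paths and headers are assumptions,
# not the configuration used in the series.
events {}

http {
    upstream auth_service { server 127.0.0.1:9000; }   # hypothetical auth backend
    upstream app_backend  { server 127.0.0.1:8080; }   # hypothetical protected app

    server {
        listen 8000;

        location /api/ {
            # The subrequest decides: 2xx allows the request, 401/403 denies it
            # with that status, and any other status (including a 502 when the
            # auth service is down) is treated as an error, so the client gets
            # a 500 and the request fails closed.
            auth_request /_auth;

            # Capture the identity header the auth service returned.
            auth_request_set $auth_user $upstream_http_x_auth_user;

            # Setting the header here replaces any X-Auth-User the client sent;
            # an empty value means the header is not forwarded at all, so the
            # backend only ever sees the gateway's value.
            proxy_set_header X-Auth-User $auth_user;
            proxy_pass http://app_backend;
        }

        location = /_auth {
            internal;                                # not reachable by clients directly
            proxy_pass http://auth_service/verify;   # hypothetical endpoint
            proxy_pass_request_body off;             # decision is made on headers only
            proxy_set_header Content-Length "";
            proxy_set_header X-Original-URI $request_uri;
            proxy_set_header X-Original-Method $request_method;
        }
    }
}
```

auth_request is provided by ngx_http_auth_request_module, which a source build includes only when configured with --with-http_auth_request_module.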