Cloudflare API Gateway has been a strong backbone for tightening out API security while simplifying how traffic flows through our edge, especially as our number of services and endpoints exploded. In day-to-day use, Cloudflare API Gateway feels like an extension of the broader Cloudflare stack rather than a standalone product, which is exactly what we needed for consistent policies across web and API traffic. Once we turned on discovery and schema validation, we finally had real visibility in to which APIs were actually exposed and how they were being used, instead of guessing from backend logs and developer notes. Our core problem was "shadow APIs" and inconsistent protections: teams would spin up new endpoints behind the CDN, but security rules and rate limiting didn't always follow, which left gaps we only noticed when something went wrong. With API discovery and central management those endpoints now show up automatically, so they can be brought under the same authentication, schema checks and abuse protections as the rest. The single-pane view changed our incident pattern: instead of chasing odd strikes in backend logs, we can see abusive or broken traffic at the edge, block or throttle it there, and keep downstream systems stable. It also saved a lot of developer time that previously wen t into custom nginx rules or ad-hoc gateways for each service.

Cloudflare API Gateway / API Shield is a good product but it really depends on your applications and infrastructure. It's not an all encompassing service but in certain cases it's the best alternative. If you have your services on Cloudflare then it's a no brainer to use it but it's available only on Enterprise plans. It's not a full life-cycle management tool, it's more of a security&routing service. It offers great protection and delivery network but there are some hard to customise parts especially in timeouts and transformation of requests.