i think the general rule is to not put business logic in an API gateway. if your gateway entities are simple and well-encapsulated enough, i could see an api gateway authz approach working. we aren't doing that in our system because our system isn't that clean 😛