We're starting something new from zero, so our system could be that clean. 😉 But the business logic would not really be in the gateway if the gateway is just asking SpiceDB is the permission is allowed. It would require that all requests have the same format, though. Maybe headers like "object", "permission", "subject" so those can just be used in a SpiceDB call. My idea was to take the "burden" of checking permissions away fom the micro service devs. But then everyone calling the API would have to know the permissions to check. I guess that's worse than every micro service knowing which permissions have to be checked.