I am designing a microservice architecture for a hobby project, mostly just for self-learning purposes. In my architecture, the API Gateway service verifies and decodes JWTs before sending requests to the proper upstream services. The Auth service has the primary data store for user names and passwords, and signs JWTs when a user logs in. My fear is that the API Gateway service and Auth service are too tightly coupled. In my design I attempt to decrease coupling be having the API Gateway verify the JWTs, so it doesn't need to reach out to the Auth service for every request. The coupling comes from the usage of public keys. Say the auth service automatically and periodically rotates its keys, and signs the JWTs with the new key id. Now the API Gateway needs some knowledge of the new public keys when they get rotated. Perhaps this can be done with a one time request - if a new key-id that the API Gateway hasn't seen before comes in the request, the API Gateway could make a request to the Auth service requesting the new public key. Does anyone have any comments on this design?

​

P.S. would anyone care to do a design review once I'm done with these design docs? I realize there is /r/codereview, but this seems like a better place for it.

​

THANKS!