
Securing and Accessing API Endpoints

A frontend application using the BFF pattern can call two types of APIs:

These APIs are embedded inside the BFF and typically exist to support the BFF’s frontend; they are not shared with other frontends or services.

See Embedded APIs for more information.

These APIs are deployed on a different host than the BFF, which allows them to be shared between multiple frontends or (more generally speaking) multiple clients. These APIs can only be called via the BFF host acting as a proxy.

You can use Direct Forwarding for most scenarios. If you have more complex requirements, you can also directly interact with YARP.