examples/gatekeeper-auth/docs/NOTES.md
With the proxy auth pattern, the proxy performs authorization logic on the shape request path. Performing this logic can be expensive. You may not want to query the database or call an external service every time you make a shape request [1]. It can also be a security concern. Do you want your database exposed to your edge worker?
The gatekeeper pattern avoids these concerns by separating the steps of:
Specifically, the gatekeeper endpoint is designed to perform authorization logic once when generating the shape-scoped token. The proxy endpoint can then authorize multiple shape requests by validating the token against the shape definition in the request, without needing to know or do anything else.
[1] Proxies can mitigate this in a number of ways, for example with some kind of local cache of client credentials against authorization state.