Job Description
The Senior API Gateway Engineer is responsible for designing, implementing, securing, and operating APIs using IBM API Connect and Kong. This role plays a critical part in enabling scalable, secure, and highly available integrations across internal systems and external partners.
You will work closely with application development teams, security, and networking to ensure APIs meet performance, reliability, and compliance standards.
Key Responsibilities
API Gateway Engineering
• Design, implement, and operate APIs on IBM API Connect (v10) and Kong gateways
• Build and maintain API assemblies, including policies, routing, transformations, and error handling
• Implement authentication and authorization using OAuth 2.0, JWT, and mTLS
• Configure rate limiting, throttling, and traffic control policies
Platform Configuration & Management
• Configure and manage catalogs, products, plans, and subscriptions
• Support developer portal integrations and API onboarding workflows
• Manage TLS configurations, certificates, keystores, and truststores
• Partner with networking teams on DNS, TLS, IP allowlists, and certificate management
CI/CD & Automation
• Implement CI/CD pipelines for API gateway configurations and deployments
• Enable GitOps-based promotion across environments (dev, test, staging, prod)
• Automate validation and deployment of gateway artifacts
Observability & Reliability
• Implement and maintain logging, metrics, tracing, and analytics for APIs
• Define and monitor SLOs and error budgets
• Troubleshoot performance, capacity, and reliability issues
• Conduct load and stress testing to validate scalability
Security & Compliance
• Apply API security best practices including:
o WAF integration
o Threat protection policies
o Schema validation and zero trust principles
• Partner with security teams to ensure compliance and risk mitigation
• Implement secure secrets management practices
Migrations & Collaboration
• Support and execute API gateway migrations (Kong ↔ IBM API Connect)
• Modernize legacy APIs and proxies
• Collaborate with application, platform, security, and infrastructure teams
• Provide guidance on API standards and best practices
We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment regardless of their race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to HR@insightglobal.com. To learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy: https://insightglobal.com/workforce-privacy-policy/.
Required Skills & Experience
• 5+ years of hands-on experience working with enterprise API gateways
• 2+ years of direct experience with IBM API Connect (v10)
• 2+ years of direct experience with Kong (OSS and/or Enterprise)
• Strong experience designing and supporting REST and SOAP APIs
• Proficient with OpenAPI (Swagger) specifications
• Deep understanding of API security patterns, including:
o OAuth 2.0 / OIDC
o JWT
o mTLS / TLS
• Strong experience managing certificates and key formats (PEM, PFX, P12)
• Hands-on experience building and maintaining:
o API assemblies and policies
o GatewayScript and XSLT
o Products, plans, catalogs, and subscriptions
• Working knowledge of DataPower within APIC
• Experience configuring:
o Services, routes, plugins, and consumers
o Rate limiting, authentication, and traffic management
• Experience with Kong OSS and/or Kong Enterprise
• Experience implementing CI/CD pipelines (GitHub Actions and/or Jenkins)
• Familiarity with Git-based (GitOps) deployment workflows
• Hands-on experience with observability tools:
o Splunk or ELK
o Prometheus and Grafana
Nice to Have Skills & Experience
SCREENING Q&A
1. Walk me through an API you’ve built or managed using an API gateway. What problems did the gateway solve?
Listen for:
• Clear ownership of design and implementation
• Use of routing, policies, auth, rate limiting
• Business or platform context (scale, partners, security)
🚩 Red flag: Very generic answers or only “configured existing APIs”
2. How do IBM API Connect and Kong differ in how they manage APIs and traffic?
Listen for:
• APIC: products, plans, catalogs, lifecycle
• Kong: services, routes, plugins, consumers
• Awareness of architectural differences, not just UI differences
3. Describe an API assembly you’ve built in APIC. What policies did you use and why?
Listen for:
• Real policy usage (OAuth, rate limit, invoke, switch, validate)
• GatewayScript or XSLT usage
• Conditional logic and error handling
🚩 Red flag: “I mostly just imported APIs”
4. When would you use GatewayScript vs XSLT in APIC?
Strong answer includes:
• GatewayScript for logic, JSON handling, dynamic behavior
• XSLT for XML transformations, SOAP use cases
• Performance or maintainability considerations
5. How do products, plans, and catalogs work together in APIC?
Listen for:
• Correct lifecycle explanation
• Understanding of consumer access, rate limits, and environments
• Subscription management
6. Explain how traffic flows through Kong from request to upstream service.
Listen for:
• Services → Routes → Plugins
• Plugin execution order
• Consumer or credential handling
7. What Kong plugins have you used most, and why?
Strong answers include:
• OAuth2, JWT, ACL, rate limiting, key auth, mTLS
• Custom or enterprise plugins (if applicable)
• Tradeoffs and limitations
8. How do you manage Kong configuration across environments?
Listen for:
• Declarative config (YAML), GitOps, CI/CD
• DecK or similar tools
• Promotion strategies (dev → prod)
9. How have you implemented OAuth2 or OIDC at the gateway layer?
Listen for:
• Token validation vs token issuance
• JWT claims usage
• Integration with IdPs
🚩 Red flag: Confusing OAuth flows or vague “we just turned it on”
10. Describe how you’ve implemented mTLS on an API gateway.
Strong answer includes:
• Client cert validation
• Truststores / keystores
• PEM / PFX / P12 handling
• Real world use cases (partners, zero trust)
11. What steps do you take to harden APIs at the gateway level?
Listen for:
• Schema validation
• Threat protection
• WAF integration
• Rate limiting and IP allowlists
• Secrets management
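As an added example (not the posting's own material and not vendor code), the following Node.js snippet shows what schema validation and threat protection look like when written out: a content-type check, a size cap and a nesting limit are applied to the raw body before it is parsed, and then an OpenAPI-style schema is applied with unknown fields rejected rather than passed through. The route, limits and schema are constructed for the example.

```javascript
// Added example (not from the posting, IBM, or Kong): gateway-side request
// hardening in Node.js with no dependencies. Limits and the schema for a
// hypothetical POST /orders route are constructed for this example.
const LIMITS = {
  maxBodyBytes: 64 * 1024,  // assumed payload cap
  maxDepth: 8,              // nesting cap against deeply nested JSON
};

// OpenAPI-style schema fragment. additionalProperties:false means fields the
// contract does not know (isAdmin, __proto__, ...) are rejected at the edge.
const ORDER_SCHEMA = {
  type: 'object',
  required: ['sku', 'quantity'],
  additionalProperties: false,
  properties: {
    sku: { type: 'string', pattern: '^[A-Z0-9-]{3,32}$' },
    quantity: { type: 'integer', minimum: 1, maximum: 1000 },
    note: { type: 'string', maxLength: 200 },
  },
};

// Nesting depth of the raw text, scanned without parsing (strings skipped),
// so an attacker cannot exhaust the stack before the limit is enforced.
function maxNesting(text) {
  let depth = 0, max = 0, inStr = false, esc = false;
  for (const ch of text) {
    if (inStr) {
      if (esc) esc = false; else if (ch === '\\') esc = true; else if (ch === '"') inStr = false;
      continue;
    }
    if (ch === '"') inStr = true;
    else if (ch === '{' || ch === '[') { depth++; if (depth > max) max = depth; }
    else if (ch === '}' || ch === ']') depth--;
  }
  return max;
}

// Recursive schema check; returns a list of "$.path: problem" strings.
function validate(value, schema, path = '$', errors = []) {
  const actual = Array.isArray(value) ? 'array' : value === null ? 'null' : typeof value;
  const wanted = schema.type;
  const typeOk =
    wanted === 'integer' ? Number.isInteger(value) :
    wanted === 'number' ? typeof value === 'number' && Number.isFinite(value) :
    actual === wanted;
  if (!typeOk) { errors.push(`${path}: expected ${wanted}, got ${actual}`); return errors; }
  if (wanted === 'object') {
    for (const k of schema.required || []) {
      if (!Object.prototype.hasOwnProperty.call(value, k)) errors.push(`${path}.${k}: required`);
    }
    for (const [k, v] of Object.entries(value)) {
      const sub = (schema.properties || {})[k];
      if (!sub) {
        if (schema.additionalProperties === false) errors.push(`${path}.${k}: additional property not allowed`);
        continue;
      }
      validate(v, sub, `${path}.${k}`, errors);
    }
  } else if (wanted === 'array') {
    if (schema.maxItems !== undefined && value.length > schema.maxItems) errors.push(`${path}: too many items`);
    if (schema.items) value.forEach((v, i) => validate(v, schema.items, `${path}[${i}]`, errors));
  } else if (wanted === 'string') {
    if (schema.maxLength !== undefined && value.length > schema.maxLength) errors.push(`${path}: too long`);
    // Patterns come from the gateway's own contract, not from the client, so a
    // RegExp built here is trusted input.
    if (schema.pattern && !new RegExp(schema.pattern).test(value)) errors.push(`${path}: does not match pattern`);
  } else if (wanted === 'integer' || wanted === 'number') {
    if (schema.minimum !== undefined && value < schema.minimum) errors.push(`${path}: below minimum`);
    if (schema.maximum !== undefined && value > schema.maximum) errors.push(`${path}: above maximum`);
  }
  return errors;
}

// Full pre-routing check for one request. Cheap rejections first, parse last.
function validateRequest(headers, rawBody, schema = ORDER_SCHEMA) {
  const ct = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/json') return { ok: false, status: 415, errors: ['unsupported content type'] };
  if (Buffer.byteLength(rawBody, 'utf8') > LIMITS.maxBodyBytes) return { ok: false, status: 413, errors: ['payload too large'] };
  if (maxNesting(rawBody) > LIMITS.maxDepth) return { ok: false, status: 400, errors: ['nesting too deep'] };
  let body;
  try { body = JSON.parse(rawBody); } catch { return { ok: false, status: 400, errors: ['invalid JSON'] }; }
  const errors = validate(body, schema);
  return errors.length ? { ok: false, status: 400, errors } : { ok: true, status: 200, errors: [], body };
}
```

The ordering matters as much as the checks: content type and size are decided from headers and byte length, nesting is decided from a linear scan, and only a body that passed all three is parsed and matched against the contract. The same policy expressed in a product (an APIC validate policy, a Kong request-size-limiting plugin plus a schema validator) should reject the same inputs; the candidate should be able to say which layer does which.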
Benefit packages for this role will start on the 1st day of employment and include medical, dental, and vision insurance, as well as HSA, FSA, and DCFSA account options, and 401k retirement account access with employer matching. Employees in this role are also entitled to paid sick leave and/or other paid time off as provided by applicable law.