I was watching a developer give a demo recently, and part of it included a look at a dashboard of incoming requests and the response codes. I asked the developer how she was generating the request traffic.
The same is true of authorization, and handling authorization in your API gateway is like having a sidecar for your larger system.
In brief, a system uses authentication (https://www.getambassador.io/docs/edge-stack/latest/topics/running/services/auth-service) and authorization processes to answer two questions for a given request: Who made this request?
Your API gateway should be able to send requests out to your authorization service and receive back instructions on what to do with them.
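The exchange described above, sketched as an added example (not code from Ambassador or from the original post): a small external authorization service that the gateway could call for each request. It follows the convention used by Ambassador's AuthService, where a 200 response lets the request continue and any other status is returned to the client. The token table, the `x-authenticated-user` header name and port 3000 are constructed for illustration.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: bearer token -> (user, allowed path prefixes).
TOKENS = {
    "tok-alice": ("alice", ("/orders/", "/profile/")),
    "tok-bob": ("bob", ("/profile/",)),
}

def decide(path, headers):
    """Return (status, extra_headers) for one request forwarded by the gateway.

    200 tells the gateway to pass the request upstream; any other status
    is what the gateway hands back to the client.
    """
    scheme, _, presented = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return 401, {"www-authenticate": "Bearer"}
    # Who made this request? Compare against each known token in constant time.
    for token, (user, prefixes) in TOKENS.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            # Fail closed on dot segments so a prefix match cannot be sidestepped.
            safe = ".." not in path.split("/")
            if safe and any(path.startswith(p) for p in prefixes):
                # Hypothetical header carrying the verified identity upstream.
                return 200, {"x-authenticated-user": user}
            return 403, {}
    return 401, {"www-authenticate": "Bearer"}

class AuthHandler(BaseHTTPRequestHandler):
    def _handle(self):
        headers = {k.lower(): v for k, v in self.headers.items()}
        status, extra = decide(self.path, headers)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("content-length", "0")
        self.end_headers()

    # Answer every common method with the same decision logic.
    do_GET = do_POST = do_PUT = do_DELETE = _handle

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 3000), AuthHandler).serve_forever()
```

Upstream services should trust `x-authenticated-user` only when the gateway strips any client-supplied copy of that header before calling the authorization service.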