We are looking at a similar setup. In our case we are also considering having the gateway be responsible for obtaining permissions for the called API and caching them for a certain time, but that does not address your concern.
I would also be very interested in recommendations on this topic.