Research on API Security Gateway and Data Access Control Model for Multi-Tenant Full-Stack Systems
Abstract
To address API abuse and unauthorized data access in multi-tenant systems, this paper proposes a full-stack security gateway framework based on zero-trust access and policy verification. The system integrates Envoy Gateway and the OPA (Open Policy Agent) policy engine at the API ingress layer, combining the OAuth 2.1 authorization protocol with JWT token authentication to achieve fine-grained tenant identity management. To support dynamic resource access, a policy inheritance mechanism based on GraphQL Schema injection is designed, enabling millisecond-level validation of data access permissions. Experiments at the scale of a million requests show that the model achieves an average authentication latency of 74.2 ms, a 28% increase in the security event detection rate, and a false positive rate reduced to 1.9%. This research provides a highly scalable, auditable security baseline architecture for data security governance in multi-tenant web platforms.
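The tenant-scoped, inheritance-aware authorization decision the abstract describes, as an added Python sketch that is not the paper's code: it verifies an HS256 JWT, rejects any request whose token tenant differs from the resource tenant, and resolves a field rule by walking up the GraphQL path until an ancestor defines one. The signing key, the claim names (tenant_id, roles, exp) and the sample field policy are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time
DEMO_KEY = b"constructed-demo-key"  # constructed; a real gateway verifies against the authorization server's keys

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256 JWT (test helper; the gateway itself only verifies tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, key: bytes = DEMO_KEY, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None  # signature mismatch (tampered or wrong key)
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None  # expired
    return claims

# Field-level policy keyed by GraphQL path; a path with no entry inherits its nearest ancestor's rule.
FIELD_POLICY = {
    "Query": {"roles": {"viewer", "admin"}},
    "Query.invoices.amount": {"roles": {"admin"}},  # override: only admins see amounts
}

def resolve_rule(field_path: str):
    parts = field_path.split(".")
    while parts:
        rule = FIELD_POLICY.get(".".join(parts))
        if rule is not None:
            return rule
        parts.pop()  # fall back to the parent type/field
    return None  # no applicable rule: deny by default

def authorize(token: str, resource_tenant: str, field_path: str, now=None) -> bool:
    claims = verify_token(token, now=now)
    if claims is None or claims.get("tenant_id") != resource_tenant:
        return False  # invalid token or cross-tenant access attempt
    rule = resolve_rule(field_path)
    return rule is not None and bool(set(claims.get("roles", [])) & rule["roles"])
```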