I have a basic question on how Layer-7 API management product works. I believe all API URLs are protected in Layer-7 and all API requests goes through layer-7 gateway which authenticates the caller and forward the requests to API hosting server (based on URI/URL) which returns API response back to caller via gateway. Do we need to install any layer-7 plug-in or library on API hosting server ? How do we protect if some one call API directing by invoking hosting server (bypass layer-7 gateway) by setting required headers ? Basically, how does API hosting server ensure that request came via layer-7 ?