[samjs]

Nice!

Is the request composer responsible for checking the authorization data? Like what roles/permissions the user has?

[gedy]

Not the OP but we did similar and this front end gateway/"backend for front end" would do the roles checks, yes. Back end services could do course grained checks if needed.