dont get me wrong, this is a big question.

Hey everyone, I've been pondering where authentication logic ought to go in a microservices architecture. The API gateway really feels like a good spot for those first auth checks, you know, before requests even get to the other services. On the flip side, maybe each individual service should handle its own authentication to really lock things down tight? What are your thoughts and experiences? Do you keep auth all in one place at the gateway, or spread it out? What are the upsides and downsides?