How would you design a high-level architecture for an API gateway that handles rate limiting and token-based authentication?