Aug 10, 2023
This is a horrible idea for multiple reasons.
First, the API application can do internal redirects (aka FORWARDS). It's part of the HTTP standard. This means that it can bypass ALL SECURITY IN THE GATEWAY! (https://medium.com/@apiexpert/why-api-gateways-are-dead-7c9e324ff70a)
Second, if the API application does any kind of ROLE checks (RBAC/ABAC), this will cause privilege escalation in the cache at the gateway (https://medium.com/@apiexpert/api-gateways-not-securing-caches-ff042a399452).
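The second point, a gateway cache in front of a backend that enforces its own roles, as an added simulation that is not part of the commenter's text or the linked articles: the naive gateway keys its cache on the path only, so a response the backend produced for an admin is replayed to a plain user; keying the cache on the principal as well (or having the backend mark such responses `Cache-Control: private`) removes that. The users, roles and paths are constructed for the example.

```python
"""Constructed gateway-cache simulation: backend RBAC vs. a path-keyed cache."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed role table standing in for the backend's RBAC lookup.
ROLES = {"alice": "admin", "bob": "user"}


def backend(path: str, user: str) -> Tuple[int, str]:
    """Backend enforces roles itself; the gateway never sees these rules."""
    if path == "/admin/report":
        if ROLES.get(user) != "admin":
            return 403, "forbidden"
        return 200, "secret report for admins"
    return 200, "public page for " + user


@dataclass
class Gateway:
    key_on_user: bool  # False = cache keyed on path only (the weak setting)
    cache: Dict[object, Tuple[int, str]] = field(default_factory=dict)

    def handle(self, path: str, user: str) -> Tuple[int, str]:
        key = (path, user) if self.key_on_user else path
        if key in self.cache:
            return self.cache[key]          # served without consulting the backend
        resp = backend(path, user)
        if resp[0] == 200:                  # naive gateways cache any 200
            self.cache[key] = resp
        return resp


def naive_gateway_leaks() -> bool:
    """Admin fetches first; the same cached body is then served to a plain user."""
    gw = Gateway(key_on_user=False)
    gw.handle("/admin/report", "alice")
    status, body = gw.handle("/admin/report", "bob")
    return status == 200 and "secret" in body


def keyed_gateway_holds() -> bool:
    """Per-principal cache key: bob still reaches the backend and gets 403."""
    gw = Gateway(key_on_user=True)
    gw.handle("/admin/report", "alice")
    status, _ = gw.handle("/admin/report", "bob")
    return status == 403
```

Running both functions shows the path-only cache returning the admin body to `bob` while the per-principal cache does not; a gateway that honours `Cache-Control: private` from the backend gets the same result without per-user keys.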