API Gateway multiple client app authentication

I'm just starting to learn microservices but there is something that I can't seem to wrap my mind around.

Let's say that I have multiple applications accessible to the clients. These apps all speak to multiple APIs (or services).

I then want to create an API Gateway that's going to route all of the requests from these apps to the APIs.

What I can't understand in this scenario is: How does the authentication work in this case?

  • Should all the applications be "known" to the API Gateway so that I am sure that the requests that my Gateway receives are all coming from valid apps?
  • Should the user authentication of the apps be performed on the API Gateway directly? If so, how am I supposed to identify which app they are coming from? Because, of course, even if a user is authenticated I don't want to give him access to the other apps' APIs.


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
