What is the difference between GraphQL Server and API Gateway? Both can combine the responses of multiple APIs and can do authentication, input validation and metrics.
I would classify the roles a little like this:
In the days of on-premise hosting, an API gateway was hosted in a DMZ and exposed to the internet. An attacker who gained access to the gateway would not be able to access things like database connection strings. This type of layering is still a hosting best practice, though cloud providers may do it for you.
API gateways can deal with cross-cutting concerns such as rate limiting. They can also run plugins to implement generic security such as translating cookies to tokens, or applying CSRF checks. This simplifies the code you need to write in APIs.
An interesting use case is legal requirements in some sectors, to keep a user's data within their home country. Gateways can manage this type of advanced routing also, e.g. if there is a region value in a cookie or token that can be read. This might ensure that all requests for a US user get routed to US servers, even if the user is currently in Asia.
Before GraphQL, an end-to-end flow from UIs to APIs might involve a 1000-mile HTTP request from the app to an entry point API. This might then call 3 other APIs hosted right next to it, to provide both good performance and good separation of concerns.
I would say a GraphQL server has this type of role. Whether you need both roles or just one is perhaps a judgment call, which depends upon requirements important to you, and which component does the job best.
A gateway can be very lightweight. In Kubernetes the ingress controller acts as a gateway and can receive requests from multiple internet URLs. So you might use a Kong or NGINX ingress, which can run plugins to apply custom logic when needed. That would route to the GraphQL server.
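The region-based routing described in the answer above, sketched as an added example that is not part of the original answer and is not Kong or NGINX plugin code. The `region` claim name, the HS256 signing key and the upstream URLs are assumptions made up for illustration; expiry and audience checks are left out to keep the focus on the routing decision.

```python
import base64
import hashlib
import hmac
import json

# Constructed values: key, region names and upstream URLs are assumptions.
SIGNING_KEY = b"demo-key-not-for-production"
UPSTREAMS = {
    "us": "https://graphql.us.internal.example",
    "eu": "https://graphql.eu.internal.example",
}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def select_upstream(token: str, key: bytes = SIGNING_KEY):
    """Return the upstream for the verified region claim, or None to reject."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm; the token must not choose how it is verified.
        if header.get("alg") != "HS256":
            return None
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        region = json.loads(_b64url_decode(body_b64)).get("region")
    except (ValueError, TypeError, AttributeError):
        return None
    # Fail closed: a missing or unknown region is rejected rather than
    # sent to a default region, which would defeat the residency rule.
    return UPSTREAMS.get(region) if isinstance(region, str) else None
```

The region is read only after the signature check, so a client cannot steer its own requests to another region's servers by editing the claim.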