It depends.
An API gateway usually helps the clients, as all service is called through that gateway,
which can do the authentication, too.
Also it can provide some useful services to the upstream, too: registry, discovery, authentication, rate limiting and so on.
And the API gateway can provide such services by itself to the clients, too: list the registered services, with their .proto files, endpoints, rate limits …
The closest thing I’ve found is Ambassador (getambassador.io), but that’s just too heavyweight for me:
it needs Kubernetes and Envoy.
https://github.com/mwitkow/grpc-proxy is a gRPC proxy (library), but shows that such a high-level proxy is cumbersome: you have to go greate lengths to NOT know the underlying data types an proxy just the HTTP/2 bytes.
Which means that a HTTP/2 proxy with service registry would be the best, I think.