I've been reading about the Facade Pattern and I'm trying to get an idea on how to implement this. This is how I understand how it can be implemented:

-------------------------------------------------------------
|               (Facade layer) API Exposure                 |
-------------------------------------------------------------
|                           DMZ                             |
|              (Auth API)         (Application Web API)     |
-------------------------------------------------------------

So there are two layers. So basically two Web API end points. One that lives in the DMZ, which is not accessible to the outside world. It contains endpoints like:

internal/User Get/Put/Post/Del
internal/Order Get/Put/Post/Del
internal/Product Get/Put/Post/Del
internal/Address Get/Put/Post/Del
etc.

And then there is the public Web server that exposes a Web API endpoint to the outside world. That layer will have endpoints like:

api/user - POST

This accepts a JSON object like:

User: {
  username: 'john doe'
  addresses: [{
     street: 'something 1001'
  }, {
     straat: 'company 300'
  }]
}

Then the api/user endpoint will in return make two calls. One goes to internal/User and one to internal/Address.

So the consuming user only had to make one API call to save a user object with address information. But the Facade layer will make two separate calls.

Is my understanding correct of the Facade Pattern for Web APIs?

Second question I have is, where should I do the auth checking when a consumer tries to use an API? Should I do that on the DMZ layer, or the Facade layer?

I have the feeling that I miss some important things in this example. Any details are helpful.