Aman Garg
Dec 16, 2021
In general, yes. For most companies, the API Gateway is where the SSL terminates for north-south calls. The user token is authenticated and a user baggage (resolved from the token) is added in the downstream calls.

For east-west, it usually isn't required as calls are assumed to be undertaken in a trusted network. Service-to-service TLS is rarely done due to the performance implications, as certificate expiry/revocation lookup is costly.

However, a service may choose to explicitly whitelist callers, in which case its inbound middleware will drop all requests from untrusted sources. E.g. a User service, which may only whitelist calls from a fixed set of callers.

However, most teams starting up do not require the overhead and the auth token should not be passed around.
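The caller whitelist described in this response, as an added example that is not the author's own code: an inbound HTTP middleware in Go that rejects any request whose caller is not on a fixed allowlist. It assumes the caller's identity arrives in an `X-Caller-Service` header populated by a trusted hop (gateway or sidecar) on the east-west path, and that the header name, the service names and the `/users/42` route are all constructed for the example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// callerHeader is an assumed header name; in practice it is set by a trusted
// gateway or sidecar, never by the external client.
const callerHeader = "X-Caller-Service"

// Allowlist is the fixed set of service names permitted to call this service.
type Allowlist map[string]struct{}

// NewAllowlist builds an Allowlist from the given service names.
func NewAllowlist(names ...string) Allowlist {
	a := make(Allowlist, len(names))
	for _, n := range names {
		a[n] = struct{}{}
	}
	return a
}

// Allowed reports whether caller is on the list (exact match, non-empty).
func (a Allowlist) Allowed(caller string) bool {
	if caller == "" {
		return false
	}
	_, ok := a[caller]
	return ok
}

// RequireCaller wraps next so that only allowlisted callers reach it.
// Missing or unknown callers get 403 and the denial is logged so that
// unexpected east-west traffic shows up in detection pipelines.
func RequireCaller(allow Allowlist, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		caller := r.Header.Get(callerHeader)
		if !allow.Allowed(caller) {
			log.Printf("denied %s %s from caller=%q", r.Method, r.URL.Path, caller)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a constructed request through h with the given caller header
// (omitted when empty) and returns the resulting HTTP status code.
func probe(h http.Handler, caller string) int {
	req := httptest.NewRequest(http.MethodGet, "/users/42", nil)
	if caller != "" {
		req.Header.Set(callerHeader, caller)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// userService is a stand-in for the protected handler.
func userService(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "user record")
}

func main() {
	// Constructed allowlist: only these two services may call the User service.
	h := RequireCaller(NewAllowlist("order-service", "billing-service"), http.HandlerFunc(userService))
	for _, c := range []string{"order-service", "search-service", ""} {
		fmt.Printf("caller=%q -> %d\n", c, probe(h, c))
	}
}
```

The allowlist lives with the callee, so the decision is made at the inbound edge of the service rather than trusting whatever a caller claims about itself; the logged denials are the signal to watch for a new or misconfigured caller.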

Written by Aman Garg, Senior Software Engineer @Uber