Open Source API Gateway

A gateway sits at the edge of everything you publish, so it reads every request before your services do, holds the auth, and becomes the single hop that can take all your APIs down at once - which makes the routing, rate-limit, and token logic too consequential to run as a black box. The open source gateways here let you read exactly how traffic is matched, throttled, and authenticated, and run that edge on your own infrastructure, so the layer fronting your backends isn't itself a cloud dependency you can't move.

12 API gatewaysUpdated July 2026
Showing 1-9 of 12

How to choose an open source API gateway

Start with where the gateway will sit in your traffic path. Some teams need a north-south edge gateway in front of public APIs, while others need an internal gateway for service-to-service calls, partner traffic, or platform routing across clusters. That choice affects latency budget, failure blast radius, TLS termination, DNS strategy, and whether the gateway must understand Kubernetes primitives or run cleanly on VMs. Be clear about whether it is replacing an ingress controller, sitting behind a cloud load balancer, or standardizing routing across several environments.

Treat policy as the main product surface, not an add-on. API gateways differ sharply in how they express authentication, authorization, rate limits, request transforms, schema validation, retries, circuit breaking, and version routing. Look for the policy model your team can review and test - declarative files, an admin API, a UI, or custom code. Also check how policies are scoped across routes, consumers, tenants, and environments. A gateway that makes one-off rules easy but global policy hard will become painful once more teams publish APIs through it.

Evaluate the operating model before the feature list. The hard parts are safe configuration rollout, zero-downtime reloads, metrics cardinality, log volume, plugin isolation, backups for control-plane state, and recovery when the data plane loses contact with the control plane. If you expect high request volume, benchmark with your own headers, authentication checks, and upstream behavior rather than synthetic hello-world routes. Finally, confirm the exit path - routes, certificates, consumers, and policies should be exportable in a format you can keep under version control.

Related categories

Frequently asked questions

What is an API gateway responsible for?+

An API gateway is the policy and routing layer in front of APIs. It usually handles request routing, TLS termination, authentication handoff, rate limits, request or response transformation, and observability hooks. It should not become the place where core business logic lives. Keep domain decisions in services, and use the gateway for cross-cutting controls that need consistent behavior across many APIs.

How is an API gateway different from a load balancer?+

A load balancer mainly distributes traffic across healthy backends. An API gateway understands API-level concerns such as routes, methods, consumers, tokens, quotas, headers, and versioned endpoints. Many deployments use both: a load balancer provides a stable network entry point, while the gateway applies API policy and forwards to upstream services. If you only need basic traffic distribution, a gateway may add unnecessary complexity.

Should an API gateway replace my ingress controller?+

Sometimes, but not always. In Kubernetes, ingress controllers are often good at exposing services and managing basic host or path routing. API gateways add richer API policy, consumer management, authentication integration, and traffic controls. Some teams run both, with ingress handling cluster entry and the gateway handling API rules. The right split depends on who owns routing, how policies are reviewed, and whether non-Kubernetes services must be included.

What deployment model works best for self-hosting an API gateway?+

For self-hosting, separate the control plane from the data plane if the gateway supports it. The data plane should keep serving traffic during a control-plane outage, using its last known configuration. Run multiple gateway instances across failure domains, automate certificate handling, and test reload behavior under traffic. Avoid designs where every request depends on a database lookup unless you have measured the latency and failure behavior.

How should I evaluate authentication support?+

Map your real identity flows before comparing features. Check support for OIDC, JWT validation, API keys, mTLS, opaque token introspection, service accounts, and partner credentials as needed. Pay attention to where authorization decisions happen. A gateway can validate identity and enforce coarse rules, but fine-grained business permissions often belong in the service. Also verify key rotation, clock skew handling, and failure behavior when the identity provider is unavailable.

What rate limiting features matter in an API gateway?+

Look beyond a simple requests-per-minute setting. Useful rate limiting usually needs scopes such as consumer, credential, IP, route, tenant, and plan. Distributed accuracy matters when you run multiple gateway replicas. Also check burst handling, quota reset behavior, headers returned to clients, and how limits behave when the backing store is slow or down. For paid APIs, auditability and predictable client feedback are as important as enforcement.

How much latency does an API gateway add?+

The base proxy overhead is often small, but real latency comes from enabled policies: token verification, external authorization calls, logging, transformations, rate-limit storage, and upstream retries. Benchmark with production-like headers, TLS, authentication, and route counts. Measure tail latency, not just averages. A gateway in the hot path also needs capacity headroom, because a saturated gateway can make healthy services look broken.

What should I look for in the configuration model?+

Prefer a configuration model that matches your release process. Teams that use Git-based change control usually want declarative config, validation, diffs, and promotion between environments. Platform teams with many API owners may need an admin API and role-based delegation. Watch for hidden state in a UI that cannot be exported cleanly. Every route, certificate reference, consumer, and policy should be reproducible after a rebuild.

Are plugins and custom extensions safe to rely on?+

Plugins are useful when you need custom authentication, header logic, logging, or integration with internal systems. The risk is operational: a bad plugin can add latency, leak data, crash workers, or make upgrades harder. Check the extension language, isolation model, test tooling, and compatibility guarantees. Keep custom code small, version it separately, and avoid turning the gateway into a general application runtime.

How do API gateways handle observability?+

A useful gateway should expose request metrics, structured access logs, upstream latency, policy decisions, response codes, and error reasons. Distributed tracing support helps connect gateway behavior to backend services. Be careful with high-cardinality labels such as full paths, user IDs, or tokens. Also decide where sensitive fields are redacted. Gateway logs often contain enough context to be useful and enough risk to require strict handling.

What security details are easy to miss?+

Check TLS defaults, cipher configuration, certificate rotation, mTLS support, request size limits, header normalization, and how the gateway handles malformed requests. Admin interfaces should be isolated from public traffic and protected with strong authentication. If the gateway supports dynamic configuration, audit who can change routes and policies. Also review how secrets are stored, referenced, logged, backed up, and exposed to plugins.

How hard is it to migrate from an existing gateway or reverse proxy?+

Migration is mostly policy translation, not route copying. Inventory hosts, paths, methods, upstreams, certificates, authentication rules, rate limits, transforms, redirects, and error behaviors. Then move a small set of APIs first and compare responses, headers, status codes, and latency. Expect cleanup around overlapping routes, implicit defaults, and client assumptions. A staged cutover with DNS or load-balancer weighting is safer than a single switch.

What happens if the API gateway project slows down or is abandoned?+

Plan for replacement before you need it. Keep gateway configuration in portable text where possible, document nonstandard plugins, and avoid embedding business logic in gateway-specific code. Make sure certificates, routes, consumers, and policies can be exported without manual screenshots. If a project stalls, your practical risk depends on how deeply it is tied to your deployment model, custom extensions, and identity stack.