6 Open-Source API Gateways

As APIs have become more widespread and normalized, the need for standardization, security protocols, and scalability has grown exponentially. This is especially true with the explosion of interest in microservices, which rely on APIs for communication. An API gateway meets these needs and more with a single solution that’s relatively easy to implement.

Perhaps most importantly, an API gateway serves as a mediator between your users and your data. An API gateway is an essential failsafe against improperly exposed endpoints, which are a favorite target for hackers. Considering that a compromised API can have spectacularly disastrous consequences in some circumstances, this alone makes API gateways worthy of exploration. Gateways also add a helpful abstraction layer, which helps to future-proof your API, preventing breakage and service outages due to API versioning or changes to the backend, among other things.

Unfortunately, many API gateways are proprietary and don’t come cheap! Thankfully, several open-source API gateways have come forward to meet this demand. We’ve reviewed six notable open-source API gateways that you can test for yourself without making a sizeable vendor commitment.

Kong Gateway (Open Source)

Kong Gateway (OSS) is a popular open-source API gateway due to its slick interface, vibrant community, cloud-native architecture, and extensive features. It’s also extremely fast and lightweight. Kong also has ready-made deployments for many popular container and cloud-based environments, from Docker to Kubernetes to AWS. This allows you to easily integrate Kong into your existing workflow, making the learning curve much less steep.

Kong supports logging, authentication, rate limiting, failure detection, and much more. Even better, it has its own CLI, so you can manage and interact with Kong directly from the command line. You can install the open-source community Kong Gateway on various distributions. Basically, Kong has everything you could want from an API gateway.

Tyk Open-Source API Gateway

Tyk has been called the “industry-best API gateway.” Unlike other API gateways on our list, Tyk is indeed open-source — not just open-core or freemium. It offers an impressive array of features and functions for an open-source solution. Like Kong, Tyk is also cloud-native and has many plugins available. Tyk can even be used to publish your own APIs in both REST and GraphQL formats.

Tyk has native support for many features, including various forms of authentication, quotas, rate limiting, and versioning. It can even generate API documentation. Most impressively of all, Tyk features an API developer portal that lets you publish managed APIs, so third parties can sign up for your APIs and even manage their API keys. It’s rather incredible how much Tyk offers with its open-source API gateway.

KrakenD Open-Source API Gateway

Written in Go, KrakenD’s open-source API gateway has several notable features, most specifically its optimization for working with microservices. Its portability and statelessness are other strong selling points, as it can run anywhere and requires no database. It’s more slick and approachable than some of the other API gateways on our list, thanks to the KrakenDesigner, a GUI that lets you visually design or manage your APIs. You can also easily edit your APIs by simply editing a JSON file.

KrakenD includes basic features like rate limiting, filtering, caching, and authorization and also offers more bells and whistles than some of the other API gateways we’ve mentioned. Numerous plugins and middlewares are available without modifying the source code. It’s also highly efficient — according to the maintainers, KrakenD’s throughput outperforms other API gateways from Tyk and Kong. It even features native GraphQL support. With all of this, KrakenD’s gateway is well worth checking out.

Gravitee OpenSource API Management

Gravitee.io is another API gateway with an impressive array of features, this time written in Java. Gravitee has three modules for publishing, monitoring, and documenting APIs:

  • API Management (APIM): APIM is an open-source module that gives you complete control over who accesses your APIs and when and where.
  • Access Management (AM): Gravitee features a native open-source authorization solution for identity and access management. It’s based on OAuth 2.0/OpenID protocols, with a centralized Authentication and Authorization service.
  • Alert Engine (AE): The alert engine is a module for monitoring your API, letting you customize multi-channel notifications to alert you of suspicious activities.

Gravitee also features an API designer, Cockpit, and a command line interface, graviteeio-cli. All of this makes Gravitee one of the most extensive open-source API gateways. You can view Gravitee.io OpenSource API Management on GitHub, or download it directly for AWS, Docker, Kubernetes, Red Hat, or as a Zip File.

Apinto Microservice Gateway

Clearly, Go is a popular language for writing API gateways. Written in Go, the Apinto API gateway is designed for managing microservices and provides all the tools you need for API management. It supports authentication, API security, and flow control.

Apinto supports HTTP forwarding, multi-tenant management, access control, and API access management, making it ideal for microservices or any development project with many types of users. Apinto can be easily customized for specific users, as well, with a versatile user-defined plugin system. It also has unique features like an API health check and a dashboard.

Apinto Microservice is optimized for performance, featuring dynamic routing and load balancing. According to the maintainers, Apinto is up to 50% faster than Nginx or Kong.

Apache APISIX API Gateway

We’ll round out our list of open-source API gateways with one from one of the world’s largest open-source groups, The Apache Software Foundation. Apache APISIX API Gateway is another cloud-native API gateway with all of the features you’ve come to recognize by this point — load balancing, authentication, rate limiting, and API security. There is some special functionality, however, including multi-protocol support and Kubernetes ingress control.

Final Thoughts on Open-Source API Gateways

The days of unfettered, unrestricted API access are over. With API usage now ubiquitous, there are countless reasons to implement an API gateway for security, as an improperly exposed API endpoint can do a great deal of damage. An API gateway can help wrap rate limiting around your API to ensure safe usage. And, if you’re paying hefty prices to a third-party vendor, an open-source option could decrease your monthly IT budget.

In summary, API gateways add an important abstraction layer to your API environment, which may be their most helpful feature. Such abstraction layers are some of the best methods to prevent improper exposure of API endpoints and user data. Almost as important, though, is the flexibility a gateway adds to your APIs.

Without an abstraction layer, even small changes to your backend could cause major breakage downstream. Adding an API gateway can benefit agile frameworks and help streamline your CI/CD pipeline.