
Open Source API Gateways?

I've been reviewing the market recently for open source API Gateways. I'm looking to sit my gateway in front of a number of API services provided by node.js express applications.

I'm looking for basic rate limiting, throttling and some form of API monitoring. Upon a quick Google search I've come across the following products but I'm completely clueless as to whether the community feels any one is better than the other or if anyone has any real world experience with these products and can offer some insights into good / bad points.

Top comments (27)

Brassely David

I'm one of the core committers on API Platform.

The main difference between and all the other open-source solutions is that is fully open-source, and not only the API Gateway. The Management API, Analytics, Authorization server are freely available and all source code is available in our GitHub organization. is already used in production by many major and business-critical companies all over the world. They like the performance of the gateway, the minimal overhead and the fact that they can very easily extend it by writing Java plugins.

You're looking for basic rate-limiting, throttling and API monitoring? Perfect! All of them are available in More, you may be able to create your own Kibana or Grafana dashboards since all the analytics are stored in Elasticsearch...

I can't tell you that Gravitee is better than the other solutions, all of them have their own pros / cons, but I can tell you that, even if there are some missing features, we can work on them very quickly. If you have a look at our releases, you can see that we are doing many releases: one major per month, and the next one is coming next Tuesday:
Another point you have to know: many companies have subscribed to support... and all the bug fixes are directly in the next major version... Also, companies are sponsoring the company behind, GraviteeSource: they ask us to create and develop new features and they paid for that: and all of them are freely available in the next major release... We are doing open-source API Gateway / API Management, and we are doing it from 'A' to 'Z'...

See you!

Chris Binder

Hey David, I just took a look at Gravitee and like the highly abstracted and modularized approach a lot. Is the project still under active development? I would also be interested in controlling other gateways, e.g. CA API Gateway (which has an API) through Gravitee API-M front-end - is this possible?

Thanks & cheers, Chris

Brassely David

Hi Chris,

Yes, the project is still under highly active development, you can have a look at our GitHub repositories:

For your other questions, I don't know well how the "other gateways" are running and how they are managed. What you can do from gravitee is to define your API, then export the API's definition in JSON and convert / import the file somewhere else.


Chris Binder

Thanks for the quick reply - is there an abstraction for gateways already in Gravitee? Like an API managing the gateway, querying capabilities and apply configuration and service policies.
The common things (auth, throttling, logging, routing, etc) can be implemented on almost every gateway (and you probably know there are many), so I would be highly interested in finding (or contributing to) an API management solution (catalog, subscriptions, etc) which can be used to control different gateway types.

I believe this would be very interesting for many enterprises looking for a central dev portal, but needing to support different gateway technologies, like CA API Gateway, WSO2, Envoy (ingress to Istio), etc.

I was thinking that an abstracted interface to the gateway (like the one you built for storing repository data in Mongo, Redis or via JDBC) could be a way to achieve this.

Brassely David

No, there is no abstraction for gateways for now. And nothing about this in our roadmap.

Most of the stuff would be to look at what would be the best format to describe an API, before being able to deploy the API in different gateway technologies.

It is a very interesting feature but also time consuming...

We need a standard to describe an API (inherited from OAI ?) :-)
Ready ? Go !

jbguillois

Hi Chris,
I am a bit late to the discussion but I am really intrigued by your message :-)
Would you be able to share more details on potential use cases you identify?
Why would a company use several gateways?

Feel free to PM me on twitter.

Chris Binder

Hi Jean
All companies with API Management projects I have contributed to recently use different gateway vendors internally. This may be due to organizational reasons (lack of coordination between different departments) or technology evolution (central gateway vs micro gateway, advent of service meshes).
In addition I think this could be a door-opener for Gravitee in companies using CA, WSO2 or other vendors with weak developer portal solutions.

Since Gravitee is already highly modularized, the only thing needed is an abstracted API gateway interface (sounds simple, but might be a lot of effort). I'm in discussion with David about it.

Cheers, Chris

su -

Hello guy,

I'm curious about the Gravitee solution.
Is Gravitee cloud native?


Brassely David

Hello su,

Yes it is. Feel free to join our gitter channel to talk with the community.


billxinli

Hi there:

I am curious, is there more up-to-date documentation available for the gateway? A lot of information/pages seem to be empty from

Brassely David

Hi Bill,

Sorry for the delay, I was off last week.
You're right, some content is missing because of a lack of time from developers.
We were expecting more help from the community but nothing is coming :(
Sorry for I'm really sorry about it. Also, you may have to understand that we are providing an open-source platform so that, some companies need our help / our expertise because of this lack of documentation... But it's not a good reason and I'm sure we need more to start with Perhaps you can help us by indicating which parts are really missing from your pov.

Thanks a lot.

Ranadima Somathilaka

Hi Brassely,

Does Gravitee have OpenID Connect support? I couldn't find clear documentation for that.


Brassely David

Hi Ranadima,

What are you looking for exactly?

We have an Access Management module which is certified OIDC.

Ranadima Somathilaka

Thanks Brassely for the quick response. I'll have a look.


rhymes

I've played with Kong a tiny bit out of curiosity in the past. It works and it's built on battle tested nginx. The open source community is active and there are many plugins for basically everything.

Rate limiting and throttling are supported out of the box.

Keep in mind that if you put all your APIs behind a gateway you need it to not become a single point of failure, so you might have to cluster at least two instances of the API gateway.

The great thing about the API gateway "pattern" is that you can work and evolve APIs in the backend keeping the same interface for the clients if you need to, or for example make it so that all APIs have the same authentication system and so on.

Mikael D

Kong is a great recommendation, it's the most straightforward of the choices above and the community is very much alive.

Mikael D

I should mention though that it's a bit "crippleware", features you might need like advanced transformations and OAuth require an enterprise license.

Samuel Cardoso

Here in my company I use TreeGateway, which is completely free and open source. It is built to run on Express (Node.js).

The has a number of features and can be customized using JavaScript. Here are a few:

  • Rate limiting
  • Throttling
  • API monitoring
  • Cache
  • Circuit Breaker
  • Authentication
  • Routing
  • And others

The strengths are:

  • Implements all features that other gateways in the market have
  • It's completely free
  • It's easy to customize it
  • Has almost zero overhead when inserted into the infrastructure

The weaknesses are:

  • The Gateway seemed complete, but I have not seen some features like Portal and Building APIs (although they are outside the scope of a Gateway)

I believe that the choice depends on your needs. Basic functionality is common among Gateways, but you have to check for customization, ease of deployment and product support.

Good luck!

Cédrick Lunven

I'm a consultant working in the domain; those are the ones I saw:

Well, my personal opinion is I don’t feel 100% confident with these kinds of tools as OSS (even if I am an active OSS committer myself). Those pieces are meant to protect and secure your IS in a way. If I got the source code of the tool protecting your IS it’s easier for me to forge an attack.

james-tyk

Hey Cédrick, thanks for mentioning open source API Gateway

Our gateway is 100% open source, the same open source version is used by Cisco and Capital One, as is used by anyone taking the gateway from our package repositories or Github.

Precisely because it is open and transparent, it is trusted and loved by highly regulated industries. This is why Tyk has so many healthcare, financial service and telco customers - no "black boxes" or "systems calling home" from your network!

Enterprise customers can also purchase a support SLA and contract, to ensure ongoing maintenance and support for their deployment.

We believe that open and transparent code makes for better security, and our users agree.

Vive la Open Source!

kelseyevans

Ambassador is an open source API Gateway specific to Kubernetes services that's built on the Envoy Proxy. If you're using Kubernetes, definitely check it out!

Xing Wang

Check out also. It is probably the most popular free API gateway.

We at Moesif, an API analytics platform is integrated with core codebase. Once your needs go beyond basic rate limiting or monitoring, check it out.

Mary Krivokhat

You may like the micro-services API gateway by Young App (Yap) that offers powerful, yet lightweight features that allow fine-grained control over your API ecosystem.

Young App open source project (Yap):

  • is different from Express, Koa or Hapi (with no API management) because Yap does use API management.
  • designed for serverless (event-driven) functions and for GraphQL protocol.
  • uses Node.js (without security handler) and all other NodeJS frameworks based on HTTP module.

To find out more, please visit
Community Edition:

Yap combines GraphQL with XML policies, OpenAPI v3, and strong functional testing on serverless architecture.

Key features:

🎉 Elegant XML policies
The powerful capability of the system that allows the publisher to change API behavior through configuration in elegant XML files.

🎉 GraphQL as API gateway
GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. Yap uses only GraphQL as API Gateway.

🎉 YAML functional testing
CI-ready tests for REST APIs configured in YAML.

🎉 Error handling with policies
Sentry provides self-hosted and cloud-based error monitoring that helps all software teams discover, triage, and prioritize errors in real time.

YAP is the only integration platform that was built from the ground to support a single design interface for developer/IT and for citizen integrators.

🎉 Universal middleware design
The design conventions inspired by Express or KoaJS and adapted for serverless application and low-code approach.

🎉 Designed for serverless
Yap is designed for serverless event functions on AWS, GCP, or Azure functions.

🎉 NodeJS
YAP is written in Typescript NodeJS, which makes it fast and easy to set up.

Apoorv Kapil

Most of the Node.js based API Management solutions (that you listed above) come with feature limitations in the free version and require you to upgrade to an Enterprise solution.

However, I will recommend WSO2 if your team is comfortable with Java frameworks and Integration solution to an Enterprise scale. It's free and all the Basic and Enterprise features are OOTB (Rate Limiting, Throttling, caching, LDAP Integration, and RBAC). If you're looking for a more SaaS solution with minimum cost, opt for APIGEE.

The above-mentioned Node.js solutions are still amateur for an Enterprise-level solution.
I hope to see more advanced features in these tools from company and communities to build.

nasasira

This is a bit late but I hope it helps anyone reading this post and still looking for a reliable API Gateway.
Apache APISIX should be your straightforward choice out of the multiple API Gateways.

Apache APISIX is an open source, dynamic, scalable, and high-performance cloud native API gateway for all your APIs and microservices.
APISIX facilitates interface traffic handling for websites, mobile and IoT applications by providing services such as load balancing, dynamic upstream, canary release, fine-grained routing, rate limiting, and many more.


  1. Multi-platform support: APISIX can run from bare-metal machines to Kubernetes providing a vendor neutral, multi-platform solution. It also provides integration to cloud services like AWS Lambda, Azure Function, Lua functions and Apache OpenWhisk.
  2. Fully dynamic: APISIX supports hot-reloading, meaning you don't need to restart the service to reflect changes in the configuration.
  3. Fine-grained routing: APISIX supports using all built-in NGINX variables for routing. You can define custom matching functions to filter requests and match Route.
  4. Ops-friendly: APISIX is renowned for its ops-friendliness by DevOps teams. It integrates with tools and platforms like HashiCorp Vault, Zipkin, Apache SkyWalking, Consul, Nacos and Eureka. With APISIX Dashboard, operators can configure APISIX through an easy-to-use and intuitive UI.
  5. Multi-language Plugin support: APISIX supports multiple programming languages for Plugin development. Developers can choose a language-specific SDK to write custom Plugins.

I hope this gives a sneak peek at why Apache APISIX should be your straightforward choice.
Also to note, I came across an article that I found useful, comparing APISIX with most of the API Gateways in the market.

Xing Wang

Kong and Tyk are basically API gateways.

Moesif is an API analytics platform, it provides plugins for Kong and Tyk for easy integration.

Btw, I am the co-founder of Moesif.

andrewtyk

You should also add Tyk to your list