API Gateways in 2026 — Kong 4 / Tyk / Apigee / KrakenD / Zuplo / Envoy Gateway / Traefik 3 Deep Dive (15 Options, 4 Categories)

Prologue — "Why not just use nginx?"

A conversation every microservices team has at least once in 2026.

Junior: "Why do we need an API gateway? Can't we just put nginx in front?" Senior: "Rate limiting? Auth? Key management? Logging? Schema validation? Canary deploys? OpenAPI auto-gen? Dev portal?" Junior: "...oh."

This intro scene still plays out in 2026. nginx and HAProxy are excellent reverse proxies, but an API gateway is a separate category sitting on top with business logic baked in. And that category got shaken up over the past two years.

Three changes happened.

First, Mashery disappeared. TIBCO formally sunset Mashery on January 31, 2024. Apigee, 3scale, and Mashery used to be the "Big 3 managed gateways" — now one seat is empty.

Second, LLM API gateways became a new category. Portkey, Helicone, and OpenRouter do things traditional gateways don't — model routing, token counting, fallback, semantic cache, prompt management. All three raised Series A between 2024 and 2025.

Third, programmable edge took off. Zuplo lets you write gateway logic in TypeScript, running on Cloudflare Workers. They raised a Series A in 2024 and differentiate through an OpenAPI-first workflow.

This piece maps 15 options across four categories — open-source self-hosted, managed cloud, programmable edge, and LLM gateways. Features, pricing, real-world cases, and when to pick each.

Chapter 1 · The 2026 API Gateway Map — Four Categories

First the big picture. 15 options on one screen.

Three key takeaways.

1) Control plane and data plane are splitting. Kong split Konnect (control) from data plane. Envoy Gateway separates naturally via xDS. Managed SaaS is trending toward a hybrid model where only the control plane is SaaS and the data plane runs in the customer's VPC.

2) Kubernetes Gateway API became the standard. Envoy Gateway, Kong, and Traefik all support Gateway API as first-class. No more learning Ingress, Gateway, and VirtualService separately.

3) LLM gateways are a distinct category. Traditional API gateways are bad at LLM token counting, streaming, fallback, and semantic cache. That's why Portkey and Helicone emerged separately, and Kong and Tyk are now bolting on LLM plugins.

Chapter 2 · Kong 4 + Konnect — The Open-Source Standard

The most widely used open-source API gateway. Kong 4 landed in 2025 with major changes.

Architecture. Kong started on nginx + Lua (OpenResty), but Kong Gateway 3 added Go plugin support, and 4 promoted the Rust plugin SDK to GA. The control plane can be Konnect (SaaS) or self-hosted; the data plane always runs in customer infrastructure.

Core features.

# Kong declarative config (Konnect or kong.conf)
_format_version: '3.0'
services:
  - name: user-service
    url: http://user-service.internal:8080
    routes:
      - name: user-route
        paths: ['/api/users']
        methods: ['GET', 'POST']
    plugins:
      - name: rate-limiting
        config:
          minute: 100
          policy: redis
      - name: jwt
        config:
          key_claim_name: kid
      - name: prometheus
        config:
          per_consumer: true
      - name: ai-proxy
        config:
          route_type: 'llm/v1/chat'
          model:
            provider: openai
            name: gpt-4o

KGateway (formerly Gloo). Solo.io built an Envoy-based gateway that Kong acquired in 2025 and rebranded as KGateway. Envoy data plane + Kong control plane combo, strong in Kubernetes Gateway API environments. The legacy Kong Gateway (nginx-based) and KGateway (Envoy-based) will coexist for the foreseeable future.

Konnect. Kong's managed control plane SaaS. Customers self-host the data plane and receive only control, analytics, and portal as SaaS. The biggest draw is managing multi-region gateways from a single console.

Plugin ecosystem. 100+ OSS plugins, 50+ Enterprise plugins. The AI Proxy plugin routes to OpenAI, Anthropic, Mistral, Cohere and counts tokens — added in 2024.

Pricing. Kong Gateway OSS is free. Konnect Plus starts around $250/month per gateway, Enterprise is negotiated.

When to pick it. The safest choice — ecosystem, docs, and talent pool are overwhelming. The downside, by some accounts, is that the nginx + Lua structure makes debugging harder.

Chapter 3 · Tyk — Open Core, From the UK

The open-core gateway most often compared to Kong. UK-based company headquartered in London.

Licensing. Tyk Gateway is MPL 2.0 open source; Tyk Dashboard, Multi Data Center Bridge, and parts of Pump are commercial. The open-core boundary is sharp, so "you can tell at a glance which parts are OSS," people say.

Architecture. Written in Go. Unlike Kong, no external dependencies (nginx, Lua runtime) — runs as a single binary. Redis is required for rate limit and analytics.

# Tyk API definition (excerpt from api_definition.json)
{
  "name": "User API",
  "api_id": "user-api",
  "use_keyless": false,
  "auth": { "auth_header_name": "Authorization" },
  "version_data": {
    "default_version": "v1",
    "versions": {
      "v1": {
        "name": "v1",
        "use_extended_paths": true,
        "extended_paths": {
          "validate_json": [
            { "method": "POST", "path": "/users", "schema_b64": "..." }
          ],
          "circuit_breaker": [
            { "path": "/users", "method": "GET", "threshold_percent": 0.5, "samples": 10 }
          ]
        }
      }
    }
  },
  "proxy": { "target_url": "http://user-service:8080" }
}

Tyk AI Studio. Added in 2025 as Tyk's LLM gateway — model routing, token counting, PII masking. Goes head-to-head with Kong AI Proxy.

Pricing. OSS is free. Cloud Starter starts at $600/month, Self-Managed is negotiated.

When to pick it. When Kong's nginx + Lua isn't appealing and you want a Go-based single binary. Popular with organizations that care about UK or EU data sovereignty.

Chapter 4 · Apigee X (Google) — The Enterprise Default

Google acquired Apigee in 2016, integrated it deeply into GCP, and relaunched it as Apigee X in 2021.

Architecture. Managed and hosted on GCP. Apigee Hybrid lets you keep the control plane on GCP while running the data plane on the customer's GKE, EKS, or on-prem. Multi-cloud enterprise is the core target.

Policy model. Apigee's strongest feature is its policy engine. You compose 60+ policies (XML/JSON transforms, OAuth, Spike Arrest, Quota, JavaCallout, etc.) in XML or JavaScript.

<!-- Apigee policy: Spike Arrest + OAuth + JSON to XML -->
<SpikeArrest name="SA-100ps">
  <Rate>100ps</Rate>
</SpikeArrest>

<OAuthV2 name="OAuth-Verify">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<JSONToXML name="JSON-to-XML">
  <Source>request</Source>
  <OutputVariable>request</OutputVariable>
</JSONToXML>

Apigee Hub. Added in 2024 — an API catalog and discovery service. Register every API across the company with metadata; enable search, classification, lifecycle management.

Pricing. The most expensive — Apigee X Standard starts around $30,000/year, Enterprise is in six figures. Apigee Pay-as-you-go (2023) made it possible for smaller teams to start.

When to pick it. When you're already deep in GCP and a large enterprise needs policy, governance, analytics, and portal in one place. Strong in telecom, finance, and healthcare.

Chapter 5 · KrakenD — The Lightest, Go-based

Open-source gateway based in Barcelona. Three differentiators — stateless + declarative + Go.

Core philosophy. All configuration in a single JSON file. No external DB or Redis at runtime (rate limit can be in-memory or use Redis optionally). "12-factor app" friendly.

{
  "version": 3,
  "name": "my-gateway",
  "port": 8080,
  "endpoints": [
    {
      "endpoint": "/api/users/{id}",
      "method": "GET",
      "output_encoding": "json",
      "backend": [
        {
          "host": ["http://user-service:8080"],
          "url_pattern": "/v1/users/{id}",
          "encoding": "json"
        },
        {
          "host": ["http://order-service:8080"],
          "url_pattern": "/v1/orders?user={id}",
          "encoding": "json",
          "group": "orders"
        }
      ],
      "extra_config": {
        "qos/ratelimit/router": {
          "max_rate": 100,
          "client_max_rate": 10
        }
      }
    }
  ]
}

That one config bundles two backend calls + response merging + rate limiting into a single endpoint — KrakenD's signature feature, response aggregation. The gateway solves the BFF pattern directly.

OSS vs Enterprise. OSS Community Edition is Apache 2.0. Enterprise adds multi-tenant, advanced OAuth, advanced caching, SSO.

Pricing. OSS is free. Enterprise is per-node annual licensing.

When to pick it. When operational simplicity is the top priority. When Kong and Apigee feel heavy, and you want to solve BFF and API composition at the gateway. Popular with startups, SMBs, and SaaS.

Chapter 6 · Zuplo — Programmable, Edge-first TypeScript

Founded 2022, raised a $9M Series A in 2024. The newest category — you write gateway logic in TypeScript.

Architecture. Runs on Cloudflare Workers — auto-deployed to 300+ edge PoPs worldwide. Users push TypeScript functions and OpenAPI specs to GitHub, and Zuplo deploys automatically.

// Zuplo policy: custom auth + transform
import { ZuploRequest, ZuploContext } from '@zuplo/runtime'

export default async function (
  request: ZuploRequest,
  context: ZuploContext
) {
  const token = request.headers.get('authorization')?.replace('Bearer ', '')

  if (!token) {
    return new Response('Unauthorized', { status: 401 })
  }

  const user = await context.invokeInboundPolicy('jwt-auth', request)
  request.headers.set('x-user-id', user.sub)
  request.headers.set('x-user-tier', user.tier ?? 'free')

  return request
}

OpenAPI-first. Zuplo's distinguishing trait — the route config is the OpenAPI 3.1 spec itself. Change the spec, and the gateway changes, the dev portal changes, and the mock server changes. Single source of truth.

Auto-generated developer portal. Portal, SDKs, docs, and an interactive console all spring from the OpenAPI spec. Competes with ReadMe and Stoplight.

Pricing. Free tier: 2M requests/month. Production starts at $200/month, Enterprise is negotiated.

When to pick it. When operating an external API for a B2B SaaS — OpenAPI-first, developer portal, and global edge distribution as one package. AI companies often pick it when exposing LLM APIs.

Chapter 7 · AWS API Gateway / Cloudflare API Gateway / Azure APIM — Cloud-Native

AWS API Gateway

Three flavors — REST API, HTTP API, WebSocket API.

• REST API: oldest, most expensive, most featureful. WAF, API Keys, Usage Plans, X-Ray, cache.
• HTTP API: added in 2019. 70% cheaper, 60% faster than REST. JWT built-in. Lambda Authorizer.
• WebSocket API: bidirectional connections — chat, real-time notifications.

# AWS SAM template — HTTP API
Resources:
  MyApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      Auth:
        Authorizers:
          JwtAuth:
            JwtConfiguration:
              issuer: https://example.auth0.com/
              audience: ['https://api.example.com']
        DefaultAuthorizer: JwtAuth
      RouteSettings:
        '$default':
          ThrottlingBurstLimit: 100
          ThrottlingRateLimit: 50

Pricing. HTTP API is $1 per million requests, REST API is$3.50. On the expensive side versus Cloudflare API Gateway.

When to pick it. Deep in AWS, with Lambda, EventBridge, and Cognito as part of the stack. Lock-in becomes a concern for multi-cloud.

Cloudflare API Gateway

Launched as API Shield in 2022, rebranded to "API Gateway" in 2024. A gateway sitting on Cloudflare Workers + WAF.

Three core features.

1. Schema validation — upload an OpenAPI spec and every request is auto-validated.
2. Sequence Analytics — ML-based detection of abnormal API call sequences (blocks BOLA and BFLA attacks).
3. mTLS / JWT validation — auth at the edge.

// Cloudflare Worker as API gateway logic
export default {
  async fetch(request, env, ctx) {
    const url = new URL(request.url)

    // Rate limit per API key
    const apiKey = request.headers.get('x-api-key')
    const rateLimitKey = `ratelimit:${apiKey}`
    const count = await env.RATE_LIMIT_KV.get(rateLimitKey)

    if (count && parseInt(count) > 1000) {
      return new Response('Rate limit exceeded', { status: 429 })
    }

    await env.RATE_LIMIT_KV.put(
      rateLimitKey,
      String((parseInt(count) || 0) + 1),
      { expirationTtl: 60 }
    )

    // Proxy to origin
    return fetch(`https://api.internal.example.com${url.pathname}`, request)
  },
}

Pricing. Included in Enterprise plan. No separate pricing (negotiate with Cloudflare sales).

When to pick it. Already on Cloudflare and want auth, rate limit, and schema validation at the edge. Global distribution is the strength.

Azure API Management (APIM)

Azure-native gateway. The policy expression model is core — XML snippets injected at inbound, backend, outbound, and on-error stages.

<policies>
  <inbound>
    <base />
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401">
      <openid-config url="https://login.microsoftonline.com/.../.well-known/openid-configuration" />
      <audiences>
        <audience>api://my-api</audience>
      </audiences>
    </validate-jwt>
    <rate-limit-by-key calls="100" renewal-period="60" counter-key="@(context.Subscription.Id)" />
    <set-header name="x-correlation-id" exists-action="skip">
      <value>@(Guid.NewGuid().ToString())</value>
    </set-header>
  </inbound>
  <backend>
    <forward-request />
  </backend>
  <outbound>
    <base />
    <set-header name="x-served-by" exists-action="override">
      <value>apim</value>
    </set-header>
  </outbound>
</policies>

Tiers. Consumption (serverless, pay-as-you-go) / Developer / Basic / Standard / Premium / Premium v2. Premium adds multi-region and VNet integration.

When to pick it. Deep Azure integration. When tied to .NET, Microsoft 365, or Office Add-in ecosystems. Strong in government and public sector.

Chapter 8 · Gravitee / MuleSoft / Hasura DDN — Other Notable Options

Gravitee.io

Headquartered in Paris and Laval, France. OSS Apache 2.0. Differentiator — API + Event API combined. Handles not just REST, gRPC, and GraphQL but also Kafka, MQTT, WebSocket, and SSE through one gateway. First-class AsyncAPI support.

Gravitee 5 launched in 2025 with LLM gateway features (prompt inspection, PII masking, token quota).

EU-based, GDPR-friendly, OSS-first — popular in European government, finance, and telecom.

MuleSoft Anypoint (Salesforce)

Strictly speaking not just an API gateway but an iPaaS — Integration Platform as a Service. You build data transformations and integration flows in Anypoint Studio, a visual IDE. Deeply tied to the Salesforce ecosystem.

The most expensive and heaviest. Fits large-enterprise SI and complex legacy-integration scenarios. Overkill for small teams.

Hasura DDN (Data Delivery Network)

A new product Hasura announced in 2024 — not a traditional "API gateway" in the strict sense but a GraphQL-first data API platform. Combines multiple data sources (Postgres, MySQL, MongoDB, Snowflake, REST APIs) into a single GraphQL schema with caching, auth, and rate limit at the edge.

Good choice when exposing GraphQL externally and backend data lives across many sources.

Chapter 9 · Envoy Gateway (CNCF) / Traefik 3 — Kubernetes-native

Envoy Gateway

CNCF Graduated (2024) project. Abstracts Envoy Proxy into the Kubernetes Gateway API. Envoy, built by Lyft, has long been the de facto data plane for Istio, Consul, and gRPC, but running it directly was complex. Envoy Gateway hides that complexity.

# Envoy Gateway — Kubernetes Gateway API
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
spec:
  gatewayClassName: eg
  listeners:
    - name: http
      protocol: HTTP
      port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: user-api
spec:
  parentRefs:
    - name: eg
  hostnames: ['api.example.com']
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/users
      backendRefs:
        - name: user-service
          port: 8080

When to pick it. Deep in Kubernetes and want to follow the Gateway API standard. When sharing a data plane with service meshes like Istio or Linkerd.

Traefik 3

v3 launched in 2024 with auto-discovery (Docker, Kubernetes, Consul) + Gateway API + HTTP/3 + WebAssembly middleware + OpenTelemetry built-in. A big jump over v2.

Traefik originally started as "a better Kubernetes Ingress option" but v3 evolves into a full API gateway — TraefikHub adds API catalog and portal on top.

# Traefik 3 — Kubernetes Ingress (or Gateway API)
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: user-api
spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`api.example.com`) && PathPrefix(`/api/users`)
      kind: Rule
      services:
        - name: user-service
          port: 8080
      middlewares:
        - name: rate-limit
        - name: auth-jwt

When to pick it. When you want the same tool from Docker Compose to Kubernetes. Auto-discovery is the strength, so operational overhead is low.

Chapter 10 · LLM API Gateways — Portkey / Helicone / OpenRouter

Traditional API gateways are not great for LLMs. Token counting, streaming SSE, semantic cache, model routing, fallback — all missing. So in 2023 to 2024 a dedicated LLM-gateway category emerged.

Portkey

The most feature-rich LLM gateway. OSS core + paid SaaS. Exposes 200+ models through a single OpenAI-compatible API.

Core features — fallback (when model A fails, use B), load balancing (50/50 routing), semantic cache, prompt management (Git-style versioning), guardrails (PII, toxic, hallucination checks), token budgets (per team, per user).

from portkey_ai import Portkey

portkey = Portkey(
    api_key="YOUR_PORTKEY_API_KEY",
    config={
        "strategy": {"mode": "fallback"},
        "targets": [
            {
                "provider": "anthropic",
                "api_key": "ANTHROPIC_KEY",
                "override_params": {"model": "claude-opus-4"},
            },
            {
                "provider": "openai",
                "api_key": "OPENAI_KEY",
                "override_params": {"model": "gpt-4o"},
            },
        ],
    },
)

response = portkey.chat.completions.create(
    messages=[{"role": "user", "content": "Explain transformers."}]
)

Helicone

Observability-first LLM gateway. OSS Apache 2.0 + SaaS. Change just the base_url and every OpenAI call routes through Helicone — tokens, cost, latency, and errors recorded automatically.

from openai import OpenAI

client = OpenAI(
    base_url="https://oai.helicone.ai/v1",
    api_key="YOUR_OPENAI_KEY",
    default_headers={
        "Helicone-Auth": "Bearer YOUR_HELICONE_KEY",
        "Helicone-Cache-Enabled": "true",
        "Helicone-Property-User": "user-42",
    },
)

Self-hosting the data plane is a big draw — sensitive prompts never leave your network.

OpenRouter

Bills itself as the "Stripe of LLMs". 300+ models behind unified billing — pay once and use any model from OpenAI, Anthropic, Google, Mistral, DeepSeek, hosted Llama, etc.

Differentiator: auto-compare prices across models and route to the cheapest. SaaS-only, no OSS version. Popular with small teams, experiments, prototypes.

// OpenRouter — OpenAI SDK compatible
import OpenAI from 'openai'

const openai = new OpenAI({
  baseURL: 'https://openrouter.ai/api/v1',
  apiKey: process.env.OPENROUTER_API_KEY,
})

const completion = await openai.chat.completions.create({
  model: 'anthropic/claude-opus-4',
  messages: [{ role: 'user', content: 'Hello' }],
})

Chapter 11 · Rate Limiting / Auth / Schema Validation / Caching Patterns

The four classic patterns a gateway solves.

Rate limiting

Three algorithms are standard — token bucket, leaky bucket, sliding window. Most place a counter in Redis.

# Kong rate-limiting plugin
plugins:
  - name: rate-limiting-advanced
    config:
      limit: [100, 1000]
      window_size: [60, 3600]
      identifier: consumer
      sync_rate: 10
      strategy: redis
      redis:
        host: redis.internal
        port: 6379

Apply different limits by tier — anonymous IP at 10/min, free key at 100/min, paid key at 10,000/min.

Authentication

Auth methods the gateway handles.

• API Key — simplest, hard to rotate.
• JWT — self-signed, verifiable, short-lived. Most common.
• OAuth 2.0 / OIDC — standard auth, refresh tokens, user consent.
• mTLS — client certificates, strong for B2B.

Most gateways treat JWT validation as first-class. Issuer, audience, exp, and signature checks finish at the edge — the backend only sees authenticated requests.

Schema validation

The gateway reads an OpenAPI 3.1 spec and validates every request and response. Bad requests get rejected at the edge with a 400 — reduces backend load and improves security (fields outside the schema get refused).

# Cloudflare API Gateway — OpenAPI schema validation
apiVersion: api-gateway.cloudflare.com/v1
kind: Schema
metadata:
  name: users-api-v1
spec:
  openapi: 3.1.0
  enforcement: enforce
  source: file:openapi.yaml

Caching

GET responses cached at the edge — via Cache-Control headers or gateway rules. Apigee, Kong, Cloudflare, and KrakenD all support it as first-class. Designing cache keys matters — incorrectly caching per-user data leads to data leaks.

Chapter 12 · BFF (Backend For Frontend) Pattern

A pattern Sam Newman wrote up in 2015. Dedicate a backend API per frontend — web, iOS, and Android each need different data and different shapes.

[Web] ──▶ [Web BFF] ──▶ [User, Order, Product services]
[iOS] ──▶ [iOS BFF] ──▶ [User, Order, Product services]
[Android] ──▶ [Android BFF] ──▶ [User, Order, Product services]

Where does the BFF run? Two patterns.

Pattern A — separate BFF service. Write the BFF in Node.js or Go. Most flexible but operationally heavy — N frontends = N backend services.

Pattern B — API gateway plays the BFF role. Gateways like KrakenD, Zuplo, and Apigee do multi-backend calls + response merging directly. No separate code to write.

The 2026 trend is shifting toward B. Simple BFFs (call several APIs, merge, return) belong in the gateway; only complex BFFs (with state, cache, sessions) deserve a separate service.

GraphQL as a BFF is still a thing — Hasura DDN targets that slot.

Chapter 13 · OpenAPI 3.1 / AsyncAPI 2.6 · 3 / gRPC

API spec format status in 2026.

OpenAPI 3.1

The standard for REST/HTTP APIs. 3.1 (2021) achieved full compatibility with JSON Schema 2020-12 — now a single schema is shared by gateways, SDKs, docs, and tests.

Zuplo, Apigee, Cloudflare, and Kong all push an OpenAPI-first workflow. The spec is the gateway config.

AsyncAPI 2.6 / 3.0

OpenAPI for event-driven APIs (Kafka, MQTT, WebSocket, SSE). AsyncAPI 3.0 (2023) unified its structure with OpenAPI 3.1. Gravitee pushes it hardest, and Confluent has adopted it too.

# AsyncAPI 3.0 example
asyncapi: 3.0.0
info:
  title: Order events
  version: 1.0.0
channels:
  orderCreated:
    address: orders.created
    messages:
      orderCreated:
        payload:
          type: object
          properties:
            orderId: { type: string }
            userId: { type: string }
            total: { type: number }
operations:
  publishOrderCreated:
    action: send
    channel:
      $ref: '#/channels/orderCreated'

gRPC

The de facto standard for internal microservices communication. Envoy Gateway, Kong, and Traefik all support gRPC as first-class. gRPC-Web makes browser calls possible.

Exposing both REST and gRPC simultaneously is common — REST externally, gRPC internally.

Chapter 14 · Korea / Japan — Toss / Kakao / Mercari / ZOZO

Toss API Gateway

Toss built and runs its own gateway. According to the Toss tech blog, they started on Spring Cloud Gateway and added their own middleware layer to unify auth, rate limit, and anomaly detection. Hundreds of millions of API calls per day flow through one gateway.

Key lesson — "off-the-shelf solutions did not meet all our requirements; we built our own and tuned it to the business." Reasonable at Toss scale, not a pattern most companies should copy.

Kakao API Platform

Kakao runs an internal API Platform. The publicly known recipe is Kong + custom control plane + custom portal. The standard gateway for cross-affiliate API calls across KakaoTalk, KakaoPay, KakaoBank, and others.

Mercari

Microservices-based, Japan's biggest secondhand marketplace. Custom Envoy-based gateway + Istio service mesh. The Mercari engineering blog has multiple posts on operating Envoy. A canonical example of the Envoy data plane + custom control plane pattern.

ZOZO

ZOZOTOWN, the Japanese fashion EC. During the microservices migration they adopted Kong, and they have been transitioning to Envoy gradually — as documented on the ZOZO tech blog. A natural case of moving toward Kubernetes Gateway API.

Chapter 15 · Who Should Pick What — Four Scenarios

Small team (under 10, MVP)

• First pick: Cloudflare API Gateway — likely on Cloudflare already, zero additional infra.
• Second pick: Zuplo — fast OpenAPI-first workflow. SaaS means zero ops burden.
• Third pick: KrakenD OSS — if self-hosting is preferred.
• Avoid: Apigee, MuleSoft (overkill), Mashery (already sunset).

Mid-size team (50-200, multi-service)

• First pick: Kong OSS + Konnect — safest. Community, talent, and plugins are abundant.
• Second pick: Envoy Gateway + custom control plane — if Kubernetes-first.
• Third pick: AWS API Gateway HTTP API — if deep AWS integration.

Enterprise (1000+, policy and governance matter)

• First pick: Apigee X — when policy, analytics, portal, and SLA are all required.
• Second pick: Azure APIM — for the Microsoft ecosystem.
• Third pick: Kong Enterprise + Konnect — when cloud-neutrality matters.

LLM routing (AI company or LLM exposed externally)

• First pick: Portkey — feature-rich; fallback, load balancing, prompt management.
• Second pick: Helicone — observability-first, self-hostable.
• Third pick: OpenRouter — best for unified billing, experiments, prototyping.
• Supplement: Kong AI Proxy or Tyk AI Studio — add LLM features on top of a traditional gateway.

Epilogue — "The gateway is part of the product, not infrastructure"

The biggest 2026 shift is that the API gateway moved from "network infrastructure" to "part of the product". The OpenAPI spec is the product spec, the developer portal is the first impression, and rate limit and auth are the business model.

LLMs accelerate that move. Model routing, token budgets, and prompt management are not ops decisions — they are business decisions. Who sends which kind of request to which model is the P&L.

If you are a small team, start fast on Cloudflare or Zuplo. Mid-size teams: Kong is the safest. Enterprise: Apigee or Azure APIM. LLM: Portkey or Helicone. And Mashery is gone — existing users, plan your migration.

Possible next posts: OpenAPI 3.1 + Zod + tRPC — building a type-safe full-stack API, Operating Envoy — debugging, metrics, zone-aware load balancing, Building an LLM gateway yourself — fallback and cache in 100 lines.

"The gateway is not infrastructure. It is part of the product. The OpenAPI spec is the product spec, the developer portal is the first impression, and rate limit is the business model."

— API Gateways 2026, end.

References

• Kong Gateway — Konghq
• Kong Gateway GitHub — Kong/kong
• Konnect — Kong cloud control plane
• KGateway — Kong + Envoy
• Tyk — Open source API Gateway
• Tyk GitHub — TykTechnologies/tyk
• Apigee X — Google Cloud
• Apigee API Hub
• KrakenD — Apache 2.0
• KrakenD GitHub — krakendio/krakend-ce
• Zuplo — Programmable API Gateway
• AWS API Gateway
• AWS HTTP API vs REST API
• Cloudflare API Gateway
• Cloudflare API Shield (legacy)
• Azure API Management
• MuleSoft Anypoint Platform
• Mashery sunset announcement — TIBCO
• Gravitee.io — Open source API platform
• Gravitee GitHub — gravitee-io/gravitee-api-management
• Hasura DDN
• Envoy Gateway — CNCF project
• Envoy Proxy
• Kubernetes Gateway API
• Traefik 3 — Traefik Labs
• Traefik Hub
• Portkey — AI Gateway
• Helicone — LLM observability/gateway
• OpenRouter
• OpenAPI Specification 3.1
• AsyncAPI 3.0
• Toss tech blog
• Kakao tech blog
• Mercari engineering blog
• ZOZO tech blog
• Sam Newman — Backend For Frontend pattern