💡 왼쪽 원문을 읽으면서 오른쪽에 따라 써보세요. Tab 키로 힌트를 받을 수 있습니다.

원문 렌더가 준비되기 전까지 텍스트 가이드로 표시합니다.

Prologue — "Why not just use nginx?"

A conversation every microservices team has at least once in 2026.

Junior: "Why do we need an API gateway? Can't we just put nginx in front?"

Senior: "Rate limiting? Auth? Key management? Logging? Schema validation? Canary deploys? OpenAPI auto-gen? Dev portal?"

Junior: "...oh."

This intro scene still plays out in 2026. nginx and HAProxy are excellent reverse proxies, but **an API gateway is a separate category sitting on top with business logic baked in**. And that category got shaken up over the past two years.

Three changes happened.

**First, Mashery disappeared.** TIBCO formally sunset Mashery on January 31, 2024. Apigee, 3scale, and Mashery used to be the "Big 3 managed gateways" — now one seat is empty.

**Second, LLM API gateways became a new category.** Portkey, Helicone, and OpenRouter do things traditional gateways don't — model routing, token counting, fallback, semantic cache, prompt management. All three raised Series A between 2024 and 2025.

**Third, programmable edge took off.** Zuplo lets you write gateway logic in TypeScript, running on Cloudflare Workers. They raised a Series A in 2024 and differentiate through an OpenAPI-first workflow.

This piece maps 15 options across four categories — open-source self-hosted, managed cloud, programmable edge, and LLM gateways. Features, pricing, real-world cases, and when to pick each.

Chapter 1 · The 2026 API Gateway Map — Four Categories

First the big picture. 15 options on one screen.

| --- | --- | --- | --- |

Three key takeaways.

**1) Control plane and data plane are splitting.** Kong split Konnect (control) from data plane. Envoy Gateway separates naturally via xDS. Managed SaaS is trending toward a hybrid model where only the control plane is SaaS and the data plane runs in the customer's VPC.

**2) Kubernetes Gateway API became the standard.** Envoy Gateway, Kong, and Traefik all support Gateway API as first-class. No more learning Ingress, Gateway, and VirtualService separately.

**3) LLM gateways are a distinct category.** Traditional API gateways are bad at LLM token counting, streaming, fallback, and semantic cache. That's why Portkey and Helicone emerged separately, and Kong and Tyk are now bolting on LLM plugins.

Chapter 2 · Kong 4 + Konnect — The Open-Source Standard

The most widely used open-source API gateway. Kong 4 landed in 2025 with major changes.

**Architecture.** Kong started on nginx + Lua (OpenResty), but Kong Gateway 3 added Go plugin support, and 4 promoted the Rust plugin SDK to GA. The control plane can be Konnect (SaaS) or self-hosted; the data plane always runs in customer infrastructure.

**Core features.**

Kong declarative config (Konnect or kong.conf)

_format_version: '3.0'

services:

- name: user-service

url: http://user-service.internal:8080

routes:

- name: user-route

paths: ['/api/users']

methods: ['GET', 'POST']

plugins:

- name: rate-limiting

config:

minute: 100

policy: redis

- name: jwt

config:

key_claim_name: kid

- name: prometheus

config:

per_consumer: true

- name: ai-proxy

config:

route_type: 'llm/v1/chat'

model:

provider: openai

**KGateway (formerly Gloo).** Solo.io built an Envoy-based gateway that Kong acquired in 2025 and rebranded as KGateway. Envoy data plane + Kong control plane combo, strong in Kubernetes Gateway API environments. The legacy Kong Gateway (nginx-based) and KGateway (Envoy-based) will coexist for the foreseeable future.

**Konnect.** Kong's managed control plane SaaS. Customers self-host the data plane and receive only control, analytics, and portal as SaaS. The biggest draw is managing multi-region gateways from a single console.

**Plugin ecosystem.** 100+ OSS plugins, 50+ Enterprise plugins. The AI Proxy plugin routes to OpenAI, Anthropic, Mistral, Cohere and counts tokens — added in 2024.

**Pricing.** Kong Gateway OSS is free. Konnect Plus starts around $250/month per gateway, Enterprise is negotiated.

**When to pick it.** The safest choice — ecosystem, docs, and talent pool are overwhelming. The downside, by some accounts, is that the nginx + Lua structure makes debugging harder.

Chapter 3 · Tyk — Open Core, From the UK

The open-core gateway most often compared to Kong. UK-based company headquartered in London.

**Licensing.** Tyk Gateway is MPL 2.0 open source; Tyk Dashboard, Multi Data Center Bridge, and parts of Pump are commercial. The open-core boundary is sharp, so "you can tell at a glance which parts are OSS," people say.

**Architecture.** Written in Go. Unlike Kong, no external dependencies (nginx, Lua runtime) — runs as a single binary. Redis is required for rate limit and analytics.

Tyk API definition (excerpt from api_definition.json)

{

"name": "User API",

"api_id": "user-api",

"use_keyless": false,

"auth": { "auth_header_name": "Authorization" },

"version_data": {

"default_version": "v1",

"versions": {

"v1": {

"name": "v1",

"use_extended_paths": true,

"extended_paths": {

"validate_json": [

{ "method": "POST", "path": "/users", "schema_b64": "..." }

"circuit_breaker": [

{ "path": "/users", "method": "GET", "threshold_percent": 0.5, "samples": 10 }

]

}

"proxy": { "target_url": "http://user-service:8080" }

}

**Tyk AI Studio.** Added in 2025 as Tyk's LLM gateway — model routing, token counting, PII masking. Goes head-to-head with Kong AI Proxy.

**Pricing.** OSS is free. Cloud Starter starts at $600/month, Self-Managed is negotiated.

**When to pick it.** When Kong's nginx + Lua isn't appealing and you want a Go-based single binary. Popular with organizations that care about UK or EU data sovereignty.

Chapter 4 · Apigee X (Google) — The Enterprise Default

Google acquired Apigee in 2016, integrated it deeply into GCP, and relaunched it as Apigee X in 2021.

**Architecture.** Managed and hosted on GCP. Apigee Hybrid lets you keep the control plane on GCP while running the data plane on the customer's GKE, EKS, or on-prem. Multi-cloud enterprise is the core target.

**Policy model.** Apigee's strongest feature is its **policy engine**. You compose 60+ policies (XML/JSON transforms, OAuth, Spike Arrest, Quota, JavaCallout, etc.) in XML or JavaScript.

**Apigee Hub.** Added in 2024 — an API catalog and discovery service. Register every API across the company with metadata; enable search, classification, lifecycle management.

**Pricing.** The most expensive — Apigee X Standard starts around $30,000/year, Enterprise is in six figures. Apigee Pay-as-you-go (2023) made it possible for smaller teams to start.

**When to pick it.** When you're already deep in GCP and a large enterprise needs policy, governance, analytics, and portal in one place. Strong in telecom, finance, and healthcare.

Chapter 5 · KrakenD — The Lightest, Go-based

Open-source gateway based in Barcelona. Three differentiators — **stateless + declarative + Go**.

**Core philosophy.** All configuration in a single JSON file. No external DB or Redis at runtime (rate limit can be in-memory or use Redis optionally). "12-factor app" friendly.

{

"version": 3,

"name": "my-gateway",

"port": 8080,

"endpoints": [

{

"endpoint": "/api/users/{id}",

"method": "GET",

"output_encoding": "json",

"backend": [

{

"host": ["http://user-service:8080"],

"url_pattern": "/v1/users/{id}",

"encoding": "json"

{

"host": ["http://order-service:8080"],

"url_pattern": "/v1/orders?user={id}",

"encoding": "json",

"group": "orders"

}

"extra_config": {

"qos/ratelimit/router": {

"max_rate": 100,

"client_max_rate": 10

}

]

}

That one config bundles **two backend calls + response merging + rate limiting** into a single endpoint — KrakenD's signature feature, **response aggregation**. The gateway solves the BFF pattern directly.

**OSS vs Enterprise.** OSS Community Edition is Apache 2.0. Enterprise adds multi-tenant, advanced OAuth, advanced caching, SSO.

**Pricing.** OSS is free. Enterprise is per-node annual licensing.

**When to pick it.** When operational simplicity is the top priority. When Kong and Apigee feel heavy, and you want to solve BFF and API composition at the gateway. Popular with startups, SMBs, and SaaS.

Chapter 6 · Zuplo — Programmable, Edge-first TypeScript

Founded 2022, raised a $9M Series A in 2024. The newest category — **you write gateway logic in TypeScript.**

**Architecture.** Runs on Cloudflare Workers — auto-deployed to 300+ edge PoPs worldwide. Users push TypeScript functions and OpenAPI specs to GitHub, and Zuplo deploys automatically.

// Zuplo policy: custom auth + transform

export default async function (

request: ZuploRequest,

context: ZuploContext

) {

const token = request.headers.get('authorization')?.replace('Bearer ', '')

if (!token) {

return new Response('Unauthorized', { status: 401 })

}

const user = await context.invokeInboundPolicy('jwt-auth', request)

request.headers.set('x-user-id', user.sub)

request.headers.set('x-user-tier', user.tier ?? 'free')

return request

}

**OpenAPI-first.** Zuplo's distinguishing trait — the route config is the OpenAPI 3.1 spec itself. Change the spec, and the gateway changes, the dev portal changes, and the mock server changes. **Single source of truth.**

**Auto-generated developer portal.** Portal, SDKs, docs, and an interactive console all spring from the OpenAPI spec. Competes with ReadMe and Stoplight.

**Pricing.** Free tier: 2M requests/month. Production starts at $200/month, Enterprise is negotiated.

**When to pick it.** When operating an external API for a B2B SaaS — OpenAPI-first, developer portal, and global edge distribution as one package. AI companies often pick it when exposing LLM APIs.

Chapter 7 · AWS API Gateway / Cloudflare API Gateway / Azure APIM — Cloud-Native

AWS API Gateway

Three flavors — REST API, HTTP API, WebSocket API.

- **REST API**: oldest, most expensive, most featureful. WAF, API Keys, Usage Plans, X-Ray, cache.

- **HTTP API**: added in 2019. 70% cheaper, 60% faster than REST. JWT built-in. Lambda Authorizer.

- **WebSocket API**: bidirectional connections — chat, real-time notifications.

AWS SAM template — HTTP API

Resources:

MyApi:

Type: AWS::Serverless::HttpApi

Properties:

Auth:

Authorizers:

JwtAuth:

JwtConfiguration:

issuer: https://example.auth0.com/

audience: ['https://api.example.com']

DefaultAuthorizer: JwtAuth

RouteSettings:

'$default':

ThrottlingBurstLimit: 100

ThrottlingRateLimit: 50

**Pricing.** HTTP API is $1 per million requests, REST API is $3.50. On the expensive side versus Cloudflare API Gateway.

**When to pick it.** Deep in AWS, with Lambda, EventBridge, and Cognito as part of the stack. Lock-in becomes a concern for multi-cloud.

Cloudflare API Gateway

Launched as API Shield in 2022, rebranded to "API Gateway" in 2024. A gateway sitting on Cloudflare Workers + WAF.

Three core features.

1. **Schema validation** — upload an OpenAPI spec and every request is auto-validated.

2. **Sequence Analytics** — ML-based detection of abnormal API call sequences (blocks BOLA and BFLA attacks).

3. **mTLS / JWT validation** — auth at the edge.

// Cloudflare Worker as API gateway logic

export default {

async fetch(request, env, ctx) {

const url = new URL(request.url)

// Rate limit per API key

const apiKey = request.headers.get('x-api-key')

const rateLimitKey = `ratelimit:${apiKey}`

const count = await env.RATE_LIMIT_KV.get(rateLimitKey)

if (count && parseInt(count) > 1000) {

return new Response('Rate limit exceeded', { status: 429 })

}

await env.RATE_LIMIT_KV.put(

rateLimitKey,

String((parseInt(count) || 0) + 1),

{ expirationTtl: 60 }

)

// Proxy to origin

return fetch(`https://api.internal.example.com${url.pathname}`, request)

}

**Pricing.** Included in Enterprise plan. No separate pricing (negotiate with Cloudflare sales).

**When to pick it.** Already on Cloudflare and want auth, rate limit, and schema validation at the edge. Global distribution is the strength.

Azure API Management (APIM)

Azure-native gateway. The **policy expression** model is core — XML snippets injected at inbound, backend, outbound, and on-error stages.

**Tiers.** Consumption (serverless, pay-as-you-go) / Developer / Basic / Standard / Premium / Premium v2. Premium adds multi-region and VNet integration.

**When to pick it.** Deep Azure integration. When tied to .NET, Microsoft 365, or Office Add-in ecosystems. Strong in government and public sector.

Chapter 8 · Gravitee / MuleSoft / Hasura DDN — Other Notable Options

Gravitee.io

Headquartered in Paris and Laval, France. OSS Apache 2.0. Differentiator — **API + Event API combined**. Handles not just REST, gRPC, and GraphQL but also Kafka, MQTT, WebSocket, and SSE through one gateway. First-class AsyncAPI support.

Gravitee 5 launched in 2025 with LLM gateway features (prompt inspection, PII masking, token quota).

EU-based, GDPR-friendly, OSS-first — popular in European government, finance, and telecom.

MuleSoft Anypoint (Salesforce)

Strictly speaking not just an API gateway but an **iPaaS** — Integration Platform as a Service. You build data transformations and integration flows in Anypoint Studio, a visual IDE. Deeply tied to the Salesforce ecosystem.

The most expensive and heaviest. Fits large-enterprise SI and complex legacy-integration scenarios. Overkill for small teams.

Hasura DDN (Data Delivery Network)

A new product Hasura announced in 2024 — not a traditional "API gateway" in the strict sense but a **GraphQL-first data API platform**. Combines multiple data sources (Postgres, MySQL, MongoDB, Snowflake, REST APIs) into a single GraphQL schema with caching, auth, and rate limit at the edge.

Good choice when exposing GraphQL externally and backend data lives across many sources.

Chapter 9 · Envoy Gateway (CNCF) / Traefik 3 — Kubernetes-native

Envoy Gateway

CNCF Graduated (2024) project. Abstracts Envoy Proxy into the Kubernetes Gateway API. Envoy, built by Lyft, has long been the de facto data plane for Istio, Consul, and gRPC, but running it directly was complex. Envoy Gateway hides that complexity.

Envoy Gateway — Kubernetes Gateway API

apiVersion: gateway.networking.k8s.io/v1

kind: GatewayClass

metadata:

spec:

controllerName: gateway.envoyproxy.io/gatewayclass-controller

apiVersion: gateway.networking.k8s.io/v1

kind: Gateway

metadata:

spec:

gatewayClassName: eg

listeners:

- name: http

protocol: HTTP

port: 80

apiVersion: gateway.networking.k8s.io/v1

kind: HTTPRoute

metadata:

spec:

parentRefs:

- name: eg

hostnames: ['api.example.com']

rules:

- matches:

- path:

type: PathPrefix

value: /api/users

backendRefs:

- name: user-service

port: 8080

**When to pick it.** Deep in Kubernetes and want to follow the Gateway API standard. When sharing a data plane with service meshes like Istio or Linkerd.

Traefik 3

v3 launched in 2024 with auto-discovery (Docker, Kubernetes, Consul) + Gateway API + HTTP/3 + WebAssembly middleware + OpenTelemetry built-in. A big jump over v2.

Traefik originally started as "a better Kubernetes Ingress option" but v3 evolves into a full API gateway — TraefikHub adds API catalog and portal on top.

Traefik 3 — Kubernetes Ingress (or Gateway API)

apiVersion: traefik.io/v1alpha1

kind: IngressRoute

metadata:

spec:

entryPoints: [websecure]

routes:

- match: Host(`api.example.com`) && PathPrefix(`/api/users`)

kind: Rule

services:

- name: user-service

port: 8080

middlewares:

- name: rate-limit

- name: auth-jwt

**When to pick it.** When you want the same tool from Docker Compose to Kubernetes. Auto-discovery is the strength, so operational overhead is low.

Chapter 10 · LLM API Gateways — Portkey / Helicone / OpenRouter

Traditional API gateways are not great for LLMs. Token counting, streaming SSE, semantic cache, model routing, fallback — all missing. So in 2023 to 2024 a dedicated LLM-gateway category emerged.

Portkey

The most feature-rich LLM gateway. OSS core + paid SaaS. Exposes 200+ models through a single OpenAI-compatible API.

Core features — fallback (when model A fails, use B), load balancing (50/50 routing), semantic cache, prompt management (Git-style versioning), guardrails (PII, toxic, hallucination checks), token budgets (per team, per user).

from portkey_ai import Portkey

portkey = Portkey(

api_key="YOUR_PORTKEY_API_KEY",

config={

"strategy": {"mode": "fallback"},

"targets": [

{

"provider": "anthropic",

"api_key": "ANTHROPIC_KEY",

"override_params": {"model": "claude-opus-4"},

{

"provider": "openai",

"api_key": "OPENAI_KEY",

"override_params": {"model": "gpt-4o"},

)

response = portkey.chat.completions.create(

messages=[{"role": "user", "content": "Explain transformers."}]

)

Helicone

Observability-first LLM gateway. OSS Apache 2.0 + SaaS. Change just the base_url and every OpenAI call routes through Helicone — tokens, cost, latency, and errors recorded automatically.

from openai import OpenAI

client = OpenAI(

base_url="https://oai.helicone.ai/v1",

api_key="YOUR_OPENAI_KEY",

default_headers={

"Helicone-Auth": "Bearer YOUR_HELICONE_KEY",

"Helicone-Cache-Enabled": "true",

"Helicone-Property-User": "user-42",

)

Self-hosting the data plane is a big draw — sensitive prompts never leave your network.

OpenRouter

Bills itself as the "Stripe of LLMs". 300+ models behind unified billing — pay once and use any model from OpenAI, Anthropic, Google, Mistral, DeepSeek, hosted Llama, etc.

Differentiator: auto-compare prices across models and route to the cheapest. SaaS-only, no OSS version. Popular with small teams, experiments, prototypes.

// OpenRouter — OpenAI SDK compatible

const openai = new OpenAI({

baseURL: 'https://openrouter.ai/api/v1',

apiKey: process.env.OPENROUTER_API_KEY,

})

const completion = await openai.chat.completions.create({

model: 'anthropic/claude-opus-4',

messages: [{ role: 'user', content: 'Hello' }],

})

Chapter 11 · Rate Limiting / Auth / Schema Validation / Caching Patterns

The four classic patterns a gateway solves.

Rate limiting

Three algorithms are standard — token bucket, leaky bucket, sliding window. Most place a counter in Redis.

Kong rate-limiting plugin

plugins:

- name: rate-limiting-advanced

config:

limit: [100, 1000]

window_size: [60, 3600]

identifier: consumer

sync_rate: 10

strategy: redis

redis:

host: redis.internal

port: 6379

Apply different limits by tier — anonymous IP at 10/min, free key at 100/min, paid key at 10,000/min.

Authentication

Auth methods the gateway handles.

- **API Key** — simplest, hard to rotate.

- **JWT** — self-signed, verifiable, short-lived. Most common.

- **OAuth 2.0 / OIDC** — standard auth, refresh tokens, user consent.

- **mTLS** — client certificates, strong for B2B.

Most gateways treat JWT validation as first-class. Issuer, audience, exp, and signature checks finish at the edge — the backend only sees authenticated requests.

Schema validation

The gateway reads an OpenAPI 3.1 spec and validates every request and response. Bad requests get rejected at the edge with a 400 — reduces backend load and improves security (fields outside the schema get refused).

Cloudflare API Gateway — OpenAPI schema validation

apiVersion: api-gateway.cloudflare.com/v1

kind: Schema

metadata:

spec:

openapi: 3.1.0

enforcement: enforce

source: file:openapi.yaml

Caching

GET responses cached at the edge — via Cache-Control headers or gateway rules. Apigee, Kong, Cloudflare, and KrakenD all support it as first-class. Designing cache keys matters — incorrectly caching per-user data leads to data leaks.

Chapter 12 · BFF (Backend For Frontend) Pattern

A pattern Sam Newman wrote up in 2015. **Dedicate a backend API per frontend** — web, iOS, and Android each need different data and different shapes.

[Web] ──▶ [Web BFF] ──▶ [User, Order, Product services]

[iOS] ──▶ [iOS BFF] ──▶ [User, Order, Product services]

[Android] ──▶ [Android BFF] ──▶ [User, Order, Product services]

Where does the BFF run? Two patterns.

**Pattern A — separate BFF service.** Write the BFF in Node.js or Go. Most flexible but operationally heavy — N frontends = N backend services.

**Pattern B — API gateway plays the BFF role.** Gateways like KrakenD, Zuplo, and Apigee do multi-backend calls + response merging directly. No separate code to write.

The 2026 trend is **shifting toward B**. Simple BFFs (call several APIs, merge, return) belong in the gateway; only complex BFFs (with state, cache, sessions) deserve a separate service.

GraphQL as a BFF is still a thing — Hasura DDN targets that slot.

Chapter 13 · OpenAPI 3.1 / AsyncAPI 2.6 · 3 / gRPC

API spec format status in 2026.

OpenAPI 3.1

The standard for REST/HTTP APIs. 3.1 (2021) achieved full compatibility with JSON Schema 2020-12 — now a single schema is shared by gateways, SDKs, docs, and tests.

Zuplo, Apigee, Cloudflare, and Kong all push an OpenAPI-first workflow. **The spec is the gateway config.**

AsyncAPI 2.6 / 3.0

OpenAPI for event-driven APIs (Kafka, MQTT, WebSocket, SSE). AsyncAPI 3.0 (2023) unified its structure with OpenAPI 3.1. Gravitee pushes it hardest, and Confluent has adopted it too.

AsyncAPI 3.0 example

asyncapi: 3.0.0

info:

title: Order events

version: 1.0.0

channels:

orderCreated:

address: orders.created

messages:

orderCreated:

payload:

type: object

properties:

orderId: { type: string }

userId: { type: string }

total: { type: number }

operations:

publishOrderCreated:

action: send

channel:

$ref: '#/channels/orderCreated'

gRPC

The de facto standard for internal microservices communication. Envoy Gateway, Kong, and Traefik all support gRPC as first-class. gRPC-Web makes browser calls possible.

Exposing both REST and gRPC simultaneously is common — REST externally, gRPC internally.

Chapter 14 · Korea / Japan — Toss / Kakao / Mercari / ZOZO

Toss API Gateway

Toss built and runs its own gateway. According to the Toss tech blog, they started on Spring Cloud Gateway and added their own middleware layer to unify auth, rate limit, and anomaly detection. Hundreds of millions of API calls per day flow through one gateway.

Key lesson — "off-the-shelf solutions did not meet all our requirements; we built our own and tuned it to the business." Reasonable at Toss scale, not a pattern most companies should copy.

Kakao API Platform

Kakao runs an internal API Platform. The publicly known recipe is Kong + custom control plane + custom portal. The standard gateway for cross-affiliate API calls across KakaoTalk, KakaoPay, KakaoBank, and others.

Mercari

Microservices-based, Japan's biggest secondhand marketplace. Custom Envoy-based gateway + Istio service mesh. The Mercari engineering blog has multiple posts on operating Envoy. A canonical example of the **Envoy data plane + custom control plane** pattern.

ZOZO

ZOZOTOWN, the Japanese fashion EC. During the microservices migration they adopted Kong, and they have been transitioning to Envoy gradually — as documented on the ZOZO tech blog. A natural case of moving toward Kubernetes Gateway API.

Chapter 15 · Who Should Pick What — Four Scenarios

Small team (under 10, MVP)

- First pick: **Cloudflare API Gateway** — likely on Cloudflare already, zero additional infra.

- Second pick: **Zuplo** — fast OpenAPI-first workflow. SaaS means zero ops burden.

- Third pick: **KrakenD OSS** — if self-hosting is preferred.

- Avoid: Apigee, MuleSoft (overkill), Mashery (already sunset).

Mid-size team (50-200, multi-service)

- First pick: **Kong OSS + Konnect** — safest. Community, talent, and plugins are abundant.

- Second pick: **Envoy Gateway + custom control plane** — if Kubernetes-first.

- Third pick: **AWS API Gateway HTTP API** — if deep AWS integration.

Enterprise (1000+, policy and governance matter)

- First pick: **Apigee X** — when policy, analytics, portal, and SLA are all required.

- Second pick: **Azure APIM** — for the Microsoft ecosystem.

- Third pick: **Kong Enterprise + Konnect** — when cloud-neutrality matters.

LLM routing (AI company or LLM exposed externally)

- First pick: **Portkey** — feature-rich; fallback, load balancing, prompt management.

- Second pick: **Helicone** — observability-first, self-hostable.

- Third pick: **OpenRouter** — best for unified billing, experiments, prototyping.

- Supplement: **Kong AI Proxy** or **Tyk AI Studio** — add LLM features on top of a traditional gateway.

Epilogue — "The gateway is part of the product, not infrastructure"

The biggest 2026 shift is that the API gateway moved from "network infrastructure" to "part of the product". The OpenAPI spec is the product spec, the developer portal is the first impression, and rate limit and auth are the business model.

LLMs accelerate that move. Model routing, token budgets, and prompt management are not ops decisions — they are business decisions. Who sends which kind of request to which model is the P&L.

If you are a small team, start fast on Cloudflare or Zuplo. Mid-size teams: Kong is the safest. Enterprise: Apigee or Azure APIM. LLM: Portkey or Helicone. And **Mashery is gone** — existing users, plan your migration.

Possible next posts: **OpenAPI 3.1 + Zod + tRPC — building a type-safe full-stack API**, **Operating Envoy — debugging, metrics, zone-aware load balancing**, **Building an LLM gateway yourself — fallback and cache in 100 lines**.

> "The gateway is not infrastructure. It is part of the product. The OpenAPI spec is the product spec, the developer portal is the first impression, and rate limit is the business model."

— API Gateways 2026, end.

References

- [Kong Gateway — Konghq](https://konghq.com/products/kong-gateway)

- [Kong Gateway GitHub — Kong/kong](https://github.com/Kong/kong)

- [Konnect — Kong cloud control plane](https://konghq.com/products/kong-konnect)

- [KGateway — Kong + Envoy](https://kgateway.dev/)

- [Tyk — Open source API Gateway](https://tyk.io/)

- [Tyk GitHub — TykTechnologies/tyk](https://github.com/TykTechnologies/tyk)

- [Apigee X — Google Cloud](https://cloud.google.com/apigee)

- [Apigee API Hub](https://cloud.google.com/apigee/api-hub)

- [KrakenD — Apache 2.0](https://www.krakend.io/)

- [KrakenD GitHub — krakendio/krakend-ce](https://github.com/krakendio/krakend-ce)

- [Zuplo — Programmable API Gateway](https://zuplo.com/)

- [AWS API Gateway](https://aws.amazon.com/api-gateway/)

- [AWS HTTP API vs REST API](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html)

- [Cloudflare API Gateway](https://www.cloudflare.com/application-services/products/api-gateway/)

- [Cloudflare API Shield (legacy)](https://blog.cloudflare.com/api-shield-2022/)

- [Azure API Management](https://azure.microsoft.com/en-us/products/api-management)

- [MuleSoft Anypoint Platform](https://www.mulesoft.com/platform/anypoint-platform)

- [Mashery sunset announcement — TIBCO](https://www.tibco.com/products/mashery)

- [Gravitee.io — Open source API platform](https://www.gravitee.io/)

- [Gravitee GitHub — gravitee-io/gravitee-api-management](https://github.com/gravitee-io/gravitee-api-management)

- [Hasura DDN](https://hasura.io/ddn)

- [Envoy Gateway — CNCF project](https://gateway.envoyproxy.io/)

- [Envoy Proxy](https://www.envoyproxy.io/)

- [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/)

- [Traefik 3 — Traefik Labs](https://traefik.io/traefik/)

- [Traefik Hub](https://traefik.io/traefik-hub/)

- [Portkey — AI Gateway](https://portkey.ai/)

- [Helicone — LLM observability/gateway](https://www.helicone.ai/)

- [OpenRouter](https://openrouter.ai/)

- [OpenAPI Specification 3.1](https://spec.openapis.org/oas/v3.1.0)

- [AsyncAPI 3.0](https://www.asyncapi.com/blog/asyncapi-v3-release)

- [Toss tech blog](https://toss.tech/article)

- [Kakao tech blog](https://tech.kakao.com/)

- [Mercari engineering blog](https://engineering.mercari.com/en/)

- [ZOZO tech blog](https://techblog.zozo.com/)

- [Sam Newman — Backend For Frontend pattern](https://samnewman.io/patterns/architectural/bff/)