HTTP-based APIs have long established themselves as a successful pattern for organizations. Increasingly these APIs are made available to the public, or at least are leveraged more and more by disconnected development teams within organizations. Where the first APIs just drove the live search on a website, APIs these days provide extensive functionality for internal and external development. As such there is a need to centralize access to documentation, authentication and permissions, so that users can easily discover and leverage those APIs in a way that prevents negative effects for other users.
As is often the case when new patterns emerge, a new type of software solution follows, in this case API gateways. Given our affinity towards open source here at Liip, we have studied the market a bit and want to present a very high-level overview. We would very much appreciate additional first-hand experience feedback in the comments below!
3scale was bought by RedHat in 2016 and subsequently open sourced at github.com/3scale. We have not tried to set it up ourselves, but from past experience, previously proprietary software tends to be tricky to get running. The product covers all the key pieces: API management, rate limiting, access control and analytics. There is a hosted option starting at $750 per month with 500k API calls per day and some other limitations.
Originally created at IBM, WSO2 has a close affinity to the Apache community. It can be self-hosted, but the company behind the project also offers a hosted cloud solution. Setup for a quick proof of concept was simple and we had a proxy running within 10 minutes. We found the UI a bit complicated and limiting, and ran into some errors when we tried to save our definitions.
Mashape built Kong on top of Nginx, which is the web server of choice for most of our projects these days. They originally required Cassandra for config management, but since version 0.8 they also support PostgreSQL. The fact that they are not yet 1.0 makes me a bit nervous, but we didn't find many complaints about backwards compatibility issues from a web search. Does anyone have practical experience to share here? Mashape of course also offers a hosted enterprise version, but there is no word on pricing on their website. They do not seem to offer an admin GUI as part of their open source offering, but there are quite a number of open source options available. There are quite a lot of plugins available and writing your own in Lua isn't too hard.
Another option that makes it easy to run locally or in the cloud is Tyk. The dashboard requires a commercial license, but for on-premise it's free for a one-node setup. The hybrid setup is an interesting option as it allows you to keep the API calls in your datacenter while leaving the dashboard and management to the cloud. The current version assumes that the backend API is secured by IP whitelisting (i.e. the upstream only accepts traffic from the gateway, so that clients cannot bypass the gateway's authentication and rate limits), but they are looking to improve here. Setup was very easy and we were up and running within minutes. Tyk seems to focus on simplicity, which is both good and bad.
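The IP whitelisting assumption above matters for any gateway, not just Tyk: if the backend API is reachable directly, the gateway's authentication and rate limiting can simply be skipped. As an added illustration (not configuration from the original post, nor from Tyk or Kong), this is how an Nginx front of the backend API would restrict access to the gateway's address; the address 10.0.0.5 and the upstream port 8080 are assumed placeholders.

```nginx
# Added example: backend API only accepts requests coming from the API gateway.
# 10.0.0.5 is an assumed placeholder for the gateway's internal IP address.
server {
    listen 80;
    server_name backend-api.internal;  # assumed internal hostname

    location / {
        # Only the gateway may talk to the backend; everything else is refused.
        allow 10.0.0.5;
        deny  all;

        # Forward to the actual application (assumed to listen on 8080).
        proxy_pass http://127.0.0.1:8080;

        # Keep the original client address for the backend's own logs,
        # since REMOTE_ADDR will now always be the gateway.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP       $remote_addr;
    }
}
```

A quick check after deploying this is to call the backend host directly from a machine that is not the gateway and confirm the response is 403, while the same call routed through the gateway succeeds.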
We gained in depth first hand experience with Tyk by setting up the opentransportdata.swiss API gateway last year.
Update: We originally incorrectly claimed that the on-premise version did not provide a dashboard. For on-premise a dashboard license can be bought, and it's free for one-node setups. I removed the pricing information since there are simply too many options to choose from, given that they provide on-premise, cloud and hybrid. The good news is that for cloud there is a free tier to start with for up to 50k calls per day.
Take away thoughts
In general there seem to be quite a few solid choices for open source API gateways. They all check most of the boxes. They also all provide some sort of commercial/hosted option. So in the end it seems that the devil is in the details, and as such, from the point of view of an agency, it makes sense to standardize as much as possible. Given that we are already running a large project on Tyk, it makes sense for Liip and our customers to lean towards Tyk.