# API Gateway

> The Apinizer API/AI Gateway is a stateless, high-concurrency runtime that handles every API call in your platform — REST, SOAP, gRPC, WebSocket, GraphQL, and AI traffic. Per-request context, async logging, and hot deploy without restarts.

*Worker — data plane*

## One gateway. HTTP, gRPC, WebSocket, and AI.

[Request a demo](https://calendly.com/apinizer/15min) · [Read the docs](https://apinizer.com/developers/docs)

**Highlights**

- **Runtime** — Undertow · Java 25
- **Protocols** — HTTP · gRPC · WS · SOAP · AI
- **Policies** — 50+ shipped

---

## Capabilities

### 01 · Nine authentication methods. One policy surface.

Apinizer enforces auth before routing — modern OAuth 2.0 / OIDC / JWT alongside enterprise mTLS, SAML, and the Basic / Digest flows still living in your legacy estate. Every method ships as a first-class policy with a UI, not a plugin you have to write.

- OAuth 2.0 (client credentials, password, code, refresh) and OIDC validation
- JWT — including third-party JWT — with rotating JWKS support
- mTLS with PKI-backed client certificates and HSM integration
- SAML, Basic, Digest, Base64 auth for the legacy partners that still need them
- Per-policy variable resolution — never raw fields, no cross-request leaks

**Concepts:** `oauth-2-auth` · `oidc-auth` · `jwt-auth` · `jwt-3rd-party-auth` · `policy-mtls-authentication` · `saml-validation` · `basic-auth` · `digest-auth` · `base64-auth`

> Agent traffic uses the same Identity Manager — every LLM call carries an OAuth-scoped token bound to a Project, not a shared API key.

### 02 · WS-Security, JOSE, and digital signing — without bolt-ons.

For banks fronting partner SOAP services and ministries running signed XML exchange, the gateway carries the full WS-Security suite plus JOSE encryption / signing for JSON. Sign, encrypt, and validate at the edge, with HSM-backed certificates the auditor can trace.

- WS-Security: sign body, encrypt body, username token, timestamp, STS, sign validation
- JOSE: JWS + JWE validation and implementation for modern JSON exchange
- Standalone encryption / decryption + digital sign / verify policies
- FIPS-compatible algorithms (RSA-SHA256/512, ECDSA, AES-256-GCM, AES-CBC)
- Field-level redaction at egress — masked for tiers below ADMIN, kept in plaintext in the audit record

**Concepts:** `policy-ws-security-sign` · `policy-ws-security-encrypt` · `policy-ws-security-username` · `policy-ws-security-timestamp` · `policy-jose-validation` · `policy-jose-implementation` · `policy-encryption` · `policy-decryption` · `policy-digital-sign` · `redaction`

> Same redaction policies sanitize PII out of LLM prompts and responses — no separate AI redaction stack to operate.

### 03 · Rate limit, throttle, quota — at the API, role, or subscriber level.

Apinizer's RLCL (Rate Limit · Caching · Logging) policies give you granular control over every request. Per-API throttling, per-subscriber quotas, IP allow- and deny-lists, message-size caps, and an Allowed Hours policy for partners that should only call between 09:00–18:00.

- API throttling and per-subscriber quota with burst windows
- Endpoint rate limit policies on individual paths
- Min and max message size enforcement (XXE / oversize-body protection)
- IP white / black lists and content filtering for known bad patterns
- Allowed Hours policy — partner contracts that only run during business hours

**Concepts:** `api-based-throttling` · `api-based-quota` · `policy-endpoint-rate-limit` · `max-message-size` · `min-message-size` · `ip-white` · `ip-black` · `content-filter` · `allowed-hours`

> Token-based rate limiting joins the same surface — limit by tokens-per-minute or cost-per-team, not just requests.

### 04 · HTTP, gRPC, WebSocket, SOAP, GraphQL — one Worker, one runtime.

Three first-class routing handlers sit on a single Undertow loop: HttpRoutingHandler, GrpcRoutingHandler, WebSocketRoutingHandler. SOAP-as-REST, GraphQL proxy, Server-Sent Events, MQTT and Kafka bridges round out the protocol coverage. No second runtime, no second observability stack.

- HTTP/1.1 and HTTP/2 with full streaming and content compression
- Native gRPC — unary plus bidirectional streams, transcoding gRPC ↔ REST
- WebSocket with sub-protocol negotiation and TLS (WSS)
- SOAP / WSDL primed at deploy — exposed as REST or gRPC for modern consumers
- GraphQL proxy, Server-Sent Events, MQTT and Kafka bridges

**Concepts:** `HTTP/1.1` · `HTTP/2` · `gRPC` · `WebSocket (WSS)` · `SOAP / WSDL` · `GraphQL` · `SSE` · `MQTT` · `Kafka` · `LLM (AI)`

> The OpenAI-compatible /ai/v1/chat/completions endpoint is just another route — same Worker, same audit, same RBAC.

### 05 · SOAP ↔ REST, XML ↔ JSON — visually, without the rewrite.

Translate between contracts at the gateway: JOLT for JSON shape changes, XSLT for XML, Groovy and JavaScript when you need code, Message Builder for response synthesis, and standalone Redaction for the fields auditors care about. Every transform runs in milliseconds with variables resolved through a single API.

- Protocol transformation request / response (SOAP ↔ REST, REST ↔ gRPC)
- JOLT for JSON shape changes, XSLT for XML transforms
- Groovy and JavaScript script policies for the cases that need code
- Message Builder — synthesize responses from upstream calls
- Redaction policy — mask fields at egress without losing them in audit

**Concepts:** `protocol-transformation-request` · `protocol-transformation-response` · `policy-json-transformation` · `policy-xml-transformation` · `script (Groovy / JS)` · `message-builder` · `redaction`

> Transformation policies also reshape LLM payloads — vendor-specific request bodies normalized to the OpenAI-compatible facade.

### 06 · Versioning, mocks, and schema validation — primed at deploy.

Run multiple API versions in parallel with traffic-split routing — canary 8%, stable 87%, deprecated 5%. Mock APIs for partners testing v2.0-beta. JSON Schema and XML XSD validators are primed at deploy time, never on first request.

- Run multiple API versions in parallel — traffic split, canary, blue-green
- Mock API responses for partners and pre-prod testing
- JSON Schema validation primed at deploy — no first-request penalty
- XML XSD validation for SOAP routes — same warm-up guarantee
- Hot deploy: routing tables, marshalled routes, and load balancer flush atomically

**Concepts:** `json-schema-validation` · `xml-schema-validation` · `business-rule` · `Hot deploy` · `Canary release` · `Blue-green` · `Mock API`

> AI Gateway routes ship through the same versioning — pin a model to v1.1 while v2.0-beta tests a cheaper provider.

### 07 · Async logging that never blocks the request path.

Traffic logs are emitted via CompletableFuture.runAsync() onto a dedicated executor, so the request path never waits on the log writer and the log path stays out of the way. Every request, header rewrite, policy execution, and routing decision lands in Elasticsearch, queryable side-by-side with your gRPC and LLM traffic.

- Async traffic logging — request path never waits on the log writer
- MessageContext per request — never shared, MDC cleared in finally{}
- Real-time anomaly detection (EMA + Bollinger Band) with multi-channel alarms
- Certificate watchdog — partner cert expiries surface 14 days ahead
- Audit trail enforced by the persistence layer — bypass rejected at compile time

**Concepts:** `policy-log` · `Elasticsearch` · `Anomaly detection` · `Certificate watchdog` · `Audit aspect` · `MDC per request`

> Token usage, cost-per-team, and prompt-firewall hits land in the same Elasticsearch index — one query for API + AI behavior.
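An added illustration of the pattern this section describes (example code, not Apinizer's own Worker source): a per-request context that is never shared, SLF4J MDC populated for the request and cleared in `finally`, and an immutable snapshot of the log entry handed to `CompletableFuture.runAsync()` on a dedicated executor so the request thread returns immediately. `MessageContext`, `AsyncTrafficLogger`, `routeUpstream` and the Elasticsearch stand-in are hypothetical names.

```java
import org.slf4j.MDC;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Hypothetical per-request context: one instance per request, owned by the request thread.
final class MessageContext {
    final String requestId = UUID.randomUUID().toString();
    final String apiName;
    final String clientIp;
    int upstreamStatus;

    MessageContext(String apiName, String clientIp) { this.apiName = apiName; this.clientIp = clientIp; }

    // Immutable snapshot taken on the request thread; only this copy crosses to the log thread.
    Map<String, Object> toLogEntry() {
        return Map.of("requestId", requestId, "api", apiName, "clientIp", clientIp, "status", upstreamStatus);
    }
}

final class AsyncTrafficLogger {
    // Dedicated daemon executor: writer back-pressure never lands on the request threads.
    private final ExecutorService logExecutor = Executors.newFixedThreadPool(2, r -> {
        Thread t = new Thread(r, "traffic-log"); t.setDaemon(true); return t;
    });

    void emit(Map<String, Object> entry) {
        CompletableFuture.runAsync(() -> writeToElasticsearch(entry), logExecutor)
            .exceptionally(ex -> { System.err.println("traffic log write failed: " + ex); return null; });
    }

    // Stand-in for the indexing call (hypothetical).
    private void writeToElasticsearch(Map<String, Object> entry) { System.out.println("indexed " + entry); }
}

final class RequestHandler {
    private final AsyncTrafficLogger logger = new AsyncTrafficLogger();

    void handle(String apiName, String clientIp) {
        MessageContext ctx = new MessageContext(apiName, clientIp);
        MDC.put("requestId", ctx.requestId);
        MDC.put("api", apiName);
        try {
            ctx.upstreamStatus = routeUpstream(ctx); // stand-in for policies + routing
            logger.emit(ctx.toLogEntry());           // returns at once; nothing awaits the writer
        } finally {
            MDC.clear();                             // pooled thread carries no context to the next request
        }
    }

    private int routeUpstream(MessageContext ctx) { return 200; } // hypothetical upstream call
}
```

Because `toLogEntry()` is built before submission, a later mutation of the context cannot leak into the log record, and the `finally` block guarantees the MDC is empty even when routing throws.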

### 08 · Multi-LLM routing with token quotas and a prompt firewall.

The same gateway that fronts your REST and gRPC APIs governs every LLM call. 17+ providers behind one OpenAI-compatible facade — switch on cost, latency, or per-prompt classification without rewriting the application. Token quotas, semantic caching, and prompt firewalls are policies, not external services.

- OpenAI-compatible facade across 17+ providers (OpenAI, Anthropic, Bedrock, Azure, Gemini, Cohere, …)
- Weighted multi-LLM routing — cost / latency / per-prompt classification
- Token-based rate limiting — TPM and RPM per user / API key / team
- Semantic caching for repeat prompts — drop spend on hot queries
- Prompt firewall: jailbreak guard, PII redaction, off-topic / cost guards

**Concepts:** `Multi-LLM routing` · `Token quotas` · `Semantic cache` · `Prompt firewall` · `PII sanitization` · `MCP servers` · `Agent-to-Agent (A2A)`

> AI Gateway is a layer of policies on top of the same Worker — not a separate runtime to operate.

---

## Use cases

### Bank-grade API surface for payments and identity

Run audit, encryption, and three-tier permissions on every request — without bolting them on as middleware.

- Audit trail enforced by the persistence layer
- @SecretData fields encrypted before save
- System / Project / Team permission tiers

### Front legacy SOAP services with modern protocols

Keep the WSDL contract while exposing JSON or gRPC to consumers. Validation runs at deploy time, not on first request.

- WSDL primed at deploy
- Schema validation as a first-class policy
- Groovy script policy for envelope rewrites

### WebSocket and gRPC streams with the same operability

Long-lived sessions get the same audit, permission, and logging surface as REST traffic. No second runtime to operate.

- WebSocket sub-protocol negotiation
- gRPC bidirectional streams
- Per-message context, never shared across threads

---

## What ships in the box

### Runtime

- Undertow with virtual-thread-friendly handlers
- HTTP, gRPC, WebSocket on one process
- MessageContext per request — never shared
- MDC cleared in finally{} on every request

### Operability

- Hot deploy and undeploy
- Coordinated cache invalidation
- Async traffic logging via CompletableFuture
- Schema validator + WSDL primed at deploy time

---

## Resources

- [Worker reference](https://apinizer.com/developers/docs) — The contract for PolicyProcessor, MessageContext, and the request lifecycle.
- [Scripting recipes](https://apinizer.com/developers/docs/scripting) — Groovy snippets for header rewrites, envelope shaping, and async logging.
- [Architecture overview](https://apinizer.com/products) — How Manager, Worker, Portal, and Cache fit together on Kubernetes.

---

## Next step

*Ready when you are*

**Run the gateway on your own Kubernetes.**

A 30-minute walkthrough of the Apinizer API/AI Gateway — protocols, policies, and operability on a cluster of your choice.

[Book a Demo](https://calendly.com/apinizer/15min) · [Read the docs](https://apinizer.com/developers/docs)

---

## Links

- Products: https://apinizer.com/products
- AI Gateway: https://apinizer.com/products/ai-gateway
- Solutions: https://apinizer.com/solutions
- Pricing: https://apinizer.com/pricing
- Developers: https://apinizer.com/developers
- Documentation: https://docs.apinizer.com/index-en
- Blog: https://apinizer.com/blog
- Contact: https://apinizer.com/company/contact

© 2026 Apinizer. All rights reserved.
