Developers · API Gateway
The Apinizer API Gateway is the single entry point for every request — mobile, web, partner, and AI. Authentication, rate limiting, routing, transformation, and logging run as policies, so you stop scattering that logic across services.
The problem
When each app talks straight to each backend, the cross-cutting concerns — who's calling, how often, in what shape, with what audit trail — get re-implemented in every codebase, in every language, slightly differently. An API Gateway moves them to one place: a reverse proxy that sits in front of your services and applies a consistent policy pipeline to every request before it reaches an upstream.
policies out of the box
auth · traffic · transform · logging
auth methods
OAuth2 · OIDC · JWT · mTLS · SAML …
runtime, every protocol
HTTP · gRPC · WS · SOAP · AI
Capabilities
An API Proxy is a front-facing endpoint you define on the gateway. It terminates the client request, runs the policy pipeline, and forwards to your upstream. REST, SOAP, gRPC, WebSocket, and GraphQL all share one proxy model.
Verify the caller before routing — OAuth 2.0 / OIDC / JWT for modern apps, mTLS / SAML / Basic for the enterprise and legacy estate. Each method is a first-class policy, not a plugin you have to write.
Protect upstreams with per-API throttling, per-subscriber quotas, burst windows, IP allow/deny lists, and message-size caps. Token-based limits (TPM) apply to AI traffic on the same surface.
Reshape payloads at the edge — SOAP↔REST, XML↔JSON, JOLT and XSLT, plus Groovy/JS scripts. Clients get a modern contract while the backend stays exactly as it is.
Every request, header rewrite, and routing decision is logged asynchronously to Elasticsearch — the request path never waits on the writer. The audit trail is enforced by the platform, not left optional.
A distributed response cache cuts upstream load; JSON Schema and XSD validation are primed at deploy time, so a malformed request is rejected at the edge — never on first request.
Use cases
The gateway terminates TLS, validates the OAuth token, throttles per device, and forwards to the right service. Rotate a backend or split traffic without shipping a new app build.
edge auth + throttle
CORS, token exchange, and response aggregation handled at the edge. The browser sees a single API; the frontend stops needing to know your internal service map.
one origin
Internal traffic gets the same auth, retries, routing, audit, and rate limits as north-south traffic — without a bespoke client library per service.
Per-partner quotas, IP allow-lists, and an Allowed-Hours policy. Front a 2008 SOAP service as clean REST without touching the legacy team.
per-partner quota
One OpenAI-compatible endpoint across 17+ providers, with token quotas, semantic caching, and a prompt firewall — the same gateway, one extra layer of policies.
17+ providers, one facade
The gateway exposes JSON or gRPC while the upstream stays SOAP/XML or a stored procedure. Validation and transformation run at the edge; the mainframe doesn't change.
Request lifecycle
Every call runs the same policy pipeline before it ever reaches a backend — and response policies run in reverse on the way out.
The gateway terminates the connection (HTTP/2, gRPC, WSS), matches the path to an API Proxy, and selects the upstream and load-balancing strategy.
Pre-flow policies verify the caller — token validation, mTLS, scope and tier checks — and reject anything unauthorized before any backend work happens.
Rate limit, quota, and size caps apply; request transforms (SOAP↔REST, JOLT/XSLT, scripts) and schema validation reshape and vet the payload.
The request is forwarded upstream, response policies run in reverse order, and the call is logged asynchronously to Elasticsearch and captured in audit.
Recommended products
The runtime itself — protocols, 50+ policies, hot deploy, and per-request context.
Open the Gateway pageThe identity surface behind the gateway's auth policies — OAuth2 / OIDC / JWT / LDAP / SAML.
Open the Identity pageWhere the gateway's async logs land — per-endpoint, per-consumer observability.
Open the Analytics pageThe distributed cache behind response caching and coordinated invalidation.
Open the Cache pageResources
The eight proxy types and how a request flows through the policy pipeline.
The runtime in depth — protocols, policies, and operability.
Step-by-step: client route, routing, and policies.
Deploy your first governed proxy end to end.
Per-endpoint, per-consumer telemetry for every proxy.
How the gateway sits in the platform topology on Kubernetes.
One entry point
A 30-minute walkthrough of the Apinizer API Gateway — proxies, policies, and placement — on a Kubernetes of your choice.