10 best API management tools

From simple open source solutions to end-to-end enterprise services, these are the top tools for creating, deploying, and managing APIs

The modern business world is software-powered and API-driven. Any application, whether public or private, needs powerful and convenient APIs to be truly useful. Building and maintaining APIs is hard work, so it’s no wonder that whole classes of software have sprung up around API management.

Most API management products provide a common clutch of features: routing and proxying, transformation of data and URLs, dashboards and analytics, policies and restrictions, and developer tools like documentation generators. Here we’ll look at 10 popular API management tools—open source projects, commercial products, cloud services, and mixes of same—that offer everything from a full-service suite for APIs to focused tools for specific scenarios.


3scale

Originally a closed-source product, 3scale was acquired by Red Hat and open sourced after about two years of work. The open source project can be used freely under the Apache license, while Red Hat offers a commercially supported SaaS implementation.

3scale’s features are in line with the other offerings in this roundup. You’ll find API versioning, access control and rate limiting, security controls, and analytics. 3scale also offers developer-friendly features such as a developer portal and CMS for creating documentation for one’s APIs, along with native tooling for monetizing APIs, such as invoicing and integration with payment services.

If you intend to install 3scale yourself for production, you will need Oracle Database and OpenShift. Given that even a minimal 3scale install for testing requires Minishift, a single-node OpenShift cluster, you may be best served by using the free 90-day trial version of 3scale if you want to get started as quickly as possible.

The Pro version starts at $750 per month for 5,000 developer accounts, 500,000 API calls daily, and up to three APIs. The Enterprise version (price available on request) removes most of those restrictions.


Ambassador

Ambassador is an open source API management system built to work with Kubernetes. Ambassador is implemented on top of the Envoy proxy, which handles network abstraction for microservices, so most of the heavy lifting is done by Envoy and Kubernetes.

Ambassador’s feature set is in line with most of the other API management tools out there: URL rewriting and request routing, filtering, authentication and access control, rate limiting and timeouts, and integration with logging, troubleshooting, and visibility tools.

However, the majority of Ambassador’s features revolve around runtime management and integration with Kubernetes and other Kubernetes tools (e.g., Prometheus). Ambassador leaves the design and declarative configuration of APIs entirely to the user. Features like API versioning aren’t supported natively; you have to handle such things on your own. That makes Ambassador best suited for working with APIs as part of a Kubernetes deployment, rather than as a general API management solution.


Apiman

Apiman—formerly “JBoss Apiman”—is a Red Hat open source project built in Java. Although it is still being maintained by Red Hat, most of Red Hat’s active development in API management appears to have moved to its 3scale product.

Apiman concentrates on the basics—publishing and managing APIs, providing role-based access to those functions, setting policies around API use, gathering runtime and billing metrics, and creating top-down organizational structures for all of those elements.

Apiman can set policies for APIs around security, resources (e.g., rate limiting), transformations of data, caching, and logging. Policies are configured via JSON, so they can be read and edited by both humans and machines. Security policies can be applied by user identity or role, and APIs can be loosely or tightly controlled. You can publish APIs with the revision ID in the URL and no contract associated with their use; or you can require an API key and closely manage how they are versioned.

Most anything beyond the basics is your responsibility. For instance, while a number of plug-ins for Apiman are available, they generally amount to small extensions to Apiman functionality, provided by core project maintainers.


DreamFactory

The DreamFactory API management platform is built with the Laravel framework in PHP. DreamFactory is available as a free open source offering, or with varying levels of commercial support (pricing not disclosed). It is a natural choice for developers already invested in PHP and who want to dig into the open source implementation. DreamFactory also offers server-side scripting integration with Node.js and Python.

DreamFactory’s “Datamesh” feature, available out-of-the-box in all its incarnations, lets you combine results from multiple, heterogeneous database calls—including to different database products—and return the results as a single API call. Likewise, table updates across multiple databases can be combined into a single API call.

The DreamFactory documentation lacks a single, canonical, searchable list of all of the available services. The information is organized by category, so you need to perform some manual drilling down to find out what’s available. On the upside, the docs include many how-to videos for specific use cases, like setting up a simple application or connecting to various data sources.


Kong

Kong is one of the best known API management tools, originally created by Mashape (renamed Kong) to power its own API marketplace product. Kong is available in an open source edition or in an enterprise-grade, commercial offering (pricing not disclosed) with additional management, monitoring, and developer features. The enterprise edition can run on-prem or in a cloud service of choice. Documentation for both the open source and enterprise products is copious and detailed.

Kong provides an Ingress controller for Kubernetes integration, and a service mesh to allow Kong’s functionality to be “injected” into an existing deployment of services. The enterprise edition offers a developer’s portal aimed at easing the creation of new APIs and getting new developers familiar with your API code base.

Kong normally uses a database, but can also run in a database-less mode, using a JSON/YAML configuration file and in-memory storage. This is best if you’re only running a single, minimal node but want maximum performance.


KrakenD

KrakenD, written in Go, delivers only the bare essentials but touts high performance as a key feature. KrakenD is delivered as a single, self-contained binary, as is the case with most applications built in Go. Alternatively, it can be compiled from source, or used as a Go library if you want to build your own application around it.

KrakenD uses a configuration file, which can be hand-rolled or machine-generated. Rate limiting, manipulation of responses, forwarding, endpoint debugging, protocol security measures (e.g., protection against clickjacking), proxying, stubbing, and in-memory response caching are all supported out of the box.

KrakenD instances can be clustered for high availability. No additional software is needed to do this, just KrakenD itself. You can also deploy KrakenD across a Kubernetes cluster without much additional work. An assortment of third-party middleware can be obtained from the KrakenD GitHub repository.

Enterprise support, including consultancy and training, is available from KrakenD’s creators, although pricing is not disclosed.

MuleSoft Anypoint Platform

MuleSoft’s Anypoint Platform is meant to be a completist offering—it covers API design, construction, hosting, management, integration, and developer support in a single, commercial product. 

With Anypoint, you can develop APIs from scratch, or re-use existing connectors and integrations created by other MuleSoft customers and shared in Anypoint Exchange. Connectors are available for generic protocols (file access, HTTP, email), language modules for data transformations (Java, JavaScript), cloud services (Amazon AWS), commercial applications (Salesforce, SAP), and open source applications (MongoDB).

For those creating APIs that will be consumed by partners or the public, Anypoint provides the API Community Manager to create web UIs—what MuleSoft calls “portals”—for those APIs. Interactive documentation, personalization (including features like tailoring output based on the user’s geolocation), and API usage analytics are all included.

Anypoint offers three pricing plans, Gold, Platinum, and Titanium, which vary by level of customer support and enterprise features. All three plans include unlimited APIs and charge extra for “premium” connectors (e.g., the IBM AS/400 mainframe connector).

Netflix Zuul

Zuul, an open source project created by the engineers at Netflix, was built in-house to handle routing requests to Netflix’s video streaming services. There is no commercial Zuul offering—at least, not from Netflix—so you’ll have to spin Zuul up and manage it entirely on your own.

Zuul is written in Java, and it uses common Java tools—Gradle, Ivy, Maven—to get up and running. Zuul offers a relatively minimal feature set compared to other API management systems, focusing on filtering and dispatching inbound requests across services. Zuul does provide service discovery, load balancing, connection pooling, and debugging features (the “request passport”), but lacks more sophisticated functions such as developer on-boarding and automatic documentation.

Zuul is an active project with many new features planned for future versions. The forthcoming “brownout filter,” for instance, will disable certain features to free up the CPU during periods of high activity.


Tyk

Tyk includes a great deal by default: the API gateway, analytics tools, a dev portal, and a management dashboard. It also includes functionality for mocking APIs before they’re formally released, built-in request caching (which can be included directly in an API definition), and response templates for different HTTP error codes.

Tyk is available in four editions, each for different use cases. The community edition, Tyk’s open source release, includes only the gateway, which handles proxying, access control, transformations, and logging. You can roll your own functionality directly, or by tapping into Tyk’s plug-in ecosystem, with support for multiple languages.

The on-premises edition lets you use the full-featured commercial product behind your firewall. Single gateway licenses—developer editions, essentially—are available for free, with no API call limits, although the APIs cannot be used in commercial settings. Licenses for commercial use begin at $3000 per year.

The cloud and multi-cloud editions, available for a variety of popular cloud services, provide Tyk as a hosted service. A basic, single-cloud version that supports 1,000 API calls per day is available for free (apart from whatever your cloud service provider charges); pro-level plans start at $450 per month.

WSO2 API Manager

WSO2 API Manager is at core an open source product, built with Java. The product is available for on-prem or cloud-hosted deployment with commercial support, or as a cloud-managed service.

The various deployment options allow for a number of different management scenarios. For instance, an on-prem WSO2 deployment can have its policies and other configuration enforced by way of a cloud-hosted developer portal, with the changes either synchronized between cloud and premises, or pushed periodically from the cloud (for environments that need to be locked down).

WSO2 has some 200 connectors that can be used to hook together external services. Many are common developer staples: Slack, Splunk, Kafka, Redis, Amazon S3, and so on.

Another WSO2 feature, the “API microgateway,” ensures that certain kinds of calls receive additional security and lower latency. For instance, calls used to manage the gateway, or calls routed between microservices, can be handled this way.

A new add-on to WSO2 adds integration with the Istio service mesh for Kubernetes. Istio doesn’t manage the APIs exposed by the microservices it manages, so WSO2 integrates with the Envoy proxy used by Istio to do so.

Pricing for WSO2’s commercial offerings starts with a free two-week trial with up to one million API calls, continues at $550 per month for 20 million calls, and scales up from there to bespoke configurations.

Copyright © 2019 IDG Communications, Inc.
