A complete API gateway system for managing, securing, and routing API traffic to your backend services.
For step-by-step instructions on setting up and running the gateway using Docker Compose, including verifying the Gateway Controller admin health endpoint and deploying a sample REST API via POST /rest-apis, see the Quick Start Guide.
| Component | Purpose |
|---|---|
| Gateway-Controller | Control plane that manages API configurations and dynamically configures the Router |
| Gateway-Runtime | Data plane (Envoy Proxy) that routes HTTP/HTTPS traffic to backend services and Processes requests/responses through configurable policies (authentication, rate limiting, etc.) |
| Policy Builder | Build-time tooling for compiling custom policy implementations |
The ap CLI provides a command-line interface for managing gateways, APIs, and MCP proxies. Key capabilities include:
- Gateway management (add, list, remove, health check)
- API lifecycle management (apply, list, get, delete)
- MCP proxy management (generate, list, get, delete)
For the complete list of CLI commands and usage examples, see the CLI Reference.
| Port | Service | Description |
|---|---|---|
| 8080 | Router | HTTP traffic |
| 8443 | Router | HTTPS traffic |
| 9090 | Gateway-Controller | REST API |
| 9094 | Gateway-Controller Admin | Health and admin endpoints |
User → Gateway-Controller (REST API)
↓
Gateway-Controller Admin (/health)
↓ (validates & persists config)
↓
Router (Envoy Proxy) → Backend Services
How it works:
- User verifies the Gateway-Controller admin health endpoint
- User submits API configuration (YAML/JSON) to the Gateway-Controller REST API
- Gateway-Controller validates and persists the configuration
- Router receives the updated configuration and starts routing traffic
Policies allow you to intercept and transform API traffic at the Gateway-Runtime (Envoy Proxy). They can be applied to request/response flows to handle concerns like authentication, rate limiting, header manipulation, and more.
The complete and up-to-date policy catalogue — with configuration references and examples — is maintained in the gateway-controllers repository: https://github.com/wso2/gateway-controllers/blob/main/docs/README.md
You can extend the gateway with your own policies or include specific policies from the catalogue by building a custom gateway image using the ap CLI. See Customizing the Gateway by Adding and Removing Policies.
| Section | Description |
|---|---|
| Kubernetes | Kubernetes Gateway Operator deployment |
| MCP | MCP proxy setup and policies |
| Observability | Logging, metrics, and tracing configuration |
| Resiliency | Gateway resiliency features (timeouts, failure handling) |
| Analytics | Analytics integrations (Moesif) |
| REST APIs | REST API authentication and usage |
| Policies and Guardrails | Gateway policies and guardrails for API traffic control |