- 🚀 Routing Engine: Proxy to internal microservices with path-based rules
- 🔐 Authentication: API Key, OAuth2, JWT, and IP Whitelisting
- ⚡ Rate Limiting: Per-key, per-user, per-tenant (token bucket algorithm)
- 📋 OpenAPI Validation: Request/response validation with auto-generated docs
- 🏢 Multi-Tenant Support: Scoped rate limits, usage logs, and config
- 🌐 Developer Portal: Swagger UI with API Key generation and usage overview
- 🔒 Secret Management: Environment-based configuration with vault support
- 💰 Monetization Hooks: API usage metering with pricing plans
- 📊 Audit Logging: Comprehensive request/response logging
- 🔔 Webhooks: Event forwarding for errors, new users, over-usage
- 📈 Observability: Prometheus metrics with Grafana dashboards

- Clone and setup:
  git clone <repo>
  cd enterprise-api-gateway
  cp .env.example .env
- Start with Docker:
  docker-compose up -d
- Access services:
  - API Gateway: http://localhost:3000
  - Developer Portal: http://localhost:3000/docs
  - Admin Dashboard: http://localhost:3001
  - Grafana: http://localhost:3002 (admin/admin)
  - Prometheus: http://localhost:9090
- Test the API:
  # Public endpoint
  curl http://localhost:3000/hello
  # Protected endpoint (use demo API key)
  curl -H "X-API-Key: demo-key-123-hash" http://localhost:3000/secure-data
  # Admin endpoint
  curl -H "X-Admin-Key: admin-super-secret-key-change-in-production" http://localhost:3000/admin/stats

- GET /hello - Public hello endpoint
- GET /docs - Developer portal (Swagger UI)
- GET /health - Health check

- GET /secure-data - Requires API key
- POST /api/keys - Generate API key (admin)

# Install dependencies
npm install
# Run in development mode
npm run dev
# Run tests
npm test
# Build for production
npm run build

The gateway loads configuration from config/gateway.yaml. See the configuration section below for details.

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Client App    │───▶│   API Gateway   │───▶│  Microservice   │
└─────────────────┘    └─────────────────┘    └─────────────────┘
                                │
                                ▼
                       ┌─────────────────┐
                       │      Redis      │
                       │  (Rate Limit)   │
                       └─────────────────┘
                                │
                                ▼
                       ┌─────────────────┐
                       │   PostgreSQL    │
                       │  (Users, Logs)  │
                       └─────────────────┘

MIT

The gateway uses a YAML configuration file at config/gateway.yaml. Key sections include:

rate_limiting:
  default_limit: 1000
  window_seconds: 60
  algorithm: "sliding_window"

proxy:
  routes:
    - path: "/api/users/*"
      target: "http://localhost:4001"
      auth_required: true
      rate_limit: 100

monetization:
  plans:
    free:
      requests_per_month: 10000
      rate_limit: 100
      price_cents: 0

All protected endpoints require an API key in the X-API-Key header:

curl -H "X-API-Key: your-api-key" http://localhost:3000/secure-data

Rate limits are enforced per API key with the following headers returned:

- X-RateLimit-Limit: Maximum requests allowed
- X-RateLimit-Remaining: Requests remaining in current window
- X-RateLimit-Reset: Unix timestamp when the rate limit resets

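
How a per-key sliding window (the `algorithm: "sliding_window"` setting above) produces the three rate-limit headers, as an added example that is not the gateway's own code. It assumes an in-memory Map in place of Redis; `SlidingWindowLimiter`, `check` and `demoSlidingWindow` are hypothetical names.

```javascript
// Added example, not the gateway's code. Assumption: an in-memory Map stands in
// for the Redis store; class and method names are hypothetical.
class SlidingWindowLimiter {
  constructor({ defaultLimit = 1000, windowSeconds = 60 } = {}) {
    this.defaultLimit = defaultLimit;     // rate_limiting.default_limit
    this.windowMs = windowSeconds * 1000; // rate_limiting.window_seconds
    this.hits = new Map();                // apiKey -> ascending request timestamps (ms)
  }

  // Decide one request for `apiKey` at `nowMs`; `limit` allows a per-route override.
  check(apiKey, nowMs = Date.now(), limit = this.defaultLimit) {
    const cutoff = nowMs - this.windowMs;
    // Keep only requests still inside the window that ends now.
    const recent = (this.hits.get(apiKey) || []).filter((t) => t > cutoff);
    const allowed = recent.length < limit;
    // Rejected requests are not recorded, so each key stores at most `limit` entries.
    if (allowed) recent.push(nowMs);
    this.hits.set(apiKey, recent);
    // A slot frees up when the oldest counted request leaves the window.
    const oldest = recent.length > 0 ? recent[0] : nowMs;
    return {
      allowed,
      headers: {
        'X-RateLimit-Limit': String(limit),
        'X-RateLimit-Remaining': String(Math.max(0, limit - recent.length)),
        'X-RateLimit-Reset': String(Math.ceil((oldest + this.windowMs) / 1000)),
      },
    };
  }
}

// Constructed run: limit 3 per 60 s, five requests from one key.
function demoSlidingWindow() {
  const limiter = new SlidingWindowLimiter({ defaultLimit: 3, windowSeconds: 60 });
  const t0 = 1700000000000; // constructed timestamp (ms)
  return [0, 1000, 2000, 3000, 61000].map((dt) => limiter.check('key-a', t0 + dt));
}
```

Only pass keys that have already authenticated into `check`, otherwise unauthenticated callers can grow the key map without bound.
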
Configure webhooks to receive notifications for events:
curl -X POST http://localhost:3000/webhooks \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{
"url": "https://your-app.com/webhook",
"events": ["rate_limit_exceeded", "auth_failure"]
}'

Prometheus metrics are available at /metrics endpoint:

- http_requests_total: Total HTTP requests
- http_request_duration_seconds: Request duration histogram
- rate_limit_hits_total: Rate limit violations
- auth_failures_total: Authentication failures

Pre-configured dashboards show:
- Request volume and latency
- Error rates by endpoint
- Rate limit violations
- Active API keys and tenants
Structured JSON logs include:
- Request/response details
- Authentication events
- Rate limit violations
- Proxy errors
- API Key Authentication: Secure key-based access control
- Rate Limiting: Prevent abuse with configurable limits
- IP Whitelisting: Restrict access by IP address
- Request Validation: OpenAPI schema validation
- Audit Logging: Complete request/response logging
- Secure Headers: Security headers added to all responses
# Build and deploy
docker-compose -f docker-compose.yml up -d
# Scale services
docker-compose up -d --scale api-gateway=3

# Apply manifests
kubectl apply -f k8s/
# Check status
kubectl get pods -l app=api-gateway

Key environment variables for production:

- DATABASE_URL: PostgreSQL connection string
- REDIS_URL: Redis connection string
- JWT_SECRET: JWT signing secret
- ADMIN_API_KEY: Admin access key

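
A startup check over these four variables that refuses to run with the sample credentials printed earlier in this README, as an added example that is not the gateway's own code. The function names, the 32-character minimum and the accepted URL schemes are assumptions made for the example.

```javascript
// Added example, not the gateway's code: startup check that fails closed on weak config.
// Sample credentials printed in this README; they must never be used in production.
const README_SAMPLE_VALUES = new Set([
  'admin-super-secret-key-change-in-production',
  'demo-key-123-hash',
  'your-api-key',
]);
const MIN_SECRET_LENGTH = 32; // assumption: policy chosen for this example
const URL_SCHEMES = {         // assumption: schemes accepted by this example
  DATABASE_URL: ['postgres:', 'postgresql:'],
  REDIS_URL: ['redis:', 'rediss:'],
};

// Returns a list of problems; an empty list means the environment passed.
function validateProductionEnv(env) {
  const get = (name) => String(env[name] || '').trim();
  const problems = [];
  for (const name of ['DATABASE_URL', 'REDIS_URL', 'JWT_SECRET', 'ADMIN_API_KEY']) {
    if (!get(name)) problems.push(`${name} is not set`);
  }
  for (const name of ['JWT_SECRET', 'ADMIN_API_KEY']) {
    const value = get(name);
    if (!value) continue;
    if (README_SAMPLE_VALUES.has(value)) {
      problems.push(`${name} uses a sample value from the README`);
    } else if (value.length < MIN_SECRET_LENGTH) {
      problems.push(`${name} is shorter than ${MIN_SECRET_LENGTH} characters`);
    }
  }
  if (get('JWT_SECRET') && get('JWT_SECRET') === get('ADMIN_API_KEY')) {
    problems.push('JWT_SECRET and ADMIN_API_KEY must differ');
  }
  for (const [name, allowed] of Object.entries(URL_SCHEMES)) {
    if (!get(name)) continue;
    let protocol = null;
    try { protocol = new URL(get(name)).protocol; } catch (err) { /* unparsable URL */ }
    if (!allowed.includes(protocol)) problems.push(`${name} must use ${allowed.join(' or ')}`);
  }
  return problems;
}

// Call before the server starts listening; throws instead of running with weak secrets.
function assertProductionEnv(env = process.env) {
  const problems = validateProductionEnv(env);
  if (problems.length > 0) throw new Error(`Refusing to start: ${problems.join('; ')}`);
}
```
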
Run the test suite:
npm test

Load test with sample data:

# Import Postman collection
# Use the provided collection in postman/ directory

- Database Connection Failed
  - Check PostgreSQL is running
  - Verify DATABASE_URL is correct
  - Ensure database exists and user has permissions
- Redis Connection Failed
  - Check Redis is running
  - Verify REDIS_URL is correct
  - Check Redis memory usage
- Rate Limiting Not Working
  - Verify Redis connection
  - Check rate limit configuration
  - Ensure API key is valid
- Proxy Requests Failing
  - Check target service is running
  - Verify proxy configuration
  - Check network connectivity

Enable debug logging:
LOG_LEVEL=debug npm start

Monitor service health:

curl http://localhost:3000/health
curl http://localhost:3000/status

- Fork the repository
- Create a feature branch
- Make your changes
- Add tests
- Run linting: npm run lint
- Submit a pull request

- Documentation: See /docs endpoint
- Issues: GitHub Issues
- Community: Discord/Slack channel

- GraphQL support
- gRPC proxy support
- Advanced analytics
- Multi-region deployment
- Custom middleware plugins
- OAuth2 provider integration