Broadcom Layer7 Migration to Open Source (2026 Guide)

· 12 min read
STOA Team
The STOA Platform Team

Migrating from Broadcom Layer7 API Gateway™ to an open-source alternative is a structured process that can be completed in 4-6 months using a phased, zero-downtime approach. This guide covers feature mapping, a five-phase migration roadmap, and practical guidance on translating Layer7's assertion-based policy model to modern open-source equivalents.

API Gateway Hardening: 10-Step Production Checklist

· 13 min read
STOA Team
The STOA Platform Team

Running an API gateway in production requires more than deploying with default settings. An insecure gateway exposes every backend service to attack, leaks sensitive data, and creates compliance nightmares. This 10-step security hardening checklist covers the critical controls you need before production deployment. Each step includes concrete configuration examples and verification commands.

Publish Your First API in 5 Minutes (Quick Start)

· 7 min read
STOA Team
The STOA Platform Team

STOA Platform is an open-source API gateway designed for the AI era. In this tutorial, you'll go from zero to a working API endpoint in 5 minutes. No complex configuration, no hours reading docs — just clone, run, and publish your first API.

By the end, you'll have STOA's full stack running locally: Control Plane API, MCP Gateway, Developer Portal, Keycloak, and observability. You'll create an API, expose it through the gateway, and discover MCP capabilities.

OAuth vs API Keys vs mTLS for AI Agents: The 2026 Security Comparison

· 16 min read
STOA Team
The STOA Platform Team

AI agents need programmatic API access, but traditional authentication patterns designed for human users — browser cookies, session tokens, OAuth2 authorization code flows — don't work. AI agents are autonomous services, not users. They operate without browsers, without human-in-the-loop interactions, and at machine speed. This article presents five authentication patterns that work for AI agents, from the simplest (API keys) to the most secure (mTLS certificate binding), with practical implementation examples for each.

This is part of the What is an MCP Gateway series. For the broader context on why AI agents need specialized infrastructure, see Connecting AI Agents to Enterprise APIs.

Apache 2.0 vs BSL: Why True Open Source Wins

· 8 min read
STOA Team
The STOA Platform Team

In 2024, HashiCorp switched Terraform from MPL to BSL. In 2023, Redis moved from BSD to SSPL. Elastic, MongoDB, CockroachDB — all followed the same playbook: build community with open source, then change the license when the business needs it.

We understand why they did it. We chose a different path anyway.

STOA Platform is licensed under Apache 2.0 — one of the most permissive open-source licenses that exists. No source-available tricks. No "open core" where the useful features are paywalled. No license change planned for when we hit a revenue target.

Here's why — and why this matters for every developer choosing an open-source API gateway today.

AI Factory: How One Developer Ships 72 Story Points/Day

· 12 min read
STOA Team
The STOA Platform Team

A single developer shipping 72 story points per day across 7 components, 22 PRs per week, with zero regressions on main. This is not a theoretical exercise — it is the measured output of STOA Platform's AI Factory during Cycle 7 (February 9-15, 2026). This article explains the architecture, the coordination protocols, and the hard lessons that make it work.

If you are building an MCP gateway or any complex open-source platform, the patterns described here are directly reusable. They are not tied to STOA — we extracted them into a reusable pattern library (HEGEMON) that any project can adopt.

Kong Gateway in 2026: What It Lacks for AI Agents (and How STOA Fills the Gap)

· 10 min read
STOA Team
The STOA Platform Team

Kong and STOA both support the Model Context Protocol, but they approach it from opposite directions. Kong added MCP via plugins on its proven Nginx/Lua stack. STOA built MCP into the gateway core from day one. This article compares the two specifically on MCP capabilities — tool discovery, transport, authentication, governance, and agent workflow support — so you can choose the right MCP gateway for your AI agent architecture.

Kubernetes API Gateway Patterns: Ingress to MCP (2026)

· 15 min read
STOA Team
The STOA Platform Team

Kubernetes-native API gateway patterns have evolved from simple Ingress controllers to sophisticated multi-mode architectures that support AI agents, service mesh integration, and GitOps workflows. This guide covers the four essential patterns — Ingress Controller, Gateway API, sidecar gateway, and MCP gateway — with architecture diagrams, implementation examples, and a decision framework for choosing the right pattern for your use case.

GitOps in 10 Minutes: Infrastructure as a Git Repo

· 8 min read
STOA Team
The STOA Platform Team

GitOps means your infrastructure is defined in Git and automatically deployed from it. This guide explains what GitOps is, why it matters for solo devs and small teams, and how to start — from versioning config files to full ArgoCD automation.

You know how to git push your code. But what about your infrastructure?

Your Nginx config, your firewall rules, your database credentials, your Kubernetes manifests — where do they live? If the answer involves SSH, a shared Wiki page, or "ask Jean-Michel, he set it up" — you have a problem.

GitOps means treating infrastructure the same way you treat code: versioned, reviewed, auditable, and automatically deployed from a Git repo. No more SSH. No more "works on my machine." No more mystery configs.

GitOps is a core principle of open-source API management — and one of the reasons STOA was designed GitOps-first from day one.

API Security Checklist: 10 Must-Dos for Solo Developers

· 10 min read
STOA Team
The STOA Platform Team

10 practical security steps that take less than a day and prevent 95% of API incidents. No enterprise budget, no complex tooling — just engineering discipline. Covers secrets, rate limiting, CORS, auth, TLS, logging, and dependency management.

You're a freelancer. You shipped an API for a client. It works. Tests pass. Invoice sent.

Six months later, the client calls: someone scraped their entire user database through your API. No rate limiting. No input validation. Default CORS headers. The API key was in the frontend JavaScript.

This happens more often than anyone admits. And it's almost always preventable with a simple checklist. This is part of our open-source API management philosophy: security should be accessible to everyone, not just enterprises.