SMB API Gateway Guide 2026: Find the Right Fit
Choosing an API gateway as a small or medium business in 2026 is harder than it should be. Most comparison articles assume you have a dedicated platform team, a six-figure infrastructure budget, and months to spare on evaluation. Most SMB SaaS companies have none of those.
This buying guide is written for SMB teams: typically 5-30 engineers, a product that is live (or nearly live), and a need for production-grade API management without enterprise complexity and enterprise pricing.
Feature comparisons in this guide are based on publicly available documentation as of February 2026. Product capabilities change frequently. Verify current features directly with each vendor. All trademarks belong to their respective owners. See our trademark notice for details.
Who This Guide Is For
This guide targets API-first SaaS products at the SMB stage:
- You have an API (REST, GraphQL, or emerging MCP for AI agents)
- You need rate limiting, auth, and routing, and possibly multi-tenancy
- You want something you can actually run and understand without a dedicated platform team
- You care about cost at your current scale, not hypothetical enterprise pricing
If you are an enterprise with 200+ services and a multi-cloud deployment, this guide is not for you; look at our API Gateway Migration Guide 2026 instead.
The SMB Decision Framework
Before evaluating any specific product, answer these four questions:
1. Do you need multi-tenancy? If your product serves multiple independent customers via your API, you need first-class multi-tenant support. This is a hard requirement that eliminates some options.
2. Are AI agents a current or near-term requirement? If you are building AI features (copilots, agents, MCP integrations), your gateway needs to handle Model Context Protocol traffic. Most traditional gateways added this as a plugin; some are built for it natively.
3. What is your team's operational capacity? A gateway you can run on Kubernetes versus a managed SaaS versus a Docker Compose setup are very different operational commitments. Be honest about your team's bandwidth.
4. What are your compliance requirements? If you handle EU data (GDPR), healthcare data (HIPAA), or financial data (PCI-DSS), your gateway needs audit logging, data residency controls, and access records. Not all options support this out of the box.
The Candidates
We evaluate five categories of options commonly considered by SMB teams:
| Category | Representative Options | Best For |
|---|---|---|
| Open-source, self-hosted | STOA, Kong CE, Gravitee, Tyk | Control, cost, no vendor lock-in |
| Cloud-native managed | AWS API Gateway, Azure APIM, GCP Apigee | All-in cloud, simplicity |
| Reverse proxy + plugins | nginx + lua, Traefik, Caddy | Lightweight, custom needs |
| Commercial managed | Kong Konnect, MuleSoft | Enterprise with budget |
| Minimal/serverless | Cloudflare Workers, Vercel Edge | Stateless proxying, edge routing |
For SMB, the realistic field is typically: STOA, Kong CE, Gravitee, AWS API Gateway, and Cloudflare Workers. We focus on these five.
Feature Comparison
| Feature | STOA | Kong CE | Gravitee | AWS API Gateway | Cloudflare Workers |
|---|---|---|---|---|---|
| License | Apache 2.0 | Apache 2.0 | Apache 2.0 | Proprietary | Proprietary |
| Self-hosted | Yes | Yes | Yes | No | Limited (Workers runtime) |
| Managed SaaS | Planned | Kong Konnect (paid) | Gravitee Cloud (paid) | Yes (native) | Yes (native) |
| Multi-tenancy | Native (namespace isolation) | Plugin-based | Plugin-based | Account-level only | No native multi-tenancy |
| MCP / AI agent support | Native | Enterprise plugin only | 4.8+ beta | No | No |
| Rate limiting | Per-tenant, per-tier, per-endpoint | Plugin (rate-limiting) | Plans/flows | Stage-level throttling | Service-level rate limiting |
| OAuth2 / OIDC | Native + Keycloak integration | Plugin | Plugin | Built-in (Cognito, JWT and Lambda authorizers) | Custom implementation |
| Developer portal | Included (open-source) | Kong DevPortal (paid) | Gravitee Dev Portal | AWS Marketplace | Not included |
| Audit logs | Per-tenant, tamper-evident | Plugin (file/HTTP) | Audit logs | CloudTrail (extra cost) | Workers Logpush (paid) |
| OpenAPI / Swagger import | Yes | Yes | Yes | Yes | No |
| GitOps / CRD support | Yes (Kubernetes-native) | Deck (declarative) | Partial | No | No |
| Guardrails / content filtering | Yes (GuardrailPolicy CRD) | No | No | No | Custom code |
| Horizontal scaling | Yes (K8s or standalone) | Yes | Yes | Yes (managed) | Yes (edge-native) |
| Cold start latency | None | None | None | None for the gateway itself; Lambda integrations cold-start (~100ms+) | ~0ms (V8 isolates) |
| Free tier | Open-source (self-hosted) | Open-source (self-hosted) | Open-source (self-hosted) | 1M req/month free for the first 12 months | 100K req/day free |
Deep Dive: The Four Critical Dimensions for SMBs
Dimension 1: Operational Complexity
The question is not which gateway has the most features; it is which gateway your team can actually operate.
STOA: Runs on Docker Compose for local dev, deploys to Kubernetes for production. The control plane (including the developer portal and admin UI) comes as a single Helm chart. For a team that already runs Kubernetes, this is familiar territory. For a team without K8s experience, there is a learning curve.
Kong CE: Mature, well-documented, large community. DB-less mode (a declarative YAML config, managed with the decK CLI) is SMB-friendly: no database dependency, and the config lives in git. The plugin ecosystem is extensive. Enterprise features (developer portal, RBAC, audit logs, Workspaces) require Kong Enterprise or Kong Konnect (paid).
Gravitee: Strong management UI out of the box. More complex initial setup than Kong: it needs a management database (MongoDB by default) and Elasticsearch for analytics alongside the gateway. Worth the investment if you need a polished developer portal included in the open-source tier.
AWS API Gateway: Zero operational overhead if you are already on AWS. No servers to manage. The trade-off is cost at scale (per-request pricing adds up quickly) and AWS lock-in. Limited multi-tenancy and no MCP support.
Cloudflare Workers: Excellent for stateless edge routing and simple API proxying. Not a full API gateway β no developer portal, no multi-tenancy, no audit logs. Best used as a CDN/edge layer in front of a real API gateway.
Dimension 2: Multi-Tenancy
If your SaaS serves multiple customers via a shared API infrastructure, multi-tenancy is a hard requirement. Test it before you commit.
STOA has native multi-tenancy at its core. Tenant namespaces, per-tenant UAC contracts, per-tenant Keycloak realms, and per-tenant GuardrailPolicies are the defaults, not add-ons. This makes it the strongest option in this dimension for SMBs building B2B SaaS.
Kong CE can approximate multi-tenancy by carefully organizing services, routes and consumers per tenant; proper isolation via Kong Workspaces is an Enterprise feature. It is achievable but not the default, and it requires deliberate architecture work.
Gravitee supports multi-tenancy through environment separation and API visibility rules. Better than Kong CE for multi-tenancy out of the box, though not as deep as STOA's namespace model.
AWS API Gateway has no native multi-tenancy concept below the AWS account level. You can implement tenant separation at the application layer, but the gateway itself is not tenant-aware.
Dimension 3: AI/MCP Support
If you are building AI-powered features in 2026, your gateway needs to route, authenticate, and rate-limit MCP traffic. This is increasingly a non-negotiable requirement for developer-facing SaaS products.
STOA was built with MCP as a primary concern. MCP tool registration, per-tenant tool allowlists, AI guardrails (content filtering, PII redaction), and MCP-native rate limiting are all first-class features. For teams building AI-first products, this is the strongest option.
Kong CE added MCP support in Kong Gateway 3.12 (October 2025) via an ai-mcp-proxy plugin. As of early 2026, the plugin is Enterprise-only. The OSS Kong CE tier does not include MCP support.
Gravitee released MCP support in version 4.8 (early 2026, beta). Still maturing, but shows commitment from the Gravitee team.
AWS API Gateway and Cloudflare Workers have no native MCP support. Custom implementation is possible but requires significant engineering effort.
Dimension 4: Total Cost of Ownership
"Free" open-source software is never actually free: you pay in engineering time and operational complexity. "Managed" SaaS appears simple, but costs grow quickly with scale.
| Option | Cost Model | At 1M req/month | At 100M req/month |
|---|---|---|---|
| STOA (self-hosted) | Infrastructure cost only | ~€30-50 (small K8s node) | ~€200-500 (scaled deployment) |
| Kong CE (self-hosted) | Infrastructure cost only | ~€30-50 | ~€200-500 |
| Gravitee (self-hosted) | Infrastructure cost + Elasticsearch | ~€80-120 | ~€400-800 |
| AWS API Gateway | Per-request: $3.50/million (REST API; HTTP APIs are $1.00/million) | ~€3 (covered by the free tier in the first 12 months) | ~€350 |
| Kong Konnect | Subscription + usage | ~€500+/month | Contact sales |
| Cloudflare Workers | Per-request after free tier | Likely free tier | ~€50+ |
Cost estimates are illustrative ranges based on publicly available pricing as of February 2026. Actual costs depend on configuration and scale. Verify current pricing directly with each vendor.
The economics favor self-hosted open-source at scale. The break-even point where managed SaaS becomes more expensive than self-hosted is typically around 10-50M requests/month, depending on your infrastructure costs and team bandwidth.
Our Recommendation by Profile
Profile A: "B2B SaaS, multi-tenant, 5-15 engineers, Kubernetes already in use"
Recommendation: STOA
You need multi-tenancy, you already operate Kubernetes, and you may be adding AI features to your product. STOA's native multi-tenancy, MCP support, and GitOps-first architecture align well with this profile. The Helm chart is the fastest path to production.
Start with the Docker Compose quickstart for local development, then deploy to K8s via the Helm chart.
Profile B: "Developer API product, no multi-tenancy needed, team already knows Kong"
Recommendation: Kong CE
If your team already has Kong experience and multi-tenancy is not a requirement, Kong CE is the pragmatic choice. The ecosystem is mature, documentation is excellent, and you can always upgrade to Kong Konnect later. Run it in DB-less mode and manage the declarative config with decK so it stays in version control.
Profile C: "All-in on AWS, want zero ops, cost is not the primary concern"
Recommendation: AWS API Gateway
The zero-operational-overhead argument is real. If your entire stack is on AWS and you are not hitting the point where per-request pricing becomes painful, AWS API Gateway's simplicity is worth the cost and the lock-in.
Profile D: "API product with a polished developer portal as a key differentiator"
Recommendation: Gravitee
Gravitee's management UI and developer portal are notably polished for an open-source product. If the developer portal is a key part of your product experience and you do not need deep multi-tenancy or MCP support today, Gravitee is worth the additional Elasticsearch dependency.
Profile E: "Stateless edge proxying, no need for a full gateway stack"
Recommendation: Cloudflare Workers
If your use case is primarily routing, edge caching, and basic auth, with no developer portal, no multi-tenancy and no audit logs, Cloudflare Workers is fast and cheap. Treat it as a CDN/edge layer, not a full API management platform.
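As an added example of the edge-layer pattern this profile (and the Dimension 1 note on Workers) describes, the following Worker does path-prefix routing to an internal gateway and enforces HTTP Basic auth on the protected prefix. It is written for this guide and is not Cloudflare's code; the route table, hostnames and the `EDGE_USER`/`EDGE_PASS` secret names are assumed, and edge caching is left out to keep the focus on routing and auth.

```javascript
// Added example for this guide of the edge-layer pattern recommended above:
// Basic auth plus path-prefix routing in front of an internal API gateway.
// Not Cloudflare's code; route table, hostnames and credential names are
// assumed. Edge caching is left out to keep the example focused.

// Constructed route table: path prefix -> internal gateway (assumed host).
const ROUTES = [
  { prefix: '/public/', upstream: 'https://gateway.internal.example', auth: false },
  { prefix: '/v1/',     upstream: 'https://gateway.internal.example', auth: true  },
];

// Compare without an early exit so response time does not reveal how many
// leading characters matched.
function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a), y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  return diff === 0;
}

// env.EDGE_USER / env.EDGE_PASS are assumed to be bound as Worker secrets
// (e.g. via `wrangler secret put`), never hard-coded in the script.
function checkBasicAuth(authorization, env) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(authorization || '');
  if (!m) return false;
  let decoded;
  try { decoded = atob(m[1]); } catch { return false; }
  const i = decoded.indexOf(':');
  if (i < 0) return false;
  // Evaluate both comparisons unconditionally for the same timing reason.
  const userOk = constantTimeEqual(decoded.slice(0, i), env.EDGE_USER);
  const passOk = constantTimeEqual(decoded.slice(i + 1), env.EDGE_PASS);
  return userOk && passOk;
}

// Pure routing/auth decision, kept separate from I/O so it can be unit-tested.
function decide(url, authorization, env) {
  const { pathname, search } = new URL(url);
  const route = ROUTES.find((r) => pathname.startsWith(r.prefix));
  if (!route) return { status: 404 };
  if (route.auth && !checkBasicAuth(authorization, env)) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="edge"' } };
  }
  return { status: 200, upstream: route.upstream + pathname + search };
}

// In a Workers module this object is what you `export default`.
const worker = {
  async fetch(request, env) {
    const d = decide(request.url, request.headers.get('Authorization'), env);
    if (d.status !== 200) return new Response(null, { status: d.status, headers: d.headers });
    // Strip the edge credential; the internal gateway applies its own auth policy.
    const headers = new Headers(request.headers);
    headers.delete('Authorization');
    const body = ['GET', 'HEAD'].includes(request.method) ? null : request.body;
    return fetch(d.upstream, { method: request.method, headers, body });
  },
};
```

Note what this layer does not do: it has no notion of tenants, plans, quotas or audit trails, and the upstream gateway is still reachable directly unless you restrict its ingress to Cloudflare's address ranges or authenticate the hop. That is the "in front of a real API gateway" caveat from Dimension 1 in concrete terms.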
Decision Checklist
Before committing, run through this checklist:
- Multi-tenancy required? If yes, evaluate STOA and Gravitee first
- MCP/AI agents in roadmap? If yes, STOA is currently the strongest OSS option
- Team has K8s experience? If yes, self-hosted OSS is viable; if no, evaluate managed options
- Developer portal needed? Factor in Gravitee and Kong Konnect (paid)
- Compliance requirements (GDPR, HIPAA)? Confirm audit log and data residency support
- Budget for 2 years at current scale? Run the TCO numbers; managed SaaS cost grows faster than self-hosted
- Migration path? If you might outgrow this choice, prefer OSS with a clear upgrade path
Getting Started with STOA
If STOA matches your profile, the fastest path to evaluation is:
```bash
# Clone the quickstart
git clone https://github.com/stoa-platform/stoa-quickstart.git
cd stoa-quickstart
# Start the full stack (gateway + control plane + portal + auth)
docker compose up -d
# Open the console (macOS `open`; on Linux use xdg-open or paste the URL into a browser)
open http://localhost:3001
```
Full setup guide: Docker Compose Local Development.
For a comparison of STOA specifically against Kong: STOA vs Kong.
For the full SaaS Playbook series, start with Part 1: Multi-Tenancy 101.
FAQ
Is STOA production-ready for SMBs?
STOA reached its first production release (v0.1.0) in February 2026. It is running in production at early-adopter companies. As an Apache 2.0 open-source project, you can audit the code, fork it, and run it without vendor lock-in. That said, it is newer than Kong or Gravitee; evaluate based on your risk tolerance.
Can I migrate from AWS API Gateway to a self-hosted option later?
Yes, but plan for it. AWS API Gateway uses AWS-specific features (Lambda integrations, Cognito auth, CloudWatch logging) that do not map directly to any other gateway. Budget for migration work proportional to how deeply you have used AWS-native features.
Which open-source API gateway has the largest community?
Kong has the largest open-source community as of early 2026, followed by Gravitee and STOA. Community size matters for plugin availability, Stack Overflow answers, and ecosystem maturity. If this is a priority, Kong CE has a meaningful head start.
Does STOA work without Kubernetes?
Yes. STOA Gateway can run in standalone mode via Docker Compose. The Kubernetes deployment is recommended for production (for HA and scaling), but is not required for evaluation or smaller deployments.
What happens to my data if I start with STOA and decide to switch later?
STOA uses standard formats throughout: OpenAPI specs for API definitions, JWT/OAuth2 for auth, PostgreSQL for the control plane database. Your API definitions are portable. Your auth configuration can be exported from Keycloak. There is no proprietary data format lock-in.