23 posts tagged with "Tutorial"

Step-by-step guides and how-to articles

AI Gateway Rate Limiting: Token-Aware Quota Strategies

· 13 min read
STOA Team
The STOA Platform Team

AI gateways require specialized rate limiting approaches that account for token consumption, streaming responses, and variable request costs. Traditional request-per-second limits fail to capture the true resource usage of AI workloads. This guide covers token-aware rate limiting strategies, per-tenant quota management, and implementation patterns for production AI gateways.

Defense-in-Depth Security for AI-Native API Gateways

· 8 min read
STOA Team
The STOA Platform Team

STOA Platform secures AI agent API access through five independent layers: mTLS certificate binding, OAuth 2.1 with PKCE, OPA policy evaluation, AI guardrails, and immutable audit logging. Each layer addresses a distinct threat class. Compromise of any single layer does not grant unauthorized access. This article describes the security architecture, threat model, and design rationale for each layer.

stoactl: Manage APIs, Subscriptions, and MCP from Terminal

· 12 min read
STOA Team
The STOA Platform Team

stoactl is the command-line interface for STOA Platform that brings kubectl-style API management to your terminal. Install it with one command, authenticate to your Control Plane API, and manage APIs, subscriptions, and MCP tools without touching the web console—ideal for scripting, CI/CD pipelines, and developers who prefer the terminal.

Week 1 Operations Runbook: Install to Production-Ready

· 10 min read
STOA Team
The STOA Platform Team

You've installed STOA. The health check returns 200. Now what?

The gap between "it runs" and "it's production-ready" is where most setups fail. This runbook covers your first 7 days with STOA — the operational habits that prevent 3am surprises, the monitoring that catches issues before your users do, and the hardening steps that separate a demo from a real deployment.

Circuit Breaker Patterns for API Gateways Explained

· 15 min read
STOA Team
The STOA Platform Team

Circuit breakers are critical resilience patterns that prevent cascading failures in distributed systems by temporarily blocking requests to unhealthy backends. In API gateways, they act as automatic safety switches that detect failures, stop forwarding traffic to failing services, and allow systems time to recover before resuming normal operations.

OAuth 2.1 + PKCE for MCP Gateways: The Complete Flow

· 13 min read
STOA Team
The STOA Platform Team

MCP clients like Claude Desktop and GPT are public clients. They cannot store client secrets. OAuth 2.1 with PKCE (Proof Key for Code Exchange) solves this by replacing the client secret with a cryptographic proof that only the original requester could produce. This article walks through the complete OAuth flow for MCP gateways, including the discovery chain, dynamic client registration, and the production pitfalls we encountered and solved.

Universal API Contract: Define Once, Expose as REST + MCP

· 8 min read
STOA Team
The STOA Platform Team

You define an API once. STOA exposes it as both a REST endpoint and an MCP tool — same policies, same monitoring, zero duplication. That is the Universal API Contract (UAC), and this tutorial walks you through it in 5 minutes.

Most API platforms force you to maintain separate configurations for each protocol: one for REST consumers, another for AI agents via MCP. That means duplicated rate limits, duplicated auth rules, and twice the surface area for misconfiguration. UAC eliminates that.