Frequently Asked Questions

Honest answers to skeptical questions about STOA's open source model.

Licensing & Protection

Why Apache 2.0 instead of BSL or SSPL?

Short answer: We chose community over control.

Long answer: BSL (Business Source License) and SSPL say "we trust you, but not that much." Result? OpenTofu forked HashiCorp in 3 months. ElasticSearch became OpenSearch.

We do Apache 2.0 with redistribution. Protection isn't the license — it's:

Trademark — "STOA" is registered with INPI
45% redistribution — Creates loyalty
Ecosystem — MCP bindings, UAC templates, community

You want a license that scares people, or a community that wants to stay?

What stops AWS from forking STOA tomorrow?

They can. But:

Trademark protection — They can't call it "STOA" (INPI registered ✅)
No certification access — Without certification, no partner program
Ecosystem stays here — MCP bindings, UAC templates, integrations
Contributors paid HERE — Why would they leave?

AWS forked Elasticsearch amid a licensing dispute. We aim to share value directly with contributors. Why would anyone leave?

Kubernetes had Google with $3M/year. What do you have?

Google gave $3M so K8s stays neutral and no one controls it.

We do the opposite: we keep control AND redistribute 45% to contributors and the foundation. That's more generous than Google proportionally.

The real comparison:

	Kubernetes	STOA
Initial investment	$3M from Google	Bootstrap
Control	CNCF (neutral)	HLFH (aligned)
Contributor rewards	Reputation only	15% revenue share
Foundation funding	Corporate sponsors	10% revenue

Business Model

How do you make money with Apache 2.0?

Same as Red Hat, Confluent, HashiCorp (before BSL):

Enterprise Support — SLAs, dedicated support, custom integrations
Managed Service — STOA Cloud (coming 2027)
Certification — Developer and architect certifications
Training — Workshops, onboarding, consulting
Partner Program — Revenue share with integrators

The code is free. The expertise, support, and convenience are not.

What if a competitor offers the same service cheaper?

They can try. But:

We know the code best — We wrote it
Upstream patches — Security fixes available from the source
Community trust — Contributors work with us, not against us
Roadmap influence — Enterprise customers shape the product

Red Hat has competitors offering "free" RHEL support. Red Hat still dominates. Same principle.

Is this sustainable long-term?

The model is designed to be self-sustaining: as enterprise revenue grows, all pools (foundation, maintainers, contributors, operations) grow proportionally. No VC dependency. No "pivot to enterprise" bait-and-switch.

Contributors

Where's the actual point schedule? Is this vaporware?

It's documented right here on docs.gostoa.dev/community/rewards.

Every quarter, we publish:

The available pool
Points for each contributor
Payments made

Full transparency. Want to see the spreadsheet? It's a Google Sheet for now, but the intention is clear.

How do you prevent gaming the system?

Three mechanisms:

Tier system — AI-easy contributions (typos, basic refactors) earn less
Automatic detection — Patterns like PR spam, unusual volume
Reputation multiplier — History of quality work earns more

Plus: 30% of contributors can veto any scoring change.

What about invisible work like mentoring and triage?

We track it explicitly:

Contribution	Points
Issue triage + reproduction	5
Community help (Discord)	2 per response
Mentoring (documented)	20 per session
RFC writing	100

Invisible work isn't invisible anymore.

Governance

Who decides what gets built?

Layered governance:

Constitution (immutable) — Core principles, requires 2/3 majority + 1 year notice to change
Laws (stable) — Value dimensions, weights, requires simple majority + 3 months notice
Regulations (adaptive) — Specific metrics, quarterly review by council

What's the Value Evolution Council?

7-seat governing body:

Seats	Term	Role
3 elected contributors	2 years	Community voice
2 domain experts	2 years	Technical + community
1 external advisor	1 year	Challenge assumptions
1 rotating newcomer	6 months	Fresh perspective

Constraints:

No organization > 2 seats
At least 2 non-EU members
At least 2 indie contributors

Can you just change the rules whenever you want?

No. The Constitution is designed to prevent that:

Principles require 2/3 majority + 1 year notice + ratification
Laws require simple majority + 3 months notice
Regulations require council + 2 weeks feedback

Plus: all changes go through gradual transition periods. No sudden rug pulls.

Technical

What is MCP and why does STOA support it?

MCP (Model Context Protocol) is an open standard by Anthropic that lets AI agents discover and call tools. STOA acts as an MCP gateway — it exposes your existing APIs as MCP tools so AI agents can use them securely, with authentication, rate limiting, and audit trails.

In short: MCP is how AI agents talk to APIs. STOA makes that conversation secure and governed.

See our MCP Gateway guide for more details.

What is UAC (Universal API Contract)?

UAC is STOA's "Define Once, Expose Everywhere" approach. You write one API contract and STOA automatically generates:

REST/OpenAPI bindings
MCP tool definitions
GraphQL schemas (planned)
gRPC service definitions (planned)

This means you define your API surface once and expose it through any protocol. See the UAC concept page.

Can I run STOA on-premises?

Yes. STOA is designed for hybrid deployment:

Control Plane can run in the cloud or on-premises
Data Plane (STOA Gateway) runs wherever your APIs are — on-prem, cloud, or edge
No phone-home — the gateway operates independently

See the deployment guide for architecture details.

What API gateways can STOA replace or complement?

STOA works alongside existing gateways (Kong, Gravitee, Apigee, webMethods, AWS API Gateway, Azure APIM) through its adapter system. You don't need to rip and replace — STOA orchestrates your existing gateways from a single control plane.

See our migration guides for specific gateway transitions.

What's the tech stack?

Component	Technology
Control Plane API	Python 3.11, FastAPI, SQLAlchemy
Console UI	React 18, TypeScript, Vite
Developer Portal	React 18, TypeScript, Vite
STOA Gateway	Rust (Tokio, axum)
Auth	Keycloak (OIDC/OAuth 2.1)
Observability	OpenTelemetry, Prometheus, Grafana

Still Skeptical?

Good. Skepticism is healthy.

Here's what we ask:

Watch us — Follow our quarterly reports
Challenge us — Ask hard questions in Discord
Verify us — The dashboard will be public
Judge us by results — First distributions when enterprise revenue arrives

We'd rather earn your trust than demand it.

Have a question not answered here? Ask in #questions on Discord or email hello@gostoa.dev

Licensing & Protection​

Why Apache 2.0 instead of BSL or SSPL?​

What stops AWS from forking STOA tomorrow?​

Kubernetes had Google with $3M/year. What do you have?​

Business Model​

How do you make money with Apache 2.0?​

What if a competitor offers the same service cheaper?​

Is this sustainable long-term?​

Contributors​

Where's the actual point schedule? Is this vaporware?​

How do you prevent gaming the system?​

What about invisible work like mentoring and triage?​

Governance​

Who decides what gets built?​

What's the Value Evolution Council?​

Can you just change the rules whenever you want?​

Technical​

What is MCP and why does STOA support it?​

What is UAC (Universal API Contract)?​

Can I run STOA on-premises?​

What API gateways can STOA replace or complement?​

What's the tech stack?​

Still Skeptical?​