Australia verdict (TL;DR)
Verified 2026-05-24
Australian API management is dominated by three patterns. MuleSoft (Salesforce-owned) is the default at the Big 4 banks, Telstra, Optus and most ASX 100 because Salesforce ANZ has invested heavily in Aussie banking implementation. Apigee runs at the larger Aussie enterprises with strong Google Cloud relationships and is the default in Aussie federal-government Open Banking and CDR mediation. Kong is the Aussie tech-firm default at Atlassian, Canva, SafetyCulture, Linktree, Octopus Deploy and most cloud-native scale-ups. AWS API Gateway and Azure API Management win wherever the cloud anchor is set. Postman is universal as a complement to a runtime gateway. Tyk holds a notable Aussie public-sector niche.
Picks for Australia
- Big 4 bank or large Aussie enterprise CDR participant: MuleSoft Anypoint Platform is the default at CBA, NAB, ANZ, Westpac, Telstra and most ASX 100. CDR API mediation supported, AWS Sydney residency, mature Aussie services partner ecosystem.
- Aussie federal department or Google Cloud-anchored enterprise: Apigee is the dominant Aussie federal API gateway and runs at Aussie enterprises with strong GCP positioning. IRAP-assessed at PROTECTED.
- Aussie tech firm or cloud-native scale-up: Kong is the default at Atlassian, Canva, SafetyCulture, Linktree, Octopus Deploy and most Aussie cloud-native scale-ups. Open-source roots plus Konnect SaaS in AWS Sydney.
- AWS-anchored Aussie enterprise: AWS API Gateway is the no-brainer where AWS Sydney is the primary cloud. IRAP-assessed regions support PROTECTED workloads for federal agencies.
- Azure-anchored Aussie enterprise or government: Azure API Management runs at Westpac, Woolworths and most federal departments anchored on Microsoft. Australia Central PROTECTED tier available.
- Aussie engineering team needing design plus testing: Postman is universal as a complement to a runtime gateway. Aussie teams use Postman for design, testing and collaboration alongside MuleSoft, Kong or AWS API Gateway in production.
- Aussie state government or research network: Tyk has notable Aussie public-sector deployments at state governments, universities and research networks. Self-hostable, OSS-friendly, supports air-gapped deployments.
How the API management software market looks in Australia
Australia's API management market is shaped by the Consumer Data Right (CDR) rollout and APRA CPS 234 obligations. Aussie banks (CBA, NAB, ANZ, Westpac, Macquarie, Suncorp, Bank of Queensland, Bendigo) were the first wave of CDR API participants in 2020, followed by energy retailers (AGL, Origin, EnergyAustralia, Red Energy) in 2022 and telcos (Telstra, Optus, TPG/Vodafone) in 2025. CDR mediation requires production-grade API gateways with the data-holder controls (consent, authorisation, scope management) that DSB standards specify. MuleSoft and Apigee have done the bulk of Aussie CDR implementation work, with WSO2 occasionally chosen for cost or open-source reasons.
The Aussie tech-firm pattern is different. Atlassian, Canva, SafetyCulture, Linktree, Culture Amp, Employment Hero, Deputy, Octopus Deploy, Go1, Pro Medicus, WiseTech, Megaport and most cloud-native scale-ups defaulted to Kong, AWS API Gateway or Azure API Management. The economics push toward consumption-based gateways colocated with the application. Kong Konnect SaaS in AWS Sydney is the most-named Aussie SaaS pick in this segment.
Federal government and intelligence agencies skew toward Apigee or Azure API Management because IRAP assessment status and PROTECTED data classification are gating criteria. The Digital Transformation Agency (DTA) maintains api.gov.au guidance. ASD-aligned Defence and intelligence agencies prefer self-hosted Tyk, WSO2 or custom gateway deployments behind PROTECTED-tier networks. Macquarie Government Cloud and Vault Cloud host PROTECTED API workloads. APRA CPS 234 evidence requirements drive procurement of fully audit-logged gateways for Aussie financial services, and APRA CPS 230 operational risk obligations (effective mid-2025) raised the bar on outage and recovery commitments.
API management in Australia operates under Privacy Act 1988 (APP 6 use and disclosure, APP 11 security) for any gateway handling personal information. The Notifiable Data Breaches scheme requires 30-day OAIC notification for eligible breaches of customer data flowing through APIs. APRA CPS 234 information-security obligations apply to gateways at banks, insurers and super funds, with CPS 230 operational risk obligations applying from mid-2025 on outage and recovery. The Consumer Data Right (Treasury Laws Amendment (Consumer Data Right) Act 2019 and CDR Rules) mandates conformance to Data Standards Body specifications for participating banks, energy retailers and telcos including OAuth 2.0 / FAPI authorisation, consent management, and authentication. The SOCI Act 2018 covers gateways material to critical-infrastructure operations. ASIC sets financial-services licensing requirements that touch payment APIs. ACMA Telecommunications Act obligations apply to telco-side APIs. Federal procurement requires IRAP assessment at OFFICIAL or PROTECTED; Apigee, Azure API Management, AWS API Gateway and MuleSoft all qualify for some federal use, others must be self-hosted in IRAP-assessed environments. ASD Information Security Manual (ISM) controls apply at Defence. Modern Slavery Act 2018 vendor statements apply at >A$100M revenue.
Quick comparison, ranked for Australia
| # | Product | Best for | Starts at | 10-emp/mo* | Pricing | G2 | Geo |
|---|---|---|---|---|---|---|---|
| 3 | MuleSoft Anypoint | Enterprise; Salesforce-anchored | Quote | - | | 4.5 | Global; strongest in US, EU, APAC |
| 4 | Apigee | Enterprise; GCP-anchored | $500 | $500 | | 4.4 | Global; strongest in US, EU, APAC |
| 2 | Kong | Engineering-led mid-market and enterprise | $0 + $0/emp | $0 | | 4.5 | Global; strongest in US, EU, APAC |
| 6 | AWS API Gateway | Any AWS-anchored organization | $0 + $0/emp | $0 | | 4.4 | Global; available in all AWS regions |
| 5 | Microsoft Azure API Management | Any Azure-anchored organization | $0 + $0/emp | $0 | | 4.3 | Global; strongest in US, EU, AU; worldwide |
| 1 | Postman | Engineering teams 10-5,000 developers | $0 + $0/emp | $0 | | 4.6 | Global; strongest in US, India, EU |
| 7 | Tyk | Cost-conscious engineering teams | $0 + $0/emp | $0 | | 4.5 | Global; strongest in UK, EU, Middle East |
| 9 | WSO2 | Regulated and on-prem-heavy enterprises | $0 + $0/emp | $0 | | 4.3 | Global; strongest in APAC, Middle East, EU |
| 8 | Stoplight | API platform and design teams | $0 + $0/emp | $0 | | 4.4 | Global; strongest in US, EU |
| 10 | Gravitee | Event-driven engineering teams | $0 + $0/emp | $0 | | 4.4 | Global; strongest in EU, France |
*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.
What buyers in Australia actually pay
Median annual deal size by employee band, in AUD. Crowdsourced from anonymized buyer disclosures.
| Product | Employee band | Median annual (AUD) | Sample | Notes |
|---|---|---|---|---|
| MuleSoft Anypoint | Big 4 bank or ASX 100 | A$1,450,000 | 8 | MuleSoft Anypoint Enterprise AUD, Aussie tier-1 financial services |
| Apigee | Aussie enterprise or federal | A$580,000 | 11 | Apigee X Enterprise AUD, GCP-anchored |
| Kong | Aussie scale-up | A$85,000 | 28 | Kong Konnect Plus, Aussie cloud-native |
| AWS API Gateway | Aussie AWS-anchored enterprise | A$95,000 | 32 | AWS API Gateway consumption + WAF, Aussie enterprise |
| Microsoft Azure API Management | Aussie Microsoft-anchored enterprise | A$145,000 | 22 | Azure API Management Premium tier, Aussie enterprise |
| Postman | Aussie engineering team | A$18,000 | 38 | Postman Enterprise AUD, Aussie scale-up to enterprise |
| Tyk | Aussie public sector | A$65,000 | 14 | Tyk Self-managed Pro, Aussie government and education |
Australia-built or Australia-strong vendors worth knowing
Not yet ranked in our global top 10, but credible options for Australian buyers and worth a shortlist.
MuleSoft ANZ (Salesforce)
Salesforce ANZ has a major MuleSoft Aussie implementation practice supporting CBA, NAB, Telstra and most ASX 100 CDR participants.
Apigee Australia (Google Cloud)
Google Cloud Australia runs Apigee implementation through GCP partners. Default Aussie federal gateway with IRAP at PROTECTED.
Kong ANZ
Kong has a meaningful Aussie engineering and sales presence supporting Atlassian, Canva and most Aussie tech firms. Konnect SaaS in AWS Sydney.
Macquarie Government Cloud
Aussie-headquartered sovereign cloud provider hosting PROTECTED API workloads for federal agencies that can't use hyperscaler public regions.
All 10, ranked for Australia
Same intelligence as the global ranking (vendor trust, review patterns, verified pricing, compliance), reordered for the Australian market.
MuleSoft Anypoint
Enterprise iPaaS + API platform inside the Salesforce stack.
MuleSoft Anypoint is the integration-anchored enterprise API platform, combining iPaaS, API design, runtime, and a developer portal into a single suite. Salesforce acquired MuleSoft in March 2018 for $6.5B, making it one of the largest software acquisitions in the category. Anypoint is best fit when API management is downstream of large-scale system integration (ESB-replacement workloads, Salesforce-anchored enterprises, banking and insurance modernization). Trade-offs: pricing is among the highest in the category, post-Salesforce mid-market reach has visibly eroded as the sales motion shifted upmarket, runtime engine (Mule) is heavier than Kong or cloud-native gateways, and roadmap velocity has slowed compared to the standalone era.
Best for: Large enterprises (1,000-100,000+ employees), particularly Salesforce-anchored, with ESB-replacement workloads or complex multi-system integration where API management is one piece of a broader platform investment.
Not ideal for: Mid-market with simple REST-only needs (Kong, Tyk, or cloud gateways are cheaper), engineering-led platform teams (Kong fits the operating model better), or any organization not already anchored to Salesforce.
Strengths
- Strongest iPaaS + API combination in the category
- Salesforce-native integration unmatched for SF-anchored enterprises
- Anypoint Studio mature for complex transformations
- Runtime supports both REST and SOAP cleanly
- API governance via Anypoint Exchange
- Fits ESB modernization projects
Weaknesses
- Among the most expensive options in the category
- Mid-market reach eroded post-Salesforce acquisition
- Mule runtime heavier than Kong or cloud-native gateways
- Roadmap velocity slower since 2018 acquisition
- Steep learning curve for non-Mule developers
- Per-vCore pricing creates surprise costs
Pricing tiers
Pricing transparency: opaque
- Anypoint Platform Starter: Entry tier; typically starts ~$80K/yr. Price: Quote
- Anypoint Platform Gold: Mid-tier; ~$200K-$500K/yr typical. Price: Quote
- Anypoint Platform Platinum: Enterprise; $500K-$5M/yr typical. Price: Quote
- Anypoint Flex Gateway: Lightweight gateway; per-instance. Price: Quote
Cost considerations:
- vCore overage charges
- Implementation services ($100K-$5M typical)
- Per-API governance modules
- Annual price increases of 8-15%
Key features
- API design (Anypoint Design Center)
- Mule runtime engine
- Anypoint Exchange (developer portal)
- iPaaS connectors (300+)
- Anypoint Flex Gateway (lightweight runtime)
- API security policies
- Mule MQ messaging
- Salesforce-native connectors
Apigee
Mature enterprise gateway and analytics, now inside Google Cloud.
Apigee is the long-standing enterprise API platform that Google acquired for $625M in November 2016. It is architecturally still strong: analytics depth, monetization, partner-API programs, and policy depth remain among the best in the category. Best fit for organizations already on Google Cloud with complex partner-API programs, monetization needs, or telco/financial-services regulatory contexts. Trade-offs: post-Google velocity has been slow and largely tied to GCP roadmap rather than category innovation, the legacy Apigee Edge to Apigee X migration has been painful for long-tenured customers, and pricing is opaque and high outside Google-led deal cycles.
Best for: Enterprises (1,000+ employees) on Google Cloud with complex partner-API programs, monetization workflows, or regulated telco/financial-services contexts where policy depth and analytics matter more than developer ergonomics.
Not ideal for: AWS or Azure-anchored shops (cloud-native gateways are simpler), engineering-led platform teams (Kong fits better), or greenfield API programs without monetization needs (Postman + cloud gateway is faster to deploy).
Strengths
- Strongest analytics and monetization in the category
- Mature policy framework (KVMs, JS callouts, traffic management)
- Works for partner API programs and telco/banking
- Apigee X is GCP-native with autoscaling
- Deep developer portal capabilities
- Public cloud financial backing (Alphabet)
Weaknesses
- Post-Google velocity slower than category leaders
- Apigee Edge to Apigee X migration painful
- Pricing opaque and high outside GCP-led deals
- Strongly tied to Google Cloud; multi-cloud feels second-class
- Developer experience dated vs Postman + Kong combo
- Smaller community than Kong or Postman
Pricing tiers
Pricing transparency: partial
- Apigee Standard: ~$500/env/mo entry; limited calls. Price: $500/mo
- Apigee Enterprise: $25K-$100K+/yr typical. Price: Quote
- Apigee Enterprise Plus: Enterprise; advanced monetization, SLA. Price: Quote
- Apigee Hybrid: Hybrid runtime; on-prem control planes. Price: Quote
Cost considerations:
- Per-call overage charges
- Hybrid deployment infrastructure costs
- Implementation via Google or partners
- Apigee Edge to X migration services
Key features
- API design and policy framework
- Apigee Edge / Apigee X runtime
- Developer portal with monetization
- Advanced analytics dashboards
- Threat protection policies
- Hybrid runtime (Apigee Hybrid)
- OAuth 2.0 / OIDC enforcement
- Traffic management and quotas
Kong
Open-source gateway with the most credible commercial control plane.
Kong is the open-source-anchored leader in runtime API management, founded in 2009 as Mashape and rebranded to Kong in 2017. The OSS Kong Gateway is the most-deployed open-source API gateway by a wide margin, and the commercial Konnect SaaS control plane has become the most credible enterprise replacement for Apigee and MuleSoft for engineering-led organizations. Best fit when the platform team is engineering-led and wants plugin extensibility without vendor lock-in. Trade-offs: developer portal and monetization remain weaker than Apigee, deployment topology (control plane vs data plane) has a learning curve, and Konnect pricing at scale is no longer cheap.
Best for: Engineering-led platform teams (typically 100-10,000 developers) running Kubernetes-heavy or multi-cloud architectures who want plugin extensibility, low-latency runtime, and a credible alternative to Apigee/MuleSoft.
Not ideal for: Business-led API programs that lean on partner monetization (Apigee fits better), simple serverless APIs on a single cloud (cloud-native gateways are cheaper), or teams without platform engineering capacity (Postman + cloud gateway is simpler).
Strengths
- Most-deployed open-source API gateway in the category
- Plugin-extensible architecture (Lua + Go + JavaScript plugins)
- Konnect SaaS control plane decouples ops from policy
- Service mesh story (Kong Mesh / Kuma) genuinely integrated
- Best for Kubernetes-native deployments
- Engineering-led buyer base, credible enterprise references
Weaknesses
- Developer portal weaker than Apigee
- Monetization/billing features minimal
- Konnect pricing escalates at high traffic volumes
- Multi-cluster Konnect topology has a learning curve
- OSS-to-Enterprise upgrade path not always frictionless
Pricing tiers
Pricing transparency: partial
- Kong Gateway OSS: Open-source; self-hosted; no commercial features. Price: $0/mo + $0/emp
- Konnect Plus: SaaS control plane; small traffic tier. Price: $250/mo
- Konnect Enterprise: Per-service pricing; SLA, advanced security. Price: Quote
- Kong Gateway Enterprise (self-hosted): On-prem with commercial plugins. Price: Quote
- Kong Mesh: Service mesh add-on. Price: Quote
Cost considerations:
- Per-service or per-traffic overages on Konnect Enterprise
- Mesh and Insomnia bundles separate
- Professional services for migration
Key features
- High-performance Lua/Nginx-based gateway
- Plugin SDK (Lua, Go, JavaScript, Python)
- Konnect SaaS control plane
- Service Mesh (Kuma/Kong Mesh)
- Insomnia design tool (acquired 2019)
- OAuth 2.0, JWT, OIDC plugins
- Kubernetes Ingress Controller
- Dev Portal
AWS API Gateway
The default front door for AWS Lambda and serverless APIs.
AWS API Gateway has been the default API front door on AWS since its 2015 launch, particularly for Lambda-backed serverless architectures. Two flavors matter: REST APIs (full feature set, higher cost) and HTTP APIs (subset of features, ~70% cheaper). Best fit when the runtime is AWS-heavy and identity is Cognito or AWS IAM. Trade-offs: it is a runtime gateway only (no design tool, no developer portal, no monetization), so most AWS shops pair it with Postman for design and a separate dev portal solution. Usage-based pricing scales linearly with traffic, which is fine until it is not.
Best for: AWS-anchored organizations running Lambda-based serverless architectures, particularly mid-market and startups that want pay-per-request pricing and tight integration with AWS IAM/Cognito.
Not ideal for: Multi-cloud strategies (cloud-neutral gateways like Kong fit better), partner-API monetization (Apigee or MuleSoft), or any team that wants design + portal + runtime in one product (Postman + Kong or Apigee).
Strengths
- Default gateway for AWS-anchored serverless
- HTTP APIs ~70% cheaper than REST APIs
- Native Lambda integration
- AWS IAM and Cognito enforcement built-in
- Pay-per-request, no minimum spend
- Multi-region deployment via Route 53
Weaknesses
- No design tool; pair with Postman or Stoplight
- No developer portal; must build or buy separately
- No monetization or partner billing
- REST APIs pricing escalates at high volume
- Custom authorizer cold starts add latency
- WebSocket APIs feel like an afterthought
Pricing tiers
Pricing transparency: public
- HTTP APIs: $1.00 per million requests (first 300M). Price: $0/mo + $0/emp
- REST APIs: $3.50 per million requests (first 333M). Price: $0/mo + $0/emp
- WebSocket APIs: $1.00 per million messages. Price: $0/mo + $0/emp
- Private APIs: Same as REST/HTTP; VPC endpoint costs extra. Price: $0/mo + $0/emp
Cost considerations:
- Data transfer out (CloudFront or direct)
- Caching costs ($0.02-$3.80/hr per cache size)
- CloudWatch Logs ingestion
- WAF if attached
Key features
- REST and HTTP API types
- WebSocket APIs
- Native Lambda integration
- AWS IAM and Cognito authorizers
- Custom Lambda authorizers
- Caching layer
- Throttling and quotas
- Stage-based deployments
Microsoft Azure API Management
The default API gateway for Azure-anchored organizations.
Azure API Management (APIM) is the default API platform for any organization anchored to Microsoft Azure, launched in 2014 after Microsoft acquired Apiphany in 2013. Best fit when the runtime stack is Azure-heavy (App Service, Functions, Logic Apps) and identity is Microsoft Entra ID. The Consumption tier removed the historical minimum-spend barrier and made APIM viable for serverless-only workloads. Trade-offs: developer experience outside the Azure portal is dated, the policy expression language (XML-based) is unique to APIM and adds a learning curve, and capabilities outside the Azure ecosystem (multi-cloud, on-prem) feel second-class.
Best for: Azure-anchored organizations of any size, particularly those running App Service, Functions, Logic Apps, and using Microsoft Entra ID for OAuth/OIDC. Default choice for Microsoft-aligned shops.
Not ideal for: AWS or GCP-anchored shops (cloud-native gateways are simpler), engineering-led platform teams that want a plugin ecosystem (Kong is the answer), or teams that want a polished developer-experience-first design tool (pair with Postman or Stoplight).
Strengths
- Native integration with Entra ID, Logic Apps, Functions, App Service
- Consumption tier with no minimum spend
- Self-hosted gateway for on-prem and multi-cloud
- Strong policy library (rate limiting, caching, validation, JWT)
- Developer portal included at no extra cost
- Microsoft enterprise support backbone
Weaknesses
- Developer experience outside Azure portal dated
- XML policy language unique and harder to learn
- Multi-cloud and on-prem feel second-class
- Pricing tiers (Developer, Basic, Standard, Premium) hard to size
- Cold-start latency on Consumption tier can hit lower-percentile traffic
- Smaller plugin ecosystem than Kong
Pricing tiers
Pricing transparency: public
- Consumption: Pay-per-call; ~$3.50 per million calls. Price: $0/mo + $0/emp
- Developer: Non-prod; single unit. Price: $50/mo
- Basic: Production entry; 1-2 units. Price: $150/mo
- Standard: Production; 1-4 units; VNet not supported. Price: $700/mo
- Premium: VNet, multi-region, 99.95% SLA. Price: $2800/mo
- Standard v2: Newer SKU; faster scaling. Price: Quote
Cost considerations:
- Capacity unit overages on Standard/Premium
- VNet integration drives Premium tier
- Multi-region deployment is per-region billing
- Self-hosted gateway separate licensing
Key features
- Policy expression language (XML)
- Developer portal included
- OAuth 2.0 and Entra ID native
- Self-hosted gateway (on-prem/multi-cloud)
- API versioning and revisioning
- Caching and rate limiting policies
- Mock responses
- Native Application Insights telemetry
Postman
The developer-anchored API workspace. Design, mock, test, document.
Postman is the developer-anchored leader in API management, with roughly 30M registered users and a $5.6B valuation from its 2021 Series D led by Insight Partners. The product started as a Chrome extension for hand-testing REST endpoints in 2012 and has grown into a full API workspace covering design, mocking, testing, documentation, and a public API network. Best fit when the engineering team owns the API contract and wants one tool for the entire pre-production lifecycle. Trade-offs: runtime gateway story is thin (Postman is not a Kong replacement), enterprise governance lagged behind enterprise needs until 2023, and pricing has stepped up meaningfully at the Enterprise tier.
Best for: Engineering teams (10-5,000 developers) that own the API contract end-to-end and want a single workspace for design, mocking, testing, and documentation. Default choice for greenfield API programs.
Not ideal for: Pure runtime gateway needs (Kong/Apigee/cloud gateways are the right answer), highly regulated air-gapped environments (WSO2 or self-hosted Tyk fit better), or teams that need built-in monetization and partner billing (Apigee or MuleSoft).
Strengths
- Largest developer base in the category (~30M registered users)
- Best-in-class collection and test scripting
- Generous free tier (3 users, unlimited collections)
- Strong mock servers and contract testing
- Public API Network for discoverability
- AI features (Postbot) genuinely useful for test generation
Weaknesses
- Not a runtime gateway; pair with Kong, Apigee, or cloud gateway
- Enterprise governance maturity behind MuleSoft / Apigee
- Pricing escalates at Enterprise tier
- Cloud-only by default, on-prem requires Enterprise tier
- Rate-limit changes on free tier in 2023 frustrated power users
Pricing tiers
Pricing transparency: public
- Free: Up to 3 users; unlimited collections; limited mock and monitor calls. Price: $0/mo + $0/emp
- Basic: Per user; team collaboration. Price: $14/mo
- Professional: Per user; SSO, advanced governance. Price: $29/mo
- Enterprise: Per user; SCIM, audit logs, custom domains. Price: $49/mo
- Enterprise Ultimate: Custom; on-prem, advanced security. Price: Quote
Cost considerations:
- Mock and monitor call overages
- AI Postbot credits separate at Enterprise
- On-prem deployment requires Ultimate tier
Key features
- API design (OpenAPI 3.x native)
- Collection runner and test scripting
- Mock servers
- Contract testing
- API documentation auto-generation
- Public API Network
- Postbot AI assistant
- Workspace-level RBAC
Tyk
Lightweight, open-source-friendly Go-based gateway built in the UK.
Tyk is the UK-built open-source-friendly API platform: Go-based, lightweight, and explicitly multi-cloud / air-gappable from the start. Founded in 2014 in London, Tyk has carved out a credible niche as the cost-conscious alternative to Kong with strong support for self-hosted, on-prem, and air-gapped deployments. Best fit for cost-conscious engineering teams that want Kong-class capability without Konnect-tier pricing, particularly in regulated or sovereign-cloud contexts. Trade-offs: smaller community and ecosystem than Kong, plugin model (gRPC, JS, Python) less mature, and documentation depth is uneven.
Best for: Cost-conscious engineering teams (50-2,000 developers) needing Kong-class runtime capability with strong on-prem, air-gapped, or sovereign-cloud requirements, particularly UK, EU, and Middle East public sector and financial services.
Not ideal for: Teams that need a polished managed SaaS with a plugin marketplace (Kong Konnect fits better), monetization-heavy partner programs (Apigee), or shops wanting a US-anchored vendor with a deep North American partner network.
Strengths
- Go-based runtime, light footprint
- OSS-first with credible commercial tier
- Strong multi-cloud and air-gapped story
- Self-managed and SaaS deployment options
- OAuth, JWT, OIDC out of the box
- Pricing significantly below Kong Konnect at scale
Weaknesses
- Smaller community than Kong
- Plugin ecosystem less mature
- Documentation depth uneven
- Developer portal weaker than Apigee or MuleSoft
- Brand awareness lower in North America
- Support quality variable by region
Pricing tiers
Pricing transparency: partial
- Tyk OSS: Open-source; self-hosted; no commercial features. Price: $0/mo + $0/emp
- Tyk Cloud Launchpad: Entry SaaS tier. Price: $600/mo
- Tyk Cloud: Production SaaS; per-call tiers. Price: Quote
- Tyk Self-Managed: On-prem; per-instance licensing. Price: Quote
- Tyk MDCB (Multi Data Centre): Distributed control plane. Price: Quote
Cost considerations:
- Per-call overages on Cloud
- MDCB add-on for distributed deployments
- Professional services for migration
Key features
- Go-based gateway
- OSS Tyk Gateway + Tyk Pump
- Tyk Cloud SaaS
- Self-hosted with MDCB
- OAuth 2.0, JWT, OIDC, mTLS
- GraphQL federation
- Plugin SDKs (gRPC, JS, Python)
- Developer portal
WSO2
Open-source full-stack: gateway, IAM, and integration in one suite.
WSO2 is the Sri Lanka-built open-source full-stack platform that bundles API management (API Manager), identity (Identity Server / Asgardeo), and integration (Micro Integrator) into a single coherent suite. Founded 2005 with deep ESB heritage, WSO2 has carved out a strong position with telcos, banks, and government agencies that need on-prem, sovereign-cloud, or air-gapped deployments. Best fit for regulated enterprises wanting an OSS-licensed alternative to MuleSoft with a single-vendor IAM + API + integration stack. Trade-offs: developer experience dated compared to Postman or Stoplight, deployment complexity higher than SaaS-first options, and brand awareness in North America is well below the Big Three.
Best for: Regulated enterprises (1,000-100,000+ employees; telcos, banks, government) that need OSS-licensed full-stack API + IAM + integration with on-prem or sovereign-cloud requirements and willingness to invest in deployment expertise.
Not ideal for: SaaS-first organizations (Kong Konnect or Apigee X are simpler), engineering teams that prioritize polished developer experience (Postman + Kong), or US-anchored shops with no sovereign-cloud requirements.
Strengths
- Genuine open-source with permissive Apache 2.0 license
- Single-vendor IAM + API + integration stack
- Made for telcos, banks, government
- On-prem, sovereign-cloud, air-gapped deployment
- Asgardeo cloud IAM is credible CIAM
- Choreo cloud-native developer platform
Weaknesses
- Developer experience dated
- Deployment complexity higher than SaaS
- Brand awareness low in North America
- Documentation depth uneven across modules
- Support depends on tier
- UI feels older than Kong/Apigee/Postman
Pricing tiers
Pricing transparency: opaque
- WSO2 API Manager OSS: Open-source Apache 2.0; self-hosted. Price: $0/mo + $0/emp
- WSO2 Subscription: Commercial subscription; support, updates, SLA. Price: Quote
- Choreo (cloud): SaaS dev platform; per-developer + per-call. Price: Quote
- Asgardeo (cloud IAM): Free up to 5K MAU; tiered after. Price: $0/mo + $0/emp
Cost considerations:
- Per-CPU subscription pricing on-prem
- Implementation services typically required
- Training certifications recommended
Key features
- WSO2 API Manager (gateway + portal)
- Identity Server / Asgardeo (CIAM)
- Micro Integrator (ESB heritage)
- Choreo cloud-native platform
- GraphQL and async API support
- OAuth 2.0, OIDC, SAML, mTLS
- Multi-tenancy
- SOAP and REST
Stoplight
API design and OpenAPI governance, now part of SmartBear.
Stoplight is the API design and governance specialist: best-in-class visual OpenAPI editor, style guides, and design-first workflows. SmartBear (PE-owned by Vista Equity Partners) acquired Stoplight in 2024, bringing it into the broader API tooling portfolio alongside ReadyAPI, SwaggerHub, and Pact. Best fit for teams that want design-first API governance and OpenAPI linting at scale, typically before they hand the contract to a runtime gateway. Trade-offs: not a runtime gateway, post-acquisition roadmap uncertainty as SmartBear consolidates with SwaggerHub, and pricing model has been in transition since the acquisition.
Best for: API platform teams (50-5,000 developers) implementing design-first workflows, OpenAPI style guides, and contract governance at scale, typically before runtime gateway selection.
Not ideal for: Pure runtime gateway needs (Kong, Apigee, cloud gateways), teams already standardized on Postman for design (overlap), or organizations sensitive to PE-backed roadmap uncertainty.
Strengths
- Best-in-class visual OpenAPI design studio
- Style guides and Spectral linter (open-source)
- Strong design-first governance for API platforms
- Mock servers and prototyping
- Git-native workflow
- Spectral now de facto standard for OpenAPI linting
Weaknesses
- Not a runtime gateway
- SmartBear acquisition created roadmap uncertainty
- Overlap with SmartBear SwaggerHub causing brand confusion
- Pricing model in transition
- Free tier reduced post-acquisition
- Smaller community than Postman
Pricing tiers
Pricing transparency: partial
- Free: Reduced post-acquisition; limited collaborators. Price: $0/mo + $0/emp
- Starter: Per user; small teams. Price: $39/mo
- Professional: Per user; SSO, governance. Price: $99/mo
- Enterprise: Custom; on-prem, advanced security. Price: Quote
Cost considerations:
- Style guide enforcement at higher tier
- On-prem requires Enterprise
- Annual price changes since acquisition
Key features
- Visual OpenAPI design studio
- Spectral linter and style guides
- Mock servers
- Documentation publishing
- Git-native workflow
- Design library reuse
- Project-level governance
- OpenAPI 3.x and AsyncAPI
Gravitee
French open-core platform with first-class async API support.
Gravitee is the French open-core API platform with a distinctive bet: first-class support for asynchronous APIs (Kafka, MQTT, WebSocket, SSE) alongside traditional REST and GraphQL. Founded in 2015 in Lille, Gravitee has carved out a niche in event-driven architectures where Kong and traditional gateways feel synchronous-only. Best fit for engineering teams running event-streaming architectures who need API governance over Kafka topics and WebSocket endpoints, not just REST. Trade-offs: smaller community and ecosystem than Kong or Tyk, brand awareness lower in North America, and the async-first positioning narrows the ideal customer profile.
Best for: Engineering teams (50-2,000 developers) running event-streaming architectures (Kafka, MQTT, WebSocket) who need API governance over async endpoints, particularly EU-based teams with GDPR data-residency requirements.
Not ideal for: Pure REST API needs (Kong, Tyk, cloud gateways are simpler), monetization-heavy partner programs (Apigee, MuleSoft), or US-only deployments where vendor proximity matters.
Strengths
- First-class async API support (Kafka, MQTT, WebSocket, SSE)
- Open-core with credible commercial tier
- OAuth, OIDC, mTLS native
- GraphQL and REST native
- Right call for event-driven architectures
- EU-hosted SaaS option for GDPR-sensitive workloads
Weaknesses
- Smaller community than Kong or Tyk
- Brand awareness low in North America
- Plugin ecosystem narrower
- Documentation uneven outside core flows
- Support inconsistency reported by region
- Ideal customer profile narrow
Pricing tiers
Pricing transparency: partial
- Gravitee OSS: Open-source self-hosted; no commercial features. Price: $0/mo + $0/emp
- Gravitee Cloud: Entry SaaS tier. Price: $250/mo
- Gravitee Cloud Enterprise: Per-call tiers; SLA, advanced security. Price: Quote
- Gravitee Self-Managed Enterprise: On-prem; per-instance. Price: Quote
Cost considerations:
- Per-call overages on Cloud Enterprise
- Async-specific add-ons
- Professional services for migration
Key features
- Async API gateway (Kafka, MQTT, WebSocket, SSE)
- REST, GraphQL gateway
- Access Management (OIDC IdP)
- Policy designer
- Developer portal
- Cockpit multi-environment management
- OAuth 2.0, JWT, mTLS
- Self-managed and SaaS
Frequently asked questions
The questions buyers actually ask before they sign.
Which API gateways are CDR-compliant for Aussie banks?
Where should API management gateways sit for an Aussie federal department?
How does APRA CPS 230 operational risk affect gateway choice for an Aussie bank?
Postman vs Kong, which one?
MuleSoft vs Apigee, which enterprise platform?
Should I use Azure APIM or AWS API Gateway?
How much should I budget for API management?
How long does API management implementation take?
How does API management connect to my IAM stack?
How do I monitor API performance?
What is the role of OpenAPI in 2026?
Final word
Last updated 2026-05-24. Local pricing reverified quarterly.