I’ve been a paying Kong customer, a Tyk-on-prem operator, a reluctant Apigee admin, and most recently the engineer who ripped APISIX in to replace a Kong cluster that had outgrown a mid-market budget. So when teams ask me “which API gateway should we pick in 2026,” my honest answer is that the question itself has changed. It’s not “which one has the most plugins” anymore. It’s “which one will I still be okay running in three years when our RPS is 5x and our budget hasn’t moved.”
That framing matters because every gateway on the shortlist below can route a request, validate a JWT, and enforce a rate limit. They diverge on what happens when you scale, when your CFO reads the invoice, or when your platform team has to extend the thing without writing a Lua module on a Friday night.
Why the gateway market shifted in 2025–2026
Three things actually changed.
Kong re-tiered Konnect in 2025. Most teams now hit either Konnect Plus (consumption-based, roughly $105/month per gateway service plus ~$34 per million requests at last published rates) or a custom Enterprise quote. Mid-sized deployments commonly land in the $50K–$120K/year range; large multi-region setups push $150K–$300K+. None of those numbers are scandalous on their own — they just expose the gap between Kong-the-OSS-project and Kong-the-vendor much more sharply than they used to.
Apigee bills kept doing what Apigee bills do, which is to creep into the $80K–$150K/year band even at fairly modest throughput once you turn on the analytics and lifecycle features that justify having Apigee in the first place. In a year where every CFO is auditing cloud spend, a lot of those renewals turned into evaluations.
And APISIX quietly stopped being a “promising challenger.” On independent benchmarks it now sits around 23K QPS per core at sub-millisecond latency, against roughly 16K RPS at ~3.5ms p99 for Kong on comparable hardware. Combine that with a fully open-source plugin set under Apache 2.0 (no enterprise paywall to unlock JWT-with-claims-mapping or whatever else used to be paid-only on the incumbent) and “let’s just use APISIX” stopped being a hot take.
There’s also a fourth thing nobody quite knows how to position yet: the MCP era. Every serious gateway is now shipping an “AI traffic” story — Kong’s AI Gateway plugin, Apigee’s MCP server integration, OSS bridges in front of APISIX. We’ll get to whether any of that is real or just marketing.
What an API gateway actually does in 2026
Strip the marketing away and the job is unchanged: front your services, do auth (OAuth/OIDC/JWT/mTLS), rate-limit by something more useful than IP, transform payloads at the edge, emit traces and metrics, and let you ship config without a redeploy. Optionally, mediate traffic to LLMs with per-model quotas and prompt-cache awareness.
If you’re picking a gateway because of routing or because somebody mentioned circuit breakers in a meeting, you’re picking for the wrong reasons. Routing is solved. The interesting question is who owns the control plane, where state lives, and what your day-2 operations look like at 6 AM.
Kong: the incumbent, with a pricing problem
Kong is still the safe pick on paper. Plugin ecosystem in the 300+ range, 15M+ Docker pulls, every consultancy on Earth knows it, and Konnect’s hosted control plane is genuinely pleasant to operate. If your auditors want vendor logos, Kong has them.
The catch isn’t technical — Kong on OpenResty is fast and battle-tested, and Konnect’s data-plane proxies stay in your VPC so you don’t trade away latency for SaaS convenience. The catch is what gets locked behind Enterprise. Mutual TLS for upstreams, advanced rate-limit algorithms, OIDC with claims-based access, key vault integration with HashiCorp Vault, Kong’s own AI Gateway — these are the things mid-market teams actually want, and the Enterprise quote is where the math gets ugly.
I’d still pick Kong if (a) you’re a 200+ engineer org with a real platform team, (b) you already pay Datadog and Snowflake without thinking, and (c) you want a vendor on the other end of a phone at 3 AM. For everyone else, I think Kong is the wrong default in 2026 — not because the product got worse, but because the alternatives got good enough that paying Kong’s premium needs an actual justification.
One specific gotcha if you self-host: the Postgres-or-Cassandra control plane is the single most common source of “why is our gateway flapping at 2 AM” tickets I’ve seen. The DB-less mode helps, but then you’re shipping declarative config and you’ve inherited GitOps homework. Konnect side-steps this, which is genuinely worth something.
Apigee: powerful, expensive, and harder to leave than you’d like
Apigee is the gateway that gets bought, not chosen. It usually shows up in environments where Google Cloud already owns the org chart, or where a previous procurement cycle bundled it with something else. The product itself is dense — full API lifecycle management, developer portal, monetization, analytics that real product managers actually use, and a security policy framework that an enterprise security team can sign off on without a fight.
The bill is the headline. Pay-as-you-go starts cheap and ends expensive, and Subscription tiers reward teams that can predict traffic 12 months out — which, in my experience, almost no API team can. Apigee X (the current generation) routinely runs $30K–$150K/year, and that’s before you start adding regions or the higher analytics tiers.
The Apigee MCP integration is the most interesting thing Google has shipped on the platform in a while. If your AI workloads will all flow through Vertex AI, having Apigee in front of them as the MCP control point is a coherent story. If your AI strategy is “whatever the latest model is, from whoever has it cheapest,” that story is much weaker — and you’re better off in a gateway that doesn’t take a position on which cloud you live in.
My honest read: if Apigee is already in your stack, the migration math rarely favors leaving. If it isn’t, in 2026 I wouldn’t bring it in unless you have a specific compliance or developer-portal requirement that the open-source contenders genuinely can’t meet.
Tyk: the underrated middle ground
Tyk gets less attention than it deserves. It has the full management suite — dashboard, developer portal, analytics, key management — that you’d otherwise have to assemble around Kong OSS or APISIX, and the licensing is friendlier than Kong’s. Their GraphQL support and universal data graph features are legitimately ahead of the Kong/APISIX pack if that’s part of your architecture.
The trade-off is community size. Tyk’s plugin ecosystem is real but smaller, and Stack Overflow answers run thinner when you hit weird edges. You’ll write more middleware yourself, in Go or via the gRPC plugin bridge, and you should price that engineering time into the comparison.
Tyk Cloud is reasonable, but the architectural sweet spot is self-hosted Tyk in a smaller org where you want a dashboard out of the box and don’t want to build one on top of APISIX. That’s a narrower band than the Tyk team would like, but it’s a real band, and the teams I know who picked Tyk three years ago aren’t regretting it.
APISIX: where I’d start a greenfield deployment today
If I were standing up a new API platform tomorrow, with no incumbent and no political pressure, I’d reach for APISIX and not look back.
The performance numbers aren’t a small edge — 23K QPS per core at 0.2ms p99 against Kong’s ~16K at ~3.5ms is the kind of gap that becomes a hardware-cost line item at scale. The control plane is etcd, not Postgres, which is one fewer stateful service to babysit and hot-reloads in milliseconds instead of restart cycles. Plugins cover gRPC, WebSocket, Dubbo, and traffic-split scenarios that Kong charges enterprise rates for.
The honest weaknesses: the admin UI (APISIX Dashboard) is functional but doesn’t have the polish of Konnect, the documentation has a real Chinese-to-English translation seam in places, and if your platform team’s Lua bench is shallow you’ll find writing custom plugins more friction than the OpenResty-via-Kong path. API7.ai sells a commercial support and managed product if you need a throat to choke, and they’re competent, but the relationship between the company and the Apache project has more nuance than the vendor pitch admits.
The thing nobody mentions: APISIX’s dynamic-via-etcd config is operationally different from “edit Kong config and SIGHUP.” It’s better — config changes propagate in single-digit milliseconds across the cluster — but your runbooks need to reflect that you can no longer “just restart it.” Most teams figure this out within the first week.
KrakenD: stop using a swiss army knife to make sandwiches
KrakenD is the gateway I recommend most often and the one teams most often dismiss too early. It’s a stateless Go binary with JSON config and no database. It does not have a fancy admin UI. It is not trying to be a full API management platform.
What it is, ridiculously well: a BFF and aggregation layer. If your API gateway’s actual job is “compose 4 backend calls into one mobile-friendly response, enforce auth and rate limits, ship metrics,” KrakenD will do it at roughly 18K RPS per node with single-digit-millisecond p99, deploy as a container with no sidecar dependencies, and never page you because etcd hiccuped.
I’ve moved two production workloads off Kong onto KrakenD specifically for this use case, and in both cases the gateway tier’s infra bill dropped by more than half because the per-node throughput went up and the control-plane services went away entirely. The cost was that we lost Kong’s plugin ecosystem — but we weren’t using most of it anyway, and the things we did use (JWT validation, rate limiting, request transformation) are first-class in KrakenD’s config language.
Pick KrakenD if your gateway is doing BFF / aggregation work and you don’t need dynamic per-tenant config. Don’t pick it if you need a developer portal, monetization, or 200 internal teams self-serving their own routes — that’s not what it’s for, and you’ll be unhappy.
The honorable mentions
Traefik is the right answer if you’re Kubernetes-native and your “API gateway” is mostly ingress with a few middlewares. Don’t overbuy.
Envoy is a proxy, not a gateway, but you’ll meet it as the data plane inside Istio, Consul, and most service meshes. If you’ve already adopted a mesh, the gateway question gets weirder — Istio’s IngressGateway covers a lot of what people use Kong for.
AWS API Gateway, Azure APIM, and Google Cloud’s API Gateway are all fine if you’ve fully committed to one cloud and don’t care about portability. The lock-in is real, the cost-per-request math gets ugly above ~50M requests/month, and the feature gap with the dedicated gateways above is wider than the cloud marketing pages suggest.
Zuplo is the interesting newcomer — programmable JavaScript gateway with deploy-from-Git ergonomics. Worth a look for teams whose platform engineers think in TypeScript, not Lua or Go.
Performance and pricing, side by side
Rough numbers I’d plan against for a 2026 evaluation (verify on your own workload — these are starting points, not commitments):
| Gateway | RPS/core (typical) | p99 latency | Self-hosted infra | Commercial reality |
|---|---|---|---|---|
| Kong OSS | ~16K | ~3.5ms | Postgres or DB-less + GitOps | Konnect Plus from ~$105/svc/mo; Enterprise $50K–$300K+/yr |
| Apigee X | Lower; API-mgmt-first | ~5–10ms typical | N/A (managed) | $30K–$150K+/yr |
| Tyk | ~14K–18K | ~2–4ms | Redis + Mongo (or Postgres) | OSS free; Cloud and self-managed licenses moderate |
| APISIX | ~23K | ~0.2ms | etcd | OSS free; API7 commercial support optional |
| KrakenD | ~18K | <2ms | None (stateless) | OSS free; Enterprise license modest |
Numbers vary hugely by workload, plugin chain, and hardware. Two things stay true across most benchmarks I’ve seen: APISIX wins per-core throughput by a meaningful margin, and KrakenD wins absolute latency on aggregation-shaped workloads because it doesn’t talk to a database in the hot path.
For pricing, the only universally-true statement is that self-hosted OSS is “free” the way a puppy is free. Budget at least 0.25–0.5 FTE for any of these in production, regardless of which one you pick.
The MCP / AI gateway angle
This is where the marketing has gotten ahead of the reality, but the use case is genuine. If you’re putting LLM calls behind a gateway, you want: per-model rate limits, prompt caching for repeated system prompts, token-cost observability, retry-with-fallback when your primary provider 429s, and a way to swap models without redeploying clients.
Kong’s AI Gateway plugin covers most of this and is improving fast. Apigee’s MCP integration is the most “complete” if you’re a Google Cloud shop. APISIX has community plugins and a few commercial ones from API7 that work but feel earlier. KrakenD can do model fan-out and aggregation natively, which is more interesting than it sounds for “ask 3 models, return the best answer” workloads.
Honestly, for most teams the right answer in 2026 is still a dedicated LLM gateway (Portkey, LiteLLM, OpenRouter) in front of your model providers, and your existing API gateway in front of that. The “one gateway to rule them all” pitch is appealing on a slide and brittle in production.
How I’d actually decide
For a 5-person startup building a product API: KrakenD if it’s aggregation-shaped, APISIX if it’s general-purpose. Skip Kong.
For a mid-market platform team (~50 engineers, ~10 services behind the gateway): APISIX with API7 support if you want a vendor, plain APISIX if your team has the bench. Kong only if you’ve already paid for it.
For a regulated enterprise where audit trails and vendor accountability matter more than per-request economics: Kong Enterprise or Apigee, depending on which cloud owns your data and whether your auditors care which logo is on the contract.
For a Kubernetes-native shop that’s mostly doing ingress: Traefik or the Envoy-based gateway your mesh ships with. You don’t need any of the above.
For an AI-product company building an LLM gateway: a dedicated LLM gateway in front of model providers, plus whichever above gateway you already use for your normal API. Don’t bolt it all together; it’ll bite you.
One last thing: whichever you pick, run it through your real workload before signing anything. The benchmarks above are useful for filtering, not for deciding. Spin up a 1-week proof of concept with your actual auth chain and your actual rate-limit rules, and you’ll learn more about fit than any comparison post (this one included) can tell you.