
Kong API Gateway

By: Thomas Bayer
Date: May 9, 2018
Updated: January 25, 2019

Kong is a so-called API layer. The developers of Kong, the former company Mashape, which is now called Kong Inc., use the term API layer as a synonym for API gateway or API middleware. Kong was originally developed as an API gateway for Mashape's Marketplace and placed under an open source license in 2015. Kong is based on the open source web server and reverse proxy NGINX and extends its functionality via the programming language Lua.

Kong is available in the Community Edition as open source software and as Kong Enterprise. The Enterprise version also includes:

  • A graphical admin interface
  • Extended security and authentication
  • A developer portal
  • Analytics
  • Better scalability

Kong can be installed locally or in the cloud. Installation in the cloud can be done, for example, via the Amazon Marketplace or via images such as AMI or Docker. For a local installation there are Ubuntu, Debian, CentOS and Red Hat packages.

Kong needs a Cassandra cluster or a Postgres database for operation. Installation via Docker is particularly convenient.


Most of the settings can be made via a configuration file. Since Kong is based on the NGINX server, some parameters must be set on the NGINX server itself, such as the retry behavior, which controls whether a request is repeated in the event of an error.

The open source version of Kong lacks a graphical user interface. Instead, there is a comprehensive and convenient API for administration. Services, routes and consumers can be created using this API. The listing below shows how a service can be created:

curl -X POST http://localhost:8001/services/ \
  -d 'name=fruitshop' \
  -d 'url=https://api.predic8.de/shop/'

The service links the service name fruitshop to a backend that provides the functionality. Kong now knows the backend, but does not yet know which calls should be routed there. The routing information must be added with a route:

curl -X POST http://localhost:8001/services/fruitshop/routes \
  -d 'hosts[]=api.predic8.de:443'

A route can be configured with hosts, paths and methods. Kong compares incoming calls with the routes. If they match, the associated service is called. In the example above, a call must contain a Host header with the value api.predic8.de so that the route takes effect and the call is forwarded to the backend via the service:

curl http://localhost:8000 -H "Host: api.predic8.de"
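
The matching rule described above, as an added example that is not part of the original article and not Kong's own router code: a simplified Python model that decides which service a request reaches. The two extra routes, the ranking of candidates and the port-insensitive host comparison are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Route:
    service: str                                  # service the route forwards to
    hosts: list = field(default_factory=list)     # empty list = attribute not set
    paths: list = field(default_factory=list)
    methods: list = field(default_factory=list)

    def specificity(self) -> int:
        # Number of attributes this route actually constrains.
        return sum(bool(a) for a in (self.hosts, self.paths, self.methods))

def _hostname(value: str) -> str:
    # Model simplification: compare host names case-insensitively, without port.
    return value.rsplit(":", 1)[0].lower() if ":" in value else value.lower()

def matches(route: Route, method: str, path: str, host: Optional[str]) -> bool:
    # Every attribute the route sets must match; unset attributes match anything.
    if route.hosts:
        if host is None or _hostname(host) not in {_hostname(h) for h in route.hosts}:
            return False
    if route.paths and not any(path.startswith(p) for p in route.paths):
        return False
    if route.methods and method.upper() not in {m.upper() for m in route.methods}:
        return False
    return True

def select_service(routes, method, path, host=None) -> Optional[str]:
    # Assumption: the candidate constraining the most attributes wins,
    # ties are broken by the longest matching path prefix.
    def rank(r):
        longest = max((len(p) for p in r.paths if path.startswith(p)), default=0)
        return (r.specificity(), longest)
    candidates = [r for r in routes if matches(r, method, path, host)]
    return max(candidates, key=rank).service if candidates else None

# Constructed route table: the fruitshop route from the text plus two hypothetical ones.
ROUTES = [
    Route(service="fruitshop", hosts=["api.predic8.de"]),
    Route(service="fruitshop-admin", hosts=["api.predic8.de"], paths=["/admin"], methods=["POST"]),
    Route(service="status", paths=["/status"]),
]
```

A request without a matching Host header reaches no service in this model, which is the reason the curl call above sets the header explicitly.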


Kong's functionality can be extended with numerous plugins. A plugin can be enabled globally, for an API or for a route. Among other things, there are plugins for:

  • OAuth2
  • JWT
  • CORS
  • Basic authentication
  • API keys
  • Authentication via LDAP
  • Bot detection
  • Microsoft Azure
  • Amazon Lambda
  • Prometheus
  • Zipkin
  • Rate limiting
  • Logging
  • Correlation Ids
  • Transformation

The Developer Guide describes how to create your own plugins.


Plugins with regular expressions and a dedicated configuration language are available for transforming messages. The example below shows how the JSON properties partner and mail can be renamed:

config.rename.body=partner:contact,mail:email


Kong offers various plugins for logging, including for Prometheus, Syslog, Loggly, File and HTTP.


Several Kong Gateways that share the same database can be combined to form a cluster. Each node has the same configuration and thus the same services and routes. Since each node receives an individual IP address, a load balancer must be operated in front of the cluster.

The configuration of the cluster is stored in a Postgres or in a distributed Apache Cassandra database. Each Kong node has access to the configuration via the database.


Kong is one of the more mature products on the market and is already used for many installations.

The Management API enables remote control of Kong and thus opens up new possibilities that compensate for the missing administration UI. If you still want to use Kong with a UI, you can use the commercial version or the API management solution Wicked from Haufe Verlag in Freiburg. Wicked relies on Kong and adds a convenient web console for administration.


  • Lean solution
  • Maturity of the product
  • Support for WebSockets
  • Comprehensive API for the configuration and maintenance of APIs, consumers, plugins, ...


  • The web console is only available in the commercial version.
  • An Apache Cassandra or Postgres database is required for installation.
  • Many plugins such as OpenID Connect, Advanced LDAP or Rate Limiting are only available with the Enterprise subscription.