Skip to main content

Features

Traffic Management

  • Can proxy any HTTP(s) service (APIs, webapps, websocket, etc) (routes, engine)
  • Can proxy any TCP service (app, database, etc) (TCP services)
  • Can proxy any gRPC service (using a netty listener), also gRPC-Web support (HTTP listeners)
  • Can proxy any GraphQL service (proxy, query composition, and schema-first backend) (GraphQL composer)
  • Full WebSocket support with message validation, transformation, and mirroring
  • End-to-end HTTP/1.1 support
  • End-to-end HTTP/2 support (including H2C cleartext) (Netty server)
  • End-to-end HTTP/3 support (QUIC) (HTTP/3)
  • Multiple load balancing options: (backends)
    • Round Robin
    • Random
    • Sticky (cookie-based session affinity)
    • IP Address Hash
    • Best Response Time
    • Weighted Best Response Time
    • Least Connections
    • Power of Two Random Choices
    • Header Hash (consistent hashing on a request header)
    • Cookie Hash (consistent hashing on a cookie value)
    • Query Hash (consistent hashing on a query parameter)
  • Backend Failover targets support (backends)
  • Distributed in-flight request limiting (built-in plugins)
  • Distributed rate limiting (built-in plugins)
  • Per-IP, per-API key, per-route, and custom throttling and quotas (built-in plugins)
  • Request and response bandwidth throttling
  • Request and response body size limiting
  • Traffic mirroring to secondary backends (built-in plugins)
  • Traffic capture (GoReplay format) (engine)
  • Canary deployments (percentage-based and time-controlled)
  • Relay routing across network zones (relay routing)
  • Tunnels for easier network exposition (TCP, UDP, WebSocket-based) (tunnels)
  • Custom error templates (error templates)

Routing

  • Router can support tens of thousands of concurrent routes (engine)
  • Router supports path parameter extraction (with regex validation) (engine)
  • Routing based on: (routes)
    • HTTP method
    • hostname (exact, wildcard)
    • path (exact, prefix, wildcard)
    • header values (exact, regex, wildcard)
    • query param values (exact, regex, wildcard)
    • cookie values
  • Full URL rewriting (backends)
  • Path stripping (routes)
  • Target predicates (route to specific backends based on geolocation, cloud region, datacenter, rack, etc) (backends)

API Management (APIs, tutorial)

Beyond low-level routing, Otoroshi exposes an API entity that covers the full API Management lifecycle -- design, secure, expose, monetize, document and govern an API as a single first-class object.

  • Design -- group all endpoints of an API (REST, GraphQL, gRPC, HTTP, WebSocket) under a shared domain and context path, with reusable backends, HTTP client settings and named plugin chains
  • Lifecycle -- staging / published / deprecated / removed states, multi-version support, drafts with a dedicated testing mode (test draft endpoints through a header without touching the published API), and immutable deployment snapshots for full publication traceability
  • Secure -- consumer plans with pluggable access modes: keyless, API key, JWT, mTLS, built-in OAuth2 client_credentials (local token endpoint) or remote OAuth2 introspection
  • Quotas and rate limiting -- per-plan throttling strategies applied automatically to every route of the API
  • Monetize -- attach pricing (price, currency, custom parameters) to plans
  • Subscribe -- self-service subscription flow that auto-generates the right credentials (API keys, certificates, JWTs) for the chosen plan and tracks the full subscription lifecycle (created / started / paused / ending / closed)
  • Govern -- owner and members per API, visibility modes (public, semi-public, private, custom), tags, metadata and groups for multi-team setups
  • Document -- built-in documentation entity (pages, sidebar navigation, search, logo, banner, footer, references, optional remote source) ready to power a developer portal
  • Bootstrap from OpenAPI -- generate a complete API entity from an OpenAPI specification (JSON or YAML)
  • Observe -- live stats, per-route stats, request capture, debug flows and reporting toggles per API
  • Operate -- dedicated API editor in the admin UI (dashboard, routes, backends, plans, subscriptions, clients, documentation, deployments, testing, version manager) and full admin API for everything above

Routes customization

Security

  • Coraza Web Application Firewall (WAF) with OWASP Core Rule Set support (WAF how-to)
    • For high-traffic deployments or configurations with many rules, Cloud APIM also publishes a WAF extension -- a native JVM implementation of the ModSecurity SecLang DSL with embedded OWASP CRS, blocking / monitoring modes, JVM-native SQLi and XSS detection (libinjection), per-route configuration entities, and a lightweight incoming-request-only variant for the highest-throughput routes
  • IP address allow and block lists (with CIDR support) (built-in plugins)
  • Domain name allow and block lists (built-in plugins)
  • Fail2Ban-style automatic IP banning (built-in plugins)
  • Geolocation-based access control (MaxMind, IPStack) (built-in plugins)
  • Time-restricted access control
  • Log4Shell and React2Shell vulnerability detection (built-in plugins)
  • Security headers injection (HSTS, CSP, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options)
  • security.txt endpoint (RFC 9116)
  • robots.txt handling

API security

  • Access management with API keys and quotas (API keys, how-to)
  • Multiple API key extraction methods (header, query param, cookie, bearer token, basic auth, JWT) (API keys)
  • Automatic API key secrets rotation (API keys)
  • Mandatory tags and metadata validation on API keys
  • HTTPS and TLS (TLS)
  • End-to-end mTLS calls (mTLS how-to)
  • Routing constraints and restrictions
  • Public/private path separation
  • JWT token validation and manipulation (JWT verifiers, how-to)
    • Multiple validators on the same route
    • JWE (encrypted JWT) support
    • JWT signing
  • HMAC request signing and validation (Otoroshi protocol)
  • OpenFGA fine-grained authorization (built-in plugins)
  • Role-based access control (RBAC) (built-in plugins)
  • Context validation (JSON path-based claims validation) (built-in plugins)

Monitoring and observability

  • Active health checks (with customizable healthy/unhealthy status codes and regex body checks) (backends)
  • Route state for the last 90 days
  • Calls tracing using W3C Trace Context (built-in plugins)
  • Real-time traffic metrics (monitoring)
  • Prometheus metrics export (monitoring)
  • OpenTelemetry metrics and logs export (OTLP) (OpenTelemetry)
  • Datadog, StatsD metrics export (monitoring)
  • Export alerts and events to external systems: (data exporters, events and analytics)
    • Elasticsearch (how-to)
    • Apache Kafka (how-to)
    • Apache Pulsar
    • Webhook (HTTP)
    • File
    • S3
    • PostgreSQL (with auto-created table, configurable schema/table, connection pool, SSL, and optional retention-based cleanup)
    • Mailer (Mailgun, Mailjet, Sendgrid, generic SMTP) (how-to)
    • Console / Logger
    • Splunk
    • Datadog
    • New Relic
    • GoReplay (file and S3)
    • TCP / UDP / Syslog
    • JMS
    • WASM-based custom exporter (WASM usage)
    • Workflow-based custom exporter (workflows)
  • GreenScore: ecological scoring of API routes based on efficiency rules (GreenScore)

Services discovery

  • Through DNS
  • Through Eureka (internal and external) (how-to)
  • Through Kubernetes API (namespace scanning) (Kubernetes)
  • Through custom Otoroshi protocol (self-registration) (Otoroshi protocol)
  • Through Tailscale network (how-to)

Authentication

Secret vaults support (secrets management)

  • Environment variables
  • Hashicorp Vault
  • Azure Key Vault
  • AWS Secrets Manager
  • Google Cloud Secret Manager
  • Alibaba Cloud Secret Manager
  • Kubernetes Secrets
  • Izanami (v1)
  • Infisical
  • Spring Cloud Config
  • HTTP (generic endpoint)
  • Local (file-based)
  • Extensible via admin extensions

Certificates management (PKI, certificates)

  • Dynamic TLS certificates store (TLS)
  • Dynamic TLS termination (TLS how-to)
  • Internal PKI (PKI)
    • generate self-signed certificates/CAs
    • generate/sign certificates/CAs/sub-CAs
    • AIA (Authority Information Access)
    • OCSP responder
    • import P12/certificate bundles
  • ACME / Let's Encrypt support (Let's Encrypt how-to)
  • On-the-fly certificate generation based on a CA certificate without request loss
  • JWKS exposition for public key pairs (PKI)
  • Default certificate
  • Customize mTLS trusted CAs in the TLS handshake (mTLS how-to)
  • Tailscale certificates integration (how-to)

Clustering (clustering)

  • Based on a control plane / data plane pattern
  • Encrypted communication between nodes
  • Backup capabilities allowing data planes to start without control plane (improved resilience)
  • Relay routing to forward traffic across network zones (relay routing)
  • Distributed web authentication across nodes (sessions management)

Static content and backends

Administration UI

  • Manage and organize all resources
  • Secured user access with authentication module (auth modules)
  • Audited user actions (events and analytics)
  • Dynamic changes at runtime without full reload
  • Test your routes without any external tools
  • Visual workflow designer with step-by-step debugger (workflow editor)
  • Extensible via admin extensions (custom entities, routes, frontend modules)

Kubernetes integration (Kubernetes)

  • Standard Ingress controller
  • Custom Ingress controller with CRD support
    • Manage Otoroshi resources from Kubernetes
  • Validation of resources via admission webhook
  • Kubernetes Gateway API support (Gateway API)
  • Sidecar injection for service mesh
  • Bidirectional TLS certificate synchronization (Kubernetes secrets <-> Otoroshi certificates)

Dynamic HTTP listeners (topic, entity)

  • Create and manage additional HTTP listeners on custom ports
  • Multi-protocol support (HTTP/1.1, HTTP/2, HTTP/3, H2C)
  • Dynamic configuration without restart
  • TLS and mTLS support per listener

Infrastructure as Code / GitOps

  • Remote Catalogs: declarative entity management from trusted external sources (topic, entity)
    • Supported sources:
      • GitHub (including GitHub Enterprise)
      • GitLab (including self-hosted)
      • Bitbucket Cloud
      • Generic Git repositories (HTTPS and SSH)
      • Amazon S3 (and S3-compatible storage)
      • HTTP endpoints
      • Consul KV
      • Local filesystem
        • with possible pre-deploy sync command
    • Full reconciliation engine (create, update, delete) with desired state convergence
    • Automatic deployment via scheduled polling (fixed interval or cron expression)
    • Webhook-triggered deployment from GitHub, GitLab, and Bitbucket push events
    • Dry-run mode to preview changes before applying
    • Undeploy to cleanly remove all entities managed by a catalog
    • Support for JSON and YAML entity definitions (including multi-document YAML)
    • Deploy listing files for fine-grained control over which files to import
    • Route plugins for programmatic deployment (single, batch, webhook)
  • otoroshictl CLI tool
    • Sync configuration with Otoroshi clusters
    • Push-based IaC, very similar to what kubectl apply can do

Storage backends (setup)

  • Redis (via Lettuce)
  • PostgreSQL (via Reactive PG)
  • Cassandra
  • In-memory (with file persistence)
  • S3
  • HTTP

Organize

Developers portal

AI / LLM Gateway (AI Gateway)

Available through the optional Otoroshi LLM Extension developed by Cloud APIM, Otoroshi can act as a full-featured AI Gateway in front of LLM providers.

  • Unified, OpenAI-compatible API in front of 50+ LLM providers (OpenAI, Anthropic, Azure OpenAI, Mistral, Groq, Cohere, Google Gemini, Ollama, DeepSeek, X.ai, Hugging Face, Cloudflare Workers AI, Scaleway, OVH, etc.)
  • Multi-modal endpoints: chat completions, embeddings, image generation, audio (TTS/STT), video generation, content moderation
  • Anthropic Messages API compatibility for Claude clients
  • Provider load balancing across multiple LLM backends (round robin, random, best response time, weighted)
  • Automatic provider fallback on failure
  • Cost tracking with a built-in pricing database covering 1000+ models
  • Budgets per API key, user, or service (USD or token-based, with time windows and alert thresholds)
  • Token-based rate limiting (per consumer, per provider, per model)
  • Caching strategies: TTL-based simple cache and semantic cache using embeddings
  • Persistent conversation memory with sliding window or full history, scoped by API key, user, header, etc.
  • Guardrails on prompts and responses:
    • regex allow/deny lists
    • LLM-based validation
    • moderation API (OpenAI moderation and similar)
    • webhook-based external validation
    • WASM / QuickJS custom logic
    • built-in detectors: prompt injection, PII, secrets leakage, toxic language, racial / gender bias, personal health information, gibberish, faithfulness
    • text constraints: word / sentence / character counts, contains / semantic-contains
  • Reusable prompts, prompt contexts (system messages), and prompt templates with variable substitution
  • Model Context Protocol (MCP) connectors (stdio, SSE, WebSocket, HTTP) for tool / function calling
  • Full audit trail of every LLM call (consumer, provider, model, tokens, cost, cache status, guardrail results, latency) exported through Otoroshi's standard data exporters

Biscuit Studio

Available through the optional Otoroshi Biscuit Studio extension developed by Cloud APIM (source), Otoroshi gains full Eclipse Biscuit token lifecycle management with first-class entities and plugins.

  • Entities to support the complete Biscuit lifecycle
  • Centralized administration of all Biscuit material from the Otoroshi UI and admin API
  • Integrates with Otoroshi's secret vaults for secure key material storage
  • Verious plugins to enforce biscuit authorizations and attenuate biscuit tokens on the fly, etc
  • Bridge with apikeys
  • Bridge with auth. modules