Create APIs and publish them to API Portal.

Expose a mocked API implementation to consumers before the actual API exists or is complete.

Define API policies. Policies can include data masking, request and response transformation, and cross-origin resource sharing (CORS).

Monetize a set of APIs by bundling them into a package, providing one or more plans that define pricing and quality of service terms for the package, and publishing the package and plans in API Portal. Consumers can subscribe to API packages, and then use access tokens issued by API Portal upon subscription to access the APIs within the package. When defining service plans for use with monetization, providers can separately define rate and quota limits. For quota limits, providers can warn consumers that approach a specified limit, and to block consumers that actually reach that limit.

Configure an approval workflow for creating or updating applications, registering applications to APIs, and managing subscriptions to API packages.

Gather information about gateway events and API events, as well as details about the popularity of individual APIs. API Portal displays this information in the form of dashboards.

Version SOAP and REST APIs. CentraSite allows versioning of virtual services and publishing of distinct versions to API Portal. API Gateway can host multiple versions of the same virtual service during run-time, and automatically routes requests to the appropriate version.

Define stages (for example, DEV, TEST, PROD) by supplying connection information to other API Gateways. Providers can define promotion sets and execute promotions across stages. If necessary, providers can roll back previously executed promotions.

Makes sure requests from and responses to consumer applications conform to policies you define.

Transforms requests from and responses to consumer applications as instructed by transformation steps you define.

Mediates between consumer applications and API providers. API Gateway receives requests from consumer applications and forwards them to back-end services, which could be on an Integration Server or any other system where services are executed, then returns responses from providers to consumer applications.

Uses request context or content to route requests from consumers to different service endpoints, or to load balance requests.

Allows event-enabling synchronous APIs by enabling protocol bridging between HTTP and JMS/AMQP in both incoming and outgoing calls.

Supports asynchronous APIs. When the native service has been implemented in an asynchronous way, API Gateway can receive calls to it and route responses back using the provided callback URL.

Provides an audit logging facility for functional modules such as API, approval, application, alias, access profile, analytics, group, policy, package, plan, promotion, and user management.

Supports runtime service registries, including discovery of back end services URLs and publishing of API endpoints. API Gateway comes with a Consul and a Eureka configuration.

Supports mashup APIs, which let you expose multiple APIs as one API. You can configure mashup APIs as chains that are invoked sequentially or as API compositions.

Filtering requests from and blacklisting specified IP addresses.

Detecting and filtering requests from mobile devices.

Avoiding additional inbound firewall holes.

Defining custom rules that call a Flow service to perform custom processing within the API Gateway (for example, authentication and authorization).

Defining trusted external JWT issuers, including their truststore, certificate and JWKS URI information.

Configuring multiple authorization servers that can be active concurrently.

Configuring external OAuth2 authorization servers that do not allow dynamic client registration. API Gateway can perform introspection on an authorization server or locally.