DEV.co
MCP Servers · Kong

kong

Kong is a cloud-native API and AI Gateway that routes, authenticates, and governs traffic across microservices, APIs, LLMs, and MCP systems. It runs on Kubernetes or traditional infrastructure and supports 60+ plugins for extensibility.

Source: GitHub — github.com/Kong/kong
43.8k
GitHub stars
5.2k
Forks
Lua
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryKong/kong
OwnerKong
Primary languageLua
LicenseApache-2.0 — OSI-approved
Stars43.8k
Forks5.2k
Open issues154
Latest release3.9.3 (2026-06-17)
Last updated2026-07-01
Sourcehttps://github.com/Kong/kong

What kong is

Lua-based gateway offering advanced routing, load balancing, SSL/TLS termination, and multi-LLM traffic management with support for OpenAI, Anthropic, Bedrock, and others. Deployable as database-backed, DB-less, or hybrid control/data plane architecture on Kubernetes or bare metal.

Quickstart

Get the kong source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Kong/kong.gitcd kong# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Multi-LLM API Routing and Rate Limiting

Route AI traffic across multiple LLM providers (OpenAI, Anthropic, Azure AI, Bedrock) with centralized authentication, semantic routing, caching, and traffic controls—avoiding vendor lock-in.

Kubernetes-Native Microservices API Gateway

Serve as a cloud-native ingress controller with declarative configuration, supporting health checks, load balancing, and plugin-based request/response transformation across containerized workloads.

Enterprise API Management and Security

Centralize JWT, OAuth, basic auth, and ACL enforcement across all organization APIs; add observability, logging, and compliance via plugins without redeploying backend services.

Implementation considerations

  • Choose deployment model early: database-backed (PostgreSQL), DB-less/declarative (decK), or hybrid control/data plane. Each has different operational and scaling implications.
  • Plan for PostgreSQL infrastructure if using database mode; ensure high availability, backup, and replication strategy for the control plane.
  • Evaluate plugin architecture: Lua, Go, or JavaScript plugins extend functionality but require testing, versioning, and maintenance discipline.
  • Kubernetes users should leverage the official Ingress Controller for native integration; non-Kubernetes deployments need manual configuration or orchestration tooling.
  • Assess AI Gateway features (LLM routing, semantic security, MCP traffic) maturity level and compatibility with your LLM providers before committing to production.

When to avoid it — and what to weigh

  • Simple Single-Service Reverse Proxy Need — If you need only basic reverse proxying for a single service, Kong's feature breadth and operational overhead may not justify the complexity. Consider lighter alternatives.
  • Strict No-Vendor-Lock-In but Heavy Konnect Dependency — While Kong Gateway itself is open-source, the commercial Konnect Cloud platform adds SaaS lock-in for analytics, service catalogs, and managed control planes. Evaluate long-term vendor exposure.
  • Low-Latency, Ultra-High-Throughput L4 Only — Kong is primarily L7-focused with L4 support; if you require microsecond-level latency or pure layer-4 load balancing, specialized solutions may perform better.
  • Small Team With No DevOps Bandwidth — Kong requires operational expertise in Kubernetes, databases (or DB-less setup), plugin development, and troubleshooting. Minimal operational capacity may struggle with maintenance.

License & commercial use

Kong Gateway is licensed under Apache License 2.0, a permissive OSI-approved license allowing commercial use, modification, and distribution with minimal restrictions. Copyright held by Kong Inc. (2016–2026).

Apache 2.0 permits commercial use without explicit permission. However, Kong Inc. offers commercial Konnect Cloud subscriptions for managed control plane, analytics, and support. Ensure compliance with Apache 2.0 terms (preserve copyright/license notices) and evaluate whether managed services align with your procurement and vendor strategy.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Kong provides authentication mechanisms (JWT, OAuth, basic auth, ACLs) and traffic controls; SSL/TLS termination and proxy capabilities enable encrypted end-to-end communication. Semantic security for AI traffic is claimed but requires review of implementation. No public security audit mentioned. Operators must manage secrets (LLM keys, credentials), database access, and plugin vetting. Evaluate threat model for control plane exposure (Admin API at :8001) and isolate accordingly.

Alternatives to consider

Nginx Ingress Controller + Nginx

Lighter, lower-latency reverse proxy; excellent for Kubernetes. Lacks native multi-LLM routing and advanced plugin extensibility; requires external tooling for authentication and rate limiting.

Traefik

Cloud-native, Kubernetes-first ingress with dynamic backend discovery. Simpler configuration model but fewer plugins, limited AI/LLM-specific features, and smaller ecosystem than Kong.

AWS API Gateway + Lambda / Azure API Management

Fully managed, vendor-hosted alternatives. Eliminates operational burden but introduces vendor lock-in, higher ongoing costs, and limited multi-provider LLM routing unless custom-built.

Software development agency

Build on kong with DEV.co software developers

Kong Gateway combines API management, LLM routing, and Kubernetes integration in one extensible platform. Start with the community edition or explore Kong Konnect for managed services.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

kong FAQ

Does Kong require a database?
No. Kong supports three modes: PostgreSQL-backed (recommended for clustering), DB-less declarative mode (decK + YAML), and hybrid (separate control/data planes). Choose based on scale and operational preference.
Can I use Kong for LLM API routing without Kubernetes?
Yes. Kong runs on Docker, VMs, or bare metal. Kubernetes is optional. For LLM routing, use Kong's Universal LLM API plugin and configure backend provider credentials; no Kubernetes dependency.
How do I manage plugins in production?
Plugins are configured via the Admin API (:8001) or declarative config (decK). Test plugins in staging, version control configuration, and use CI/CD to promote. Community and Kong-developed plugins vary in maturity; audit before production.
Is Kong suitable for small startups or only enterprises?
Kong is suitable for both. Small teams can start with the community edition on a single Docker container. As scale and AI traffic complexity grow, adopting HA database, Kubernetes, and plugins is incremental. Commercial Konnect Cloud is optional.

Software developers & web developers for hire

Adopting kong is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate mcp servers software in production.

Ready to centralize API and AI traffic management?

Kong Gateway combines API management, LLM routing, and Kubernetes integration in one extensible platform. Start with the community edition or explore Kong Konnect for managed services.