apisix
Apache APISIX is a cloud-native API gateway written in Lua that routes and manages traffic for APIs, microservices, and AI workloads. It supports dynamic configuration, multiple protocols (HTTP, gRPC, MQTT, TCP/UDP), and runs on any infrastructure from bare metal to Kubernetes.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | apache/apisix |
| Owner | apache |
| Primary language | Lua |
| License | Apache-2.0 — OSI-approved |
| Stars | 16.8k |
| Forks | 2.9k |
| Open issues | 269 |
| Latest release | 3.17.0 (2026-06-16) |
| Last updated | 2026-07-08 |
| Source | https://github.com/apache/apisix |
What apisix is
APISIX is a reverse proxy and API gateway built on OpenResty (Lua/LuaJIT) with hot-reload capabilities, offering load balancing, circuit breaking, authentication (JWT, key-auth, OAuth), rate limiting, observability (Zipkin), and pluggable middleware for traffic transformation and AI gateway use cases.
Get the apisix source
Clone the repository and explore it locally.
git clone https://github.com/apache/apisix.gitcd apisix# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- OpenResty runtime (Lua/LuaJIT) must be present on host or container; plan for image size and native dependency management (libpcre, libssl, etc.).
- Configuration is API-driven (REST/gRPC); decide on config store (etcd, Consul, Nacos) for distributed deployments; local file-based config simpler but not HA.
- Plugin ecosystem is large; audit which plugins match your tech stack (e.g., OIDC, Keycloak, Casbin) and validate compatibility with your release version.
- Hot-reload reduces downtime but requires careful testing of config syntax and plugin interactions before production pushes.
- Memory footprint and CPU profiling under peak load (especially with many routes, upstream nodes, or complex plugins) should be baselined in staging.
When to avoid it — and what to weigh
- Lua expertise unavailable — Custom plugin development and deep debugging require Lua/OpenResty knowledge. Teams without Lua proficiency may face maintenance friction.
- Simple reverse proxy only — If you need only basic HTTP reverse proxying without plugins or dynamic config, APISIX's feature richness adds operational overhead vs. simpler alternatives like Nginx or HAProxy.
- Strict zero-downtime mandate with frequent updates — While APISIX supports hot-reload, high-frequency plugin or core updates in production require careful rollout testing; not ideal for 'instant push' CI/CD workflows.
- Minimal observability/monitoring setup — APISIX integrates with external systems (Zipkin, Prometheus); if you lack centralized observability infrastructure, gap analysis and integration cost rises.
License & commercial use
Apache License 2.0 (Apache-2.0): permissive open-source license. Source must be disclosed; redistribution allowed with license/attribution; no patent grant from contributors.
Apache-2.0 is OSI-approved for commercial use. Derived works must retain Apache-2.0 headers and provide a copy of the license. APISIX itself imposes no commercial restrictions. Verify any proprietary plugin or integration licenses separately. No warranty stated in license; production use should follow standard OSS due diligence (code audit, testing, support planning).
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Strong |
| Assessment confidence | High |
APISIX provides built-in defenses: Anti-ReDoS (regex DoS), IP/referer whitelisting, CSRF (Double Submit Cookie), request validation, and multiple auth schemes (JWT, key-auth, OIDC, Casbin RBAC). TLS/mTLS and dynamic certificate loading supported. No published security audit linked in data. Deployment security depends on config store (etcd) and admin API hardening. Regular security patching via Apache release process; review CVE history and subscribe to dev mailing list for alerts.
Alternatives to consider
Nginx Ingress Controller / Kong
Kong is also Lua-based (OpenResty), simpler for API gateway-only use; Nginx Ingress lighter-weight but less dynamic. Choose Nginx if minimal plugins needed or strict operational simplicity required.
Envoy / Istio
Envoy is C++, larger ecosystem, deeper observability integration, and full service mesh. Choose if full mTLS mesh governance and sidecar model fit your architecture.
HAProxy
Lightweight, battle-tested reverse proxy with minimal dependencies. Choose if you need only basic TCP/HTTP proxying and want zero Lua/OpenResty complexity.
Build on apisix with DEV.co software developers
We can help you assess deployment requirements, plugin strategy, and operational readiness. Contact Devco to discuss your API gateway architecture.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
apisix FAQ
Can APISIX replace my Kubernetes ingress controller?
How do I update routes/plugins without restarting APISIX?
What is the performance overhead vs. raw Nginx?
Is Lua development/debugging a blocker?
Software development & web development with DEV.co
From first prototype to production, DEV.co delivers software development services around tools like apisix. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source devops and beyond.
Ready to evaluate APISIX for your infrastructure?
We can help you assess deployment requirements, plugin strategy, and operational readiness. Contact Devco to discuss your API gateway architecture.