Gatez vs
Kong Gateway
A detailed, honest comparison.
We show where Kong leads too.
At a Glance
Quick comparison across architecture, features, and pricing
| Kong Gateway | Gatez | |
|---|---|---|
| Architecture | Single-layer (NGINX/Lua) + AI plugins | Three-layer: L1 (APISIX) → L2 (Rust AI) → L3 (Rust Agent) |
| AI Gateway | Plugins on same NGINX core | Purpose-built Rust service |
| Agent Gateway | MCP proxy plugin (protocol bridge only) | Full agent governance (MCP + A2A + HITL) |
| Control Plane | Kong Manager or Konnect (SaaS) | Two portals: Operator + Developer (on-prem) |
| Best features require | Konnect SaaS ($200+/mo) or Enterprise ($50K+/yr) | Everything included, self-hosted |
| Per-service cost | ~$105/month per Gateway Service | None |
| Open source | OSS tier gutted (March 2025) | Apache 2.0, full stack |
Feature-by-Feature Breakdown
Click each section to expand detailed comparisons
| Feature | Kong | Gatez | Verdict |
|---|---|---|---|
| HTTP/HTTPS routing | Yes | Yes (APISIX) | Parity |
| gRPC proxying | Native | Yes (APISIX grpc-transcode) | Parity |
| WebSocket proxying | Native (NGINX) | Yes (APISIX native) | Parity |
| GraphQL proxying | Plugin | Not yet | Kong leads |
| Rate limiting (fixed window) | OSS | Yes | Parity |
| Rate limiting (sliding window) | Enterprise only | Yes (all tenants) | Gatez wins |
| Per-tenant rate limiting | Enterprise only (Workspaces) | Yes (all tenants, day one) | Gatez wins |
| JWT authentication | Yes | Yes (APISIX + Keycloak) | Parity |
| OAuth2/OIDC | Enterprise plugin | Yes (Keycloak) | Parity |
| Circuit breaker | Built-in | Yes (APISIX api-breaker) | Parity |
| Canary/traffic splitting | Built-in | Yes (APISIX traffic-split) | Parity |
| Service discovery (Consul/DNS) | Built-in | APISIX DNS SRV | Parity |
| RBAC/Workspaces | Enterprise only | Keycloak-based (3 roles) | Parity |
| Admin API | Kong Admin API | APISIX Admin API | Different schema |
| Declarative config | decK CLI | APISIX YAML + translator | Migration tool available |
| Plugin ecosystem | 400+ | ~80 APISIX + custom Lua | Kong leads |
| FIPS 140-2 | Enterprise | Not yet | Kong leads |
| SOC2 Type 2 | Konnect | Not yet | Kong leads |
| Feature | Kong | Gatez | Verdict |
|---|---|---|---|
| Multi-model routing | AI Proxy plugin | Dedicated Rust service | Gatez wins (purpose-built) |
| Fallback chains | Plugin config | Built-in with circuit breaker | Gatez wins |
| Semantic caching | AI Semantic Cache plugin | Two-tier: Redis exact + Qdrant similarity | Gatez wins |
| PII redaction | AI PII Sanitizer (20 categories) | Regex-based (SSN, email, CC, phone, IP) | Kong leads (more categories) |
| Token budgets | Enterprise only (AI Rate Limiting Advanced) | All tenants (Redis pre-request check) | Gatez wins |
| Streaming SSE | Plugin | Zero-copy Rust | Gatez wins (performance) |
| RAG injection | AI RAG Injector | Not yet | Kong leads |
| Cost tracking | Konnect Analytics (SaaS only) | ClickHouse (on-prem) | Gatez wins (on-prem) |
| Published latency SLA | None per-plugin | < 5ms cache, < 10ms PII, < 20ms P99 total | Gatez wins (transparency) |
| Feature | Kong | Gatez | Verdict |
|---|---|---|---|
| MCP protocol | Plugin (protocol bridge) | Native (Rust implementation) | Gatez wins |
| A2A protocol | Roadmap (not shipped) | Native (agent registry, task tracking) | Gatez wins |
| Agent session management | None | Full lifecycle (create, inspect, terminate) | Gatez wins |
| Per-session tool allowlist | None | CEL-based, deny by default | Gatez wins |
| Blast radius controls | None | Max duration, max tool calls, max sessions | Gatez wins |
| HITL approval gates | None | Configurable per tool, pending queue, approve/deny API | Gatez wins |
| Tool poisoning protection | None | Server fingerprinting, naming collision detection | Gatez wins |
| Agent audit trail | None | ClickHouse (every tool call, A2A hop, session event) | Gatez wins |
| Cross-layer tracing | Single-layer | L1→L2→L3 OTel span tree | Gatez wins |
| Feature | Kong | Gatez | Verdict |
|---|---|---|---|
| Admin UI | Kong Manager (on-prem) or Konnect | Operator Portal (on-prem) | Parity |
| Developer Portal | Dev Portal v3 (Konnect only) | Developer Portal (on-prem) | Gatez wins (on-prem) |
| Advanced Analytics | Konnect only (SaaS) | ClickHouse-backed (on-prem) | Gatez wins (on-prem) |
| Tenant onboarding | Manual (Workspace creation) | 3-step atomic wizard | Gatez wins |
| Rate limit visual editor | None | Override hierarchy (global→tenant→route) | Gatez wins |
| HITL approval queue | None | Real-time with risk badges and countdown | Gatez wins |
| A2A topology graph | None (roadmap) | Live delegation chain visualization | Gatez wins |
| Cross-layer trace explorer | None | L1 (blue) → L2 (violet) → L3 (emerald) waterfall | Gatez wins |
Pricing Comparison
How costs stack up between Kong and Gatez
| Kong Konnect Plus | Kong Enterprise | Gatez | |
|---|---|---|---|
| Base cost | $200/month | $50K+/year | Free (Apache 2.0) |
| Per Gateway Service | $105/month | Included | None |
| Per API request | $34.25/million | Included | None |
| AI models | $100/month per model (>5) | Included | None |
| Support | Email, 2-day SLA | 24/7 Diamond/Platinum | Community (enterprise support planned) |
Cost Example: 10 Gateway Services
Kong Konnect Plus: $200 base + (10 × $105) = $1,250/month
Kong Enterprise: $50,000/year = $4,167/month
Gatez Community: $0/month (Apache 2.0 license)
Gatez Pro: Per-tenant pricing, contact sales (no per-request or per-service fees)
Where Kong Leads Today
We believe in honest comparisons. Here's where Kong has the advantage.
Market Maturity
Kong has been in production for 10+ years with thousands of enterprise customers. Gatez is new (launched 2024).
Compliance Certifications
Kong Konnect has SOC2 Type 2. Kong Enterprise supports FIPS 140-2. Gatez has neither (yet).
Plugin Ecosystem
400+ plugins vs ~80. Depends on which plugins you need, but Kong's breadth is real.
Commercial Support with SLA
Kong has Diamond/Platinum/Business tiers. Gatez has community support only (enterprise support planned for Q3 2026).
GraphQL Proxying
Kong has a GraphQL plugin. Gatez doesn't yet (on roadmap for M5).
PII Detection Depth
Kong's AI PII Sanitizer covers 20 categories in 9 languages. Gatez covers 5 categories via regex (English only).
Ready to Migrate?
We've built migration tools to make switching from Kong to Gatez as smooth as possible.
Kong-to-Gatez Config Translator
Automated CLI tool to convert Kong declarative config (decK YAML) to APISIX YAML.
What it handles automatically
- Routes and services (1:1 mapping)
- Common plugins: rate-limiting, jwt-auth, cors, response-rewriting
- Upstreams and load balancing config
- Plugins unique to Kong → manual review required (reported in output)
Try Gatez Today
Self-hosted. Multi-tenant. Three layers. One platform.
Free forever with Apache 2.0 license.