Appearance
Gatez vs Kong Gateway — Feature Comparison
At a Glance
| Kong Gateway | Gatez | |
|---|---|---|
| Architecture | Single-layer (NGINX/Lua) + AI plugins bolted on | Three-layer: L1 (APISIX) → L2 (Rust AI Gateway) → L3 (Rust Agent Gateway) |
| AI Gateway | Plugins on same NGINX core | Purpose-built Rust service (axum + tokio) |
| Agent Gateway | MCP proxy plugin (protocol bridge only) | Full agent session governance (MCP + A2A + HITL + blast radius) |
| Control Plane | Kong Manager (on-prem) or Konnect (SaaS) | Two portals: Operator + Developer (both on-prem) |
| Best features require | Konnect SaaS ($200+/mo) or Enterprise license ($50K+/yr) | Everything included, self-hosted |
| Per-service cost | ~$105/month per Gateway Service | None |
| Licensing | OSS tier gutted (March 2025 — no Docker images, no free mode) | Commercial, fully self-hosted (on-prem, air-gap capable) |
Traditional API Gateway (L1)
| Feature | Kong | Gatez | Verdict |
|---|---|---|---|
| HTTP/HTTPS routing | Yes | Yes (APISIX) | Parity |
| gRPC proxying | Native | Yes (APISIX grpc-transcode) | Parity |
| WebSocket proxying | Native (NGINX) | Yes (APISIX native) | Parity |
| GraphQL proxying | Plugin | Not yet | Kong leads |
| Rate limiting (fixed window) | OSS | Yes | Parity |
| Rate limiting (sliding window) | Enterprise only | Yes (all tenants) | Gatez wins |
| Per-tenant rate limiting | Enterprise only (Workspaces) | Yes (all tenants, day one) | Gatez wins |
| JWT authentication | Yes | Yes (APISIX + Keycloak) | Parity |
| OAuth2/OIDC | Enterprise plugin | Yes (Keycloak) | Parity |
| Circuit breaker | Built-in | Yes (APISIX api-breaker) | Parity |
| Canary/traffic splitting | Built-in | Yes (APISIX traffic-split) | Parity |
| Service discovery (Consul/DNS) | Built-in | APISIX DNS SRV | Parity |
| RBAC/Workspaces | Enterprise only | Keycloak-based (3 roles) | Parity |
| Admin API | Kong Admin API | APISIX Admin API | Different schema |
| Declarative config | decK CLI | APISIX YAML + translator | Migration tool available |
| Plugin ecosystem | 400+ | ~80 APISIX + custom Lua | Kong leads |
| FIPS 140-2 | Enterprise | Not yet | Kong leads |
| SOC2 Type 2 | Konnect | Not yet | Kong leads |
AI Gateway (L2)
| Feature | Kong | Gatez | Verdict |
|---|---|---|---|
| Multi-model routing | AI Proxy plugin | Dedicated Rust service | Gatez wins (purpose-built) |
| Fallback chains | Plugin config | Built-in with circuit breaker | Gatez wins |
| Semantic caching | AI Semantic Cache plugin | Two-tier: Redis exact + Qdrant similarity | Gatez wins |
| PII redaction | AI PII Sanitizer (20 categories) | Regex-based (SSN, email, CC, phone, IP) | Kong leads (more categories) |
| Token budgets | Enterprise only (AI Rate Limiting Advanced) | All tenants (Redis pre-request check) | Gatez wins |
| Streaming SSE | Plugin | Zero-copy Rust | Gatez wins (performance) |
| RAG injection | AI RAG Injector | Not yet | Kong leads |
| Cost tracking | Konnect Analytics (SaaS only) | ClickHouse (on-prem) | Gatez wins (on-prem) |
| Published latency SLA | None per-plugin | < 5ms cache, < 10ms PII, < 20ms P99 total | Gatez wins (transparency) |
Agent Gateway (L3)
| Feature | Kong | Gatez | Verdict |
|---|---|---|---|
| MCP protocol | Plugin (protocol bridge) | Native (Rust implementation) | Gatez wins |
| A2A protocol | Roadmap (not shipped) | Native (agent registry, task tracking) | Gatez wins |
| Agent session management | None | Full lifecycle (create, inspect, terminate) | Gatez wins |
| Per-session tool allowlist | None | CEL-based, deny by default | Gatez wins |
| Blast radius controls | None | Max duration, max tool calls, max sessions | Gatez wins |
| HITL approval gates | None | Configurable per tool, pending queue, approve/deny API | Gatez wins |
| Tool poisoning protection | None | Server fingerprinting, naming collision detection | Gatez wins |
| Agent audit trail | None | ClickHouse (every tool call, A2A hop, session event) | Gatez wins |
| Cross-layer tracing | Single-layer | L1→L2→L3 OTel span tree | Gatez wins |
Control Plane
| Feature | Kong | Gatez | Verdict |
|---|---|---|---|
| Admin UI | Kong Manager (on-prem) or Konnect | Operator Portal (on-prem) | Parity |
| Developer Portal | Dev Portal v3 (Konnect only) | Developer Portal (on-prem) | Gatez wins (on-prem) |
| Advanced Analytics | Konnect only (SaaS) | ClickHouse-backed (on-prem) | Gatez wins (on-prem) |
| Tenant onboarding | Manual (Workspace creation) | 3-step atomic wizard | Gatez wins |
| Rate limit visual editor | None | Override hierarchy (global→tenant→route) | Gatez wins |
| HITL approval queue | None | Real-time with risk badges and countdown | Gatez wins |
| A2A topology graph | None (roadmap) | Live delegation chain visualization | Gatez wins |
| Cross-layer trace explorer | None | L1 (blue) → L2 (violet) → L3 (emerald) waterfall | Gatez wins |
Pricing
| Kong Konnect Plus | Kong Enterprise | Gatez | |
|---|---|---|---|
| Base cost | $200/month | $50K+/year | Self-hosted, no per-service fees |
| Per Gateway Service | $105/month | Included | None |
| Per API request | $34.25/million | Included | None |
| AI models | $100/month per model (>5) | Included | None |
| Support | Email, 2-day SLA | 24/7 Diamond/Platinum | Community (enterprise support planned) |
Honest Gaps (Where Kong Leads)
- Commercial support with SLA — Kong has Diamond/Platinum/Business tiers. Gatez has community support only (for now).
- Compliance certifications — Kong Konnect has SOC2 Type 2. Gatez has none (yet).
- Plugin ecosystem breadth — 400+ vs ~80. Depends on which plugins you use.
- GraphQL proxying — Kong has a plugin. Gatez doesn't (yet).
- PII detection depth — Kong's AI PII Sanitizer covers 20 categories in 9 languages. Gatez covers 5 categories via regex.
- RAG injection — Kong has AI RAG Injector. Gatez doesn't (yet).
- Market maturity — Kong has been in production for 10+ years with thousands of enterprise customers.