Sub-Millisecond Latency
Rust's zero-cost abstractions and Pingora's async architecture deliver routing decisions in microseconds. No garbage collector pauses, no runtime overhead.
The open-source enterprise API gateway and AI gateway powered by Rust and Cloudflare's Pingora reverse proxy. Self-host one binary to route, govern, and observe HTTP, gRPC, LLM, MCP, and A2A agent traffic — replacing an API gateway, an LLM proxy, and agent middleware like Kong, Apigee, LiteLLM, and Portkey with one fast data plane.
No spam. Get notified when Tygress launches. Unsubscribe anytime.
Features
Built on the same Pingora framework that powers Cloudflare's edge network serving trillions of requests daily. Everything Kong and NGINX charge for — included free in our open-source edition.
Rust's zero-cost abstractions and Pingora's async architecture deliver routing decisions in microseconds. No garbage collector pauses, no runtime overhead.
Rust's ownership model eliminates buffer overflows, use-after-free, and data races at compile time. Security without sacrificing speed.
Hot-reload configuration without dropping a single connection. Pingora's graceful upgrade mechanism ensures seamless deployments every time.
Direct kernel-to-kernel data transfer using Pingora's optimized I/O paths. Proxy traffic with minimal CPU overhead and maximum throughput.
Native HTTP/1.1, HTTP/2, gRPC, and WebSocket support built on Pingora's multi-protocol engine. Seamless protocol negotiation and upgrades.
Prometheus metrics, OpenTelemetry tracing, and structured logging out of the box. Full visibility into every request without external plugins.
Distributed rate limiting with sliding window, token bucket, and leaky bucket algorithms. Protect your APIs without adding latency.
Declarative YAML/JSON configuration that just works. Define routes, plugins, and upstreams in minutes, not hours. No Lua scripting required.
45+ built-in plugins, from JWT, OIDC, LDAP, and mTLS auth to bot detection and circuit breaking. Extend with Rust, sandboxed WebAssembly (proxy-wasm), or inline Rhai/JavaScript — no rebuild required.
AI Gateway
LLM proxies bolt AI onto Python; API gateways bolt AI onto plugins. Tygress is an enterprise AI gateway and self-hosted LLM gateway in one Rust data plane — natively routing, guarding, and metering LLM, MCP, and A2A agent traffic, with guardrails, cost controls, and human-in-the-loop approvals included at proxy speed.
One OpenAI-compatible endpoint for OpenAI, Anthropic, Google Gemini, Azure, AWS Bedrock, Mistral, and Groq. Switch or blend providers without changing a line of client code.
A self-tuning control loop continuously shifts traffic toward the cheapest model that meets your quality bar by adjusting routing weights from live cost and latency — automatic savings, no manual model juggling.
Prompt injection protection at the gateway: block injection and jailbreak attempts with fast built-in heuristics plus an optional external classifier — and flag completions that leak your system prompt.
Data-loss prevention for AI traffic. Scan prompts and responses for PII and secrets, then redact in place, block, or annotate — matched text never reaches the provider.
Ingest your documents and let the gateway retrieve and inject relevant context into prompts — retrieval-augmented generation as a managed plugin, no separate RAG service to run.
LLM caching by meaning, not just exact match. Similar prompts replay prior answers without ever contacting the provider — cutting cost and tail latency.
LLM cost tracking and enforcement: rate limit by token count, not just requests, and cap spend with per-route USD budgets and per-team LLM budgets priced per model. No more surprise LLM bills.
One embeddings endpoint across OpenAI, Azure, Mistral, Google, and Bedrock, with normalized token accounting — vectorize through the same gateway that serves your chat traffic.
Proxy Model Context Protocol servers with the full plugin chain in front — auth, rate limiting, audit logging — plus per-consumer tool allowlists on every tools/call.
Federate Agent2Agent (A2A) JSON-RPC agents behind one gateway. Route by skill affinity, round-robin, or fallback — the same data plane that serves your APIs.
Gate sensitive MCP and A2A calls behind an admin decision. A unified approval queue with audit log and webhooks keeps autonomous agents on a leash.
AI-specific Prometheus metrics on top of standard HTTP telemetry — token usage, provider latency, cache hit rates — with PromQL examples and recommended alerts.
Providers
Tygress speaks OpenAI, Anthropic, Google Gemini, Azure OpenAI, AWS Bedrock, Mistral, and Groq natively — and any OpenAI-compatible endpoint on top. One integration, every model, no lock-in.
Point your existing SDK at Tygress and reach every provider through one unified API — chat completions and embeddings included. Switch or blend models without touching client code.
Issue per-team virtual keys that map to your real provider keys server-side. Rotate, revoke, and meter access centrally — raw OpenAI and Anthropic keys never leave the gateway.
Pool multiple API keys per provider with round-robin rotation and 429 cooldowns, and fail over across providers the moment one is rate-limited or down — automatically.
Enterprise
An open-source enterprise API gateway your platform team can self-host, with the governance, identity, and high-availability controls security and compliance teams require to put AI and APIs into production.
A self-hosted AI gateway in your own VPC or on-prem — Docker, Compose, or Kubernetes, including fully air-gapped. Prompts, keys, and data never leave your network, so residency and sovereignty requirements are met by design.
OIDC login, LDAP/Active Directory, mutual TLS, OAuth2 introspection with required scopes, JWE, and HMAC — chain them per route and map any credential to a consumer.
A split control plane and data plane sync over NATS JetStream with last-known-good caching. Push config to fleets of nodes with zero-downtime reloads and binary upgrades — no dropped requests.
Immutable audit logging to Postgres, role-based admin access, and human-in-the-loop approvals for sensitive AI tool calls — a defensible record of who did what, when, ready for SOC 2, HIPAA, and GDPR audits.
Model consumers, groups, and tenants first-class. Scope rate limits, cost budgets, model access, and tool allowlists per team, then meter usage with a per-consumer analytics API.
Built-in incident response detects floods, abuse, and provider outages and auto-remediates — shedding load, tripping breakers, and failing over — while exporting Prometheus and OpenTelemetry signals.
Quantum-Safe
Adversaries are recording encrypted traffic today to decrypt it once quantum computers mature. Tygress is a quantum-safe API gateway that defends against these “harvest-now, decrypt-later” attacks with post-quantum TLS on every connection — no plugins, no sidecars.
Performance
Head-to-head against Kong, NGINX, Envoy, and Traefik on identical hardware (4 vCPU, 8 GB RAM). A Rust API gateway built on Pingora means no garbage collector pauses and zero-cost abstractions.
* Preliminary benchmarks. Final numbers will be published with the open-source release.
Rust's ownership model means deterministic performance with no GC pauses — ever.
Pingora's async runtime handles millions of concurrent connections on a single node.
Intelligent upstream connection reuse reduces TCP handshake overhead by up to 90%.
New binaries inherit the listening sockets while the old process drains in-flight requests — deploy and upgrade without dropping a single connection.
Compare
Enterprises run an API gateway, a separate LLM proxy, and custom agent middleware — and stitch governance across all three. Tygress is a self-hosted Kong alternative that also replaces Apigee, LiteLLM, and Portkey — every job in one Rust binary.
| Feature | Tygress | Kong | Apigee | LiteLLM | Portkey |
|---|---|---|---|---|---|
| Language | Rust | Lua/Go | Java | Python | Node/TS |
| API gateway | |||||
| AI / LLM gateway | Native | Plugin | Limited | Native | Native |
| Self-hosted / air-gapped | Hybrid | Partial | |||
| Multi-provider failover | |||||
| Semantic caching | Plugin | Yes | Via Redis | ||
| AI governance & DLP | Native | Partial | Partial | Partial | |
| Enterprise SSO (OIDC/LDAP/mTLS) | Enterprise | Partial | Partial | ||
| MCP gateway | Native | Enterprise | Managed | Native | |
| A2A agent gateway | |||||
| Human-in-the-loop approvals | Partial | ||||
| Post-quantum TLS (hybrid PQC) | Native | ||||
| Open source | Full-featured | Limited | Yes | Partial |
Based on publicly documented capabilities as of mid-2026. Competitor features evolve — verify before relying on this for procurement.
Pricing
Start free with open source. Scale to enterprise. No hidden fees, no per-request charges, no surprises.
Free Forever
Full-featured gateway for developers and small teams.
Fully Managed
Zero-ops gateway with a global edge network. Start in minutes.
Your Infrastructure
Run Tygress on your own cloud with our management plane.
Unlimited Scale
For organizations that need the highest scale, security, and support.
All prices are preliminary and may change before launch. Open source edition will always remain free.
FAQ
Everything about the gateway, the AI features, and how Tygress compares to what you run today.
Tygress is an open-source AI gateway and API gateway built on Rust and Cloudflare's Pingora framework. One gateway routes, guards, and observes traditional HTTP and gRPC APIs, LLM provider traffic, MCP tool servers, and A2A AI agents — with sub-millisecond latency and memory safety.
An enterprise API gateway is the single entry point that routes, secures, and observes all API traffic across an organization — adding authentication (SSO, OIDC, mTLS), rate limiting, high availability, audit logging, and governance on top of basic request routing. Tygress is an open-source enterprise API gateway that extends those same controls to AI traffic, governing LLM, MCP, and AI agent calls alongside REST and gRPC APIs in one Rust data plane.
An AI gateway sits between your applications and LLM providers, adding routing, failover, authentication, cost controls, guardrails, caching, and observability to AI traffic. Tygress is an enterprise AI gateway that combines those AI features with a full API gateway: one self-hosted Rust binary governs LLM, MCP, and AI agent traffic alongside your REST and gRPC APIs.
An LLM gateway (sometimes called an LLM proxy) routes requests to large language model providers through one unified API, handling provider failover, key management, token-aware rate limiting, cost budgets, and response caching. Tygress is a self-hosted LLM gateway written in Rust — the same capabilities LLM-only proxies offer, at reverse-proxy speed, plus the API gateway features they lack.
No — that's the point of Tygress. Most stacks run an API gateway (Kong, Apigee) for REST and gRPC plus a separate AI gateway or LLM proxy (LiteLLM, Portkey) for model traffic, then duplicate auth, rate limiting, and audit across both. Tygress is one data plane that does both jobs, so a single set of policies governs every API call, LLM request, MCP tool call, and agent interaction.
In preliminary benchmarks on identical hardware (4 vCPU, 8 GB RAM), Tygress achieves 98K requests/sec with 0.12ms p99 latency and 18 MB memory usage, compared to NGINX at 65K rps / 0.45ms / 38 MB, Envoy at 72K rps / 0.31ms / 52 MB, and Kong at 34K rps / 1.2ms / 128 MB. Beyond speed, AI gateway features are native in Tygress rather than bolted on as plugins.
LiteLLM and Portkey focus on AI traffic only; Tygress is a full production gateway where AI features are native. You get Rust proxy performance plus auth (JWT, OIDC, HMAC, API keys), distributed rate limiting, circuit breaking, and observability on the same routes that serve your LLM, MCP, and A2A traffic — one binary instead of an API gateway plus a separate Python proxy.
Yes. The open source edition includes the full proxy engine, the 45+ plugin suite, the AI gateway, load balancing, and the plugin SDK — free forever. Cloud, self-managed cloud, and enterprise editions are also available for teams that need managed infrastructure and premium support.
Yes. Tygress runs as a fully air-gapped API gateway when needed: self-host on Docker, Docker Compose, or Kubernetes, entirely inside your own VPC or on-premises. Prompts, API keys, and data never leave your network, so data residency and sovereignty requirements are met by design. A split control plane and data plane sync configuration over NATS JetStream with last-known-good caching for high availability.
Yes. Tygress ships a full enterprise authentication stack: OIDC single sign-on, LDAP and Active Directory, mutual TLS client certificates, OAuth2 introspection with required scopes, JWE decryption, HMAC, and API keys. Auth plugins can be chained per route, and any verified credential maps to a consumer for multi-tenant policy enforcement.
Tygress supports OpenAI, Anthropic, Google Gemini, Azure OpenAI, AWS Bedrock, Mistral, and Groq natively, plus any OpenAI-compatible endpoint. All are reachable through one unified, OpenAI-compatible API for both chat completions and embeddings, with virtual keys, quota-aware key pooling, and automatic cross-provider failover.
Tygress centralizes AI governance at the gateway: PII and secret redaction (AI DLP), prompt-injection and jailbreak guardrails, per-consumer model and tool allowlists, human-in-the-loop approvals for sensitive calls, immutable audit logging to Postgres, and role-based admin access — giving security and compliance teams a single, defensible control point for all AI and API traffic.
Yes. Tygress is an AI-native gateway: a unified multi-provider API for OpenAI, Anthropic, AWS Bedrock, and others with automatic provider failover; prompt-injection and jailbreak guardrails; PII and secret redaction (AI DLP); semantic caching for LLM responses; token-aware rate limiting; and per-route USD cost budgets.
Yes. Tygress natively proxies Model Context Protocol (MCP) servers — JSON-RPC 2.0 over HTTP and SSE — with the full plugin chain in front: authentication, rate limiting, and audit logging, plus a dedicated mcp-guard plugin that enforces per-consumer tool allowlists on tools/call invocations.
Yes. Tygress includes an A2A (Agent2Agent) gateway that federates JSON-RPC agents with skill-affinity, round-robin, or fallback routing, and a unified human-in-the-loop approval system that can gate any MCP or A2A call behind an admin decision with a shared queue, audit log, and webhooks.
Four layers: semantic caching replays answers to similar prompts without contacting the provider; token-aware rate limiting meters usage by tokens instead of requests; per-route USD cost budgets cap spend in dollars using a per-model price table; and automatic failover routes around degraded providers.
Yes. Tygress ships with post-quantum cryptography out of the box. Every TLS connection can negotiate a NIST-standardized hybrid key exchange (X25519 + ML-KEM-768, FIPS 203), defending your traffic against harvest-now, decrypt-later attacks where adversaries store encrypted data today to break it once quantum computers mature. You can enforce post-quantum handshakes per-route or fleet-wide, and generate an on-demand crypto-posture report to prove your quantum-readiness for audits.
Pingora is Cloudflare's open-source Rust framework for building fast, reliable, and programmable network services. It powers Cloudflare's global edge network handling trillions of requests daily. Tygress uses Pingora for its async-first architecture, intelligent connection pooling, and battle-tested reliability at scale.
Join the waitlist to get early access, development updates, and exclusive launch-day pricing. We'll only email you when it matters.