Zuplo vs Portkey

  • SOC 2 Type II
  • 99.999% SLA
  • 300+ edge locations

The Independent MCP Gateway for Teams Re-Evaluating After the Palo Alto Networks Acquisition

Feature
Zuplo
Portkey
Independence and Roadmap Sovereignty
Programmable Policies (TypeScript vs Configuration)
GitOps and CI/CD
Observability and Audit Retention
Pricing Transparency

What's wrong with Portkey

Portkey's key limitations for modern engineering teams

The forces driving enterprises off Portkey in 2026 — operational tax, plugin sprawl, retrofitted AI, and pricing that doesn't predict.

Independence and Roadmap Sovereignty

Portkey is now a feature inside Prisma AIRS, Palo Alto Networks' AI security platform. The product roadmap belongs to PANW. Cross-vendor neutrality, developer-first DX, and self-serve pricing are all subject to the integration plan. There is a real 12–18 month window where the value drift between independent Portkey and integrated-PANW Portkey becomes visible.

Log-Cap Observability Blind Spots

Portkey's pricing meters logs, not requests. Once you exceed the log cap, the gateway keeps routing requests to LLMs and MCP servers but new logs are no longer recorded in the observability dashboard. For a governance product, silently losing visibility under load is the wrong failure mode.

Short Audit Retention on Pro

Portkey's Production tier retains 30 days of logs. Regulated workloads (HIPAA, SOX, FedRAMP) generally require multi-year retention. Long-term audit retention sits behind Enterprise sales — now a Palo Alto Networks enterprise sale.

Governance Behind an Enterprise Call

SSO, advanced RBAC, VPC deployment, and EU data residency are Enterprise-tier features at Portkey. Mid-market teams that need real governance for MCP traffic — without a six-figure ELA — are increasingly pushed up-market.

Why Zuplo

Built for teams replatforming off Portkey

Managed, modern API management with predictable economics across procurement cycles — no operator overhead, no plugin sprawl, no consumption-pricing surprises.

Independence and Roadmap Sovereignty

Independent product roadmap vs. Palo Alto Networks security-suite consolidation.

Per-User OAuth Brokering to Upstream MCP Servers

Per-user OAuth brokering across many upstreams vs. static third-party auth flow.

Virtual MCP Servers (Multi-Upstream Composition)

First-class virtual MCP servers vs. registry-style cataloging of individual upstreams.

A solutions architect can walk you through your current Portkey setup, surface the biggest operational tax, and map a migration path — no slide deck required.

Enterprise ready

Production-ready for regulated and high-volume workloads

Compliance & Audit

  • SOC 2 Type II audited annually
  • Third-party penetration test reports available under NDA
  • GDPR-aligned data processing
  • Audit logs across the control plane
  • API governance with policy enforcement

Identity & Access

  • SAML SSO and SCIM provisioning
  • Role-based access control across organizations, projects, and environments
  • Service-account credentials with scoped permissions
  • API key metadata for downstream authorization

Deployment Flexibility

  • Managed edge across 300+ locations — global by default
  • Managed dedicated single-tenant on AWS, Azure, GCP, Akamai, or any major cloud
  • Self-hosted on Kubernetes with full control plane
  • Bring-your-own-cloud for data residency requirements

Support & Success

  • Up to 30-minute response SLA on Enterprise
  • 24/7/365 emergency hotline for critical incidents
  • Named technical account manager
  • Architecture and migration professional services

Built for the AI era

Built for governing MCP traffic, not just routing LLM tokens

Portkey's MCP Gateway shipped on January 21, 2026 — less than four months before the Palo Alto Networks acquisition was announced. The MCP product line has not yet had a full year of independent product velocity. Future capability lands inside Prisma AIRS.

Virtual MCP servers

Compose multiple upstream MCP servers (Linear, GitHub, Stripe, Atlassian, Slack, internal) behind a single gateway URL. Curate the exact tool list each team or role can call. Add or remove upstreams without redeploying agents.

Per-user OAuth brokering

End-users complete the upstream's OAuth flow themselves; the Gateway brokers and refreshes their tokens per session with per-user revocation. Refresh tokens are sealed in the gateway vault with AES-GCM and never returned to the MCP client.

Tool-level authorization

Toggle individual tools on or off without forking the upstream. Curate per-role tool catalogs — Finance gets read-only Stripe and QuickBooks; Engineering gets GitHub and deployment tools. RFC 8707 resource indicators bind every token to its virtual MCP server, so a token minted for one is rejected at another.

Composable AI guardrails

Prompt-injection detection inherited from the gateway policy stack. Automatic redaction of tokens and customer payloads in logs. Compose with the AI Gateway's guardrail policies — including the Akamai AI Firewall partnership — or drop in your own TypeScript policy. Zuplo orchestrates, you choose the vendor.

See it in action

See Zuplo running on your stack

A 30-minute working session with a Zuplo solutions engineer. Bring an OpenAPI spec or a Kong route definition and walk away with a working preview.

Side by side

Feature-by-feature comparison

Independence and Roadmap Sovereignty

  • Zuplo: Independent, venture-backed company focused on the developer-first API and MCP gateway category. Roadmap driven by customers, not by an acquirer's enterprise security suite integration plan.
  • Portkey: Acquired by Palo Alto Networks on April 30, 2026. Future MCP Gateway capability lands inside Prisma AIRS. Roadmap and pricing are subject to the integration with PANW's broader security platform.

MCP Gateway Maturity

  • Zuplo: Shipping the MCP gateway category through 2025 and 2026 — open-source @zuplo/mcp primitives, OpenAPI-to-MCP, virtual MCP server composition, and a full OAuth 2.0 authorization server implementing the 2025-06-18 MCP spec over streamable HTTP.
  • Portkey: MCP Gateway shipped on January 21, 2026. Less than four months of independent product life before the Palo Alto Networks acquisition was announced.

Per-User OAuth Brokering to Upstream MCP Servers

  • Zuplo: Each end-user completes the upstream's OAuth flow themselves; the Gateway brokers and refreshes their tokens per session with per-user revocation. Works with Linear, GitHub, Stripe, Atlassian, Slack, and any OAuth-compliant MCP server. Refresh tokens sealed in the gateway vault with AES-GCM, never returned to the MCP client.
  • Portkey: Static Third-Party Authorization Flow. Works well for a single upstream; design strain shows when many MCP servers are added or removed dynamically across an org.

Virtual MCP Servers (Multi-Upstream Composition)

  • Zuplo: Compose multiple upstream MCP servers behind a single virtual MCP URL with a curated tool list. Finance gets a read-only view of Stripe and QuickBooks. Engineering gets GitHub and deployment tools. Same governance, different exposure.
  • Portkey: MCP Registry catalogs servers. RBAC available at server, workspace, team, and tool level. Composing multiple servers behind one virtual endpoint with curated tool exposure is not a first-class concept.

Programmable Policies (TypeScript vs Configuration)

  • Zuplo: Every policy is TypeScript code. Pre and post-request hooks at every stage of the MCP request lifecycle. Full npm ecosystem, full type safety, real CI tests. Custom auth, custom guardrails, custom routing — not a configuration UI.
  • Portkey: Configuration-driven gateway. Programmable behavior happens via published guardrail vendors and in the prompt-management studio. Custom logic outside the supported policy set requires going outside the platform.

GitOps and CI/CD

  • Zuplo: Git is the source of truth. Every push deploys, every PR gets a live preview environment. Same code-first deployment model as the rest of the Zuplo platform. Branches, environments, and rollbacks for MCP gateway configuration.
  • Portkey: Configuration is managed in the Portkey UI and API. Promotion across environments and version control of governance rules is the customer's responsibility.

Prompt-Injection and Payload Guardrails

  • Zuplo: Prompt-injection detection on every MCP request, inherited from the Zuplo policy stack. Automatic redaction of tokens and customer payloads in logs. Composable with the AI Gateway's guardrail policies — including the Akamai AI Firewall partnership — or your own TypeScript policy. Block, redact, or flag — your choice.
  • Portkey: 60+ guardrails advertised, including prompt injection, PII, content classification, and a Palo Alto Networks AIRS plugin. Action types include deny, route, retry, and switch model. Vendor selection is configured in the Portkey console.

Observability and Audit Retention

  • Zuplo: Typed analytics events fire across the MCP request lifecycle, capability invocations, and upstream OAuth flow. Trace-ready structured logs (tenant, session, capability, latency, failure origin) pipe straight into Datadog, Honeycomb, or BigQuery. 90-day default account-level audit-log retention, exportable to your SIEM. No log caps that silently drop observability under load.
  • Portkey: Production tier retains 30 days of logs. Long-term retention is an Enterprise add-on. Critically, exceeding the log allotment causes new logs to silently stop being recorded — gateway routing continues, but observability does not.

Identity Provider Integration

  • Zuplo: First-class presets for Auth0 and any OIDC provider — drop in your issuer URL and your customers click Connect. Per-user JWT claims drive per-team and per-tenant authorization at the gateway edge. SAML SSO is also available across the broader Zuplo platform.
  • Portkey: SSO with Okta and Microsoft Entra ID supported. SSO availability and advanced RBAC live on the Enterprise tier.

Deployment Model

  • Zuplo: Managed multi-tenant on 300+ edge POPs by default, managed dedicated single-tenant on AWS, Azure, GCP, Akamai, or Equinix, and self-hosted Kubernetes. Data residency via region pinning on dedicated deployments.
  • Portkey: SaaS, Private Cloud, VPC, and self-hosted options. Open-source gateway runs on Node, Docker, Cloudflare Workers, or Replit. VPC and on-prem deployment are Enterprise-tier.

Compliance Posture

  • Zuplo: SOC 2 Type II audited annually, GDPR-aligned data processing, annual third-party penetration tests under NDA, audit logs across the control plane.
  • Portkey: Enterprise tier holds SOC 2 Type II, HIPAA, GDPR. Production and Developer tiers do not include the same compliance posture without upgrading.

LLM Provider Routing

  • Zuplo: Model routing, retries, fallbacks, and budget controls available as first-class TypeScript policies. Provider coverage focused on the enterprise short list (OpenAI, Anthropic, Google, AWS Bedrock, Azure OpenAI) — depth over breadth.
  • Portkey: Universal API across 1,600+ models from 60+ providers. Smart routing, load balancing, semantic caching, fallbacks, retries, multimodal, virtual keys with vault-backed rotation.

Pricing Transparency

  • Zuplo: Predictable Enterprise pricing that includes the developer portal, managed dedicated tier, SOC 2 controls, SSO, audit logs, and the MCP Gateway at one tier. PayGo for self-serve teams.
  • Portkey: Open Source ($0), Developer ($0), Production ($49/mo with $9 per 100K log overage up to 3M cap), Enterprise (custom — third-party estimates $2K–$10K+/mo). MCP Gateway has no dedicated SKU. SSO, VPC, and EU residency live on Enterprise.

Open Source Footprint

  • Zuplo: @zuplo/mcp open-source MCP client and server primitives, MIT licensed. Zuplo runtime and policies are source-available with TypeScript escape hatches.
  • Portkey: Portkey-AI/gateway is MIT-licensed (~11.5K GitHub stars) and runs the core LLM router and 50+ guardrails. The MCP registry, RBAC, and observability UI are proprietary and SaaS-first.

Migration path

Re-evaluating Portkey for MCP traffic

Most teams using Portkey today are using it for LLM routing first and MCP governance second. The MCP Gateway product is less than four months old. Migrating MCP traffic to Zuplo is a low-disruption change because MCP clients (Claude Desktop, Claude Code, Cursor, ChatGPT, VS Code, MCP Inspector) point at a gateway URL — swap the URL, repoint OAuth to Zuplo, keep your existing IDP. LLM routing can stay on Portkey or move incrementally.

Migration phases

Typical MCP cut-over in 1–4 weeks for governed deployments

  1. Inventory MCP servers in use

    Catalog the third-party MCP servers your employees are connecting to from Claude Desktop, Claude Code, Cursor, and ChatGPT today (Linear, GitHub, Stripe, Atlassian, Slack, internal). Capture which require per-user OAuth and which use shared service accounts.

    2 wks: Plan locked

  2. Stand up Zuplo MCP Gateway

    Configure your IDP (Auth0 preset or any OIDC provider), import each upstream MCP server, and define virtual MCP servers per role or team. Bind a credential model per route — per-user OAuth where the upstream supports it, shared API key from the encrypted vault where it doesn't.

    2 wks: Foundation live

  3. Apply guardrails and tool-level RBAC

    Add prompt-injection and PII policies to the inbound MCP request path. Define which tools each team can call and which parameters are constrained or redacted. Test against your Claude or Cursor clients.

    4 wks: Side-by-side

  4. Repoint MCP clients

    Move Claude Desktop, Claude Code, Cursor, ChatGPT, and VS Code from individual third-party MCP server URLs to your single Zuplo gateway URL. Keep Portkey on LLM routing duty until that contract renewal makes the broader decision.

    2 wks: Cut-over done

What our customers say

Trusted by engineering teams at scale

Blockdaemon

90%

Hardware footprint reduction at scale

Read the Blockdaemon case study →

"The move to Zuplo from our existing API Management vendor was easy, taking just over 2 months to switch mission critical systems, and we're saving over 70% on costs."

Ryan Waites

Senior Director, Blockdaemon

Case study →

"Zuplo gives us the flexibility to scale efficiently, ensures security and compliance, and reduces operational complexity so we can focus on building new capabilities."

Daryl Benzel

Staff Software Engineer, Yext

Case study →
AccuWeather

1B+

End users served via Zuplo APIs

Read the AccuWeather case study →

Finsolutia

Hours

To launch MCP server on regulated APIs

Read the Finsolutia case study →

"We didn't touch a line of code, it's just plug and play. The results were very surprising, in just a couple of hours we had a great result and a fully working MCP Server."

Miguel Madeira

CTO & Co-Founder, Finsolutia

Case study →

Trusted for regulated and high-volume workloads

  • SOC 2 Type II
  • Third-party penetration testing
  • GDPR-aligned
  • 24/7/365 emergency hotline

300+ Global edge locations
Billions API requests served / month
Up to 99.999% Enterprise uptime SLA
<20s Global deploy time

Ready to talk to an expert?

Book a call with a solutions architect for a tailored walkthrough — SOC 2 controls, dedicated deployment, AI Gateway, and enterprise support. Or start free and explore the platform yourself.