Zuplo
API Gateway Comparisons

Zuplo vs
TrueFoundry

  • SOC 2 Type II
  • 99.999% SLA
  • 300+ edge locations

One Programmable Gateway for REST, LLM, and MCP Traffic

Feature
Zuplo
TrueFoundry
Gateway Scope
Model Routing and Provider Support
Rate Limiting and Spend Controls
MCP Gateway
Programmable Policies

What's wrong with TrueFoundry

TrueFoundry's key limitations for modern engineering teams

The forces driving enterprises off TrueFoundry in 2026 — operational tax, plugin sprawl, retrofitted AI, and pricing that doesn't predict.

AI-only gateway scope

TrueFoundry governs AI and LLM traffic only. REST API management, developer portals, and API key lifecycle are out of scope, so platform teams run a separate API gateway alongside it — doubling the governance surface.

Self-hosted operational burden

Managed SaaS is available, but TrueFoundry's enterprise and regulated deployments run on customer-managed Kubernetes. The self-hosted gateway plane costs roughly $600–$1,000/month in infrastructure, plus ongoing Helm charts, autoscaling, and cluster upgrades — all on your platform team.

Output guardrails skip streaming

TrueFoundry's output guardrails do not run when streaming is enabled; its own docs recommend setting stream:false for them to apply. Since streaming is the default for real-time chat, output protection is off in the most common LLM pattern.

Configuration, not code

Policies are set via YAML, the UI, or per-request headers (x-tfy-cache-config, X-TFY-GUARDRAILS). Custom guardrails require Python functions or a Guardrails.AI integration, and logic beyond the supported options lives outside the platform.

Why Zuplo

Built for teams replatforming off TrueFoundry

Managed, modern API management with predictable economics across procurement cycles — no operator overhead, no plugin sprawl, no consumption-pricing surprises.

Gateway Scope

Unified REST + LLM + MCP gateway vs. AI-only gateway requiring a separate API management layer.

Model Routing and Provider Support

Enterprise-focused provider routing vs. broader multi-provider coverage with advanced routing strategies.

Rate Limiting and Spend Controls

Hierarchical org-to-app dollar budgets on one gateway vs. flexible multi-dimensional limits on an AI-only gateway.

A solutions architect can walk you through your current TrueFoundry setup, surface the biggest operational tax, and map a migration path — no slide deck required.

Enterprise ready

Production-ready for regulated and high-volume workloads

Compliance & Audit

  • SOC 2 Type II audited annually
  • Third-party penetration test reports available under NDA
  • GDPR-aligned data processing
  • Audit logs across the control plane
  • API governance with policy enforcement

Identity & Access

  • SAML SSO and SCIM provisioning
  • Role-based access control across organizations, projects, and environments
  • Service-account credentials with scoped permissions
  • API key metadata for downstream authorization

Deployment Flexibility

  • Managed edge across 300+ locations — global by default
  • Managed dedicated single-tenant on AWS, Azure, GCP, Akamai, or any major cloud
  • Self-hosted on Kubernetes with full control plane
  • Bring-your-own-cloud for data residency requirements

Support & Success

  • Up to 30-minute response SLA on Enterprise
  • 24/7/365 emergency hotline for critical incidents
  • Named technical account manager
  • Architecture and migration professional services

Built for the AI era

Built for AI agents, MCP, and token-aware traffic

TrueFoundry provides a capable, proprietary LLM gateway with model routing, caching, and a broad guardrails ecosystem. But it is an AI-only product — REST API governance, developer portals, and API key management require a separate platform — and its MCP Gateway is a separate component within the same platform.

Unified policy engine

REST APIs, LLM traffic, and MCP servers share the same authentication, rate limiting, validation, and observability policies. One deployment, one audit trail, one bill.

MCP Gateway with OAuth

Built-in OAuth authorization server with Dynamic Client Registration, PKCE S256, and per-user upstream credential brokering. Virtual MCP servers compose multiple upstreams behind one URL with curated tool lists per team.

Token-aware rate limiting and spend caps

Rate limit LLM endpoints by actual tokens consumed, not request count. Set hierarchical dollar budgets at the organization, team, and application level with real-time enforcement.

Managed edge deployment

Deploy AI gateway policies across 300+ edge locations with zero Kubernetes operations. Or choose managed dedicated or self-hosted Kubernetes for data residency requirements.

See it in action

See Zuplo running on your stack

A 30-minute working session with a Zuplo solutions engineer. Bring an OpenAPI spec or a Kong route definition and walk away with a working preview.

Side by side

Feature-by-feature comparison

Feature
Zuplo
TrueFoundry
Gateway Scope
One programmable gateway for REST APIs, LLM traffic, and MCP servers. Authentication, rate limiting, validation, and observability policies apply uniformly across all traffic. One deployment, one audit trail, one bill.
AI-only gateway focused on LLM routing, caching, and guardrails. REST API management, developer portals, and API key lifecycle are out of scope, so platform teams need a separate API gateway for non-AI traffic.
Model Routing and Provider Support
Multi-provider routing across OpenAI, Anthropic, Google Gemini, and Mistral with declarative provider mapping, per-route model selection, and auto-failover. Drop-in OpenAI SDK compatibility via a baseURL swap. Coverage focused on the enterprise short list — depth over breadth.
Routing across 1,000+ models from 15+ providers including OpenAI, Anthropic, Google, AWS Bedrock, Azure OpenAI, Cohere, Mistral, Groq, and self-hosted models. Weighted load balancing, latency-based routing, priority fallback, and geo-aware routing. Broader coverage, more routing strategies.
Semantic Caching
Semantic Cache Inbound policy uses LLM embeddings and vector similarity to match requests expressing the same intent. Configurable similarity threshold, TTL expiration, and custom cache-key extraction via property path or function.
Both exact-match and semantic caching. Semantic mode uses embeddings and cosine similarity with a configurable threshold, plus per-user isolation and namespace partitioning. Only the last message is compared semantically — all other parameters must match exactly.
Rate Limiting and Spend Controls
Token-aware rate limits via setIncrements — one LLM call does not equal one unit of budget. Hierarchical dollar budgets cascade from organization to team to application with daily and monthly enforcement; sub-team budgets cannot exceed the parent ceiling, and requests halt when a budget is hit.
Token-based and request-based rate limiting with per-minute, per-hour, and per-day windows, scoped by user, team, model, and metadata. Dollar- denominated budget enforcement at the user, team, model, and environment level.
Guardrails and Prompt Injection
Prompt Injection Detection policy uses a tool-calling LLM to detect poisoned prompts. Secret Masking policy redacts API keys, tokens, and sensitive values from responses. Compose custom guardrails as TypeScript code.
Extensive guardrails ecosystem — prompt injection (powered by Azure Prompt Shield), PII/PHI detection, code safety, SQL sanitization, and Cedar/OPA policy enforcement. Integrates with AWS Bedrock Guardrails, Azure Content Safety, Palo Alto Prisma AIRS, CrowdStrike, and Patronus AI. Output guardrails are skipped when streaming is enabled.
MCP Gateway
Built-in OAuth authorization server with Dynamic Client Registration and PKCE S256. Per-user upstream OAuth brokering with encrypted token storage. Virtual MCP servers compose multiple upstreams behind one URL with curated tool lists per team. RFC 8707 resource indicators bind tokens to their virtual server. Same policy engine as REST and LLM traffic.
MCP Gateway component within the same platform, with OAuth authentication and RBAC. Pre-tool and post-tool guardrails for SQL injection, prompt injection, secrets, PII, and custom Cedar/OPA policies. Configured as a separate surface alongside the AI Gateway.
Programmable Policies
Every policy is TypeScript code running in V8 isolates, with pre- and post-request hooks at every stage. Full npm ecosystem, type safety, CI tests, and Web Standard APIs (fetch, Request, Response). Custom auth, guardrails, and routing — not limited to a configuration UI.
Configuration-driven gateway managed via YAML, CLI, or UI. Custom guardrails require Python functions or a Guardrails.AI integration, and per-request behavior is controlled through headers (x-tfy-cache-config, X-TFY-GUARDRAILS). Logic beyond supported options goes outside the platform.
GitOps and Deployment Pipeline
Git is the source of truth. Every push deploys, every PR gets a live preview environment on the same 300+ edge POPs as production. Rollback via git revert. CODEOWNERS for sensitive changes. Supports GitHub, GitLab, Bitbucket, and Azure DevOps.
Declarative YAML applied via the tfy CLI (tfy apply -f config.yaml), supporting GitOps workflows where config lives alongside application code. UI dashboard for visual management. No automatic PR preview environments.
Deployment Model
Managed multi-tenant on 300+ edge POPs by default, managed dedicated single-tenant on AWS, Azure, GCP, Akamai, or Equinix, and self-hosted on Kubernetes. No infrastructure to operate on the managed tiers. Deploys in seconds via git push.
Fully managed SaaS, SaaS with customer data storage, self-hosted gateway plane (~$600–$1,000/month infrastructure), and fully self-hosted including air-gapped. Enterprise and regulated deployments target Kubernetes in the customer VPC.
Compliance and Certifications
SOC 2 Type II audited annually. GDPR-aligned data processing. Annual third-party penetration tests under NDA. Audit logs across the control plane. 99.999% enterprise uptime SLA.
SOC 2 Type II, HIPAA, and ITAR certified — broader coverage for regulated industries such as healthcare, defense, and aerospace. Full VPC and air-gapped deployment for strict data residency.
Observability
Every LLM request logged with latency, tokens, and cost per call. Stream request data to Galileo, Comet Opik, or custom collectors. For MCP, typed analytics events fire across the request lifecycle, capability invocations, and upstream OAuth flow. Structured logs pipe to Datadog, New Relic, or Splunk.
OpenTelemetry-compliant metrics, traces, and request logs. Latency graphs, token-level traces, and centralized error logs. Real-time dashboards track blocked requests and top consumers. Integrated prompt management with versioned prompts and a playground.
Pricing
Free tier for development. Predictable Enterprise pricing that bundles the developer portal, managed dedicated deployments, SOC 2 controls, SSO, audit logs, AI Gateway, and MCP Gateway. No per-log billing or silent observability caps.
Transparent published tiers — Developer at $0/month (50K requests, 3 users), Pro at $499/month (1M requests, 10 users), Pro Plus at $2,999/month, and Enterprise custom for 10M+ requests with VPC and air-gapped options. Self-hosted gateway infrastructure adds ~$600–$1,000/month.

Migration path

Migrating from TrueFoundry to Zuplo

Most teams using TrueFoundry route LLM traffic through the AI Gateway and may be exploring MCP governance separately. Migrating to Zuplo consolidates both onto one platform. Since both gateways use OpenAI-compatible APIs, the application-side change is a baseURL swap.

Migration phases

Typical production cut-over in 2–4 weeks

  1. Audit current LLM routes and policies

    Catalog the providers, models, rate limits, spend caps, and guardrails configured in TrueFoundry, and map each to the equivalent Zuplo policy (model routing, semantic caching, complex rate limiting, prompt- injection detection, secret masking).

    2 wksPlan locked
  2. Configure Zuplo AI Gateway

    Create a Zuplo project, add your LLM providers (OpenAI, Anthropic, Gemini, Mistral), configure teams and dollar budgets, and apply guardrail policies. Test with the OpenAI SDK by swapping the baseURL to your Zuplo endpoint.

    2 wksFoundation live
  3. Consolidate MCP governance

    If you run TrueFoundry's MCP Gateway separately, stand up Zuplo's MCP Gateway in the same project. Configure your IdP, import upstream MCP servers, define virtual MCP servers per team, and apply prompt-injection and credential-brokering policies.

    4 wksSide-by-side
  4. Cut over traffic and decommission

    Repoint application baseURLs and MCP client configs to Zuplo, run both gateways in parallel during validation, then decommission the TrueFoundry Kubernetes deployment and recover the infrastructure cost.

    2 wksCut-over done

What our customers say

Trusted by engineering teams at scale

Blockdaemon

90%

Hardware footprint reduction at scale

Read the Blockdaemon case study →

"The move to Zuplo from our existing API Management vendor was easy, taking just over 2 months to switch mission critical systems, and we're saving over 70% on costs."

Ryan Waites

Senior Director, Blockdaemon

Case study →

"Zuplo gives us the flexibility to scale efficiently, ensures security and compliance, and reduces operational complexity so we can focus on building new capabilities."

Daryl Benzel

Staff Software Engineer, Yext

Case study →
AccuWeather

1B+

End users served via Zuplo APIs

Read the AccuWeather case study →

Finsolutia

Hours

To launch MCP server on regulated APIs

Read the Finsolutia case study →

"We didn't touch a line of code, it's just plug and play. The results were very surprising, in just a couple of hours we had a great result and a fully working MCP Server."

Miguel Madeira

CTO & Co-Founder, Finsolutia

Case study →

Trusted for regulated and high-volume workloads

SOC 2 Type II Third-party penetration testing GDPR-aligned 24/7/365 emergency hotline
300+ Global edge locations
Billions API requests served / month
Up to 99.999% Enterprise uptime SLA
<20s Global deploy time

Frequently Asked Questions

Common questions about Zuplo vs TrueFoundry.

Ready to talk to an expert?

Book a call with a solutions architect for a tailored walkthrough — SOC 2 controls, dedicated deployment, AI Gateway, and enterprise support. Or start free and explore the platform yourself.