Zuplo
API Management

Programmable API Management

Stop stitching together a gateway, a portal, auth, and billing. Everything it takes to run an API in production on one platform — and fully programmable in TypeScript when the defaults don't fit.

Start for Free Talk to an API Expert
API Gateway

Inbound Policies

API Key Auth Active
Rate Limit · 100/min Active
Request Validation Active
CORS Policy Active

Everything you need to manage APIs at scale.

Authentication, rate limiting, developer portals, monetization, and full programmability — in one platform.

Programmable

Never limited by your gateway's config.

The same built-in policies every gateway ships — rate limiting, auth, and more — configured without code. When the out-of-the-box options can't match your exact rules, drop into TypeScript to customize. Code is the escape hatch, not the starting point.

Learn more
Dev Portal

Developer portals that don't suck.

An auto-generated portal tied directly to your API. Customers subscribe, manage keys, and view usage analytics — always in sync with your routes and policies.

Learn more
MCP Server

Turn your API into an MCP server.

Auto-generate a fully compliant Model Context Protocol server from your OpenAPI spec. Endpoints become MCP tools that AI agents can discover and call safely.

Learn more
Rate Limit

Rate limiting, your way.

Throttle by endpoint, key, user, or any custom condition. Start with simple limits, evolve to programmable logic that reads payloads, headers, or custom metrics.

Learn more
Authentication

Authentication, without the pain.

API keys, JWT, OAuth, Basic Auth, mTLS, and secure tunnels — production-grade out of the box. GitHub secret scanning catches leaks before they ship.

Learn more
Open API

One standard through the lifecycle.

Built on OpenAPI from day one. Releases ship via git commit. Linting and CI pipelines give you developer-friendly governance without slowing teams down.

Learn more

Programmable

When presets aren't enough, drop into code.

Most of the time the built-in policies are all you need. When they're not, every policy is also just a TypeScript function — customize roles, quotas, dynamic rate limits, or transformations, then ship via git. Here's custom role-based access in practice.

custom-rbac-policy.ts
export default async function policy(
  request: ZuploRequest,
  context: ZuploContext,
  options: { role: string }
) {
  if (request.user.data.roles.includes(options.role)) {
    return request;
  }
  return new Response("User does not have the correct permissions", {
    status: 403,
  });
}

Need a hand writing your first policy?

Spend 30 minutes with a Zuplo architect — we'll map your APIs and sketch the policy you need, in TypeScript.

Talk to an Architect

Frequently Asked Questions

Learn about API management and how Zuplo helps your team build better APIs.

Want a demo of Zuplo? Talk to an API expert

Ship API management your way.

Free to start. Production-ready on day one. Built for teams that don't want to write XML.

Start for Free Talk to an API Expert