Kong and Zuplo both solve the API gateway problem, but they come from fundamentally different starting points. Kong is an open-source gateway built on NGINX and Lua, designed for teams that want full control over their infrastructure. Zuplo is an edge-native, fully managed platform designed for teams that want API management without the operational burden.
If you are comparing these two platforms, the core question is usually: do you want to manage your API gateway infrastructure, or do you want someone else to handle that while you focus on your APIs?
Here’s what sets them apart:
- Architecture: Kong runs on NGINX/OpenResty with a PostgreSQL or Cassandra database for configuration storage. Zuplo deploys to 300+ global edge locations with zero infrastructure to manage.
- Developer experience: Kong uses Lua plugins and an Admin API with the decK CLI for configuration management. Zuplo uses TypeScript policies with native GitOps workflows.
- Pricing model: Kong OSS is free but requires significant ops investment. Kong Konnect uses consumption-based pricing that can escalate quickly. Zuplo offers transparent, usage-based pricing with all infrastructure included.
- Developer portal: Kong’s developer portal is an enterprise-only feature. Zuplo includes an auto-generated developer portal on every plan.
- Deployment speed: Kong configuration changes propagate via database polling with a 5–10 second window. Zuplo deploys globally in under 20 seconds via Git push.
Feature comparison at a glance
| Feature | Kong | Zuplo |
|---|---|---|
| Deployment model | Self-hosted or hybrid managed | 300+ global edge locations |
| Configuration | Lua plugins + Admin API / decK CLI | TypeScript + JSON |
| Deployment speed | 5–10 second propagation window | Under 20 seconds globally |
| Developer portal | Enterprise only | Auto-generated from OpenAPI, all plans |
| Git integration | Requires custom CI/CD + decK | Native GitOps |
| Rate limiting | OSS + Advanced (enterprise) | Built-in with sliding window, per-user or per-key |
| API key management | Manual via Admin API | Built-in self-serve with developer portal |
| Pricing | OSS free + high ops cost; Konnect $$ | Transparent pricing, infrastructure included |
| Custom logic | Lua (Go/Python/JS via ext. process) | Standard TypeScript with npm ecosystem |
Architecture
Kong
Kong is built on NGINX and OpenResty, which combines NGINX with the LuaJIT compiler. This gives Kong high throughput and the ability to extend request processing through Lua scripts that hook into the NGINX request lifecycle.
A typical Kong deployment involves:
- A control plane running the Admin API and Kong Manager UI
- One or more data plane nodes running NGINX workers that proxy traffic
- A PostgreSQL or Cassandra database storing routes, services, plugins, and consumers
- The decK CLI for declarative configuration management
- Plugins written in Lua (with newer support for Go, Python, and JavaScript via external process execution)
Kong offers three deployment models:
- Self-hosted (database-backed) — You manage everything: the database, control plane, data plane nodes, clustering, and upgrades.
- Kong Konnect — Kong hosts the control plane, but you still run your own data plane nodes on your infrastructure.
- Kong Konnect Dedicated Cloud — Fully managed data planes, but at enterprise pricing.
The control plane / data plane separation provides flexibility, but it also means configuration changes must propagate from the database to each data plane node. By default, Kong nodes poll for changes every 5–10 seconds, creating a window where different nodes may serve different configurations.
Zuplo
Zuplo takes a fundamentally different architectural approach. Instead of running a centralized proxy, Zuplo deploys your gateway logic to 300+ edge data centers worldwide using a serverless runtime based on Web Worker technology.
Zuplo offers three deployment models, all providing the same features and APIs:
- Managed Edge (default): Your gateway runs across 300+ global points of presence. Requests are automatically routed to the nearest location. Zero infrastructure to manage. Deployments go live globally in under 20 seconds.
- Managed Dedicated: Zuplo runs a dedicated, isolated instance on the cloud provider of your choice — AWS, Azure, GCP, Akamai, Equinix, and others. You choose the regions. Private networking (AWS PrivateLink, Azure Private Link, GCP Private Service Connect) is supported for both inbound and outbound connections. Still fully managed by Zuplo.
- Self-Hosted: Run Zuplo on your own Kubernetes cluster for complete control over your infrastructure. Available in hybrid and full self-hosted models.
There is no database to maintain, no clustering to configure, and no NGINX tuning to optimize. Rate limiting is enforced globally across all edge locations as a single zone, so consumers cannot bypass limits by routing through different regions.
Developer experience
Configuration and extensibility
Kong’s configuration lives in its database (or YAML files in DB-less mode) and is managed through the Admin API, Kong Manager UI, or the decK CLI. When you need custom behavior, you write a Lua plugin that hooks into specific NGINX request lifecycle phases.
Here is a simple Kong Lua plugin that adds a custom header:
Lua is a capable language, but most development teams do not use it. Finding engineers with Lua expertise is difficult, and debugging Lua plugins running inside NGINX worker processes requires specialized knowledge.
Zuplo uses TypeScript for all custom logic. The same header-injection policy in Zuplo:
Zuplo policies use standard Web APIs (Request, Response, Headers, fetch)
and have access to the full npm ecosystem. You get type safety, autocomplete,
and inline documentation in any TypeScript-capable editor.
GitOps and deployment workflows
Achieving GitOps with Kong requires custom work: external scripting, custom CI/CD pipelines, and the decK CLI to sync declarative config files to the Admin API. Teams frequently encounter drift between their decK files and the actual Admin API state, especially in environments that mix declarative and imperative management.
Zuplo is GitOps-native. All configuration — routes, policies, environment variables, developer portal settings — lives as files in your Git repository. Push to a branch to create a preview environment automatically. Merge to main and the gateway deploys globally. Every deployment is immutable and versioned. Roll back by reverting a commit.
There is no Admin API to manage, no database state to keep in sync, and no decK equivalent to install.
API gateway features
Rate limiting
Kong provides rate-limiting (open source) and rate-limiting-advanced
(enterprise only) plugins. The open-source plugin supports local, cluster, and
Redis-backed strategies. The advanced plugin adds sliding window algorithms and
more granular controls but requires an enterprise license.
Zuplo’s rate limiting policy supports per-user, per-IP, or custom function-based limits with sliding window algorithms out of the box. You can write a custom TypeScript function to define dynamic rate limit grouping logic — for example, rate limiting by customer tier. No Redis or separate database is needed.
Authentication
Both platforms support API key authentication, JWT validation, OAuth token validation, basic authentication, and mTLS. Key differences:
Kong offers a broad set of authentication plugins including key-auth,
jwt, basic-auth, oauth2, hmac-auth, ldap-auth, and mtls-auth. The
oauth2 plugin can act as a full authorization server (issuing tokens, not just
validating). LDAP and HMAC support are built in.
Zuplo offers API key authentication with a managed key service that includes self-serve key management through the developer portal. The JWT auth policy works with any OpenID-compliant provider, and Zuplo ships pre-built JWT policies for Auth0, Cognito, Clerk, Firebase, and Supabase. API key leak detection via GitHub secret scanning integration, managed WAF with OWASP Core Ruleset, built-in DDoS protection, and bot detection (enterprise) round out the security story.
Request and response transformation
Kong’s request-transformer and response-transformer plugins modify headers,
query parameters, and body content using declarative configuration.
Zuplo provides built-in policies for setting request headers, transforming request bodies, setting response headers, and transforming response bodies. For complex transformations, you write a custom TypeScript policy with full access to the request/response objects and npm packages.
OpenAPI support
Kong does not use OpenAPI as its native configuration format. Routes are defined through the Admin API or in Kong’s own YAML schema. You can import an OpenAPI spec using third-party tools, but it is not the primary workflow.
Zuplo is OpenAPI-native. Routes are
defined in a routes.oas.json file that is a valid OpenAPI 3.1 document
extended with x-zuplo-route for gateway behavior. You can import an existing
OpenAPI spec directly and add gateway configuration on top of it. The developer
portal, request validation, and API documentation all derive from this single
source of truth.
Developer portal
Kong’s developer portal is available only with Kong Enterprise or Kong Konnect paid plans. It requires setup, manual documentation writing, and ongoing maintenance. The community edition of Kong does not include a developer portal.
Zuplo’s developer portal is included on every plan, including free. It is auto-generated from your OpenAPI spec and updates automatically every time you deploy. Features include interactive API documentation, a built-in API explorer for testing endpoints, self-serve API key management, and authentication with any OIDC provider. The portal is built on Zudoku, an open-source framework, and can be customized with CSS, Markdown, and React components.
Performance and latency
Kong’s performance is strong — NGINX and LuaJIT deliver high throughput for single-node deployments. However, Kong operates as a centralized proxy. Traffic routes through the region where your Kong nodes are deployed, which means latency increases for users far from that region. Multi-region deployments require manually provisioning and syncing clusters in each region.
Zuplo’s edge-native architecture means requests are processed at the data center closest to the user. With 300+ global locations, most requests are served within 50ms of the end user. The edge runtime uses V8 isolates that provide near-zero cold starts (milliseconds, not seconds), and deployments propagate globally in under 20 seconds. Multi-region is the default behavior, not an add-on.
Pricing and total cost of ownership
Kong
Kong Gateway OSS is free to download, but the total cost of ownership includes:
- Infrastructure: PostgreSQL or Cassandra database, compute for control plane and data plane nodes, load balancers, monitoring
- Staffing: Engineers skilled in NGINX, Lua, and database administration. Kong-specialized DevOps engineers command premium salaries.
- Kong Konnect Plus: Consumption-based pricing with ~$34 per million requests, ~$105/month per gateway service, and ~$720/month for dedicated cloud instances. Overage charges can add up quickly at high volumes.
- Kong Enterprise: Custom pricing with annual contracts, typically exceeding $50,000/year for mid-sized deployments
Zuplo
Zuplo’s pricing is transparent:
- Free plan: 100K requests/month, unlimited API keys and environments, developer portal included
- Builder plan: $25/month, 100K requests included, scales to 1M requests/month
- Enterprise plan: Custom pricing starting at $1,000/month on annual contracts, with SLAs up to 99.999%
All plans include deployment to 300+ edge locations, unlimited environments, API key management, and the developer portal. There are no per-environment charges, no database to maintain, and no infrastructure to staff.
For many teams, the total cost of running Kong — even the open-source version — exceeds what they would pay for Zuplo’s fully managed platform.
API monetization
Kong offers monetization capabilities through enterprise-tier plugins and third-party integrations, but native monetization is not a core focus of the platform.
Zuplo has built-in API monetization with native metering, real-time quota enforcement, and Stripe billing integration. You define meters (request counts, tokens, bytes, or custom dimensions), create plans with rate cards (flat fee, per-unit, tiered, volume, or package pricing), and publish them to your developer portal. Customers subscribe through Stripe Checkout, get plan-scoped API keys, and usage is metered and enforced at the gateway in real time.
AI capabilities
Zuplo has invested heavily in AI gateway features:
- Auto-generated MCP server from OpenAPI specs, making your APIs discoverable by AI agents
- Centralized MCP Gateway for managing all MCP servers
- AI Gateway with model routing to OpenAI, Anthropic, Google, and other LLM providers
- Real-time token usage and cost tracking
Kong has introduced AI-specific plugins including AI Proxy and AI Prompt Decorator (open source) and AI Rate Limiting Advanced and AI Proxy Advanced (enterprise only), but the MCP ecosystem and AI-native gateway features are less developed.
Plugin ecosystem
Kong’s plugin ecosystem is one of its strongest features. With 100+ plugins available (a mix of open source, enterprise, and community-contributed), Kong covers a wide range of use cases out of the box. However, writing custom plugins requires Lua expertise, and community plugins vary in quality and maintenance.
Zuplo takes a different approach. Instead of a traditional plugin marketplace, Zuplo provides a catalog of built-in policies (authentication, rate limiting, transformation, validation, and more) combined with the ability to write custom TypeScript policies for anything not covered. Because policies are standard TypeScript, any developer on your team can write and maintain them — no specialized language knowledge required.
When to choose Kong
Kong may be the better choice if:
- You need a Kubernetes ingress controller tightly integrated with your cluster’s networking
- Your team has existing expertise in NGINX, Lua, and Kong’s ecosystem and wants to continue leveraging that investment
- You require on-premises deployment in environments with no internet connectivity (air-gapped)
- You need Kong to act as a full OAuth 2.0 authorization server (issuing tokens, not just validating)
- You rely on a specific Kong community or enterprise plugin that has no equivalent elsewhere
When to choose Zuplo
Zuplo is the better choice if:
- You want edge-native performance without managing infrastructure — your gateway is distributed globally by default
- Your team prefers TypeScript over Lua and wants access to the npm ecosystem for custom logic
- You value GitOps workflows with instant preview environments on every pull request
- You need a developer portal included out of the box, not locked behind an enterprise license
- You want transparent pricing without consumption-based surprises or enterprise-minimum contracts
- You need API monetization with native metering and Stripe billing integration
- You are building AI-powered applications and want native MCP server and AI gateway capabilities
- You run multi-cloud backends and need a single gateway that fronts AWS, Azure, GCP, and on-premises services from one configuration
Migration path
If you are currently running Kong and considering a move to Zuplo, the Kong to Zuplo migration guide covers plugin-to-policy mapping, configuration translation, and a phased migration plan. Most teams complete the migration in two to four weeks.
For a structured feature comparison, see the Kong vs Zuplo comparison page.
Get started with Zuplo
Sign up for free and set up your first gateway in minutes with the getting started guide.