NapiGate Config-driven API gateway

Small runtime. Clear edges. Better operator ergonomics.

Run your API edge without buying into a platform.

NapiGate gives teams a clean gateway layer for routing, scoped client authentication, trusted inline hooks, OAuth client credentials, and built-in monitoring, all with a straightforward YAML contract.

Start deploying Explore the config
6 supported auth types
3 runtime dependencies
1 gateway contract to reason about
/__admin Live

Gateway overview

NapiGate operations

Healthy

Services

12 Public and protected routes

Clients

31 Scoped by service or endpoint

Latency

42ms Median upstream roundtrip
protected_headers OAuth client credentials 200
public_ip Public route 200
external_service Custom validation 401
Show log table

Authentication surface

Multiple ways in, one clean client model

Scoped clients
api_key bearer basic header_key oauth_client_credentials external_service
Client scopes

Authenticate against all services, selected services, or exact endpoints.

Credential hygiene

Consumed secrets are stripped before upstream forwarding.

Readable config

Review gateway behavior directly from YAML

Validated 
clients:
  - code: demo_portal
    title: Demo Portal
    access:
      mode: services
      services: [protected_httpbin]
    auth_methods:
      - code: portal_api_key
        type: api_key

services:
  protected_httpbin:
    auth: { required: true }

Product overview

Everything important stays visible.

NapiGate keeps the moving pieces small enough to understand: route matching, client access scope, auth methods, trusted hooks, upstream forwarding, and operational logs.

Scoped clients

Attach multiple auth methods to each client and scope access to all services, selected services, or selected endpoints.

Trusted hooks

Use pre_call and external_service for downstream preparation and custom validation flows.

Built-in operations

Admin UI, monitor table, JSON logs, live stream, and rotating file logs are part of the default product surface.

Operational control

Keep admin and monitor features close to the runtime.

  • File-backed users and roles with explicit permissions
  • Bootstrap admin support through environment variables
  • Live request visibility through HTML, JSON, and SSE endpoints
  • Daily file log rotation with SQLite-backed request history

Request lifecycle

  1. Match the incoming method and path.
  2. Resolve client scope and authenticate the request.
  3. Run trusted hook code when configured.
  4. Render templates, proxy upstream, and record monitoring data.

Config model

Readable enough to review in a pull request.

clients:
  - code: partner_ops
    title: Partner Operations
    enabled: true
    access:
      mode: endpoints
      endpoints:
        - service: protected_httpbin
          endpoint: protected_headers
    auth_methods:
      - code: partner_oauth
        type: oauth_client_credentials
        client_id: demo-client-id
        client_secret: demo-client-secret

What stays simple

One top-level client model

No service-local client blocks to track down later.

Service auth is binary

Protected or public, with scope handled by client access rules.

Config validation is strict

Deprecated shapes and broken access references are rejected early.

Deployment

Publish the product site anywhere. Run the gateway wherever you already operate.

Local

cp config/services.example.yaml config/services.yaml
cp config/security.example.yaml config/security.yaml
python3 -m gateway.main --host 0.0.0.0 --port 8000

Docker

cp .env.example .env
cp config/services.example.yaml config/services.yaml
cp config/security.example.yaml config/security.yaml
docker compose up -d --build

Static landing

This site is plain HTML, CSS, and JS, so it can go directly to GitHub Pages or a custom domain without a build pipeline.

Back to the top

For teams that still read their own infrastructure

NapiGate keeps the gateway understandable.

Deploy NapiGate