Apiman logo

Extensible Open Source API Management

Apiman makes managing your APIs easy.

With just a few clicks you can get Apiman running, putting a platform at your fingertips that covers the whole API Management lifecycle. Whether you want to offer existing APIs to external consumers in a secure way, or have a centralised location to discover and govern APIs, Apiman has you covered.

But that's not all. Apiman is designed to be easy to customise, and you can implement your own functionality by writing simple Java plugins.

The latest stable Apiman version is 3.1.3.Final, released on 13th Nov 2023.

Just a few of Apiman's features

Real Open Source

Permissively licensed under Apache License, 2.0.

No artificial limitations or restrictions.

No features hidden behind paywalls.

No lock-in.

Govern Your APIs

Flexible, policy-based runtime governance for your APIs.

Offer the same API through multiple plans, allowing different levels of service to different API consumers.

Insight into your traffic with support for a wide array of metrics stores & analytics.

Rich Management Layer

A full REST API, Apiman Manager UI, and standalone Apiman Developer Portal.

Apiman Manager has a breadth and depth of features spanning the API Management Lifecycle: multi-tenancy, events, notifications, permissions, approvals, and so much more.

Extensible & Flexible

A comprehensive plugin system that allows developers to easily create, test, and deploy custom policies and components.

That means you can extend Apiman to do almost anything you need with some simple Java code.

Refer to our developer's guide for more.

Key API Management Use Cases

Covers a range of classic API Management use cases, and so much more.

  • Throttling & Quotas: Limit the number of requests consumers of your APIs can make within a given time period (per API contract or per end-user).
  • Centralised Security: Add authentication and IP filtering capabilities in a central location, freeing your back-end APIs to focus on functionality.
  • Billing & Metrics: Easily get metrics for all your APIs so you can see what's popular or charge your consumers for their usage.

Run Anywhere, At Scale

There are no limitations on where or how you can run Apiman.

Whether you need to run on air-gapped bare metal or in the cloud, Apiman has been deployed to run critical API Management workloads.

Apiman Gateways are decoupled from the Apiman Manager, so even if a manager goes down, your gateways continue running.

The latest from the Apiman Blog

Apiman 3.1.2 released!

I’m delighted to announce that I have released Apiman 3.1.2.Final.

One particularly useful change I’d like to highlight is that the Vert.x Gateway’s API, when secured by Keycloak, now accepts a list of additionally accepted issuers using allowed-issuers, which is useful for users with more complex auth setups.

apiman, release

Apiman 3.1.0 released!

I’m delighted to announce that I have released Apiman 3.1.0.Final.

Aside from numerous bug fixes and a few interesting new features, this includes a security fix for CVE-2023-28640.

Due to an issue with the release pipeline, we ended up having to cut a 3.1.1.Final release also, but it’s identical to 3.1.0.Final.

apiman, release

Potential permissions bypass in Apiman 3.0.0.Final (CVE-2023-28640)

A vulnerability in Apiman has been disclosed that you need to be aware of and respond to. It has CVE ID CVE-2023-28640.


Get Involved


A place to discuss all things Apiman.

We'd particularly like to hear your success stories and how you use Apiman in the wild.

Found an Issue?

If you find a problem with Apiman, please open a ticket on Apiman's GitHub Issues bug tracker.

Apiman Developer Portal

Apiman's standalone developer portal UI, written in modern Angular. This is an easy place to get started if you want to contribute.


Assuming Twitter still exists by the time you read this, you can follow the Apiman team at @apiman_io.

Apiman Plugins

Curated repository of policy plugins for Apiman. Helpful as examples if you want to develop your own.

Migration Guide

If you're moving to a new version of Apiman, please refer to our migration guide before upgrading.

Code of Conduct

Apiman's code of conduct for contributors. Basically, be nice. Adhere to the golden rule, and you won't go far wrong.

Security Reporting Policy

You find a security issue and wish to responsibly report it, you can find who to contact here.