Apiman 3.1.0 released!

· apiman, release
Avatar for Marc Savy
Co-founder & maintainer of Apiman. Founded Black Parrot Labs to support enterprise Apiman users.
/ Black Parrot Labs /

I’m delighted to announce that I have released Apiman 3.1.0.Final.

Aside from numerous bug fixes and a few interesting new features, this includes a security fix for CVE-2023-28640.

Due to an issue with the release pipeline, we ended up having to cut a 3.1.1.Final release also, but it’s identical to 3.1.0.Final.

Need help? Support is available from Apiman’s developers, and helps the project be sustainable. Please be a good open source citizen!

What’s new?



  • [metrics-es]: allow logging metrics to file with write-to option. To facilitate scrape-based metrics patterns, this commit allows Apiman’s ES metrics to be written to a log file as JSON via whichever logging framework you are using (asynchronously). You can set any combination of remote (ES server) or/and log (local). By Marc Savy (@msavy).


  • A variety of dependencies have been updated across the Apiman codebase to keep users secure. If you don’t want to upgrade, speak to your long-term support provider.

  • [manager-api-rest]: Apiman Manager API now has an OpenAPI v3 schema! You can access this at /openapi.json or /openapi.yml. For example, http://localhost:8080/apiman/openapi.json. By Marc Savy (@msavy).

  • Default plugin registry and API catalogue JSON files are now in the GitHub release, rather than directly in the repository. By Marc Savy (@msavy).

  • Converted Apiman into a monorepo (as far as possible). Apiman plugins, default API catalogue, default plugin registry, developer portal, docker images, amongst others, have been painstakingly merged in. CI pipelines have also been updated to reflect this. Multi-repository releases are difficult with GitHub CI, so this will hopefully make more frequent releases much easier. By Marc Savy (@msavy).


  • [manager-api-rest]: Removed obsolete Qmino API documentation generator. I would like to thank the Qmino team for their support over the years. By Marc Savy (@msavy).


  • fix[gateway-vertx]: in Keycloak discovery code getAllowedIssuers check was mistakenly inverted. By ronimhd.

  • fix[manager-api]: register subtypes for deserializing policy probe response, this step was inadvertently removed during refactoring. By Florian Volk (@volkflo).

  • fix[ui]: move validation function for IP list into validate function to ensure list valid when switching between IP policies. By Florian Volk (@volkflo).

  • fix[gateway-engine-es]: throw ClientNotFoundException if client not found when unregistering. By Florian Volk (@volkflo).

  • [manager-api]: Perform unregister only if client is in correct state. By Florian Volk (@volkflo).