Open Source · AGPLv3

Your spec is your gateway

Stop maintaining two sources of truth. Barbacane uses your OpenAPI and AsyncAPI specifications as the single source of truth for routing, validation, authentication, authorization, and event bridging.

Get Started View on GitHub

The problem with traditional API gateways

Two sources of truth

Your OpenAPI spec defines your API, but your gateway has its own configuration. They inevitably diverge, causing bugs and security issues.

Wasted time reconciling

Teams spend hours syncing gateway config with API specs, debugging mismatches, and fixing inconsistencies that shouldn't exist.

The Barbacane approach

One spec. Zero configuration drift. Automatic enforcement.

1

Write your API spec

Use OpenAPI or AsyncAPI with x-barbacane-* extensions for auth, rate limiting, and routing.

2

Compile to an artifact

Run barbacane compile to generate an optimized binary artifact. Validation happens at compile time.

3

Deploy and run

Deploy the artifact to your gateway. Routing, validation, auth — everything works exactly as specified.

Everything you need in an API gateway

Built in Rust for speed and safety. Extended with WebAssembly for flexibility.

Request Validation

Automatic JSON Schema validation for bodies, parameters, and headers with built-in $ref resolution. Invalid requests never reach your backend.

Authentication

Five built-in auth plugins: JWT, OIDC, OAuth2, API Key, and Basic Auth. Configured directly in your OpenAPI security schemes.

Blazing Fast

Sub-microsecond routing and validation. Built on Rust, Tokio, and Hyper for maximum performance.

24 WASM Plugins

24 official plugins covering auth, security, traffic control, transformations, and observability. Sandboxed WebAssembly execution means plugins can't crash your gateway.

Observability

Prometheus metrics, OpenTelemetry traces, and structured logging. Full visibility into your API traffic.

AsyncAPI & Event Bridging

Bridge HTTP to event-driven systems. Route requests to Kafka, NATS, or AWS Lambda using AsyncAPI specs.

Control & Data Plane Split

Autonomous data planes that run independently. Zero-downtime deployments with hot-reload updates pushed from the control plane.

Web UI

Visual control plane with syntax-highlighted spec viewer, drag-and-drop uploads, build logs, data plane health monitoring, and one-click deployments.

Edge Ready

Service planes are lightweight compiled artifacts. Deploy anywhere — cloud, on-prem, edge locations, or embedded devices.

Authorization

Policy-driven access control with inline CEL expressions, Open Policy Agent integration, and consumer-based ACLs. Zero-trust at the gateway.

Request Transformation

Declarative transformations for headers, query params, paths, and JSON bodies before reaching your upstream. Variable interpolation with capture groups.

S3 Storage Proxy

Proxy requests to AWS S3 or S3-compatible storage (MinIO, RustFS, Ceph) with SigV4 signing. Single-bucket CDN or multi-bucket routing.

FIPS 140-3 Ready

Built on rustls with AWS-LC, a NIST-certified FIPS 140-3 cryptographic module. Enable FIPS mode with a single feature flag — no OpenSSL dependency.

Bot Detection

Block scrapers and unwanted bots by User-Agent pattern matching. Allow/deny lists with configurable responses.

Config Provenance

Every artifact embeds a SHA-256 fingerprint and Git commit provenance. Continuous drift detection flags data planes running stale configurations.

Enterprise-grade architecture

Separate control plane and data plane for maximum resilience and flexibility.

Control Plane

The management layer for your API gateway fleet. Handles configuration, compilation, and deployment orchestration.

  • Web UI for visual management
  • Plugin registry with schema validation
  • Spec compilation and artifact builds
  • Push deployments to data planes
  • Artifact provenance and drift detection

Data Plane(s)

The runtime layer that handles actual API traffic. Fully autonomous — keeps running even if the control plane is down.

  • Hot-reload without restarts
  • Zero-downtime deployments
  • TLS termination, mTLS, and FIPS 140-3
  • Resilient to control plane outages
  • Dedicated admin API for health and provenance

Built for teams who take APIs seriously

Platform Teams

Building an internal developer platform? Barbacane enforces consistent API standards and policies automatically.

  • Self-service API publishing
  • Automatic policy enforcement
  • Centralized observability

API Product Companies

Exposing public APIs? Barbacane ensures your contracts are strictly enforced and your documentation is always accurate.

  • Contract-first development
  • Always-accurate documentation
  • Version and lifecycle management

Enterprises Modernizing

Migrating from legacy gateways? Barbacane's spec-first approach brings order to complex API landscapes.

  • Gradual migration path
  • Compliance-ready logging
  • Hybrid cloud support
Open Source Core

No feature gating. No hidden enterprise tier.

Barbacane is open source under the AGPLv3. Every feature is available to everyone. Small teams and non-profits get a free commercial license. Larger organisations can purchase a commercial license — see pricing for details.

Star on GitHub

Ready to simplify your API gateway?

Get started in minutes. Write your spec, compile, and deploy.

# Try the playground with Docker
git clone https://github.com/barbacane-dev/playground
cd playground && docker-compose up -d

# Or install from source
cargo install barbacane
barbacane compile --spec api.yaml --manifest barbacane.yaml --output api.bca
barbacane serve --artifact api.bca
Read the docs Need help? Talk to us