Oracle API Gateway Overview


Oracle API Gateway is a comprehensive platform for managing, delivering, and securing Web APIs. It provides integration, acceleration, governance, and security for API and SOA-based systems. Oracle API Gateway is available on Windows, Linux, and Solaris (for more details, see the Oracle API Gateway Installation and Configuration Guide). This topic describes the high-level functionality available in the Oracle API Gateway.


Oracle API Gateway provides the following integration features:

Identity Management

Oracle API Gateway integrates with existing third-party Identity Management (IM) infrastructures to perform authentication and authorization of message traffic. For example, integration is provided with LDAP, Microsoft Active Directory, Oracle Access Manager, CA SiteMinder, Entrust GetAccess, IBM Tivoli Access Manager, RSA Access Manager, and other IM products. The API Gateway also interoperates with leading integration products and platforms (for example, Microsoft .NET, Oracle WebLogic, IBM WebSphere, and SAP NetWeaver).


The API Gateway is designed to offer a highly flexible and scalable solution architecture. Administrators can deploy new API Gateway instances as needed, and deploy the same or different policies across a group of API Gateway instances as required. This enables administrators to apply polices at any point in their system. Policy enforcement points can be distributed around the network, anywhere traffic is being passed.

Pluggable Pipeline

The API Gateway’s internal message-handling pipeline is extensible, enabling extra access control and content-filtering rules to be added with ease. Customers do not have to wait for a full product release before receiving updates of support for emerging standards and for additional adapters.


The API Gateway’s REST support enables you to make enterprise application data and operations available using Web APIs. For example, you can convert a legacy SOAP service, and deploy it as a REST API to be consumed by mobile apps. REST-to-SOAP conversion is easy to achieve using the API Gateway. It can expose REST APIs that map to SOAP services, dynamically creating a SOAP request based on the REST API call.


The API Gateway includes support for multi-byte message data and a wide range of international languages and character sets. For example, this includes requests in languages such as Chinese, German, French, Spanish, Danish, Serbian, Russian, Japanese, Korean, Greek, Arabic, Hebrew, and so on. The API Gateway supports character sets such as UTF-8, KO-I8, UTF-16, UTF-32, ISO-8859-1, EUC-JP, US-ASCII, ISO-8859-7, and so on.


Oracle API Gateway accelerates performance as follows:

Processing Offload

You can use the API Gateway to offload the heavy lifting of XML from application servers, and on to the network. This frees up resources on application servers and enables applications to run faster. The patented high-performance core XML Acceleration engine (VXA), coupled with hardware acceleration ensures wirespeed network performance.

VXA Platform

The core VXA engine is integrated into the API Gateway to accelerate the essential XML security primitives. This engine provides XML processing at faster levels than those performed by common JAXP implementations in application servers and other applications that sit downstream from the API Gateway. The VXA engine performs Document Object Model (DOM) processing, XPath, JSON Path, XSLT conversion, and validation of XML and JSON.

Data Enrichment

The API Gateway can automatically populate content in XML and JSON documents from sources such as databases. By putting this functionality on to the network infrastructure, data is automatically populated in messages before they reach the consuming services. This simplifies and accelerates applications in ESBs and application servers.


Oracle API Gateway provides the following governance features:

Ease of Deployment

The API Gateway includes many features that speed up deployment. For example, certificates and private keys, necessary for XML security functions, are issued on board. The API Gateway has a deny-by-default defense posture, to detect and block unauthorized deployments of services. Policies can be re-applied across multiple endpoints using simple menus. Policies can also be imported and exported as XML files. This minimizes time needed to replicate policies across multiple API Gateways, or to move from a staging system to production environment.

Centralized Management

A web-based system management dashboard provides centralized control of API Gateways in your domain. API Gateway Manager provides quick and easy access to enable you to manage your API Gateways and services. For example, you can use monitoring and a traffic log to monitor messages sent through API Gateways in your domain. All monitoring data can be aggregated across multiple API Gateway instances in a group or domain.

The Oracle Policy Studio tool enables administrators to add security and management policies to the API Gateway, and to manage policy versions across multiple API Gateways. This enables enterprise policy management to be brought under centralized control, rather than be managed separately on each API Gateway.


The Oracle API Gateway Analytics tool provides auditing and reporting on usage across all entry points and creates comprehensive reports to meet operational and compliance requirements. Oracle API Gateway Analytics also provides root cause analysis by identifying common failure points in multi-service transactions. If a service fails, and impacts the transaction as a whole, API Gateway Analytics can detect this and generate alerts.

Traffic Throttling

The Oracle API Gateway protects services from unanticipated traffic spikes by smoothing out traffic. It also limits clients to agreed service consumption levels in accordance with service usage agreements. This enables Oracle customers to charge their clients for different levels of service usage.


Oracle API Gateway includes the following security features:

Identity Mediation

Through its support for a wide range of security standards, Oracle API Gateway enables identity mediation between different identity schemes. For example, the API Gateway can authenticate external clients by username and password, but then issue SAML tokens that are used for identity propagation to application servers.

API Management

The API Gateway enables you to secure Web APIs against attack and abuse. It also enables you to govern and meter access to and usage of Web APIs. The API Gateway provides support for API management security standards such as OAuth. This enables you to share private resources with third-party websites without needing to provide credentials.

Application-level Networking

The API Gateway routes data based on sender identity, content, and type. This enables messages to be sent to the appropriate application in a secure manner. It also enables service virtualization, where services are exposed to clients with virtual addresses to mask their actual addresses for security and application delivery. In this way, the API Gateway acts as an important control point for network traffic by shielding endpoint services from direct access.

Audit Trail

The API Gateway satisfies audit requirements by enabling service transactions to be archived in a tamper-proof store for subsequent audit. Oracle also facilitates privacy compliance support by allowing sensitive information, such as customer names, to be encrypted or stripped out of message traffic.