By API7.ai Team
Last updated: July 2026
Apache APISIX and API7 Enterprise share the same high-performance core — API7.ai created and donated APISIX to the Apache Software Foundation, and API7 Enterprise is built on it. This guide explains what the commercial edition adds on top of the open-source gateway, and when each is the right choice.
Same engine, different operating model. Apache APISIX is the free, Apache-2.0 gateway API7.ai created and donated to the Apache Software Foundation — 100+ plugins, a built-in dashboard, and AI plugins, all self-managed. API7 Enterprise is built on that exact core and adds a governed operating layer: console RBAC and audit, gateway groups, multi-cluster management, a developer portal, compliance attestations (SOC 2 Type II, ISO 27001, HIPAA, GDPR), and SLA support. Run APISIX to self-operate; choose API7 Enterprise for governance, compliance, and support.
They run the same APISIX core. Apache APISIX is free and self-managed; API7 Enterprise adds a governed control plane (RBAC, gateway groups, audit), compliance attestations, a developer portal, and an SLA.
| Dimension | Apache APISIX | API7 Enterprise |
|---|---|---|
| Best for | A free, self-managed, Apache-2.0 gateway | The same APISIX core with managed governance + SLA |
| License & cost | ✓ Apache-2.0 — free & open source | Commercial; CPU-core pricing (cloud pay-as-you-go or on-prem subscription) |
| Core engine | NGINX/OpenResty + etcd; 100+ plugins; ~18,000 QPS/core | Same APISIX core — contains all APISIX features |
| Control plane | Community control plane (no console RBAC/workspaces/audit) | ✓ Enterprise control plane: RBAC/IAM, gateway groups, audit |
| Operations | You install, upgrade, patch, and monitor it yourself | ✓ Managed by API7 with an SLA; APISIX-maintainer support |
| Compliance | Self-attest on your own infrastructure | ✓ SOC 2 Type II, ISO 27001:2022, HIPAA, GDPR; FIPS 140-2 L1 |
Apache APISIX is a top-level Apache Software Foundation project (Apache-2.0), created and donated by API7.ai — a dynamic, etcd-based API gateway on NGINX/OpenResty with 100+ plugins, a built-in dashboard, and AI plugins, all open source.
Apache APISIX is a top-level Apache Software Foundation project (Apache-2.0), created and donated by API7.ai. It’s a dynamic, high-performance API gateway on NGINX/OpenResty with an etcd store, 100+ built-in plugins, multi-language plugin support, a built-in dashboard, service discovery, observability, and AI/LLM plugins — all free and open source.
License
Apache-2.0 (ASF top-level project)
Core
NGINX/OpenResty + etcd
Best for
A free, self-managed gateway
API7 Enterprise is API7.ai’s commercial edition built on Apache APISIX. It contains all of APISIX’s features and adds a governed control plane, developer portal, compliance attestations, and SLA support from the APISIX core maintainers.
API7 Enterprise is API7.ai’s commercial edition built on Apache APISIX. It contains all of APISIX’s features and adds a governed operating layer: an enterprise control plane with console RBAC and audit, gateway groups, multi-cluster management, a developer portal and full API lifecycle, compliance attestations, and SLA support from the APISIX core maintainers. Same engine, managed operating model.
License
Commercial (built on Apache-2.0 APISIX)
Core
Same APISIX data plane
Best for
Governed APISIX with an SLA
The data plane is identical. The difference is everything around it — who operates it, how it’s governed, what’s attested for compliance, and what support you get.
API7.ai created Apache APISIX and donated it to the Apache Software Foundation in 2019. API7 Enterprise runs the same APISIX data plane and contains all of its features, so the question is not “which gateway is faster” — they share a core that self-reports about 18,000 QPS per core at 0.2 ms — but which operating model fits your team.
With open-source APISIX you install, upgrade, patch, and monitor everything yourself, backed by the community. API7 Enterprise adds a managed operating layer on top: a console-level RBAC/IAM model, gateway groups for multi-tenancy, audit logging, multi-cluster management, a developer portal and full API lifecycle, compliance attestations, and a support SLA from the APISIX core maintainers. Migration between the two is straightforward because the core is the same.
Both share the APISIX core, plugins, and performance. API7 Enterprise layers on governance (RBAC, gateway groups, audit), lifecycle and portal, compliance attestations, and managed support.
| Feature | Apache APISIX | API7 Enterprise |
|---|---|---|
| License & distribution | Apache-2.0, free & open source (ASF top-level project) | Commercial; pay-as-you-go cloud or CPU-based on-prem subscription |
| Core engine & plugins | NGINX/OpenResty + etcd; 100+ built-in plugins; custom plugins in Lua, Go, Java, Python, Wasm | Same APISIX core and plugins, plus enterprise add-ons (GraphQL rate-limit/cache, SOAP, traffic labeling, oas-validator) |
| Installation & maintenance | Install, upgrade, patch, and fix vulnerabilities yourself | A professional team handles deployment, upgrades, and fixes |
| Control plane & RBAC | Community control plane — no console RBAC, workspaces, or audit | ✓ Console RBAC/IAM (Keycloak, Okta, OIDC/OAuth, 2FA), gateway groups, audit logging |
| Multi-tenancy & multi-cluster | Single-instance / community management | ✓ Gateway groups (dev/staging/prod) + multi-cluster/region from one dashboard; multilayer-network routing |
| Dashboard & lifecycle | Built-in open-source dashboard (routes, plugins, upstreams) | ✓ Enterprise dashboard + full API lifecycle: design, docs, mock, developer portal, monetization |
| Identity & secrets | Auth plugins (JWT, OAuth2/OIDC, key-auth) for request traffic | Built-in Keycloak + Okta/OIDC SSO for the console; secrets via env vars + HashiCorp Vault |
| Compliance | Ensure compliance yourself | ✓ SOC 2 Type II, ISO 27001:2022, HIPAA, GDPR; FIPS 140-2 Level 1 (FIPS-validated OpenSSL) |
| Support & SLA | Community support | ✓ Support from APISIX core maintainers; up to 30-min SLA, 99.9% uptime, first-priority security fixes |
| Training & best practices | Self-serve docs and community | Onboarding, developer certification, and industry best practices (banking, fintech, manufacturing) |
| AI / LLM gateway | AI/LLM plugins in the open-source core | Managed, governed AI gateway (multi-LLM routing, token limits, guardrails, budgets) |
| Deployment | Bare metal, VM, Kubernetes, cloud (self-run) | Same targets, run anywhere, with dynamic DP/CP scaling and managed operations |
Choose Apache APISIX to self-operate a free, open-source gateway; choose API7 Enterprise when you need the same core plus a governed control plane, compliance attestations, and an SLA.
Bottom line: it’s the same engine with a different operating model. Run Apache APISIX if you want a free, open-source gateway and have the team to operate it; choose API7 Enterprise for a governed control plane (RBAC, gateway groups, audit), compliance attestations, a developer portal, and maintainer-backed SLA support. Explore API7 Enterprise or start a free trial.
API7 Enterprise vs Kong · Apache APISIX vs Kong · All gateway comparisons
Ready to get started?
For more information about full API lifecycle management, please contact us to Meet with our API Experts.

