Art2link ESB is an API management runtime built into the integration platform - one gateway for REST, GraphQL, gRPC, and webhooks. JWT and OAuth 2.1 authentication, per-client rate limiting, OpenAPI 3.1 validation, request and response transformation, circuit breaking, and OpenTelemetry-compatible traces, configured per route. No second product. No per-message pricing.
Different teams, different conventions, different auth, different SLA assumptions. A single inventory question put to each team's API platform usually reveals four shared problems.
Each team shipped their own API. Nobody can answer how many APIs the company has, who owns them, or which are deprecated. Auditors notice.
Team A uses API keys, B uses bearer tokens, C uses mTLS, D never finished implementing auth at all. The least-secure API sets the company's risk profile.
v1 and v2 of the same API run in parallel forever because no one has the courage to deprecate v1. Backend code carries every version's branching logic.
When an API consumer reports a problem, the team can't answer "did the request even reach us?" without three engineers correlating logs across five systems.
A representative production request flowing through the Art2link gateway. Status, timing, and the request payload at every stop - the same view your operators see when investigating a real incident.
cipher=TLS_AES_256_GCM_SHA384, ALPN h2.
iss, aud, exp, nbf checked. Token cached 5 minutes by kid.
customer.read present in token. Tenant in tid matches API's allow-list. Role claims evaluated against the route's RBAC policy.
mob-prod-001 tier=premium · 60,000 req/min cap, 49,830 in the current window (83%). Soft-throttle headers attached to response: X-RateLimit-Remaining: 10170.
getCustomerOrders. Query parameters validated against schema; status must be one of open|closed|pending. Body schema not required for GET.
v3:customer:12345:orders:open - miss. Backend call proceeds. Hit rate for this route last hour: 74.2%.
orders-svc.internal:8443. Circuit breaker state: CLOSED. Backend p99 last 5 min: 22ms. Network round-trip included in stage timing.
internal_status_code, cost_basis) before client return. Fields preserved in cache untouched for warm-path consumers.
vary on Authorization. TTL 60s per route policy. Stale-while-revalidate enabled.
5f3a-201c.
Policies compose in sequence. Reorder them per API.
iss, aud, exp, nbf, kid rotation. Audience claim binding to the route's API ID.
response_type=code, code_challenge_method=S256.
X-API-Key or query parameter.
X-RateLimit-* response headers. Soft and hard throttle.
vary). TTL per route. Stale-while-revalidate. Cache invalidation via tag-based purge API.
open_threshold, cool_off_seconds per route.
Real APIs run several versions at once. Art2link runs every active version simultaneously behind one gateway, with per-version policy chains, deprecation headers, and sunset scheduling - so v1 consumers keep working while v3 launches and v4 gets prototyped.
Deprecation and Sunset response headers. Per-version traffic dashboards surface adoption curves. Deprecation policies trigger when consumer traffic drops below a configurable threshold.
A retail bank consolidated 134 internal APIs across 18 teams onto a single Art2link gateway - standardizing OAuth 2.1, mTLS for partner connections, and per-tier rate limiting. p99 gateway overhead under 8ms across the portfolio.
A digital-health platform shipped three API versions in parallel through Art2link - v1 sunset, v2 deprecated, v3 recommended - with zero breaking changes for clinical consumers during a two-year evolution.
An Art2link senior API architect reviews up to 20 of your APIs and returns a written audit covering: authentication consistency, rate-limit hygiene, OpenAPI spec coverage, version-deprecation exposure, and the routes most at risk of compliance or SLA penalties. Deliverable is yours regardless of next steps.
The other gateways are good products. Three real differences for an enterprise: pricing scales with infrastructure rather than message count (Apigee/MuleSoft become punitive past 100M req/month); the gateway is co-resident with the integration runtime (no extra hop, no extra product to govern); and there’s no separate "developer portal" SKU - it’s included. If you’re happy on your current platform, the migration story is a parallel-run with a wave-based cutover.
Yes. The gateway speaks REST (OpenAPI 3.1), GraphQL (producer and consumer), and gRPC (with HTTP/2). The same policy chain applies regardless of protocol - auth, rate limit, validation, transform - with protocol-specific extensions for GraphQL query complexity limiting and gRPC streaming flow control.
WebSocket connections terminate at the gateway with auth and per-connection rate limiting. Webhook callbacks register against named subscribers with HMAC signing, retry-on-failure, and dead-letter when subscribers are persistently down. Both flows show up in the same operator UI as REST traffic.
API products are bundles of APIs published under a name (e.g., "Partner Orders Suite") with tier-based access. The developer portal is included - spec-driven docs, interactive try-it console, key provisioning, and analytics. Branded subdomain supported. No separate SKU.
Yes for regulated environments. The control plane (config, analytics, portal) runs in Azure. The data plane (the actual gateway processing requests) can be deployed to a customer VPC or on-premises via container, with the control plane managing it remotely. Config syncs over a control channel; traffic stays local.
Install the free Starter Plan from Azure Marketplace and front one of your existing APIs through the Art2link gateway. Compare overhead, policies, and observability against your current platform before scoping a move.