Release Notes
Release notes for the AISIX AI Gateway. Each version is a coordinated release of the gateway (data plane) and the control plane, distributed as container images (docker.io/api7/aisix and docker.io/api7/aisix-cp-*), an offline installation package, and the aisix-cp Helm chart. Versions are listed newest first.
0.3.1
A maintenance release that rolls up the 0.3.0 quality-assurance findings and adds directory-based user provisioning.
New Features
- SCIM 2.0 directory sync — provision and deprovision members automatically from your identity provider (any SCIM 2.0 provider, such as Okta or Microsoft Entra ID) through the new
/scim/v2endpoints.
Improvements and Fixes
- The gateway image now self-reports its release version — in the
Serverresponse header, inaisix --version, and as the data-plane version shown in the dashboard — instead of a static build version. - Anthropic prompt-cache tokens are now counted toward rate-limit token budgets on the native
/v1/messagesand/v1/responsesendpoints. - Added a cache-inclusive
totalseries to the per-client token metric. - In self-hosted installs, the dashboard playground can now reach LLM endpoints on private or internal networks (opt-in via the
AISIX_PLAYGROUND_ALLOW_PRIVATE_IPSenvironment variable). - Sign-in now trusts the deployment's own origin (and its loopback twin) and shows clearer messages for rate-limited or untrusted-origin attempts.
- The guardrail management API is now part of the Cloud Admin API contract.
- Every proxied response now carries an
x-aisix-request-idheader for correlation. - Deployment cooldown metrics are emitted on health-state transitions.
- A single malformed telemetry event no longer discards an entire usage-flush batch.
- The control plane no longer logs benign "constraint already exists" errors on restart.
0.3.0
A large feature release that introduces the MCP and A2A gateways, several new API surfaces, an expanded guardrail catalog, and metric-based routing.
MCP Gateway
- New aggregating
/mcpendpoint that fronts multiple upstream MCP servers behind a single AISIX API key. - Manage upstream MCP servers as a first-class resource (registration and full CRUD) from the control plane and dashboard, including an enable/disable toggle and a configurable upstream timeout.
- Per-key, per-tool access control — govern which MCP tools each API key may call.
- Upstream authentication to MCP servers via API key or OAuth2 client credentials.
- MCP tool calls are governed by the same rate-limit, budget, and guardrail (input and output) policies as LLM traffic, and emit usage events and access logs.
A2A Gateway
- New Agent-to-Agent (A2A) gateway with org-scoped agents managed in the control plane and dashboard.
- Per-key
allowed_agentscontrols which agents each API key may reach.
New API Surfaces
/v1/realtimeWebSocket relay for the OpenAI realtime API (OpenAI-family and Azure), with browser subprotocol authentication and per-session usage accounting.- First-class
/v1/files,/v1/batches, and/v1/fine_tuningendpoints (OpenAI-family and Azure), with cost attribution for batch jobs. - Native (non-OpenAI) embeddings for Vertex/Gemini and Bedrock (Titan and Cohere).
- Cross-provider content blocks — image, tool use, tool result, and document — on
/v1/messages.
Guardrails
- New guardrail kinds: Lakera, Presidio, and OpenAI Moderation.
- PII detection and redaction (mask or block) over request and response bodies, including streamed responses and non-chat endpoints.
- Monitor-mode guardrail hits are surfaced on usage events and in the dashboard Logs view.
Routing
- New metric-based target-selection strategies: least cost, least latency, and least busy.
- Tag / metadata conditional routing and wildcard model-name routing (
provider/*aliases). - Sticky weighted routing for A/B testing and canary releases.
Traffic Controls and Authentication
- API key lifecycle — set an expiration, disable a key, and rotate a key in a single operation.
- Cluster rate limiting over a shared Redis, adding per-second (
rps) and per-hour (rph) request limits alongside the existing per-minute (rpm) and per-day (rpd) limits. - Cache and rate-limit keys are scoped by environment so a shared Redis cannot leak state across environments.
Observability
- Request and response content capture extended to embeddings, rerank, images, and audio.
- Usage events are emitted for passthrough endpoints (success and failure) with API-key attribution.
Deployment
- The container image runs as a non-root user and can still bind privileged ports (
:80and:443) via theCAP_NET_BIND_SERVICEfile capability.
Dashboard
- Unified, filterable models page and a single "Create model" kind picker.
- MCP servers management page, with MCP governance surfaced across the rate-limit, budget, and guardrail views.
- Drag-to-reorder routing targets and a per-target cost badge under the least-cost strategy.
- Per-organization usage-log retention.
- Paginated member and team lists.