Release Notes
These release notes summarize user-visible changes to the AISIX gateway, control plane, dashboard, and deployment packages. Releases are listed newest first.
Release artifacts include the gateway image at docker.io/api7/aisix, control-plane images under docker.io/api7/aisix-cp-*, the aisix-cp Helm chart, and an offline installation package.
0.3.1
Release date: July 9, 2026
This maintenance release adds SCIM directory sync and improves observability, accounting, self-hosted playground access, and control-plane reliability.
New Features
- SCIM 2.0 directory sync can provision and deprovision organization members from any SCIM 2.0 identity provider, including Okta and Microsoft Entra ID, through the new
/scim/v2endpoints.
Improvements
- Gateway builds now report their release version in the
Serverresponse header, the output ofaisix --version, and the data-plane version shown in the dashboard, rather than reporting a static build version. - The per-client token metric now includes a cache-inclusive
totalseries. See Metrics for the current metric catalog. - Deployment cooldown metrics are emitted when health state changes.
- The guardrail management API is now included in the AISIX Cloud Admin API contract.
Fixes
- Every proxied response now includes an
x-aisix-request-idheader for correlation with logs and usage events. - Anthropic prompt-cache tokens now count toward token rate limits on the native
/v1/messagesand/v1/responsesendpoints. - One malformed telemetry event no longer prevents the remaining events in the usage batch from being delivered.
- The self-hosted dashboard playground can now reach private or internal LLM endpoints when
AISIX_PLAYGROUND_ALLOW_PRIVATE_IPSis enabled. - Sign-in now accepts the deployment's own origin and corresponding loopback origin, and returns clearer messages for rate-limited or untrusted-origin attempts.
- Member list pagination no longer returns to the first page shortly after the view loads.
- Control-plane restarts no longer produce harmless duplicate-constraint error logs.
0.3.0
Release date: July 9, 2026
This release introduces the MCP Gateway and Agent Gateway, expands the proxy API and guardrail catalog, and adds metric-based routing.
New Features
MCP Gateway
- The new aggregating
/mcpendpoint fronts multiple upstream MCP servers behind one AISIX caller API key. - Upstream MCP servers are first-class resources with registration and full CRUD in the control plane and dashboard, along with enable and disable controls and a configurable upstream timeout.
- Tool access control limits each caller API key to specific MCP tools.
- Upstream authentication supports API keys and OAuth 2.0 client credentials.
- MCP tool calls use the same rate limits, budgets, and input and output guardrails as model traffic. Calls also emit usage events and access logs.
Agent Gateway
- The new Agent Gateway fronts organization-scoped Agent-to-Agent (A2A) agents managed through the control plane and dashboard.
- The
allowed_agentsfield limits each caller API key to specific agents.
APIs
- The
/v1/realtimeWebSocket relay supports OpenAI-family and Azure providers, browser subprotocol authentication, and per-session usage accounting. - The new
/v1/files,/v1/batches, and/v1/fine_tuningendpoints support OpenAI-family and Azure providers, with cost attribution for batch jobs. - Embeddings support native Vertex AI, Gemini, and Bedrock Titan and Cohere requests.
- Anthropic Messages supports cross-provider image, tool-use, tool-result, and document content blocks.
Guardrails
- New guardrail integrations support Lakera Guard, Presidio, and OpenAI Moderation.
- PII detection and redaction can mask or block sensitive data in request and response bodies, including streamed responses and non-chat endpoints.
- Monitor-mode guardrail matches appear in usage events and the dashboard Logs view.
Routing
- Multi-target models support least-cost, least-latency, and least-busy target selection.
- Conditional routing can select targets by tags or metadata, and wildcard aliases can route model names such as
provider/*. - Sticky weighted routing supports A/B testing and canary releases.
Traffic Controls and API Keys
- Caller API key lifecycle controls can set an expiration, disable a key, or rotate it in one operation.
- Cluster rate limiting can use shared Redis storage and adds per-second (
rps) and per-hour (rph) request limits to the existing per-minute (rpm) and per-day (rpd) limits.
Observability
- Request and response content capture now covers embeddings, rerank, images, and audio.
Dashboard
- MCP servers can be managed from the dashboard, with MCP governance available in the rate-limit, budget, and guardrail views.
- Usage-log retention can be configured by organization.
Improvements
- The container image runs as a non-root user and can bind ports
80and443through theCAP_NET_BIND_SERVICEfile capability. - The dashboard provides a unified, filterable models view and a single model-kind picker when creating a model.
- Routing targets can be reordered by dragging, and least-cost targets display per-target cost badges.
- Member and team lists are paginated.
Fixes
- Cache and rate-limit keys are scoped by environment so shared Redis storage cannot mix state between environments.
- Passthrough endpoints now emit usage events for successful and failed requests, with caller API key attribution.