API7 Enterprise Release Notes

3.9.13

Release Date: 2026-05-22

Breaking Changes

Plugins

• CAS Auth

  Upgrade note

  The cas-auth plugin now requires a cookie.secret value of at least 32 characters. The plugin uses this secret to sign and verify the CAS_REQUEST_URI cookie, preventing a client-controlled cookie from changing the post-login redirect target.

  Before upgrading, update every existing cas-auth configuration with a shared cookie.secret across all gateway nodes.

Upgrade Notes

Upgrade note — proxy cache behavior

The proxy-cache and graphql-proxy-cache plugins now use safer cache behavior by default.

For proxy-cache, responses are isolated by consumer when the request has an authenticated consumer or remote user, unless the configured cache_key already contains an identity-bearing variable. The in-memory strategy also no longer caches responses whose upstream Cache-Control contains private, no-store, or no-cache, and both in-memory and on-disk strategies skip responses with Set-Cookie unless cache_set_cookie is set to true.

For graphql-proxy-cache, cache keys now include host, route, service, and consumer identity by default, and responses with Set-Cookie are skipped unless cache_set_cookie is set to true.

If you intentionally share cached responses across consumers, set consumer_isolation: false. If you intentionally cache responses with Set-Cookie, set cache_set_cookie: true.

Features

Plugins

• AI Proxy
  • Improved OpenAI-compatible streaming response throughput by reducing per-token flush and SSE parsing overhead. In internal single-worker benchmarks with a mock OpenAI upstream, peak streaming throughput increased from 44,102.6 tokens/s to 138,158.7 tokens/s, about 3.13x higher.
  • Improved large JSON request body handling for AI requests that use post_arg.* route variables. In internal benchmarks with 1 MB, 5 MB, and 10 MB OpenAI Chat Completions-compatible request bodies, throughput improved by 5.15x-5.35x when the gateway forwarded the original body, and by 2.47x-2.67x when the gateway rewrote the body before forwarding.
  • Added streaming_flush_interval_ms to control periodic flushing for streaming responses. The default is 10 ms, which reduces per-chunk flush overhead while keeping streaming latency bounded.
• OpenAPI to MCP
  • Added allowed_hosts to restrict which hosts a dynamically resolved base_url may target. When allowed_hosts is not configured, existing behavior is unchanged. The plugin also rejects malformed resolved URLs and non-HTTP(S) schemes with HTTP 400.
• Proxy Cache and GraphQL Proxy Cache
  • Added consumer_isolation and cache_set_cookie options to control the new safer cache behavior described in the upgrade note.

Control Plane

• Alert policies can now automatically create Debug Sessions when alert conditions are triggered. Alert history records whether debug session creation succeeded and includes the created session IDs or error details.
• Fallback Control Plane storage now supports S3-compatible path-style endpoints, which enables integrations with providers such as MinIO that require bucket names in the URL path.

Console (Dashboard)

• Added Debug Sessions UI under Gateway Groups, including session list, create, stop, delete, trace list, trace waterfall detail, search and filtering, minimap, URL state sync, field formatting, and keyboard navigation.
• Added a copy button to delete/disable confirmation dialogs so users can copy the resource identifier before confirming destructive operations.
• Added search support to the service and route selector on the monitoring page.

Developer Portal

• Added a Helm chart for deploying the Developer Portal on Kubernetes.

Fixes

Plugins

• OpenID Connect
  • Fixed issue: Client-supplied identity headers (X-Access-Token, X-Userinfo, X-ID-Token, X-Refresh-Token) could be forwarded upstream instead of values validated by the plugin. These headers are now cleared or overwritten so upstream services only receive plugin-controlled identity values.
• Data Mask
  • Fixed issue: The plugin could crash or produce incorrect masked output for multi-value query parameters, valueless query parameters, non-string JSON values, regex failures, and form parsing errors. It also no longer logs original sensitive values when regex substitution fails.
• ACL
  • Fixed issue: external_user_label_field_parser and external_user_label_field_separator could be applied to consumer labels, causing incorrect allow or deny decisions. They now apply only to external-user label extraction.
• Chaitin WAF and Wolf RBAC
  • Fixed issue: The plugins used raw client-supplied IP headers when sending client IP information to their backend services. They now use the trusted real client IP resolved by the gateway.
• Client Control
  • Fixed issue: When a Global Rule plugin read the request body in the access phase, client-control on a route or service could not apply its body size override first, causing large requests to be rejected unexpectedly.

Control Plane

• Fixed issue: Deleting a Secret that was still referenced by other resources could leave dangling references and cause gateway runtime errors. Secret deletion is now rejected while references exist.
• Fixed issue: Data Plane Manager certificates could fail hostname verification for older Data Planes when dp_manager_address contained both domain names and IP addresses.
• Fixed issue: Malformed gateway version strings in heartbeat payloads could crash compatibility validation. They are now handled as incompatible versions instead of causing a panic.
• Fixed issue: Invalid stream route CIDR/IP values and invalid post_arg.* JSON path expressions could be accepted by the Control Plane and later rejected or dropped by the Data Plane. These configurations are now rejected at the API level.
• Fixed issue: Sensitive encrypted field values could appear in logs when decrypting AesEncrypt fields failed. Logs now include only the value length.

Data Plane

• Fixed issue: Stream routes that referenced a service could keep using stale service-level plugin configuration until the route changed or the worker restarted.
• Fixed issue: Gateway workers could crash during startup when the etcd or DP Manager response was missing expected revision headers. The gateway now logs the problem and retries.
• Fixed issue: Stream workers could crash during config sync when status reporting was enabled.
• Fixed issue: The standard gateway runtime image did not honor the TZ environment variable for IANA timezone names because timezone data was missing.
• Fixed issue: The tracer could crash on HTTPS or HTTP/2 keepalive connections when tracing was enabled.
• Fixed issue: The gateway CLI wrote Control Plane mTLS client certificate files to the system temporary directory with overly broad permissions. These files are now written under the gateway config certificate directory with restricted permissions.

Console (Dashboard)

• Fixed issue: The OpenID Connect plugin code editor could collapse or become unreachable on small or highly zoomed viewports.
• Fixed issue: Deleting a published service from the service list could show a misleading "service not found" error toast after deletion succeeded.
• Fixed issue: List table defaults could be mutated by one page and leak invalid sorting parameters into the Gateway Instances page.
• Fixed issue: The plugin view drawer could show stale or incorrect JSON when switching between local, global, and metadata tabs.
• Fixed issue: Cached gateway group or portal IDs that no longer existed could lead to blank pages or 404 error toasts instead of redirecting to a valid fallback.

3.9.12

Release Date: 2026-05-08

Features

Plugins

• AI Proxy
  • Added support for the AWS Bedrock provider using the Converse API. Configure with "provider": "bedrock", AWS IAM credentials in auth.aws, and an AWS region in provider_conf.region. Both non-streaming and streaming (ConverseStream) modes are supported — set "stream": true in the request body for streaming responses.
• OAS Validator
  • Added spec_url field that loads the OpenAPI specification from a remote HTTP(S) URL instead of embedding the full JSON inline in the plugin configuration. This is useful when the spec exceeds the 2 MB inline size limit of the spec field. The fetched spec is cached with a configurable TTL (default 1 hour, set via plugin metadata spec_url_ttl), and stale entries continue serving requests while the spec refreshes in the background. Additional fields spec_url_request_headers (custom HTTP headers, e.g. for authentication) and timeout (request timeout in milliseconds, default 10000) are available. spec and spec_url are mutually exclusive.

Fixes

Plugins

• File Logger
  • Fixed issue: When both the gzip plugin and file-logger (with include_resp_body enabled) were configured on a route, file-logger incorrectly attempted to decompress the response body. Because APISIX itself performed the gzip encoding, the body available to the logger was still plaintext, causing spurious inflate gzip err: INFLATE: data error log entries and the response body being lost from the log output.
• Elasticsearch Logger
  • Fixed issue: Dynamic index patterns using date-time placeholders (such as gateway-{%Y.%m.%d}) stopped rotating after the first request. The resolved date string was written back to the shared configuration object, permanently overwriting the template until the worker process restarted.
• OAS Validator
  • Fixed issue: Header parameter validation was case-sensitive, causing requests to be rejected when the header name casing did not exactly match the OpenAPI specification (for example, sending X-Request-Id when the spec defined x-request-id). Header matching is now case-insensitive per RFC 7230 §3.2.

3.9.11

Release Date: 2026-04-30

Upgrade Notes

Upgrade note — Secret references CP→DP compatibility

This version extends secret references ($secret://, $env://) to work with all plugins centrally. After upgrading the Control Plane to 3.9.11, if you configure secret references in plugin fields that previously did not support them, a Data Plane still running 3.9.10 or earlier will not resolve those references — it will pass the literal $secret://... string to the plugin.

Recommended upgrade path: Upgrade all Data Planes to 3.9.11 before configuring secret references in newly-supported plugin fields. Plugins that already supported secrets in previous versions (jwt-auth, openid-connect, limit-count, authz-keycloak, csrf, limit-req, limit-conn) are not affected.

Features

Plugins

• AI Proxy
  • Added a passthrough protocol adapter that proxies unrecognized API formats (such as /v1/images/generations) through to the upstream without transformation. Previously, requests that did not match a known protocol (OpenAI Chat, Completions, Embeddings, etc.) were rejected.
  • Rewrote the Anthropic-to-OpenAI protocol converter using a whitelist body construction approach. This prevents Anthropic-specific fields (such as metadata, top_k, thinking, and output_config) from leaking through to OpenAI-compatible upstream providers, and improves conversion accuracy for tool use, system prompts, and multimodal content.
  • Upstream nginx variables ($upstream_status, $upstream_addr, $upstream_response_time, $upstream_header_time, $upstream_connect_time, $upstream_response_length) are now populated in access logs when ai-proxy uses cosocket transport to call LLM backends. Previously, these variables were empty because nginx's upstream module was bypassed.
• OAS Validator
  • Replaced the Go FFI-based OpenAPI validator with a pure-Lua implementation (lua-resty-openapi-validator). Internal benchmarks on a real-world large-scale OpenAPI specification (Stripe, ~414 endpoints) show the new validator is 2–7x faster per-request and compiles the spec 20x faster, while also reducing gateway image size by eliminating the Go shared library. The new validator additionally fixes correctness issues with path parameter routing, nullable schemas, allOf/anyOf merging, and adds support for validating form-encoded request bodies that the previous implementation could not handle.
• All plugins now support $secret:// and $env:// references in any configuration field automatically. Previously, only a handful of plugins (jwt-auth, openid-connect, limit-count, authz-keycloak, csrf, limit-req, limit-conn) had explicit secret reference support. This removes the need for each plugin to implement secret resolution individually.

Data Plane

• A new distroless gateway image variant (api7-ee-3-gateway-distroless) is now available. Built from scratch with only the shared libraries, CA certificates, and timezone data needed to run the gateway, it eliminates OS packages that carry CVEs but are unused at runtime.

Console (Dashboard)

• Configuration compatibility warnings and errors are now displayed in a separate clickable badge on Data Plane instance cards. Clicking the badge opens a modal with a detailed table of all configuration issues (resource type, ID, severity level, and message), making it easier to identify and resolve config schema problems without confusing them with version compatibility status.

Fixes

Plugins

• AI Proxy Multi
  • Fixed issue: After the Control Plane pushed a config update, health check validation logged noisy warnings (unable to construct upstream for plugin: ai-proxy-multi) because DNS resolution state was lost during the config table replacement.
• AI Rate Limiting
  • Fixed issue: AI instance names containing dots (such as Qwen3.5-397B-10.249.238.157) caused HTTP 500 errors because the name was incorrectly interpreted as a ctx.var path expression instead of a constant key.
• AI Request Rewrite
  • Fixed issue: Requests with no body produced a vague upstream error instead of returning a clear HTTP 400 Bad Request.
• AI Prompt Template
  • Fixed issue: JSON parse error messages were garbled Lua table references (such as table: 0x...) instead of readable error strings.
• OpenTelemetry
  • Fixed issue: Non-string values in additional_attributes (such as numbers or booleans from nginx variables) were silently dropped by the OpenTelemetry SDK. They are now coerced to strings before being added to spans.
• Limit Count
  • Fixed issue: Redis credentials (redis_password, redis_username, sentinel_password) were embedded in rate-limiting group keys, exposing sensitive information in Redis keyspace and APISIX logs.
• Traffic Split (Stream)
  • Fixed issue: ctx.var.route_id always returned nil in stream (L4) context, causing match conditions based on route_id in traffic-split rules to never match.
  • Fixed issue: When traffic-split selected an upstream via upstream_id in stream context, the selection was ignored and the route's original upstream was always used.

Control Plane

• Fixed issue: Warning-level entries in the configuration compatibility report incorrectly caused Data Plane instances to display "Upgrade Recommended" even when the Control Plane and Data Plane versions matched.

Data Plane

• Fixed issue: The batch processor entered an infinite timer loop during nginx worker shutdown, preventing graceful shutdown and flooding logs with [alert] messages.
• Fixed issue: The batch processor's processed_entries counter was reset when stale buffers were cleaned up, breaking delivery metrics for batch-processing plugins (such as http-logger, kafka-logger).
• Fixed issue: Active health check request_body configuration was silently ignored because the underlying healthcheck library expects the field to be named http_req_body. The schema field has been renamed to match.
• Fixed issue: Sensitive field values were exposed in error logs when encrypt/decrypt operations failed. Error messages no longer include the raw value.
• Fixed issue: During upgrades with newly added encrypt_fields, expected decrypt failures of pre-existing plaintext data generated noisy warn-level log entries. These are now logged at info level with an explanatory message.

3.9.10

Release Date: 2026-04-22

Breaking Changes

Plugins

• OpenAPI to MCP

  Upgrade note

  The OpenAPI2MCP service is no longer bundled inside the gateway image. It now runs as a separate sidecar container (api7/openapi-to-mcp), reducing the gateway image size by approximately 150 MB. If you use the openapi-to-mcp or mcp-tools-acl plugins, you must deploy the OpenAPI2MCP sidecar alongside the gateway. In Kubernetes, enable openapiToMcp.enabled=true in the gateway Helm chart. In Docker Compose, run the api7/openapi-to-mcp container in the same network namespace as the gateway.

Upgrade Notes

encrypt_fields compatibility

This version adds encrypt_fields to several plugins: AI Proxy (auth.header, auth.query, auth.gcp.service_account_json), AI Proxy Multi (same fields under instances.*), AI RAG (embeddings_provider.azure_openai.api_key, vector_search_provider.azure_ai_search.api_key), AWS Lambda (authorization.apikey, authorization.iam.accesskey, authorization.iam.secretkey), OpenID Connect (added client_rsa_private_key), and SAML Auth (added secret_fallbacks).

Once the Control Plane is upgraded to 3.9.10, it encrypts these newly declared fields when writing route/service configurations to etcd. If a Data Plane is still running an older version (3.9.9 or earlier), it does not know about these new encrypt_fields and will skip decryption, causing the encrypted ciphertext to be used as-is — for example, an AI Proxy route will send the AES ciphertext instead of the real API key, resulting in silent authentication failures (HTTP 401 from the LLM provider).

Recommended upgrade path: Follow the standard upgrade sequence — upgrade the Control Plane first, then the Data Planes. However, after upgrading the Control Plane, do not modify configurations for the affected plugins listed above until all Data Planes have been upgraded to 3.9.10. Any configuration edit or re-publish on these plugins will cause the Control Plane to encrypt the newly declared fields, which older Data Planes cannot decrypt. Upgrade Data Planes to 3.9.10 as soon as possible after the Control Plane upgrade to restore full encrypt/decrypt parity.

Features

Plugins

• AI Proxy
  • Added override.request_body for per-protocol deep-merge request body overrides and override.llm_options for provider-aware max_tokens mapping. Operators can set protocol-specific parameters (such as max_tokens, stop_sequences) as defaults or enforced settings using the request_body_force_override flag. Precedence order: model options → LLM options (always force) → request body (per-protocol deep merge).
  • Added max_stream_duration_ms and max_response_bytes safeguards to prevent unbounded LLM streaming responses from pinning a worker process at high CPU. When either limit is exceeded, the stream is terminated gracefully with appropriate error signaling.
  • The gateway now detects client disconnection during streaming and immediately stops reading from the LLM upstream, freeing worker resources and avoiding unnecessary API quota consumption.
• Prometheus, OpenTelemetry, Zipkin
  • Added a new response_source label (Prometheus) and apisix.response_source span attribute (OpenTelemetry, Zipkin) that classifies each response as "apisix" (generated by APISIX, such as plugin rejections or route-not-found), "nginx" (NGINX proxy errors such as connection refused or upstream timeout), or "upstream" (real response from the upstream service). This enables more precise error attribution in dashboards and alerts.

Control Plane

• Added Consul as a service discovery source. Gateways can now discover upstream services registered in Consul, with support for metadata-based filtering and health-check-aware node selection.
• The Control Plane can now dynamically push telemetry configuration (such as trace sampling ratio and export endpoints) to Data Planes via heartbeat, without requiring a gateway restart.
• Added skip_mtls_uri_regex to SSL/SNI configuration, allowing specific URI patterns to bypass mTLS client certificate verification while keeping mTLS enforced for all other URIs.
• Added POST /apisix/admin/configs/validate endpoint for batch configuration validation. Operators can validate route, service, upstream, and plugin configurations before applying them, catching schema errors without affecting live traffic.
• DP Manager now supports native gRPC etcd protocol on port 7943 via cmux, providing Data Planes with an additional connectivity option alongside the existing HTTP-based etcd protocol.
• The encrypt_fields mechanism now supports nested and complex field structures, including arbitrary-depth dotted paths, arrays, and maps. Plugin configurations with deeply nested sensitive fields (such as auth.gcp.service_account_json) are now encrypted at rest correctly.

Console (Dashboard)

• Added form-based configuration modes for the Key Auth and Basic Auth plugins, enabling visual credential setup without manual JSON editing.
• Added OpenID Connect quick start presets with pre-filled configuration templates for common identity providers, simplifying initial OIDC plugin setup.
• Added Consul as a selectable service discovery type in the upstream configuration UI.
• Supported specifying the SNI when configuring skip_mtls_uri_regex.

Fixes

Plugins

• AI Proxy
  • Fixed issue: When an LLM provider emitted many small SSE chunks per second (such as single-character reasoning tokens), a single streaming request could monopolize a worker process at 100% CPU, degrading availability for all other traffic on that worker.
  • Fixed issue: When a protocol converter was active (for example, Anthropic-to-OpenAI) and the upstream returned SSE events in an unexpected format, the gateway returned a 500 error instead of 502. The gateway now correctly returns 502 Bad Gateway when the upstream response format is incompatible with the configured protocol conversion.
  • Fixed issue: When LLM providers returned JSON null for nullable response fields (such as prompt_tokens_details or usage), the gateway crashed because the JSON null sentinel value passed Lua truthiness checks but could not be indexed as a table.
• AI Rate Limiting
  • Fixed issue: Upstream-provided usage keys (from LLM response usage data) that collided with reserved expression environment names (such as math or abs) could shadow built-in functions, potentially breaking rate limiting expression evaluation or bypassing limits.

Control Plane

• Fixed issue: Creating OAuth credentials via Developer Portal with an OIDC-type DCR Provider failed on identity providers (such as Keycloak) that require the client_name field. The client_name is now included in both DCR register and update requests, using the Application name as the value.

Ingress Controller

• Fixed issue: The Ingress Controller set hosts on both Route and Service when translating ApisixRoute resources. For backends that do not support route-level hosts, this caused a false diff every sync cycle, triggering unnecessary PUT requests and generating massive audit log growth. In one production environment, this resulted in 8 GB / 4.2 million redundant UpdateService audit log entries.

Console (Dashboard)

• Fixed issue: The service discovery loading indicator remained visible indefinitely when the discovery request failed.
• Fixed issue: Nacos service metadata was not refreshed when switching between services in the upstream configuration.
• Fixed issue: Switching login option provider types did not clean up configuration fields from the previous provider, leaving stale values in the form.
• Fixed issue: The IAM policy statements editor crashed with a null reference error when policies data was not yet loaded.
• Fixed issue: The InviteUser and ResetPassword actions did not display error messages when the API call failed, making it unclear why the operation did not succeed.
• Fixed issue: The login option name uniqueness check loaded the full list of login options unnecessarily. It now uses a lightweight API call.
• Fixed issue: The IAM delete role operation used the wrong permission action (iam:UpdateRole instead of iam:DeleteRole).

3.9.9

Release Date: 2026-04-10

Features

Control Plane

• Upstream labels are now persisted and returned correctly via the API. Previously, labels set on upstreams (e.g., by ADC or Ingress Controller) were silently dropped during persistence, causing false diffs on every sync cycle and unnecessary audit log growth.
• The file server address can now be dynamically configured through the System Settings page in the Dashboard, following the same dual-source pattern as the DP Manager address and Admin API address.

Fixes

Plugins

• AI Proxy
  • Fixed issue: When using AI Proxy with protocol conversion (e.g., Anthropic client to OpenAI provider), stream_options.include_usage=true was injected into the pre-conversion request body instead of the post-conversion OpenAI body, so usage statistics were missing from streaming responses for converted protocols.
• Forward Auth
  • Fixed issue: When the auth service responded with HTTP 200 but omitted a header listed in upstream_headers, the original client-supplied value was forwarded to the upstream instead of being cleared. This could allow clients to spoof upstream headers by including them in the original request.
• JWT Auth
  • Fixed issue: The JWT Auth plugin did not verify that the JWT token's alg header matched the consumer's configured algorithm before signature verification, which could allow algorithm confusion attacks.

Data Plane

• Fixed issue: The Data Plane compatibility report showed spurious warnings for valid plugin configurations. Plugins using patternProperties, conditional schemas (if/then/else), allOf, dependencies, or additionalProperties=true incorrectly reported "unrecognized fields" warnings. Affected plugins included ai-proxy, ai-proxy-multi, openapi-to-mcp, acl, http-logger, limit-count-advanced, portal-auth, jwt-auth, proxy-rewrite, and grpc-transcode.

3.9.8

Release Date: 2026-04-07

Breaking Changes

Plugins

• Limit Count

  Upgrade note

  The sync_interval (Redis delayed sync) feature has been removed from the limit-count plugin and is now available exclusively in the Limit Count Advanced plugin. If you are using limit-count with sync_interval configured, migrate your configuration to the limit-count-advanced plugin before upgrading.

• OpenID Connect

  Upgrade note

  The default value of ssl_verify has been changed from false to true. If you have OpenID Connect plugin configurations that do not explicitly set ssl_verify and your identity provider uses a self-signed certificate or a certificate issued by an internal CA, TLS verification will now fail after upgrading. Explicitly set ssl_verify to false in affected configurations before upgrading, or ensure the IdP certificate is trusted by the gateway's CA store.

Features

Plugins

• MCP Tools ACL (New Plugin)
  • Added a new plugin for per-tool access control on MCP services exposed via the OpenAPI-to-MCP plugin. Supports allowlist (allow_tools) and denylist (deny_tools) modes with expression-based matching conditions for route-level or service-level tool access policies. Consumers and consumer groups are supported with priority-based rule evaluation. SSE responses are automatically filtered to remove denied tools from tools/list results.
• AI Proxy
  • Added native Anthropic Messages API support. Requests to /v1/messages using the Anthropic SDK format are now passed through directly to Anthropic-compatible backends without protocol conversion, preserving Anthropic-specific fields such as cache token usage.
  • Added full support for the OpenAI Responses API (POST /v1/responses). Both streaming and non-streaming responses are handled, and all downstream plugins (RAG, content moderation, prompt decorator, prompt guard, logging) work correctly with the Responses API format.
• AI Rate Limiting
  • Added a new expression limit strategy with the cost_expr field, allowing dynamic token cost calculation using custom Lua arithmetic expressions. For example, input_tokens + cache_creation_input_tokens enables cache-aware input token per minute (ITPM) rate limiting for Anthropic Claude.
• OAS Validator
  • Added support for OpenAPI 3.1 specification validation, including features such as exclusiveMinimum/exclusiveMaximum as numbers, if/then/else conditional schemas, nullable types via ["string", "null"], const, patternProperties, prefixItems, and JSON Schema $dynamicRef/$dynamicAnchor.
  • Added a configurable rejection_status_code option (400–599, default 400). This allows distinguishing semantic validation errors (e.g., 422 Unprocessable Entity) from malformed request syntax (400 Bad Request).
• Request ID
  • Added uuidv7 as a new algorithm option. UUID v7 generates time-ordered, lexicographically sortable unique identifiers, making them more suitable for distributed tracing and log correlation than random UUID v4.
• OpenAPI to MCP
  • Added support for OpenAPI in: header parameters. Header parameters defined in OpenAPI specs are now correctly included in MCP tool schemas and forwarded as HTTP headers when invoking the upstream API.

Control Plane

• Added support for Vault dynamic roles for database credential rotation. Dynamic roles create temporary database users with a configurable lease TTL, improving security compared to static roles. Dynamic role is now the default mode, with automatic startup retry using exponential backoff.
• Added a standalone file-server component for hosting files accessible by MCP servers. Files can be uploaded via the Dashboard API and served through a dedicated port. The file server is disabled by default and can be enabled in the system settings.
• Added HTTP Bridge as a new Dynamic Client Registration (DCR) provider type. HTTP Bridge proxies DCR operations (register, update, delete, rotate secret) to an external identity provider via configurable HTTP endpoints.
• Added Data Plane compatibility reporting. When Control Plane and Data Plane versions differ, the Data Plane now reports incompatible resource details (schema validation failures, unknown plugin fields, missing plugins) via heartbeat. Compatibility status is viewable through the runtime instance API.
• Services can now be published without upstream configuration, enabling AI Proxy and other plugin-only scenarios where no backend upstream is needed.
• Optimized custom plugin synchronization with incremental cache refresh. The periodic sync job now queries only for changes instead of performing a full table scan, significantly reducing database load.

Data Plane

• Improved Redis Sentinel connection performance. Master node addresses are now cached with a configurable TTL, reducing Sentinel round-trip queries on each new connection. Additionally, pooled connections skip redundant AUTH and SELECT DB commands, lowering latency for high-throughput Redis operations.

Developer Portal

• Added admin impersonation. Portal administrators can impersonate organization owners to troubleshoot issues, with a 1-hour time-to-live and a persistent warning banner during impersonation.
• Added OAuth client secret regeneration for HTTP Bridge credentials. Organization owners can regenerate secrets through a confirmation modal in the credential management UI.
• Added configurable TOTP-based two-factor authentication (2FA) for Developer Portal login.
• Added role-based access control (RBAC) with three roles: Owner (full control, including organization deletion), Admin (all permissions except organization deletion), and Member (view-only access).
• Organization settings now use slug-prefixed URLs. Page URLs update automatically when switching organizations or renaming the organization slug.
• Application detail pages now display configuration based on portal settings.
• Added an optional signup notice HTML slot for displaying trusted custom content before the sign-up button on the authentication page.

Fixes

Plugins

• AI Aliyun Content Moderation
  • Fixed issue: Empty or whitespace-only content caused a 400 error from the Alibaba Cloud moderation API. Additionally, LLM error responses (status ≥ 400) triggered a 500 error during response moderation, and multimodal content arrays crashed text extraction.
• AI Proxy
  • Fixed issue: The apisix_llm_active_connections Prometheus gauge was never decremented when a plugin exited early via ngx.exit(), causing the metric to grow indefinitely and report incorrect active connection counts.
• AI Rate Limiting, Limit Conn, Limit Req
  • Fixed issue: $env:// and $secret:// references in Redis host configuration were passed as literal strings instead of being resolved to their actual values, causing Redis connection failures.
• Fixed issue: API keys, authentication tokens, OAuth credentials, and full plugin configuration payloads were logged in plaintext across multiple plugin and agent log outputs. Sensitive data is now redacted.

Control Plane

• Fixed issue: Updating service runtime configuration (e.g., toggling service status) via PATCH failed with a schema validation error when the service had no upstream configured.
• Fixed issue: HTTP and stream subsystem plugins sharing the same name used a single cache entry, causing the wrong plugin schema to be used for validation when both subsystems were active.
• Fixed issue: Subscriptions could be deleted across API products without validating that the subscription belonged to the target product.
• Fixed issue: Services without upstream configuration showed phantom empty upstream records in the upstream list API.
• Fixed issue: Control Plane crashed with a nil pointer dereference during upgrade migration when processing services with no upstream configured.
• Fixed issue: Multiple API Products within the same Developer Portal could link to the same gateway service (same service ID and gateway group), causing configuration conflicts.
• Fixed issue: Updating an SSL certificate allowed SNI collisions when adding new domains that conflicted with existing certificates.
• Fixed issue: Deleting an API Product that shared a gateway service with another product incorrectly removed all system plugins from the shared service, breaking the other product's authentication configuration.
• Fixed issue: DCR provider authentication headers (such as Bearer tokens) were stored in the database without encryption.
• Fixed issue: Consumer credential secrets were not masked in audit logs due to a value/pointer receiver mismatch.
• Fixed issue: Approval handlers (accept/reject subscription) continued execution after returning a 403 status, bypassing the permission check and processing the request.
• Fixed issue: Read-only Developer Portal users could cancel API Product subscriptions because the endpoint used a read permission check instead of write.
• Fixed issue: PATCH operations on route and stream route runtime configurations used read-only or view-only permission checks, allowing users without write access to modify configurations.
• Fixed issue: Upstream resources were not validated against the requested service, allowing access to upstreams belonging to other services.
• Fixed issue: The CAS SSLVerify configuration flag was inverted, causing TLS certificate verification to be disabled when it was configured as enabled. This could expose CAS authentication connections to man-in-the-middle attacks.
• Fixed issue: Concurrent requests from ADC caused a fatal crash (concurrent map writes) in the route validator due to unsynchronized access to lazy-initialized schema cache maps.
• Fixed issue: API call statistics flush held a database lock during IO operations, causing performance degradation under high traffic. The flush mechanism now uses swap-and-release with batch writes.

Console (Dashboard)

• Fixed issue: The Service Hub page and related modals crashed when a service had an empty or missing name.
• Fixed issue: Adding the same service published to different gateway groups as linked services, was incorrectly blocked by frontend validation.

Data Plane

• Fixed issue: DNS resolution intermittently returned incorrect IP addresses. When the gateway operated in cache-only mode, DNS Additional section records (nameserver glue records) were incorrectly included in resolution results and their domain names overwritten with the queried domain. This caused random upstream connection failures, as the gateway occasionally selected a nameserver IP instead of the actual service IP.
• Fixed issue: Stream routes with service_id silently failed if the referenced service arrived after the route via etcd sync. Service status changes (enable/disable) and deletions also did not trigger stream router rebuild.

Developer Portal

• Fixed issue: Every unauthenticated request to the Developer Portal generated a "No developer ID in session" log entry, flooding production logs and obscuring real errors.
• Fixed issue: The "Regenerate Secret" option was shown (as disabled) for OIDC provider credentials, instead of being hidden. It is now only visible for HTTP Bridge credentials.
• Fixed issue: After re-signing in without logging out, the owner role was not properly restored, causing role-gated UI buttons to appear disabled until a manual page refresh.

3.9.7

Release Date: 2026-03-25

Upgrade Notes

encrypt_fields compatibility

This version adds encrypt_fields to the CSRF plugin (key) and the Kafka Proxy plugin (sasl.password). When the Control Plane is upgraded to 3.9.7 but Data Planes remain on 3.9.6 or earlier, the Control Plane encrypts the newly declared encrypt_fields for CSRF and Kafka Proxy when publishing configurations to etcd. Older Data Planes do not recognize these fields and will skip decryption, causing the AES ciphertext to be used as the actual configuration value. This results in silent failures — for example, CSRF token validation will fail because the key is garbled, and Kafka Proxy will fail to authenticate with the broker.

Recommended upgrade path: Follow the standard upgrade sequence — upgrade the Control Plane first, then the Data Planes. However, after upgrading the Control Plane, do not modify CSRF or Kafka Proxy plugin configurations until all Data Planes have been upgraded to 3.9.7. Upgrade Data Planes as soon as possible after the Control Plane upgrade.

Features

Plugins

• AI Proxy
  • Added bidirectional protocol conversion between Anthropic and OpenAI formats. Users can send requests in Anthropic SDK format to OpenAI-compatible backends (such as DeepSeek or OpenRouter), with the gateway automatically converting request and response formats, including SSE streaming.
• OpenAPI to MCP
  • Added MCP Tool Annotations support. Tools generated from OpenAPI specs can now carry behavioral metadata (read-only, destructive, idempotent) via the x-mcp-annotations vendor extension, enabling AI agents to better understand and invoke APIs.

Control Plane

• Added a form-based UI for the Limit Count plugin in Dashboard, supporting visual configuration of Local, Redis, and Redis Cluster policies without manually editing JSON/YAML.
• Added custom menu groups in the Dashboard sidebar. External links such as internal documentation or wiki pages can be configured via a YAML config file.
• Improved performance under high API traffic by reducing database write frequency for hot-path operations (such as token last-used timestamps and gateway heartbeat timestamps) through write debouncing and in-memory caching. Also optimized distributed lock acquisition latency.

Data Plane

• Added port range support for stream_proxy TCP and UDP listeners (e.g., 2000-2100), eliminating the need to list each port individually when configuring a large number of proxy ports.
• Added encrypt_fields to the CSRF plugin (key) and the Kafka Proxy plugin (sasl.password).

Fixes

Plugins

• AI Proxy
  • Fixed issue: AI request token usage statistics (prompt_tokens, completion_tokens) were inaccurate when HTTP chunk boundaries did not align with SSE event boundaries in upstream responses.
• Prometheus
  • Fixed issue: apisix_llm_* metrics were exported for all API routes, even those without AI plugins enabled, causing unnecessary metric cardinality and storage overhead. Also added disabled_labels support for LLM metrics, allowing operators to selectively disable high-cardinality labels.

Control Plane

• Fixed issue: When multiple concurrent API requests modified Global Rules simultaneously, only the last write took effect in the gateway, even though Dashboard showed all modifications as successful.
• Fixed issue: Syncing service configurations with non-HTTPS active health checks via ADC failed with the error Unrecognized key: "https_verify_certificate".
• Updated the default worker count to 1 when adding Kubernetes gateway instances in Dashboard.

Data Plane

• Fixed issue: API call count statistics became inaccurate after a gateway worker process restart (e.g., an unexpected crash).

3.9.6

Release Date: 2026-03-09

Features

Plugins

• Error Log Collect
  • Added a new plugin to support centralized error log collection.
• Oas Validator
  • Added a new parameter reject_if_not_match. When set to false, it allows requests to pass to upstream services even if they fail OAS validation.
• Limit Count Advanced
  • Added more log information for easier debugging.

Control Plane

• Supported published Services and Routes in Resource name APIs.
• Added support for Services and Routes as alert conditions in alert policies.
• Supports dynamic rotation of Postgres credentials via Vault.

Data Plane

• Added the rate-limiting-info variable to retrieve detailed status information of rate-limiting plugins.
• Enhanced Docker images: switched to distroless base images and upgraded busybox to fix security vulnerabilities.

Fixes

Plugins

• Limit Count Advanced
  • Fixed issue: A panic in the synchronization function could cause the shared dictionary lock to not be released, leading to synchronization interruptions.

3.9.5

Release Date: 2026-02-14

Features

Plugins

• Feishu Auth
  • Added a new Feishu authentication plugin based on the OAuth 2.0 Authorization Code flow, supporting integration with internal business services in the workbench.
• Dingtalk Auth
  • Added a new Dingtalk authentication plugin that logs key information during the authentication process for easier tracking.

Control Plane

• Daily License Information Logging: The control plane now records daily license information, including CPU limits, expiration time, and current core usage. It starts logging reminders 3 months before the license expires. Users can directly view CPU usage through the logs.

• OpenTelemetry Data Collection and Visualization: The control plane can now dispatch debug and sampling tasks to data planes, receive reported data, and support data export via API along with frontend visualization.

  Note

  This feature introduces Jaeger as an additional component. If deploying with Helm, note that the control plane's values file enables Jaeger by default. The official Helm chart is available at https://charts.api7.ai.

Fixes

Data Plane

• Fixed issue: When plugins with encrypt_fields had schema fields with maxLength constraints (e.g., hmac-auth secret_key max 32 chars), the encrypted ciphertext exceeded the length limit because schema validation ran before decryption.

3.9.4

Release Date: 2026-02-03

Features

Control Plane

• After disabling SCIM, users can delete historical SCIM accounts synchronized from the IdP in API7.
• Supports uploading OpenAPI 3.1.0 and 3.1.1 files.

Fixes

Plugins

• Limit Count
  • Fixed issue: The counter data could be inaccurate if the Gateway crashed unexpectedly.

Data Plane

• Fixed issue: The heartbeat and metrics reporting would only use the first control plane address when multiple addresses were configured.

Control Plane

• Fixed issue: A route URL not starting with / would cause the conflict detection API to return a 500 error.
• Fixed issue: The code hints in the plugin configuration editor would sometimes stop working.

3.9.3

Release Date: 2026-01-26

Features

Plugins

• AI Request Rewrite
  • Supported two new providers: Gemini, Vertex AI.
• SAML Auth
  • Added auth_protocol_binding_method parameter to support configuring SAML protocol binding methods, including HTTP-POST and HTTP-Redirect. The default value is HTTP-Redirect (backward compatible with previous versions). HTTP-POST must be used when Azure AD is the identity provider.

Fixes

Plugins

• SAML Auth

  • Fixed issue: SAML sessions could not be shared across multiple gateway instances. Added the mandatory secret field for configuring the key to encrypt session data.

    Upgrade note

    The saml-auth plugin upgraded from older versions can work normally but cannot share sessions across multiple gateway instances. This issue can be resolved by configuring the secret field.

  • Fixed issue: Missing NameID field in the SAML request when processing logout requests. The absence of the NameID field will cause logout failure when Azure AD is the identity provider.

3.9.2

Release Date: 2026-01-19

Features

Plugins

• AI Proxy/AI Proxy Multi
  • Supported four new providers: Gemini, Vertex AI, OpenRouter, and Anthropic.
• Basic Auth/JWT Auth/Key Auth/HMAC Auth/LDAP Auth
  • Added a realm configuration option to set the Realm value in the WWW-Authenticate response header for 401 authentication failures.
• OpenID Connect
  • Supported validating claims by configuring claim_schema.

Control Plane

• Rejected gateway nodes with a version higher than the Control Plane.
• Supported querying node health status in multi-upstream scenarios.

Fixes

Plugins

• Limit Count
  • Fixed issue: The rate limiting counter was shared when the same rate-limiting configuration was applied across multiple consumers (introduced in 3.8.5).
• Limit Count Advanced
  • Fixed issue: Incorrect data appeared when resetting request headers (introduced in 3.8.19).
  • Fixed issue: Rate limiting data was not correctly submitted after enabling Redis delayed synchronization (introduced in 3.8.19).
  • Fixed issue: Redis password could not be specified in Redis Sentinel mode.
  • Fixed issue: Keepalive was not enabled for Redis connections in Redis Sentinel mode.
• Syslog
  • Fixed issue: After sending an excessively long log in UDP mode, subsequent logs could not be sent.
• Request ID
  • Fixed issue: The system failed to generate a new request ID when the request-id provided by the client was empty.

Data Plane

• Fixed issue: A deepcopy table overflow error could occur during the startup process.
• Fixed issue: The server header still returned "APISIX" when enable_server_tokens was disabled.
• Fixed issue: The health checker caused the gateway to continuously output error logs after an update to the ai-proxy-multi plugin.

Control Plane

• Fixed issue: The default client.depth for SSL resources was too small, causing mTLS migration failure for Cloud v2 users.
• Fixed issue: Data duplication could occur during concurrent calls to the SSL API.
• Fixed issue: The health status of frontend components on the Console (Dashboard) was not reflected in the /healthz API response.

3.9.1

Release Date: 2026-01-08

Fixes

Developer Portal

• Fixed issue: "Developers" created in older versions of the Developer Portal could not be deleted.

3.9.0

Release Date: 2026-01-06

Breaking Changes

Developer Portal

• Newly Redesigned Developer Portal

  Upgrade note

  The Developer Portal has been completely redesigned. This release introduces breaking changes that require action before upgrading:

  • The built-in Portal SSO feature has been removed. Configure authentication through the new Portal-level authentication mechanism instead.
  • The Portal frontend is now open-source. Existing Portal customizations must be migrated to the new SDK-based architecture.

Features

• All API7 Enterprise Docker images are now signed using Cosign, enhancing image security.

Developer Portal

• Provides open-source SDKs and a frontend scaffolding project to facilitate user customization and development.
• Introduces a new Portal-level authentication mechanism for API integration.

Plugins

• Limit Conn/Limit Req

  • Supported using Redis and Redis Cluster as the rate limiting data storage backend.

    Upgrade note

    Added a new required field policy. Existing configurations do not require modification and will continue to function in the data plane. However, when updating a configuration, this field must be supplied (e.g., policy=local), otherwise the update will be rejected.

• Request ID

  • Added a new algorithm ksuid for ID generation.

• Loki Logger

  • Supported customizing HTTP headers sent to the Loki server.

• File Logger

  • Supported conditional request logging using the match field.

• Workflow

  • The rules field is now required.

Control Plane

• Allowed to completely disable built-in username/password login after enabling SSO login.
• Supported configuring the maximum execution time for database statements.
• Observability Enhancements
  • Enabled the pprof performance profiling by default.
  • Added database connection pool metrics to the metrics endpoint.
  • Supported separate logging for access and error logs.
  • Added the request_id field to access and error logs.

Fixes

Plugins

• OpenAPI to MCP
  • Fixed issue: Passing authentication credentials via query parameters could lead to sensitive information leakage.

Data Plane

• Optimized caching behavior for resolution chains that involve CNAME and A records.

Control Plane

• Removed the display of IP and Port from the gateway instance list to avoid misleading users.
• Fixed issue: Database deadlocks could occur during concurrent batch inserts into the API call statistics table.
• Fixed issue: Dashboard failed to start when using a non-public schema in PostgreSQL.

3.8.23

Release Date: 2026-02-03

Features

Control Plane

• Supports uploading OpenAPI 3.1.0 and 3.1.1 files.

Fixes

Data Plane

• Fixed issue: Heartbeat and metrics would only be reported to the first control plane address when multiple addresses were configured.

Control Plane

• Fixed issue: A route URL not starting with / would cause the conflict detection API to return a 500 error.

3.8.22

Release Date: 2026-01-19

Fixes

Plugins

• Limit Count
  • Fixed issue: The rate limiting counter was shared when the same rate-limiting configuration was applied across multiple consumers (introduced in 3.8.5).
• Limit Count Advanced
  • Fixed issue: Incorrect data appeared when resetting request headers (introduced in 3.8.19).
  • Fixed issue: Rate limiting data was not correctly submitted after enabling Redis delayed synchronization (introduced in 3.8.19).
  • Fixed issue: Redis password could not be specified in Redis Sentinel mode.
  • Fixed issue: Keepalive was not enabled for Redis connections in Redis Sentinel mode.
• Syslog
  • Fixed issue: After sending an excessively long log in UDP mode, subsequent logs could not be sent.
• Request ID
  • Fixed issue: The system failed to generate a new request ID when the request-id provided by the client was empty.

Data Plane

• Fixed issue: A deepcopy table overflow error could occur during the startup process.

Control Plane

• Fixed issue: The default client.depth for SSL resources was too small, causing mTLS migration failure for Cloud v2 users.
• Fixed issue: Data duplication could occur during concurrent calls to the SSL API.
• Fixed issue: The health status of frontend components on the Console (Dashboard) was not reflected in the /healthz API response.

3.8.21

Release Date: 2025-12-23

Features

Plugins

• gRPC Web
  • Supported enabling the plugin on routes that use non-wildcard paths.
• OpenAPI to MCP
  • Provided the flatten_parameters parameter to control whether path and query parameters from the OpenAPI specification are placed at the top level of the tools input schema.

Data Plane

• Fallback CP
  • Supported using the gateway as a backup node to sync data to AWS S3 and Azure Blob. Note that backup nodes do not provide HTTP/HTTPS services and are not counted towards the license quota.
  • Supported authentication using AWS IAM Role and Azure Managed Identity.

Control Plane

• Supported using MSSQL Server 2022 as the database for the control plane.
• Provided script generation for deploying gateway instances using Docker Compose.
• Improved the text prompts for each parameter when deploying gateway instances in Kubernetes.

Fixes

Plugins

• AI Proxy/AI Proxy Multi
  • Fixed issue: Headers configured in the plugin could not override downstream headers with the same name due to case-insensitivity.
• Limit Conn/Limit Count Advanced/AI Rate Limiting
  • Fixed issue: The rules.key field did not support the variable default value syntax.
• OpenAPI to MCP
  • Fixed issue: Errors or perpetual loading occurred when configuring the MCP Server in AI clients such as Cursor and Cline.

Data Plane

• Fixed issue: The gateway continued its startup process even after failing to connect to the control plane during initialization.
• Fixed issue: Heartbeat failed when the gateway listened on the same port using different IP addresses.
• Fixed issue: The Fallback CP feature failed to load credential data correctly.
• Fixed issue: Optimized the performance after enabling the Prometheus plugin.

Control Plane

• Fixed issue: For services created via the Admin API, their routes could not be selected on the console's monitoring page to view monitoring data.
• Fixed issue: Incorrect "Unhealthy Ratio" data displayed on the console's upstream page after configuring active health checks for an upstream.

3.8.20

Release Date: 2025-12-11

Fixes

Plugins

• OpenAPI to MCP
  • Fixed issue: Variables in base_url were not resolved correctly.

3.8.19

Release Date: 2025-12-09

Features

Plugins

• OpenAPI to MCP
  • Supported using variable syntax in base_url.
• AI Rate Limiting
  • Supported using Redis, Redis Cluster, and Redis Sentinel as storage backends.

Upgrade note

The ai-rate-limiting plugin now requires a new policy field. Existing configurations continue to function on the data plane, but any updates must include policy: local; otherwise, the update will be rejected.

Data Plane

• Added support for the ${external_user.*} built-in variable to retrieve values from external user information. The variable is injected by the openid-connect plugin and developer portal OAuth authentication.

Fixes

Plugins

• AI Proxy/AI Proxy Multi
  • Fixed issue: Request headers generated by the client or other plugins were not forwarded to the upstream.
• AI Rate Limiting/Limit Count Advanced
  • Fixed issue: When multiple rules were matched simultaneously, the rate-limiting headers could not be distinguished. By default, they are now distinguished by the index of the matched rule. The header_prefix configuration is also supported for custom prefixes.
  • Fixed issue: When variables were used in the limit field, the rate-limiting status was not updated in real-time after the variable's value changed.

Control Plane

• Fixed issue: Users' access tokens could still be used to access APIs after expiration.
• Fixed issue: The "Labels" section in the Dashboard displayed a large number of duplicate input fields when creating a route.
• Fixed issue: Disabled plugins on a route could not override enabled plugins of the same name on the associated service.
• Fixed issue: Dropdown option values in the Portal Dashboard changed frequently.
• Fixed issue: Plugin configurations in the Dashboard did not automatically populate default values.

3.8.18

Release Date: 2025-11-25

important

To support creating multiple Portal instances, the portal-auth plugin of the data plane has been upgraded. After upgrading the control plane, users should upgrade the data plane as soon as possible. During the period between the control plane upgrade and the data plane upgrade completion, please do not update existing API products, as such changes will not take effect.

Features

Data Plane

• Supported specifying the backlog configuration for listening ports.
• Supported Azure Blob storage type in fallback_cp.

Control Plane

• Supported Dynamic Client Registration (DCR) provider management.
• Supported DCR authentication type in API products.
• Supported OAuth authentication type (obtaining client ID and client secret based on DCR) in Developer credentials.
• Supported creating multiple Portal instances. Existing Portal usage data will be assigned to the automatically created default Portal instance.
• API7 Dashboard supported specifying the license storage path in the configuration file.

Fixes

Plugins

• All Logger Plugins
  • Fixed issue: Logger plugins failed to obtain request bodies when client request bodies were too large to generate temporary files.
• AI Proxy Multi
  • Fixed issue: Health checkers were rebuilt when requests hit different consumers.

Control Plane

• Fixed issue: The Helm Chart version was not locked in the Ingress Controller installation script.
• Fixed issue: Offline gateway instances were still displaying compatibility tags.
• Fixed issue: When creating/updating upstreams, the system did not check if upstream_host was empty when pass_host was set to rewrite.
• Fixed issue: In the Developer Portal, when OpenAPI documents contained multiple server_urls, developers could not select a server_url when initiating test requests.
• Fixed issue: Developers with subscriptions under the "pending approval" state can still make requests to the gateway.

3.8.17

Release Date: 2025-11-10

Features

Plugins

• Limit Conn
  • Supported variable syntax in the conn and burst fields.
  • Added a rules field for configuring multiple rate-limiting rules simultaneously.
• Limit Count Advanced
  • Supported variable syntax in the count and time_window fields.
  • Added a rules field for configuring multiple rate-limiting rules simultaneously.
• AI Rate Limiting
  • Supported variable syntax in the limit and time_window fields.
  • Added a rules field for configuring multiple rate-limiting rules simultaneously.
• AI Proxy/AI Proxy Multi/AI Request Rewrite
  • Supported the aimlapi provider.
• OpenAPI to MCP
  • Considered the default values of query parameters defined in OpenAPI when sending requests to the upstream service.
• All Access Log Logging Plugins
  • Supported configuring each plugin's batch processor max_pending_entries in the plugin metadata, for the the maximum number of pending entries in the batch processor.
  • Flushed the pending logs to the logging service before the worker process exited.

Control Plane

• Supported configuring IP whitelist and blacklist for accessing the dashboard.

Fixes

Plugins

• AI Proxy Multi
  • Fixed issue: Multiple worker processes cannot share the health checker of an AI instance.

Control Plane

• Fixed issue: Cannot upload license when the browser lacks permissions.
• Fixed issue: Bad performance of the gateway when the number of upstream.nodes is very large.
• Fixed issue: The policy field of plugins, such as limit-count and limit-count-advanced, is optional (should be required).
• Fixed issue: When creating a new SSO page and clicking "Back", the page redirected to the SMTP Server page.

3.8.16

Release Date: 2025-10-28

Features

Plugins

• Kafka Logger
  • Supported SCRAM-SHA-512 in SASL mechanism.

Data Plane

• Supported wildcard SNI matching for SSL certificates, allowing a single certificate to cover multiple subdomains.

Control Plane

• Added support for specifying host when publishing Gateway service in API Portal.
• Added cache configuration support for query failure scenarios in the Gateway secret module.
• Updated Ingress Controller installation form to support configuring namespace and name.
• Specified supported versions when importing OpenAPI in the Dashboard UI.
• Removed the bare metal tab from the Gateway deployment page.

Fixes

Plugins

• OpenAPI to MCP
  • Fixed issue: SSE mode does not work when path_prefix and strip_path_prefix were both configured in the service.
  • Fixed issue: MCP tool names were generated from the OpenAPI paths, which could exceed the length limit for tool names. Now MCP tool names are generated from OpenAPI operation IDs.
  • Fixed issue: A 500 status code was thrown when the headers field was not configured.

Control Plane

• Fixed issue: ADC Sync could synchronize to the wrong gateway group when group names were similar.
• Fixed issue: Login option role mapping retained previous roles even when no rules were matched.
• Fixed issue: The Request Scope field of the OIDC Login Option included an unnecessary “Add” button.
• Fixed issue: Old configurations were sometimes not displayed in the Edit Login Option form.
• Fixed issue: Unnecessary changes occurred during ADC diff due to overly complex core resource schema.
• Fixed issue: User’s updated_at timestamp was not refreshed when updating user roles.

3.8.15

Release Date: 2025-10-13

Features

Plugins

• Lago
  • Introduced new plugin.
• Traffic Split
  • Now available for Stream service.
• OpenAPI to MCP
  • Supported streamable HTTP as a transport method for MCP.

Data Plane

• Supported GCP Secret Manager as a secret management backend.

Control Plane

• Supported configuring the Prometheus query path prefix in Dashboard.

Fixes

Data Plane

• Fixed issue: Creating multiple GatewayProxy/IngressClass for the same gateway group will cause resource conflicts and route overwrites.
• Fixed issue: Error logs contain sensitive information.
• Fixed issue: grpc-web responses lost trailers when the response body was empty.

3.8.14

Release Date: 2025-09-25

Fixes

Data Plane

• Fixed issue: Upstream reference error when configuring multiple services with duplicate backends in Ingress Controller v2.0.6.
• Fixed issue: Gateway instance status calculation error when using PostgreSQL databases with non-UTC timezones.

3.8.13

Release Date: 2025-09-23

Features

Plugins

• OpenAPI to MCP
  • Introduced new plugin.

Console (Dashboard)

• Supported Admin API and DPM Address in API7 Helm Chart.

Data Plane

• Supported configuring the Prometheus remote write endpoint URLs in DP Manager.
• Aligned the certificate usage API response fields with the OpenAPI specification.

Fixes

Console (Dashboard)

• Fixed issue: Prompt message handling for internal login email integration on the API7 Dashboard.
• Fixed issue: Error messages for invalid custom plugin schemas, previously only visible in the browser console, are now displayed on the API7 Dashboard.
• Fixed issue: Configuration interference between include_resp_body settings across logging plugins.
• Fixed issue: Warnings appeared during the frontend console build process.

Data Plane

• Fixed issue: Secrets could not be dynamically updated.

Developer Portal

• Fixed issue: OAS could not be queried when creating products in Provider Portal for services created using ADC.
• Fixed issue: Hierarchy issues when downloading OpenAPI documentation in Provider Portal.

3.8.12

Release Date: 2025-09-17

Fixes

Console (Dashboard)

• Fixed issue: Users with policies scoped by service_label could not edit the corresponding services or service templates.
• Fixed issue: Authorization by label on service templates incorrectly reused the label of a published service with the same ID during list API authorization.

3.8.11

Release Date: 2025-08-25

Features

Plugins

• AI Request Rewrite
  • Introduced new plugin.
• AI RAG
  • Introduced new plugin.
• AI AWS Content Moderation
  • Introduced new plugin.

Console (Dashboard)

• Improved guidance when the root user generates a token. The UI now clearly instructs users to create a new user and generate tokens under that account.
• Supported enabling pprof in the Enterprise control plane with a configuration switch. It listens on 127.0.0.1 and is disabled by default.

Dependencies

• Included the latest version of ADC in the Enterprise offline release package.

Fixes

Plugins

• Custom Plugins
  • Fixed issue: Uploading a custom plugin without a schema returned 500.
• Basic Auth
  • Fixed issue: Made the scheme part ("Basic") case-insensitive.
• AI Proxy Multi
  • Fixed issue: Abnormal traffic distribution.
• AI Prompt Decorator
  • Fixed issue: User historical messages were incorrectly appended to messages in logs/configurations. The plugin now only inserts system prompts as expected.

Data Plane

• Fixed issue: With the EWMA load balancing algorithm, historical statistics were not cleaned up, which could exhaust the allocated shared memory and cause errors.

Console (Dashboard)

• Fixed issue: Users logging in on multiple devices could get stuck on the license activation page.
• Fixed issue: The /plugins key was only written during custom plugin operations or at dashboard startup. As a result, creating a new gateway under a newly created gateway group could not synchronize the list of enabled plugins from the control plane. The key is now created correctly.
• Fixed issue: When creating Services via ADC, duplicate Routes across different Services were not detected by the route conflict checker.
• Fixed issue: Long labels were not fully displayed in the UI.
• Fixed issue: Concurrently creating a Service with the same ID could result in duplicate creation.
• Fixed issue: Creating two Routes simultaneously could report that the Routes' Service already exists.
• Fixed issue: On the login page, when there were too many login options, the header overlapped and the page could not scroll.

3.8.10

Release Date: 2025-08-25

Features

Plugins

• SOAP
  • Introduced new plugin.

Data Plane

• Supported configuring the addresses for DP Manager and the Admin API via an API7 Dashboard configuration file.

Console (Dashboard)

• Supported specifying the Admin API address in the gateway deployment configuration, which will be used to populate the GatewayProxy Endpoint address in the API7 Ingress Controller deployment script.
• Consolidated allow_access API calls in the API7 Dashboard frontend to reduce redundant requests.
• Added hash_on configuration item to upstream connection configuration.

Fixes

Plugins

• AI Proxy Multi
  • Fixed issue: A panic was triggered by connection timeouts to the upstream service.
• Removed the ext-plugin-pre-req, ext-plugin-post-req, and ext-plugin-post-resp plugins from the Enterprise Edition.

Data Plane

• Fixed issue: A deadlock could occur when the Control Plane updates the service API due to insufficient database connections.
• Fixed issue: Upon restarting, worker processes could load stale data from the master process. This could cause temporary request failures (e.g., 404 errors) for recently created or modified routes before the worker process synchronized the latest data from etcd.
• Fixed issue: Etcd history compaction could trigger a full data load in APISIX, causing a significant performance impact on the etcd service, especially in environments with a large number of gateway nodes.

Console (Dashboard)

• Fixed issue: A consumer could not be created when its permission policy was configured to grant all permissions based on labels.
• Fixed issue: In the consumer list page, pagination would occasionally fail. Attempting to navigate to another page would result in a brief loading state, but the view would remain on the current page.

3.8.9

Release Date: 2025-08-11

Features

Plugins

• JWT Auth
  • Added store_in_ctx parameter to store validated JWT object in request context. When set to true (default is false), the plugin stores the validated JWT object in the request context, useful for custom plugins that need to parse JWT to extract permissions.
• Workflow
  • Added support for limit-conn plugin integration, allowing dynamic connection limit strategies based on user requests and current APISIX load pressure.

Data Plane

• Supported Kubernetes 1.18 in API7 Enterprise Ingress Controller.
• Backported Chaitin WAF plugin from APISIX to API7 Enterprise.

Console (Dashboard)

• Added audit log record TTL configuration option, allowing users to set automatic deletion time for audit log table data. Default value is 60 days.
• Optimized Dataplane manager SQL statements when updating cached Consumer data.

Developer Portal

• Added support for CAS login.

Fixes

Plugins

• OAS Validator
  • Fixed issue: Adjusted error level for detailed response errors from error to warn when verbose_errors is enabled.
• JWT Auth
  • Fixed issue: Plugin failed to validate exp claim when claims_to_verify: ["exp"] is set.
• Consumer Restriction
  • Fixed issue: Improved error messages when using consumer-restriction with basic-auth plugin. When type is set to consumer_group_id with blacklist configuration, non-blacklisted consumers now receive appropriate error messages.
• Kafka Logger
  • Fixed issue: Performance degradation when max_pending_entries is enabled in service configuration with many routes. The issue was caused by each route creating separate batch processor buffers due to plugin conf deepcopy during service and route merging.
• Limit Count Advanced
  • Fixed issue: Plugin panic triggering shared memory deadlock.

Data Plane

• Fixed issue: Error information could not be properly recorded when reading request body in ctx variables.

Console (Dashboard)

• Fixed issue: Chinese labels imported from OpenAPI files were displayed as Chinese pinyin instead of original Chinese characters.
• Fixed issue: Route information occasionally stuck in loading state after frequent route switching.
• Fixed issue: PUT API could create credentials for non-existent consumers.
• Fixed issue: Language switching inconsistency where switching to English on login page would revert to Chinese after login.

Developer Portal

• Fixed issue: SAML/OIDC logout did not properly sign out from IDP login state. After SSO logout, only Control Plane login state was cleared while IDP login state remained, causing automatic login success when clicking SSO login button again.

3.8.8

Release Date: 2025-07-28

Features

Data Plane

• Supported Consul service discovery deduplication and node sorting.
• Supported accessing uri_param_* variables when using radixtree_uri_with_parameter router.
• Upgraded the base image for the API7-EE-3-Gateway to Ubuntu 24.04.

Developer Portal

• Supported viewing current API usage statistics for developers in applications.
• Upgraded Scalar to version 0.7.25.

Dependencies

• Upgraded Casbin to version 1.41.9.

Console (Dashboard)

• Optimized Ingress gateway group deployment scripts by adding config.controllerName.

Fixes

Data Plane

• Fixed issue: Corrupt data in routes() response due to health checker data.
• Fixed issue: grpc-web responses could contain duplicate trailer chunks.
• Fixed issue: Inconsistent response headers for different strategies in the proxy-cache plugin.

Plugins

• API Breaker
  • Fixed issue: The api-breaker plugin failed to trigger correctly due to an inaccurate time point (breaker_time) in the implementation.
• AI Proxy
  • Fixed issue: Fix upstream_response_time being empty by adding apisix_upstream_response_time variable to measure the time APISIX takes to communicate with the upstream and receive the response.

Console (Dashboard)

• Fixed issue: Concurrent requests to generate deployment scripts for a new gateway group could result in duplicate keys.
• Fixed issue: Repeatedly clicking "View ID" across different routes would accumulate route IDs.
• Fixed issue: Creation and update timestamps were incorrectly positioned in the resource details.
• Fixed issue: Audit logs were not recorded for plugin operations (create/delete/edit) in published services.
• Fixed issue: Infinite redirect during CAS login caused by an abnormal server timestamp.
• Fixed issue: Resource selector on the monitoring page was too narrow, causing text truncation.

3.8.7

Release Date: 2025-07-17

Features

Plugins

• Limit Count Advanced
  • Added support for Redis Sentinel mode.

Data Plane

• Supported component upgrade sequence control to ensure dp-manager waits for database migration before startup.

Console (Dashboard)

• Supported OpenAPI editor pre-fills previous data for service OpenAPI specifications, avoiding full re-entry for simple modifications.
• Supported configuring and enabling Content Security Policy (CSP) by default.
• Supported displaying both Gateway API and Ingress deployment scripts for Ingress Controller gateway groups.

Developer Portal

• Supported deleting developers in the Provider Portal.
• Introduced an "Application" resource to manage API product subscriptions and credentials at the application level.

Fixes

Plugins

• Zipkin
  • Fixed issue: zipkin_trace_id appeared garbled in access.log.
• Forward Auth
  • Fixed issue: Forwarding POST requests with forward-auth plugin may result in 504 errors caused by the request body being lost. Resolved by introducing extra_headers.

Data Plane

• Fixed issue: Some Control Plane APIs (/api/license, /api/system_infos, /api/developer-portal-url) could be accessed without authorization.
• Fixed issue: delay_encode could only be used once per log line.
• Fixed issue: Metrics failed to report after startup due to certificate issues.

Console (Dashboard)

• Fixed issue: Deleting source code while editing a custom plugin cleared the entire form.

Developer Portal

• Fixed issue: Unauthenticated users could see non-subscribable products after filtering for subscribed API products.
• Fixed issue: The "Clear All" button has been removed for API products with a single filter, as its function overlaps with selecting "All" conditions.

3.8.6

Release Date: 2025-06-27

Features

Plugins

• Elasticsearch Logger
  • Added support for Elasticsearch 9.0.2.

Fixes

Plugins

• OpenID Connect
  • Fixed issue: Sessions not properly closed on errors, leading to resource leaks.

Data Plane

• Fixed issue: Worker process not exiting when executing quit or reload command.
• Fixed issue: Port values greater than 65535 were incorrectly accepted.
• Fixed issue: etcd data sync failure when keys contain special characters.
• Fixed issue: Kubernetes service discovery performance degradation due to watch progress re-listing all data.
• Fixed issue: Memory leak in Kafka Logger causing nginx worker crashes.

Console (Dashboard)

• Fixed issue: Clicking "Delete" on plugins only disabled them instead of removing them.
• Fixed issue: Incorrect or missing namespace/service data in upstream when using Kubernetes service discovery.

Security

• Fixed issue: TLSv1.3 cross-SNI session resumption vulnerability (backported HTTP fixes from nginx 1.21.4).

3.8.5

Release Date: 2025-06-16

Features

Console (Dashboard)

• Added route URI information to alert messages for status code-related alert events.

Fixes

Dependencies

• Upgraded OpenSSL from version 3.2.3 to 3.2.4.
• Upgraded Debian base image to Bookworm.

Data Plane

• Fixed issue: Severe performance impact occurred when OAS plugin spec files are too large.
• Fixed issue: post_arg matching fails when content-type contains charset.
• Fixed issue: Consumers did not share the same counter in the limit-count plugin.
• Fixed issue: Missing etcd init_dir prevents listing resources.
• Fixed issue: real_payload can be overridden by malicious payload in the jwt-auth plugin.
• Fixed issue: Incorrect variables and redundant TLS configs in upstream_schema.

Console (Dashboard)

• Fixed issue: Route plugin updates in services mistakenly override existing plugins.

3.8.4

Release Date: 2025-06-11

Fixes

Data Plane

• Optimized the performance of large table data migration during control plane upgrades.
• Added caching logic to post_arg to optimize performance and prevent repeated inefficient parsing.
• Fixed issue: The cache for ctx variables prefixed with http_ and graph_ is not effective.
• Fixed issue: Prometheus metrics are not properly retained after degradation and recovery.

Console (Dashboard)

• Fixed issue: The plugin's editing method (form or code) is not displayed correctly.
• Fixed issue: Error in the code suggestions in the Response Rewrite plugin editor.

3.8.3

Release Date: 2025-06-04

Features

Plugins

• Automatically inserted _meta into the schemas of custom plugins.

Data Plane

• Supported the configuration of apisix.disable_upstream_healthcheck in conf/config.yaml to disable all health checks with a single switch.
• Optimized Prometheus performance by mitigating high memory consumption.
• Released API7 Ingress Controller 2.0.

Console (Dashboard)

• Optimized the deployment process for ingress controller type of gateway groups.
• Added alert policy event trigger "license will expire".

Fixes

Data Plane

• Fixed issue: Occasional route matching error when reading body for GraphQL requests with post_arg.

Console (Dashboard)

• Fixed issue: Upgrade dependencies ramda to 0.30.1 and cross-spawn to 7.0.5 to avoid high-risk vulnerabilities.
• Fixed issue: The max-age field is displayed incorrectly when configuring the cors plugin details using the dashboard form.
• Fixed issue: After upgrading ADC from version 17.x to 19.x, the Dashboard continues displaying outdated configurations when multiple routes under the same service are updated simultaneously.
• Fixed issue: Unable to view plugin configurations within a service with the gateway:GetPublishedService or gateway:GetServiceTemplate permissions in the dashboard.
• Fixed issue: API7 Enterprise built-in plugins do not work properly when two custom plugins contain faulty code.
• Fixed issue: Kubernetes service discovery experiences performance issues with a high number of upstream nodes.
• Fixed issue: Headers have inconsistent casing. They are standardized to title case.

3.8.2

Release Date: 2025-05-19

Features

Plugins

• AI Proxy Multi
  • Added retry logic for 429/5xx response codes to improve request success rate.

Data Plane

• Added support for reverse proxying AzureAI services.

Console (Dashboard)

• Supported CAS as an SSO login option for API7 Enterprise.

Fixes

Console (Dashboard)

• Fixed issue: Failed to update basic information of published services.
• Fixed issue: retry_timeout and retries cannot be edited in the stream service upstream.
• Fixed issue: Page crash when gateway instance is missing compatibility field.

Data Plane

• Fixed issue: Long startup time for standalone mode with large configuration files.
• Fixed issue: OAS Validator plugin incorrectly rejecting numbers between 1.11-1.19 with multipleOf: 0.01 rule.
• Fixed issue: AI Proxy plugin would accept invalid endpoint URLs (e.g. missing colon in "http//localhost").

3.8.1

Release Date: 2025-05-07

Features

Plugins

• Limit Count Advanced
  • Added automatic fallback to local shared dict when Redis is unavailable, preventing request failures during Redis outages.

Data Plane

• Supported active and passive health checks for Stream (Layer 4) routes.

Console (Dashboard)

• Specified the validity period of the gateway instance certificate when adding a gateway instance.
• Added a warning in the gateway instance list when the certificate is about to expire.
• Supported viewing the certificate renew method for gateway instances in the dashboard and generating new gateway instance certificates.

Fixes

Data Plane

• Fixed issue: Health checks do not work as expected when using TCP services, and requests are still forwarded to unhealthy upstream nodes.
• Fixed issue: High latency in gateway requests due to Redis service failures.
• Fixed issue: Error in determining the default value of llm_time_to_first_token in AI Gateway.

Plugins

• Removed the snowflake algorithm from the request-id plugin due to potential risks.

Console (Dashboard)

• Fixed issue: The total bandwidth chart data on the monitoring page was inconsistent with Prometheus.
• Fixed issue: When forced publishing is enabled, modifications to the Route’s timeout and plugin configurations are not allowed in the published service.

3.8.0

Release Date: 2025-04-22

Features

Plugins

• AI Proxy
  • Implemented new identifier fields logging and summaries for collecting LLM request and response content.
• AI Proxy Multi
  • Supported HTTP POST method for health checks.
  • Displayed a record at the warning log level if the fallback was triggered.
  • Implemented a new identifier field for collecting LLM request and response content.
• AI Aliyun Content Moderation
  • Added support for streaming (HTTP SSE) scenarios.
• AI Prompt Guard
  • Introduced new plugin.
• Kafka Logger
  • Supported reading the user request and response body content cached in ctx and pushing it to the specified Kafka service.

Data Plane

• Supported using values from an array object within the user request body in routing conditions. While post_arg was already permitted in routing conditions, this update introduces support for array scenarios for the type field's location.
• Supported the recording of additional AI request context information within access logs.
• Supported adding a request type identifier to Prometheus metrics to collect more granular data on AI requests.

Console (Dashboard)

• Added detailed statistics for service name and route name in status code alert messages.
• Optimized plugin configuration: When configuring Traffic Split plugin on a service or route, verify that the upstream_id configured indeed belongs to the current service's upstreams.
• Aligned the upstream connection configuration field names with the API in published services.
• Introduced a form-based UI for CORS plugin configuration.

Fixes

Data Plane

• Fixed issue: When the upstream type was Kubernetes service discovery, nodes in health checks were not updated after node changes, resulting in many health check failure logs.
• Fixed issue: An error occurred when the shared_size parameter for Kubernetes service discovery was adjusted to 100m.#11857
• Fixed issue: APISIX/API7 Enterprise with Kubernetes discovery will fail after token file expires. #11779
• Fixed issue: After updating the prefix of Vault secret provider, the data plane continued to use the old configuration.

Console (Dashboard)

• Fixed issue: The retries field in the upstream was incorrectly set as required.
• Fixed issue: An error occurred on the published service page due to lack of service template permissions.
• Fixed issue: Updating the service discovery service name in published services did not take effect.
• Fixed issue: Creating multiple records with rapid clicks.
• Fixed issue: High database CPU utilization when using large scale of consumers.
• Optimized the wildcard configuration method for Permission Policy:
  • Wildcard configuration using * is now supported in authorization statements, with the same meaning as the current <.*>；
  • The asterisk * is restricted and not allowed in any resource ID fields to prevent authorization failures.

3.7.8

Release Date: 2025-06-16

Fixes

Console (Dashboard)

• Fixed issue: Route plugin updates in services mistakenly override existing plugins.

3.7.7

Release Date: 2025-06-11

Fixes

Console (Dashboard)

• Optimized the performance of large table data migration during control plane upgrades.

3.7.6

Release Date: 2025-06-02

Fixes

Data Plane

• Fixed issue: Kubernetes service discovery experiences performance issues with a high number of upstream nodes.

Console (Dashboard)

• Fixed issue: API7 Enterprise built-in plugins do not work properly when two custom plugins contain faulty code.
• Fixed issue: After upgrading ADC from version 17.x to 19.x, the Dashboard continues displaying outdated configurations when multiple routes under the same service are updated simultaneously.

3.7.5

Release Date: 2025-05-19

Fixes

Console (Dashboard)

• Fixed issue: Failed to update basic information of published services.

Data Plane

• Fixed issue: Long startup time for standalone mode with large configuration files.
• Fixed issue: OAS Validator plugin incorrectly rejecting numbers between 1.11-1.19 with multipleOf: 0.01 rule.

3.7.4

Release Date: 2025-04-30

Features

Console (Dashboard)

• Specified the validity period of the gateway instance certificate when adding a gateway instance.
• Added a warning in the gateway instance list when the certificate is about to expire.
• Supported viewing the certificate renew method for gateway instances in the dashboard and generating new gateway instance certificates.

Fixes

Data Plane

• Fixed issue: Health checks do not work as expected when using TCP services, and requests are still forwarded to unhealthy upstream nodes.
• Fixed issue: High latency in gateway requests due to Redis service failures.
• Fixed issue: Error in determining the default value of llm_time_to_first_token in AI Gateway.

Plugins

• Removed the snowflake algorithm from the request-id plugin due to potential risks.

Console (Dashboard)

• Fixed issue: The total bandwidth chart data on the monitoring page was inconsistent with Prometheus.
• Fixed issue: When forced publishing is enabled, modifications to the Route’s timeout and plugin configurations are not allowed in the published service.

3.7.3

Release Date: 2025-04-22

Fixes

Console (Dashboard)

• Fixed issue: High database CPU utilization when using large scale of consumers.
• Optimized the wildcard configuration method for Permission Policy:
  • Wildcard configuration using * is now supported in authorization statements, with the same meaning as the current <.*>；
  • The asterisk * is restricted and not allowed in any resource ID fields to prevent authorization failures.

3.7.2

Release Date: 2025-03-24

Fixes

Plugins

• OpenTelemetry
  • Fixed issue: A 404 response on the dynamic route /v2/:customerNumber results in an empty reported path.

Admin APIs

• Fixed issue: Resources lack consistent name and desc length enforcement up to 65535 characters, causing errors when users input valid long strings.

Console (Dashboard)

• Fixed issue: Users observe encrypted ciphertext, not their original plaintext input, for sensitive service and route fields after database storage.
• Fixed issue: Upon dashboard restart, the previously deleted default gateway group is erroneously regenerated.
• Fixed issue: Token name updates are not reflected in the notification area.

Dependencies

• Upgraded to Go 1.23.
• Upgraded to Next.js 14.2.25 to resolve CVE-2025-29927.

3.7.1

Release Date: 2025-03-14

Fixes

Plugins

• OpenID Connect
  • Fixed issue: Cannot configuring verify issuer.
  • Fixed issue: Unable to validate audience claim. #11018.

3.7.0

Release Date: 2025-03-10

Features

Data Plane

• Reference Secrets in Kubernetes Secret: The secret provider now supports Kubernetes secrets. This allows you to reference sensitive values from Kubernetes secrets for use in SSL certificates, SSL private keys, consumer credentials, and various plugin configurations.

Plugins

• AI Rate Limiting
  • Introduced new AI plugin which enforces token-based rate limiting for requests sent to LLM services. It helps manage API usage by controlling the number of tokens consumed within a specified time frame, ensuring fair resource allocation and preventing excessive load on the service. It is often used with AI Proxy Multi plugin.
• AI Proxy
  • Supported openai-compatible provider.
  • Supported proxying embedding model APIs.
• AI Proxy Multi
  • Supported openai-compatible provider.
  • Supported bypassing upstream configuration when using the plugin.
  • Supported active health check.
  • Supported proxying embedding model APIs.

Console (Dashboard)

• Supported *referencing a specific secret from Kubernetes Secrets: See Reference a secret in Kubernetes Secrets for details.
• Added page size selector for all tables.
• Displayed the service ID and service template ID on the service page header, and the route ID and route template ID on the route page header.

Admin APIs

• Added Reference Secrets in Kubernetes Secret related APIs:
  • Get a Kubernetes secret provider on a gateway group.
  • Update a Kubernetes secret provider on a gateway group.
  • Delete a Kubernetes secret provider on a gateway group.

Fixes

Data Plane

• Fixed issue: Duplicated gateway instance IDs result in inaccurate CPU counts.

Console (Dashboard)

• Fixed issue: Alert email delivery failed due to an invalid From Name format in the SMTP server configuration.
• Fixed issue: Plugin metadata is not deleted when deleting the custom plugin.
• Fixed issue: The Skip Path Prefix field is not removed when manually adding a stream service.
• Fixed issue: The priority of route cannot be set to negative numbers.

3.6.1

Release Date: 2025-03-14

Fixes

Plugins

• Limit Count Advanced
  • Fixed issue: Intermittently experiences 500 errors during load testing.
• OpenID Connect
  • Fixed issue: The plugin does not support configuring verify issuer.

3.6.0

Release Date: 2025-02-26

Breaking Changes

• Removed service runtime configurations in service templates, for better template reuse across gateway groups. Existing service runtime configurations within service templates will be removed, but your published service configurations will remain unchanged. Furthermore, the publishing process is simplified and streamlined, with no service runtime configurations allowed during the process. See the renewed guide to publish service.

Features

Data Plane

• Supported the configuration of upstream mTLS: see Configure mTLS between API7 Enterprise and Upstream for more details.

Console (Dashboard)

• Supported Logged in with Email: API7 Enterprise dashboard now supports login using either username or email address with password. To use email for login or to receive notifications, please bind an email address to your user profile.
• Supported configuring mTLS for upstreams.
• Supported referencing environment variables for SSO connection information.
• Introduced a form-based UI for plugin configuration.
• Added Basic Authentication as an authentication option for Developer Portal credentials. If the API product allows multiple authentication types, any valid credential can be used.

Fixes

Data Plane

• Fixed issue: Race condition problem while update upstream.nodes.#11916.
• Fixed service discovery issue: Upstream original_nodes is not updated when fill_node_info structure after cloning the nodes table.#10722.

3.5.5

Release Date: 2025-03-14

Fixes

Plugins

• Limit Count Advanced
  • Fixed issue: Intermittently experiences 500 errors during load testing.
• OpenID Connect
  • Fixed issue: The plugin does not support configuring verify issuer.
  • Fixed issue: Unable to validate audience claim.#11018

3.5.4

Release Date: 2025-03-07

Fixes

Plugins

• Elasticsearch Logger
  • Fixed issue: The plugin cannot configuring the index to dynamically send data based on the current date in the plugin.

Console (Dashboard)

• Fixed issue: Re-publishing with a template can lead to the loss of upstream configurations.
• Fixed issue: The OpenAPI cache on the page failed to invalidate after a service was rebuilt with ADC.
• Optimized slow queries.

3.5.3

Release Date: 2025-02-18

Fixes

• Fixed issue: Alert email subject cannot contain variables.

3.5.2

Release Date: 2025-02-18

Fixes

Data Plane

• Fixed issue: Failed to enable the Log Rotate plugin.
• Fixed issue: Duplicate data may occasionally occur in gateway instances during the upgrade process, specifically when using MySQL databases.
• Fixed issue: Deletion of custom plugins may occasionally fail.
• Fixed issue: When the data plane reports metrics, it may occasional encounter 500 errors.

Plugins

• Proxy Rewrite
  • Fixed issue: Version compatibility issue with the plugin.

Admin API

• List all stream routes in a published service on a gateway group
  • Fixed issue: Response error.

Console (Dashboard)

• Fixed issue: Upgrading the dashboard before the DP Manager during a version upgrade can cause the DP Manager to restart continuously.

3.5.1

Release Date: 2025-02-06

Fixes

Plugins

• OpenTelemetry
  • Fixed issue: Cannot reporting request.url as route.url when the plugin reports dynamic routes /v2/:customerNumber.

Console (Dashboard)

• Fixed issue: Failed to configure the Azure SMTP server to send alert emails.

3.5.0

Release Date: 2025-01-27

Features

Data Plane

• Multiple Upstreams in a Service: For advanced scenarios such as canary deployments, blue-green deployments, or managing multiple clusters, a service can now utilize multiple upstreams. In such cases, a default upstream serves as the primary target for most requests, while other upstreams can be used for specific purposes, such as routing traffic to a canary deployment or a secondary cluster. See the renewed Configure Canary Traffic Shifting for details.

info

The old Canary Rule function is no longer available.

• Supported custom configuration of DP metrics label through Prometheus plugin metadata.
• Optimized performance of data plane Prometheus metrics reporting.
• [Beta] Configured mTLS for upstream. API support is currently available. Full support is coming soon.

Plugins

• OpenID Connect
  • Added redirect_after_logout_uri for plugin that do not have an end_session_endpoint.#10653
• Zipkin
  • Added Zipkin variable.#10361
• Proxy Rewrite
  • Supported miltiple regex pattern matching.#9194
  • Supported variable when rewrite header.#9112
• GRPC web
  • Supported configuring allow-headers.#10904
• Mocking
  • Supported adding headers.#9720
• OPA
  • Supported sending headers upstream returned by OPA.#9710
• HTTP Logger
  • Supported compressed responses in loggers.#10884
• Kafka Logger
  • Supported compressed responses in loggers.#10884
• RocketMQ Logger
  • Supported compressed responses in loggers.#10884
• Traffic Split
  • Supported HTTPs.#9115

Admin APIs

• Added Multiple Upstreams related APIs:
  • Create a upstream in a published service on a gateway group.
  • Update a upstream in a published service on a gateway group.
  • Patch a upstream in a published service on a gateway group.
  • List all upstreams in a published service on a gateway group.
  • Get a upstream in a published service on a gateway group.
  • Delete a upstream in a published service on a gateway group.
• Updated Published Service APIs due to the new feature:Configured mTLS for upstreams:
  • Create a published service on a gateway group
    • Added properties: client_certificate, ca_certificate, tls_verify.
  • Create a upstream in a published service on a gateway group
    • Added properties: client_certificate, ca_certificate, tls_verify.
  • Update published service(without publishing)
    • Added properties: client_certificate, ca_certificate, tls_verify.
  • Update a upstream in a published service on a gateway group
    • Added properties: client_certificate, ca_certificate, tls_verify.

Console (Dashboard)

• Multiple Upstreams in a Service: For advanced scenarios such as canary deployments, blue-green deployments, or managing multiple clusters, a service can now utilize multiple upstreams. In such cases, a default upstream serves as the primary target for most requests, while other upstreams can be used for specific purposes, such as routing traffic to a canary deployment or a secondary cluster. See the renewed Configure Canary Traffic Shifting for details.
• Prohibited new resource creation due to exceeding the License CPU limit.
• Added page size selection for API7 Portal dashboard pages.
• Supported both YAML/JSON format for plugin configurations.
• Improved UI for upstream health check configuration.
• Renamed Enable/Disable Plugin to Add/Delete Plugin for improved accuracy.

Fixes

Plugins

• Traffic Split
  • Fixed issue: LRU Cache object creation function causes client request exceptions.
• Limit Conn
  • Fixed issue: Report error attribute does not exist because using HTTP variable in stream mode.#9816
• Prometheus
  • Fixed issue: Even after the Prometheus plugin is disabled, all features related to Prometheus are not entirely shut down..#11117
• OpenID Connect
  • Fixed issue: The redirect_uri was set to ngx.var.request_uri if not configured and caused the underlying lua-resty-openidc module to raise error.#7690
• Zipkin
  • Fixed issue: Getting a nil value in log phase.#10666
• Proxy Rewrite
  • Fixed issue: Incompatibility problems arise from not setting ngx.var.uri.#9309
• Log Rotate
  • Fixed issue: The use of string.byte is less efficient than string.sub.#9984

3.4.2

Release Date: 2025-02-18

Fixes

Admin APIs

• List all stream routes in a published service on a gateway group
  • Fixed issue: Response error.

Console (Dashboard)

• Fixed issue: Upgrading the dashboard before the DP Manager during a version upgrade can cause the DP Manager to restart continuously.

3.4.1

Release Date: 2025-01-14

Fixes

Data Plane

• Fixed issue: Configuring access_log_format in DP and setting access_log_format_escape to json, the result will append an extra request_id.

Console (Dashboard)

• Fixed issue: Pasting the password failed when using BasicAuth authentication for online debugging in API7 Portal.

3.4.0

Release Date: 2025-01-07

Features

Data Plane

• SNI Management: Introduced SNI as a new mechanism for managing TLS and mTLS authentication and certificate matching. See Configure mTLS between Client and API7 Gateway for details.

Plugins

• OpenID Connect
  • Added authorization parameters.#10058
  • Added more attributes.#10591
  • Added required scopes configuration property.#10493
  • Added session.cookie configuration.#10919
  • Supported setting headers in introspection request.#11090
• Fault Injection
  • Supported header injection.#9039.
• Skywalking Logger
  • Supported $hostname in skywalking service_instance_name.#9401
  • Add option to include request body and response body in logger plugins.#10888
• Forward Auth
  • Added exception configuration status_on_error.#10898
  • Supported degradation.#9435.
• Elastic Search Logger
  • Added compatibility headers.#10828
  • Added option to include request body and response body in logger plugins.#10888
• Prometheus
  • Supported custom configuration of DEFAULT_BUCKETS.#9673
• CORS
  • Supported for the Timing-Allow-Origin header.#9365
• File Logger:
  • Added schema attribute definition for logger plugins.#10738
• HTTP Logger:
  • Added schema attribute definition for logger plugins.#10738
• Syslog
  • Added option to include request body and response body in logger plugins.#10888
• SLS Logger
  • Added option to include request body and response body in logger plugins.#10888
• TCP Logger
  • Added option to include request body and response body in logger plugins.#10888
• UDP Logger
  • Added option to include request body and response body in logger plugins.#10888
• Tencent Cloud CLS
  • Added schema attribute definition for logger plugins.#10738
  • Added option to include request body and response body in logger plugins.#10888

Admin APIs

• Added SNI related APIs:
  • Create a SNI.
  • Update a SNI on a gateway group.
  • List all SNIs on a gateway group.
  • Get a SNI on a gateway group.
  • Delete a SNI on a gateway group.

Console (Dashboard)

• API7 Portal Monitoring: Provided monitoring data and visualizations to track API Product metrics.
• Applied custom plugin configuration at the gateway group level. See Add Custom Plugin for details.

Fixes

Data Plane

• Fixed issue: Shared memory leak used by Redis delayed synchronization function.
• Fixed issue: Warn log when sending requests to external services insecurely.#11403

Plugins

• AI Proxy
  • Fixed issue: Query parameters from override.endpoint are not sent to LLM.
• OpenID Connect
  • Fixed issue: Not closing session and blocking until TTL expired when using lockable session storage backend.#10788
• Forward Auth
  • Fixed issue: Request body is too large.#10589
  • Fixed issue: Plugin does not work if the request is POST and authentication service API is GET.#11021
• GRPC Web:
  • Fixed issue: Receiving an error missing trailers.#10851
• GRPC Transcode
  • Fixed issue: The position of enumerations in pb_option_def is wrong.#11448

Console (Dashboard)

• Fixed issue: Audit log failed to record when publishing multiple services.

Dependencies

• Data plane upgraded to LuaJit 2.1-20240815.
• Removed grpc-client-nginx-module.

3.3.4

Release Date: 2025-02-18

Fixes

Admin APIs

• List all stream routes in a published service on a gateway group
  • Fixed issue: Response error.

Console (Dashboard)

• Fixed issue: Upgrading the dashboard before the DP Manager during a version upgrade can cause the DP Manager to restart continuously.

3.3.3

Release Date: 2025-01-14

Fixes

Data Plane

• Fixed issue: Configuring access_log_format in DP and setting access_log_format_escape to json, the result will append an extra request_id.

Console (Dashboard)

• Fixed issue: Pasting the password failed when using BasicAuth authentication for online debugging in API7 Portal.

3.3.2

Release Date: 2024-12-24

Fixes

Console (Dashboard)

• Fixed issue: Dashboard failed to start when upgrading from 3.2.16.2 or older version to 3.3.1 and higher version.

3.3.1

Release Date: 2024-12-19

Fixes

Data Plane

• Fixed issue: Plugins running in the rewrite phase will be executed repeatedly after hitting a consumer.

3.3.0

Release Date: 2024-12-17

Features

Data Plane

• Refactored an expiration and elimination mechanism in the data plane.

Plugins

• OpenID Connect
  • Synchronized the latest APISIX code.
• Datadog
  • Reported consumer username tag.#11354
• Body Transformer
  • Supported content-type using x-www-form-urlencoded format and parsing uri parameters of get requests#10496
• OpenTelemetry
  • Added variables.#8871
• OpenID Connect
  • Added proxy_opts attribute.#9948

Console (Dashboard)

• Announced the General Availability (GA) of the API7 Portal, a comprehensive solution for API exposure and consumption. Explore the key concepts of the API Portal and Developers, and begin your journey towards productize services.
• Recorded request IDs in access logs and error logs.
• Added prompt in the alert history when an alert policy had not been configured with a notification channel.
• Supported integration with external Prometheus metrics.

Security

• Fixed the vulnerabilities from the CVE report.

Fixes

Data Plane

• Fixed issue: Data plane queries to the DPM for consumer errors, other than 404 errors, should not have been cached.

Plugins

• CORS
  • Fixed issue: The Access-Control-Expose-Headers response header will be overwritten.#11136.
• Body Transformer
  • Fixed issue: The input_format enumeration lacks a means to prevent body parsing and validation, leading to unnecessary warnings.#10862

Console (Dashboard)

• Fixed issue: After disabling the API7 integrated authentication, password login on the login page had been unavailable.
• Fixed issue: The plugin global rules search result is not accurate.

3.2.16.7

Release Date: 2024-12-13

Fixes

• Fixed issue: The DP Manager had entered an infinite loop when it received truncated Prometheus metrics.
• Fixed issue: Data plane synchronization with the control plane may have been disrupted due to an interrupted watch.
• Fixed issue: The Redis delayed synchronization function of the rate limiting plugin had not worked as expected for low-frequency requests.
• Fixed issue: The shared memory used by Limit Count Advanced plugin had been faulty.
• Fixed issue: radixtree_uri_with_parameter had been unable to match requests containing path parameters with special characters.
• Fixed issue: The remain value in Limit Count Advanced plugin sliding window should have been rounded down, and the reset value should have had two decimal places.

3.2.16.6

Release Date: 2024-11-25

Improvements

• The JWT Auth plugin supported key_claim_name.
• Added gateway group filtering to monitoring.

Fixes

• Fixed UI issues in alert pages.
• Fixed issue: Multiple data plane containers had been identified as a single instance in the control plane, which had impaired license control capabilities and some metric reporting display functions.
• Fixed issue: Audit logs failed to record when multiple services were published.
• Revised SSL certificate expiration alert condition text.
• Fixed issue: The health check had failed because the node IP address had not been updated.
• Added validation of the legitimacy of Lua code in plugins to the control plane codes.
• Added a record of error messages for sub-plugins to the Multi Auth plugin.
• Removed extra warning log in the Basic Auth plugin.
• Fixed the permission verification error of the secret providers when new credentials were added.
• Fixed issue: Added published service on gateway group had lacked the skip path prefix configuration item.

3.2.16.5

Release Date: 2024-11-21

Improvements

• Added multipart content type to body transformer.
• Adjusted resource ID length limit from 64 to 256.
• The workflow plugin has supported limit-count-advanced as an action.
• Refactored core.response.exit to clarify parameter definitions.
• Recorded the executed plugins in the request context to ensure that the same plugin had only been executed once when using the workflow plugin.

Fixes

• Fixed issue: Enabling the prefer_name option in the Prometheus plugin will cause the filters on the monitor page to malfunction.
• Fixed issue: When an anonymous consumer is matched, the x-consumer-custom-id header is not added to the request.
• Fixed issue: When configured together, the body transformer plugin and CORS plugin had caused errors with OPTIONS requests.
• Temporarily removed the sandbox mechanism in theexit transformer plugin.

3.2.16.4.1

Release Date: 2024-12-09

Fixes

• Fixed issue: The DP Manager had entered an infinite loop when it received truncated Prometheus metrics.
• Fixed issue: Data plane synchronization with the control plane may have been disrupted due to an interrupted watch.

3.2.16.4

Release Date: 2024-11-01

Features

Send Notification through Email

Alert policies can send notification through webhook and email at the same time by utilizing the new Contact Points. A Contact Point defines a set of email addresses or webhook URLs that can be used by multiple alert policies.

See Trigger Gateway Alerts for instruction.

note

Existing Webhook Templates will be migrated to new contact points and notifications, ensuring seamless transition and backward compatibility for alert policies.

Limit Count Advanced Plugin

Enhanced the open-source limit count plugin with a sliding window algorithm for more accurate rate limiting.

Exit Transformer Plugin

The exit-transformer plugin supports the customization of gateway responses based on the status codes, headers, and bodies returned from APISIX plugins. When configured as a global plugin, it also supports the response customization when a route that does not exist is requested.

Count Healthy Gateway Instances in a Gateway Group Through Alert Policy

If the number of healthy gateway instances in a gateway group falls below a critical threshold, it indicates potential service disruptions and impacts on traffic handling. This scenario is particularly relevant in Kubernetes deployments, where gateway instances may experience failures or be scaled down unexpectedly.

Create an alert policy for counting healthy gateway instances in a gateway group and send notifications to relevant personnel.

Utilized Expression Matching

Enable Expression Match in a route to match requests based on specific variables for greater precision, similar to nginx. Use expressions in the format [[var, operator, val], [var, operator, val], ...] to define matching criteria. Note that cookie name matching is case-sensitive.

See Expressions and lua-resty-expr for more details.

Security

• Added a status interface for self health checks on the data plane. For details, see enable data plane health check for high availability.

Improvements

• JWT Auth Plugin now supports more algorithm.
• Enriched more metrics in Grafana Dashboard Template.
• Allowed users to log in by pressing Enter.

Fixes

• Fixed issue: CORS Plugin expose_headers default value should not be *.
• Fixed issue: Successfully added first stream route when adding stream service.
• Fixed issue: max_req_body_bytes limit does not take effect in logger plugins.
• Fixed issue: Dynamic updates to rate limiting parameters in the Limit Count Plugin are now reflected in the data plane.
• Fixed issue: Services deleted via API are now consistently removed from the data plane.

3.2.16.3

Release Date: 2024-10-21

Features

Reference Secrets in AWS Secrets Manager

A secret object is a piece of sensitive information that needs to be protected from unauthorized access, while a secret provider object is used to set up integration with an external secret manager(HashiCorp Vault, AWS Secret Manager, etc.), so that API7 Gateway can establish connections and fetch secrets from the secret manager dynamically at runtime.

See Reference Secrets in AWS Secrets Manager for more details.

Anonymous Consumers for API authentication

An anonymous consumer does not need to authenticate, but can be restricted by rate limiting. You should configure anonymous consumers in authentication plugins on the service/route, then combined with rate limiting plugins.

For details, see the following documentation:

• Key Authentication
• Basic Authentication
• JWT Authentication
• HMAC Authentication
• Rate Limit with Anonymous Consumers

Security

• Added a status interface for self health checks on the data plane. For details, see enable data plane health check for high availability.

Improvements

• Supported for 2 million consumers.
• Sorted the consumer list by name.
• Removed conf_server from API7 gateway.
• Improved rate limiting related plugins to be more flexible, allowed for consumer-specific rate limits on a per-service/route basis. For details, see Limit Count Plugin and Limit Req Plugin.
• Advanced request & response transformation:
  • During request transformation, support passing Lua code to obtain values.
  • Aligned the capabilities of Kong's Request Transformation and Response Transformation.
• Displayed the total number of routes added in a service.
• Changed plugin list configuration from data plane to control plane. Not compatible with version under 3.2.15.0
• Added certificate expiration reminder in alert policies.
• Displayed a notification explaining the logout reason before redirecting to the login page due to multi-device login.
• Improved frontend page responsiveness and loading speed.
• Optimized the "Use Upstream Timeout" UI.
• Optimized API7 Portal(Beta) list page rendering speed.

Fixes

• Fixed issue: multiple paths can now be configured for a single route on the Dashboard.
• Fixed issue：the OpenTelemetry Plugin did not support set_ngx_var.
• Fixed issue: the ACL Plugin should not output warning logs during normal use.
• Enhanced data plane lua_ssl_trusted_certificate configuration item.
• Synchronized the Body Transformer Plugin code with the APISIX mainline version.
• Resolve issue: when a plugin that is not available to the stream module is configured on a service, the data plane prints error logs.
• Changed the Edit operation for Token to Edit Name.
• Resolve issue: when editing a service registry, the service discovery type does not match the form.

3.2.16.2

Release Date: 2024-10-11

Fixes

• Fixed the issue where plugin configuration updates in Consumer were not taking effect.

3.2.16.1

Release Date: 2024-10-04

Improvements

• Improved Developer Portal(Beta) performance.

Fixes

• Fixed panic issue in the radixtree_host_uri routing mode when deleting routes.
• Fixed incompatibility between custom authentication type plugins and the multi-auth plugin.

3.2.16.0

Release Date: 2024-09-30

Features

Reference Secrets in HashiCorp Vault

info

This is a breaking change. The secrets resource has been renamed to secret provider to align with best practices and facilitate integration with external secret management tools. All associated APIs have been updated accordingly.

A secret object is a piece of sensitive information that needs to be protected from unauthorized access, while a secret provider object is used to set up integration with an external secret manager(HashiCorp Vault, AWS Secret Manager, etc.), so that API7 Gateway can establish connections and fetch secrets from the secret manager dynamically at runtime.

See Reference Secrets in HashiCorp Vault for more details.

Improvements

• 【Breaking Change】Removed the JWT plugin's functionality for issuing tokens, and removed the ability to upload private keys. See JWT Plugin for details.
• Added support for deleting offline gateway instances.
• Added a sync_rate parameter to plugins that utilize Redis to control the frequency of counter synchronization with Redis. Real-time synchronization can put significant pressure on Redis.
• Supported accessing specific route detail pages via URL.
• Supported API online test for API7 Portal(Beta).
• UI Improvement: shorten the custom host input box.
• UI Improvement: change the load balancing algorithm dropdown to radio buttons.
• UI Improvement: new style for creating labels.

Fixes

• Fixed issue: the data plane failed to start due to an improperly cleaned config_listen.sock.
• Fixed issue: requests return a 404 error after disabling the service.
• Added keepalive_timeout configuration to splunk-hec-logging plugin.
• Removed whitespace before and after the delimiter after splitting consumer labels.
• Fixed issue: the Skywalking plugin cannot be restarted after being destroyed.
• Handled encryption and decryption correctly when non-authentication plugin configurations were applied to the consumer.
• Fixed issue: built-in permission policies should not be able to deleted.
• Fixed issue: ingress controller type gateway group should be able to delete.
• Fixed issue: data plane now supports / as a path prefix.
• Fixed UI issue: clicking on the label page jumps to the search bar.
• Fixed UI issue: after creating and deleting a token, the new token prompt does not disappear.
• Added Chinese translation for the plugin categories.
• Enlarged the plugin description text box to fully display the plugin's introduction.
• Fixed the issue where the new token prompt did not disappear after creating and deleting a token.

3.2.15.2.1

Release Date: 2024-12-09

Fixes

• Fixed issue: The DP Manager had entered an infinite loop when it received truncated Prometheus metrics.
• Fixed issue: Data plane synchronization with the control plane may have been disrupted due to an interrupted watch.

3.2.15.2

Release Date: 2024-09-19

Fixes

• Adjusted the attach-consumer-label plugin to execute in the before_proxy phase.

3.2.15.1

Release Date: 2024-09-18

Fixes

• Fixed issue: Using token to get instance_token returns 401.

3.2.15.0

Release Date: 2024-09-14

Features

Consumer Credentials

info

This is a breaking change. Creating new authentication plugins (key-auth, basic-auth, JWT-auth, or HMAC-auth) for consumers is no longer supported. Please use consumer credentials instead. Existing plugin configurations will remain accessible and editable until disabled.

Consumer credentials offer enhanced flexibility by allowing multiple credentials per consumer. They replace traditional authentication plugins like key-auth, basic-auth, JWT-auth, and HMAC-auth, providing a more user-friendly experience. See Manage Consumer Credentials for details.

Security

• The root user, admin, becomes a protected account that cannot be modified by roles, permission policies, or other users. It cannot be deleted or have its password reset by other users.

Improvements

• Sorted the service list alphabetically by name is now supported.
• Added gateway group ID to every audit log, so you can search or filter audit logs by gateway group.
• Recorded audit log for automatically deleted gateway instances that have been offline for more than 7 days.
• Supported filtering published services on a gateway group by label.
• Ensured control plane addresses do not end with a slash.
• Supported annotations in Helm.
• Provided configuration options to control the timeout for data plane heartbeat and telemetry requests, and adjust the default value to 30s.

Fixes

• Clarified the error message when a user logs in via SSO after SCIM is enabled, but the user does not exist in the system.
• Fixed the issue of failed canary configuration adjustments after modifying no version published service.

3.2.14.6

Release Date: 2024-08-28

Features

ARM Installation

Standardized ARM installation packages are available since version 3.2.14.6.

Security

• Fixed known CVE vulnerabilities.

Improvements

• Reduced installation image size through component optimization.
• Enabled mqtt-proxy plugin support for stream routes.
• Enhanced alert policy trigger conditions to include Allowed license CPU quota exceeded.

Fixes

• Wrote data plane certificate to a fixed local file.
• Fixed the issue of not being able to directly set the weight of the canary upstream to 100 when starting canary.
• Adjusted the order of custom plugins in the init_worker phase to avoid printing warning logs when the data plane restarts.
• Fixed UI display of blank route Methods when calling Admin API without methods.
• Fixed the issue where the route name length limit was 100 characters when synchronizing with ADC.
• Fixed the issue of alerts being sent even after the alert policy was disabled.

3.2.14.5.1

Release Date: 2024-12-09

Fixes

• Fixed issue: The DP Manager had entered an infinite loop when it received truncated Prometheus metrics.
• Fixed issue: Data plane synchronization with the control plane may have been disrupted due to an interrupted watch.

3.2.14.5

Release Date: 2024-08-20

Fixes

• Fixed a body validation bug in the response-rewrite plugin when body_base64 is set to false.

3.2.14.4.1

Release Date: 2024-12-09

Fixes

• Fixed issue: The DP Manager had entered an infinite loop when it received truncated Prometheus metrics.
• Fixed issue: Data plane synchronization with the control plane may have been disrupted due to an interrupted watch.

3.2.14.4

Release Date: 2024-08-14

Features

Override Upstream Timeout for Each Route

API7 Gateway offers granular control over request handling by enabling the configuration of distinct upstream timeouts for individual routes, to override the timeout configuration at the upstream side.

User Permission Boundary

Permissions boundaries define the maximum allowable permissions for a user, acting as a safeguard against excessive privilege escalation.

Security

• Upgraded frontend dependency.
• Ensured single device login - new login will revoke previous active sessions.
• Prohibited importing old license.
• Upgraded OpenResty version to fix security vulnerabilities.

Improvements

• Added service description in service hub list and published services list.
• Added "Connecting" status for service registry to avoid misunderstanding.
• Optimized custom plugin: Code Obfuscation and Encrypted Storage.
• Displayed a notification when using a test environment license.
• Implemented card-based UI for plugin management and modification.
• Supported configuration of custom plugin metadata.
• Minimized the image size of API7 Enterprise.

Fixes

• Fixed the issue of empty values for service runtime configuration parameters (e.g., host, path prefix) being lost when publishing a service version to a gateway group.
• Eliminated unnecessary audit log generation for dry-run license uploads.
• Fixed issue with incorrect route creation and modification timestamps.
• Fixed plugin metadata schema validation errors.
• Improved service search accuracy.
• Fixed issue with plugin loss during service template publishing.

3.2.14.3

Release Date: 2024-08-06

Fixes

• Supported referencing $env in SSL Certificates.
• Fixed UI instability when labels contained periods.
• Removed source code from frontend build artifacts.

3.2.14.2

Release Date: 2024-07-30

Fixes

• Fixed UI error for viewing Ingress Controller routes on the Dashboard.
• Fixed missing default Helm release name when installing gateway instance on Kubernetes.
• Enhanced Microsoft Entra ID (Azure AD) integration through ID token utilization.
• Fixed the issue that plugin inconsistencies may occur between service templates and published gateway groups.

3.2.14.1

Release Date: 2024-07-22

Improvements

Import OpenAPI to Create Service on Gateway Group

Simply import your OpenAPI specification directly into a gateway group to have your new service and all its routes ready.

Unveiling Granular Access Control with API7 Portal

Leverage custom roles and permission policies for granular control over access to API Products.

Security

• Control plane address must be HTTPs.
• Removed the use of ngx.req.get_post_args(0), use the default value instead to avoid potential attacks.
• Regenerate Ingress Controller deployment scripts now requires second confirmation.

Managing Published Service Basics without Versioning

Service name/description/labels now can be modified without publishing a new version.

First Route Creation During Service Setup

Allowing you to define the initial route right from the start. This eliminates the need for a separate step and simplifies your workflow.

Fixes

• Merged datadog plugin fix(https://github.com/apache/apisix/pull/11354) to API7 Enterprise.
• Fixed the issue of DP being invisible on the console.
• Fixed an issue: service registry status was always displayed as "disconnected" after changing the Prometheus data reporting method from remote-write to scrape.
• Fixed issue: Data plane encountered errors after deploying a custom plugin through the Dashboard.
• Fixed UI issue: you can not modify upstream of published service on a Ingress Controller gateway group.
• Wrong notification: When switching to Nodes, even if health checks are enabled, the prompt for users to enable health checks still exists.
• Fixed issue: When uploading a custom plugin, if there is a parsing error, the plugin name displayed in the error message does not match the actual file name.

3.2.14.0

Release Date: 2024-07-08

Features

Brand Access Control

info

This is a breaking change. Roles from older versions can not be kept.

API7 Enterprise moves beyond traditional role-based permissions, adopting a permission policy architecture for granular access control through reusable policies assigned to roles. See roles and permission policies

Improvements

Configure Priority for Routes

In specific scenarios, you can configure same routes within two different services. With priority determining which route handles the request. The route with a higher assigned priority will be used first.

Harden mTLS Certificate Security

Improved following issues:

• Overly Long Certificate: The certificate string is too long and should be shortened.
• Unnecessary Tokens: The certificate contains unnecessary tokens that should be removed.
• Shared CA: Using the same Certificate Authority (CA) for multiple certificates is insecure.
• Mismatched Certificate Handling: When a certificate mismatch occurs, the handshake should immediately fail, rejecting the client's request instead of proceeding with further validation.

Include Parameter lua_shared_dict in API7 Helm Chart

Introduced new parameter to Helm chart.

Fixes

• Upgrading from older version may cause missing upstream data or 404 errors.
• UI error encountered during service request URL update.
• Fixed Developer Portal library issue.
• Fixed HTTP logger plugin memory leak.
• Frontend and backend password policies are inconsistent.
• The data-mask plugin reports an error when the GET request does not match any route.
• The status field of the ApisixUpstream CRD is recorded incorrectly
• Data Plane supports configuring the reporting interval for monitoring data.
• Fixed warning logs after configuring plugin metadata.
• Fixed plugin reload issue.
• Reduced the number of PostgreSQL connections.
• Optimized frontend resource consumption.
• Removed trailing dot in FQDN.
• Plugin Metadata should be able to be deleted.

3.2.11.8

Release Date: 2024-06-26

Fixes

• Reduced API latency by minimizing etcd calls.
• Kine database connection pool configuration can function normally.

3.2.11.7

Release Date: 2024-06-24

Fixes

• Improve API performance.
• Data Plane supports disabling telemetry data collection and configuring reporting intervals.
• Custom plugins can function even without a schema definition.

3.2.11.6

Release Date: 2024-06-24

Fixes

• Large data sets no longer cause etcd range API error.

3.2.13.0

Release Date: 2024-06-19

Admin API Breaking Changes

1. The service template API has been migrated to the "/api/services/template" path prefix.

• Service template APIs
• Route template APIs

2. The original "/apisix/admin/services" endpoint now requires the gateway_group_id parameter.

• Service APIs on the gateway group
• Route APIs on the gateway group

Features

Create/Update Service on Gateway Group without Publishing

If version control is not your requirement, you can now directly create services on the gateway group. These services become active immediately, eliminating the need for a separate publishing step. This simplifies the deployment process and saves you time.

However, it is important to consider the trade-off involved. By bypassing the publishing stage, you also lose the ability to easily roll back to a previous version or track the version changes.

See the latest starter tutorial for details: Launch your first API.

Integrate with Ingress Controller(UI Support)

API7 Gateway officially introduces Ingress Controllers, a new type of gateway group. While the dashboard offers convenient management for creating and viewing your Ingress Controller, configuration modifications require to declarative way for any configuration changes.

Improvement

Search for Gateway Group Name and Filter by Labels

Makes it easier to find the specific gateway group you are looking for within the gateway group list.

Secure Sensitive Data in Configuration File

The database's DSN configuration (including access address, username, and password) can be configured through environment variables and Helm chart.

Support Prometheus Authentication

Prometheus remote write now supports Basic Auth/mTLS.

Support Secret Feature for SSL Variables

Secure ssl.certs and ssl.keys with encrypted secrets.

Fixes

• The ctx.var variable will be updated promptly after setting headers.
• Duplicate SSL certificates cannot be uploaded.

3.2.11.5

Release Date: 2024-06-18

Fixes

• The ssl_verify configuration now works fine for the Login Option OIDC and LDAP protocols.

3.2.11.4

Release Date: 2024-06-07

Fixes

• Protect sensitive fields within the login options related to API.

3.2.12.0

Release Date: 2024-05-24

Admin API Breaking Changes

1. The "service status" field has been changed from "0: enabled, 1: disabled" to "0: disabled, 1: enabled".

• Publish a service
• Update service runtime configurations by ID
• Get all published services in Gateway Group

2. The "ID" field has been removed from the consumer API. Queries and deletions are now performed using "gateway group ID" and "username".

• Consumers APIs

3. SSL-related APIs now require the "gateway group ID" parameter.

• SSL APIs

Features

Stream Route

API7 Gateway extends beyond API management. It can also handle Layer 4 (L4) traffic, like database or Kafka connections. Add a stream service and several stream routes to Proxy TCP Traffic.

Custom Role (UI Support)

Design your own custom roles with granular permission control. See Add Custom Role.

Ingress Controller (Beta, API Support Only)

Integrate with Ingress Controller.

Improvement

Optimize Left Navigation Menu

• Users will now see the gateway group menu as the primary landing page.
• Change the Service menu item to Service Hub.

Fixes

• Avoid duplicate API keys when using key-auth plugin.
• Enable allowlist and denylist at the same time in ua-restriction plugin.
• Reset the password without expiring the access token.
• Labels can be up to 64 characters long and include spaces.
• Validate the configuration of loggly plugin successfully.
• Force configuration synchronization to the data plane, even with schema validation errors. This prevents data loss and ensures uninterrupted workflow.
• The meaning of API7 Gateway service status is consistent with the corresponding field in Apache APISIX.

3.2.11.3

Release Date: 2024-05-20

Fixes

• etcd watch can pass SNI correctly.
• API7 Enterprise will attempt to create a database automatically. If permission issues arise, it will launch using a pre-configured database provided by the user, preventing installation failure.

3.2.11.2

Release Date: 2024-05-20

Fixes

• Labels can be up to 64 characters long and include spaces.
• Force configuration synchronization to the data plane, even with schema validation errors. This prevents data loss and ensures uninterrupted workflow.

3.2.11.1

Release Date: 2024-05-08

Features

SSO Role Mapping

This automated role mapping eliminates the need for manual role assignment by Super Admins. Users who satisfy the defined key-value mapping rules will be automatically assigned the corresponding roles upon login. For details, see Set Role Mapping.

SCIM Provisioning

Streamline your identity management with SCIM Provisioning. It automatically synchronizes user data from your Identity Provider, ensuring consistent and effortless user management. For details, see Sync User Data from IdP.

Custom Role (Beta, API Support Only)

Design your own custom roles with granular permission control. UI support coming soon.

Improvement

Upgrade to OpenSSL 3

Improved Security, Performance, and Availability.

Plugin Global Rules Ordering

To streamline the management of global rules, API7 Enterprise merges multiple rules into a single rule, ensuring that plugin configurations are unique within each rule.

Fixes

Settings Modal Add HTTP Protocol Detection

Not properly detecting whether HTTP or HTTPS is required, leading to errors when deploying gateway instances using the given script.

Error Uploading SSL Certificate

An issue exists where uploading an SSL certificate intended for gateway group A may inadvertently assign it to gateway group B.

Support Host Level Dynamic Setting of TLS Protocol Version

Incorporated the fix from the resolved Apache APISIX issue.

3.2.10.1

Release Date: 2024-04-28

Features

Support MySQL 5.7

API7 Enterprise now supports MySQL 5.7.

3.2.10.0

Release Date: 2024-04-22

Breaking Changes

Bind Token with User

Tokens are bound to specific users and share the same permissions. When the user is deleted, the associated token will also be deleted.

3.2.9.5

Release Date: 2024-04-16

Features

Upstream mTLS(API Support Only)

API7 Enterprise now supports mutual TLS (mTLS) authentication between the gateway and upstream services. mTLS is a form of communication security that requires both parties to present certificates to each other. This ensures that both parties are who they claim to be and that the data transmitted between them is encrypted. UI support coming soon.

3.2.9.4

Release Date: 2024-04-07

Fixes

Assessment of CPU Core Limitations

Fixed the issue that occurs when the maximum number of CPU cores is reached.

3.2.9.3

Release Date: 2024-04-03

Features

Integrate with Vault (Beta)

You can store sensitive data securely in your Vault. Admin API support is available; UI support coming soon.

3.2.9.2

Release Date: 2024-04-01

Features

Support SAML SSO Login

API7 Enterprise supports Single Sign-On (SSO) with SAML implementations. For details about how to configure SAML SSO login method, see configure SSO with SAML.

Plugin: Data Mask

The data-mask plugin provides the capability to remove or replace sensitive information in request headers, request bodies, and URL queries. Learn more about Data Mask.

Feature Enhancements

Skip Path Prefix

You can opt to skip the path prefix when sending requests to the upstream. This adjustment is imperceptible to users and may be useful when using different path prefixes to identify APIs sent to different gateway groups.

Better Health Check Configuration UI

Introduced a user-friendly and intuitive UI for your health check configuration in upstreams.

Upgraded Encryption Algorithm

Upgraded from AES128 to AES256 algorithm.

Performance Improvement

Eliminated the impact caused by disabling plugins.

3.2.9.1

Release Date: 2024-03-19

Features

Support Add Custom Plugin

API7 Enterprise now allows you to build custom plugins to add extra functionalities and manage API traffic with custom flow. See how to Add Custom Plugin

Support OIDC SSO Login

API7 Enterprise supports Single Sign-On (SSO) with OIDC implementations. For details about how to configure the LDAP SSO login method, see configure SSO with LDAP.

Use Service Labels as API Provider Scope

By assigning service labels as the scope for an API Provider, you can grant them access to all services with a specific label. It will help reduce the workload of the Super Admin. Typically, services can be grouped using a 'Department' label. Thus, users from that department will be able to access all services belonging to that department.

3.2.8.1

Release Date: 2024-02-08

Features

Support Nacos Service Discovery

API7 Enterprise uses service discovery to automatically detect available upstream services, keeping their addresses in a database (called a service registry). Therefore, an API gateway can always fetch the latest list of upstream addresses through the service registry, ensuring all requests are forwarded to healthy upstream nodes.

In this release, API7 Enterprise supports integrating with Nacos service discovery, which can be used to publish services and synchronize services between gateway groups.

Support LDAP SSO Login

API7 Enterprise supports Single Sign-On (SSO) with LDAP implementations. Integrating API7 Enterprise with LDAP enables you to log your LDAP users into API7 Enterprise as part of API7 Enterprise' SSO infrastructure. For details about how to configure the LDAP SSO login method, see configure SSO with LDAP.

Support Adding Gateway Instances using Kubernetes

A gateway instance is a single proxy that handles traffic. In this release, API7 Enterprise supports adding gateway instances to a gateway group using Kubernetes. For details, see add gateway instances.