An open-source platform for publishing, subscribing to, and securely consuming APIs through a unified API gateway.
All APIs. One Place.
Publish APIs, subscribe securely, and consume them through a unified API gateway—without relying on a centrally curated marketplace.
Modern applications rely on APIs for everything from AI models and payment gateways to weather services and communication platforms. As the number of providers grows, managing subscriptions, authentication, API keys, and usage becomes increasingly fragmented.
API Store sits between API providers and API consumers, providing a unified platform for publishing, subscribing to, and consuming APIs through a single gateway.
Unlike traditional API marketplaces, API Store follows a community-first approach rather than a centrally curated one. Developers are free to publish APIs without requiring approval from a central authority. Future versions will introduce community-driven discovery, reputation, and rating systems to help surface high-quality APIs.
The platform handles authentication, API key management, request routing, rate limiting, and usage tracking, allowing developers to focus on building and consuming APIs instead of managing the surrounding infrastructure.
Managing APIs shouldn't require managing multiple dashboards, authentication mechanisms, subscriptions, and API keys across different providers.
API Store provides a consistent platform for both API providers and API consumers.
For providers, it offers a straightforward way to publish and manage APIs.
For consumers, it provides a unified experience for subscribing to APIs and accessing them through a secure gateway.
The platform is designed to be self-hostable, extensible, and production-ready, making it suitable as the foundation for an API marketplace or an internal API management platform.
Commercial API marketplaces already exist and solve many real-world problems. The goal of API Store is different.
I wanted to build the backend infrastructure that powers an API marketplace from scratch. This project focuses on the engineering challenges behind authentication, API publishing, subscriptions, API key management, gateway routing, rate limiting, and usage analytics while keeping the architecture modular and easy to understand.
- Publish APIs
- Update API metadata
- Ownership validation
- Usage analytics
- Browse available APIs
- Subscribe to APIs
- Secure API key generation
- Unified gateway access
- JWT authentication
- BCrypt password hashing
- API Gateway
- Redis-based rate limiting
- Usage tracking
- Flyway database migrations
- Docker deployment
- Health monitoring
- Global exception handling
| Method | Endpoint | Description |
|---|---|---|
| POST | /auth/register | Register a new user |
| POST | /auth/login | Authenticate user |
| Method | Endpoint | Description |
|---|---|---|
| GET | /apis | List all APIs of user |
| GET | /apis/all | List all APIs |
| POST | /apis | Publish an API |
| GET | /apis/me/subscription | View subscribed APIs |
| POST | /apis/{id}/subscription | Subscribe to an API |
| DELETE | /subscriptions/{id} | Cancel subscription |
| GET | /apis/{apiId}/usage | View API usage analytics |
/gateway/{apiId}/**
The gateway validates the consumer's API key, enforces rate limits, forwards the request to the target API, records usage statistics, and returns the provider's response.
- User authenticates using JWT.
- Provider publishes an API.
- Consumer subscribes to the API.
- A unique API key is generated and securely stored.
- Consumer sends requests through the gateway.
- API key is validated.
- Rate limit is enforced.
- Request is forwarded to the target provider.
- Usage statistics are recorded.
- Provider response is returned to the consumer.
The platform is built around four core entities:
- Users publish APIs and subscribe to APIs.
- APIs are owned by a single user.
- Subscriptions link users to APIs and securely store hashed API keys.
- API Usage records gateway requests for analytics and monitoring.
JWT enables stateless authentication, making the platform easier to scale without maintaining server-side sessions.
Redis provides extremely fast in-memory operations, making it ideal for implementing request counting and rate limiting.
Database schema changes are version-controlled, ensuring every deployment uses the same database structure.
API keys are treated like passwords. They are never stored in plain text, reducing the impact of a potential database compromise.
A gateway provides a single entry point for all API requests, allowing authentication, rate limiting, request forwarding, and usage tracking to be handled consistently.
Docker provides a reproducible deployment environment so the entire platform can run consistently across development and production environments.
The API Gateway was load tested using Apache JMeter to evaluate stability and throughput under concurrent traffic.
- Apache JMeter
- Spring Boot 3
- PostgreSQL
- Redis
- Docker
- JVM: G1GC (
-Xms512m -Xmx512m)
- 100 concurrent users
- 2,000 total requests
- Gateway endpoint proxying JSONPlaceholder
- Successfully processed 2,000 requests
- 0% application errors
- Stable CPU and memory usage during testing
- JVM remained healthy with only Young Generation GC events
- No Full GC or OutOfMemoryError observed
- End-to-end latency was primarily affected by the external API being proxied.
- JVM garbage collection accounted for only a small fraction of total execution time.
- HikariCP tuning had minimal impact because database access was not the primary bottleneck.
- Community ratings and reviews
- API search
- Categories and tags
- Provider profiles
- API versioning
- Billing and monetization
- Multi-instance API Gateway
- Distributed rate limiting
- Response caching
- Provider dashboard
- Web frontend
Contributions are welcome.
If you discover a bug, have an improvement, or would like to add a feature, feel free to open an issue or submit a pull request.
Please keep contributions focused, well documented, and aligned with the project's architecture.
This project is licensed under the MIT License.
