
What's New in WSO2 API Manager 4.7

  • Matt Tanner
  • Senior Director, Product Marketing - API Platform, WSO2

WSO2 API Manager 4.7 is now generally available. In March, WSO2 launched the API Platform to make enterprise APIs agent-ready. With this release, you can now connect your existing control plane to the new API Platform Gateway, which brings HTTP/2 and HTTP/3 support and a new Go-based policy engine.

This release is focused on giving your existing investment in WSO2 API Manager a wider reach, including:

  • Control of the new API Platform Gateway
  • Integration with the latest Kubernetes and Immutable Gateways
  • MCP governance and analytics capabilities
  • AsyncAPI v3 support
  • JDK 21 compilation support
  • Many API Key and OAuth improvements

Here's what's new.

Control the new API Platform Gateway

The API Platform Gateway is a new gateway built on Envoy Proxy with a Go-based codebase and a policy-first architecture. It's designed for modern protocols like HTTP/2 and HTTP/3, high-throughput cloud native deployments, and GitOps-driven configuration rollout.

Key characteristics:

  • HTTP/2 and HTTP/3 support, enabling the low-latency, bidirectional communication that AI agents and MCP traffic require.
  • A Go-based policy engine, with ready-to-use policies from the Policy Hub, covering authentication, AI guardrails, MCP access control, transformations, and observability.
  • GitOps-friendly configuration, where routing, authentication, rate limiting, and transformations live as platform policies rather than per-server configuration.

In version 4.7, your API Manager Control Plane can deploy and manage APIs on the API Platform Gateway alongside existing Classic Gateway deployments. There is no requirement to migrate. APIs, policies, and governance still live in WSO2 API Manager, and the API Platform Gateway becomes an additional deployment target alongside the gateways you already use. The source for the API Platform Gateway is open and Apache 2.0-licensed in the wso2/api-platform repository.

Classic Gateway and the new API Platform Gateway

Starting with 4.7, the Synapse-based gateway previously known as Universal Gateway is now called Classic Gateway. This is a rename only. There are no functional differences, no deprecation, and no action required.

WSO2 API Manager 4.7 supports both gateway runtimes from a single control plane. You choose which gateway fits each workload. The Classic Gateway is the right choice for mediation-heavy and protocol-mixed workloads that depend on Synapse flexibility. The API Platform Gateway is built for modern protocols and high-throughput, cloud native environments.

                 | Classic Gateway | API Platform Gateway
Architecture     | Java / Synapse | Go / Envoy Proxy
Best for         | Mediation-heavy, protocol-mixed workloads | Modern protocols (HTTP/2, HTTP/3), high-throughput, GitOps-driven environments
Policy model     | XML / Synapse mediation flows | Go-based policy engine, with policies installable from the Policy Hub
Changes in 4.7   | Remains the default gateway in WSO2 API Manager. Still shipped and fully supported. | Newly supported. Now controllable from the WSO2 API Manager Control Plane.

You can run both side by side. APIs, policies, and governance still live in API Manager, and you can move workloads to the API Platform Gateway on your own timeline.

Major upgrades to Kubernetes and Immutable Gateways

Kubernetes Gateway v2.0 and Immutable Gateway v4.0 are both major releases in 4.7. The gateway family now converges on a single Envoy-based, Go-driven foundation, so the API Platform Gateway, Kubernetes Gateway, and Immutable Gateway share the same modern runtime architecture. WSO2 API Manager 4.7 controls all three from one control plane.

  • Kubernetes Gateway v2.0 has been upgraded to run on Envoy Gateway and is aligned with the Kubernetes Gateway API standard, bringing modern traffic management, extensibility, and cloud native fit to Kubernetes deployments.
  • Immutable Gateway v4.0 is built on the same gateway runtime as the API Platform Gateway, packaged for air-gapped, regulated, or edge environments where APIs are baked into an image at build time.

Access the full API platform from WSO2 API Manager

WSO2 API Manager customers can access the broader API Platform ecosystem. AI Workspace is available as an add-on alongside your WSO2 API Manager deployment, giving AI teams a dedicated experience to manage LLM and MCP assets. The new monetization add-on integrates with your existing WSO2 API Manager deployments for powerful AI cost and usage analytics.

MCP governance support

WSO2 API Manager 4.6 introduced first-class MCP capabilities. The Classic AI Gateway gained MCP proxying, and customers could expose REST APIs as MCP tools or front existing MCP servers with a managed proxy.

WSO2 API Manager 4.7 adds MCP Governance on top. MCP Proxies can now be governed by organization-level rulesets configured centrally in WSO2 API Manager, so platform teams apply consistent rules to every MCP Proxy on the platform rather than configuring each one per team. The MCP Gateway itself sits between MCP clients and MCP servers and applies security, access control, rate limits, and policy enforcement to every tool call.

For customers building or onboarding internal AI agents, this brings MCP traffic under the same governance controls as the rest of your API estate.

Major improvements to API Key and OAuth functionality

WSO2 API Manager 4.7 brings a meaningful set of API key, access token, and key manager improvements aimed at customers running OAuth at scale in production:

  • Access tokens are no longer persisted in the product database by default.
  • A global maximum expiration can now be set on OAuth2 application access tokens.
  • Secret rotation can be enforced as platform policy on OAuth applications.
  • A generic "Other" key manager type lets you onboard key managers without a purpose-built connector.

See the release notes for full details on each.

AsyncAPI v3 support

WSO2 API Manager has supported AsyncAPI since 4.0, when it became the first to deliver out-of-the-box AsyncAPI support for WebSockets, webhooks, and SSE. Version 4.7 extends that support to AsyncAPI 3.x.x by upgrading the underlying apicurio-data-models parser. APIs defined against AsyncAPI v3 import, version, and deploy through the same workflow as REST APIs.

JDK 21 compiler support

WSO2 API Manager 4.7 moves the product's compile-time JDK from 11 to 21. Runtime environments have already supported both JDK 17 and JDK 21; this change brings compilation in line with the latest dependencies and aligns WSO2 API Manager with a Java version that is on long-term support. For operators, that means a supported Java baseline with a long maintenance horizon, without changing the runtime versions you can deploy on.

Upgrading to 4.7

Since WSO2 API Manager’s Control Plane can now drive both the Classic Gateway and the new API Platform Gateway, users can adopt the new gateway on whatever timeline works for them. This gives teams the flexibility to move a single API to the Platform Gateway, run a phased migration to bring everything over, or simply stick with the Classic Gateway. Either way, your existing investment in WSO2 API Manager carries forward and the integration with the broader API Platform extends where the control plane can reach.

WSO2 API Manager 4.7 is a minor version upgrade from 4.6 and follows the same upgrade path as previous minor releases. For older versions, the upgrade documentation covers the migration steps.

Full release notes, downloads, and upgrade documentation are available on the product-apim releases page on GitHub and the WSO2 product downloads page.