June 8, 2022 By Dave Tropeano 4 min read

The IBM Cloud API Gateway service is deprecated and will be shut off on 31 August 2022. Here are the migration options you have as a Functions user.

Previously, IBM Cloud Functions and IBM Cloud Foundry users have been able to take advantage of the IBM Cloud API Gateway service for traffic limiting, splitting and authentication. Unfortunately, the API Gateway service is deprecated and will be shut off on 31 August 2022. Existing API Gateway endpoints will no longer route to their respective Cloud Function actions or Cloud Foundry apps come September 1, 2022. This means that any workload invoking Functions actions via API Gateway endpoints needs to be modified.

All API Gateway endpoints are associated with a secured web action. The require-whisk-auth annotation is set to a random string and this string must be passed in the header of the action invocation for authentication to succeed. You can inspect your actions in the ibmcloud command line to see what the unique key value is for each action:

~ $ ibmcloud functions action get hello2
ok: got action hello2
    "namespace": "e6928f1d-8b5d-xxxx-9xxx-4cd0ca7b8c31",
    "name": "hello2",
    "version": "0.0.1",
    "exec": {
        "kind": "python:3.9",
        "binary": false
    "annotations": [
            "key": "exec",
            "value": "python:3.9"
            "key": "web-export",
            "value": true
            "key": "final",
            "value": true
            "key": "require-whisk-auth",
            "value": "d56ba43b-xxxx-xxxx-f2f241b5d71b"
    "limits": {
        "timeout": 60000,
        "memory": 256,
        "logs": 10,
        "concurrency": 1
    "publish": false,
    "updated": 1651699400594

No matter what solution you migrate to from API Gateway, you will likely need to pass this key in the HTTP header when you invoke the web action, so it is best you make a table of your API endpoints, web actions and authentication key. For example, the above would pass d56ba43b-xxxx-xxxx-f2f241b5d71b in the header for the X-Require-Whisk-Auth parameter value.

Here are some recommended options for migrating your API Gateway endpoints

Do not replace API Gateway

Note that this isn’t the same as “do nothing.” You must migrate away from API Gateway; the service is being shut down. But you don’t need to replace it with another API gateway, necessarily. You could decide to just invoke the Functions web actions directly. Depending on how you were using API Gateway —e.g., for rate limiting, OAuth, etc. — you might need to make a change or two in your action itself. But if your usage was light, you can just invoke the action directly, passing in the whisk-auth secret in the HTTP header.

API Connect Reserved

The recommended migration path from IBM Cloud API Gateway is to a reserved instance of API Connect. The IBM® API Connect Reserved Instance offers a dedicated API Connect instance that runs on IBM-managed infrastructure. Reserved Instance provides value by balancing the flexibility of a shared infrastructure with the isolation of an API Connect Reserved Instance. It is a single-tenant deployment that is based on the topology and functionality of the API Connect service on IBM Cloud Public.

Once you have your own instance of API Connect, you can export the API Gateway definitions, modify them and then import the new definitions to your API Connect Reserved instance. The API Gateway Migration Guide covers how to set up an API Connect Reserved instance and import your existing API definitions into it. The Migrating Cloud Functions APIs provides specific instructions on exporting and modifying your Cloud Functions API Gateway endpoints.

API Management within IBM Cloud Pak for Integration

IBM Cloud Pak for Integration® is a hybrid integration platform with an automated, closed-loop approach that supports multiple styles of integration within a single, unified experience. Unlock business data and assets as APIs, connect cloud and on-premises applications, reliably move data with enterprise messaging, deliver real-time event interactions, transfer data across any cloud and deploy and scale with cloud-native architecture and shared foundational services — all with end-to-end enterprise-grade security and encryption.

To install Cloud Pak for Integration, you would first provision a Red Hat OpenShift cluster in IBM Cloud and follow the installation guide for Cloud Pak for Integration.

API Gateway endpoints can be migrated to API Management within IBM Cloud Pak for Integration using the same export-clean up-import workflow outlined above for migrating to API Connect Reserved.


Kong bills itself as “The world’s most popular API gateway. Built for hybrid and multicloud, optimized for microservices and distributed architectures.” While we can’t verify that statement, we can say that Kong is a very popular open-source API gateway solution built on NGINX and Lua that supports a large ecosystem of partners and plugins. Kong can be installed as a Docker container image or natively on virtual machines or Kubernetes clusters, such as Red Hat OpenShift.

While you can install Kong as a Docker container image or on a single virtual machine, production installations should use an HA architecture like you would get with deploying the IBM Cloud Kubernetes Service or our managed OpenShift service.

The open-source version of Kong does not have an out-of-the-box way to import OpenAPI (“swagger”) specifications. Thankfully, there are a number of open-source packages that address this need, such as openapi-2-kong and the Swagger to Kong container image.


KrakenD is an “ultra-performant open-source Gateway that can transform, aggregate or remove data from multiple services, with linear scalability.” KrakenD goes beyond typical proxy and API gateway solutions that mainly (just) forwards clients to backend services. KrakenD implements a rich middleware plugin architecture as well and common cloud-native patterns like backend for frontend and micro-frontend. This minimizes the number of REST backends a client needs to integrate with and simplifies overall architecture.

KrakenD Enterprise supports import and export of OpenAPI specifications, but the base open-source project does not. API Gateway users will have to manually enter their API specifications into the KrakenD UI or CLI unless they have an enterprise license for KrakenD.

KrakenD is available as a Docker container image, can run native on virtual machines or can be deployed in a Kubernetes cluster. As with our advice using Kong, production installations of KrakenD should use an HA architecture like you would get with deploying the IBM Cloud Kubernetes Service or our managed OpenShift service.

Next steps

IBM Cloud Functions actions can benefit from API management. An API gateway can act as a proxy to web actions and provides them with additional features, including HTTP method routing, client id/secrets, rate limiting and CORS. Unfortunately, with the deprecation of IBM Cloud API Gateway you must modify any workload using API Gateway endpoints.

IBM’s recommendation is to use an IBM® API Connect Reserved Instance, but you do have other open-source and commercial options as outlined in this article.

Click here for more information on how to migrate your IBM Cloud API Gateway endpoints.

More from Cloud

IBM Cloud Virtual Servers and Intel launch new custom cloud sandbox

4 min read - A new sandbox that use IBM Cloud Virtual Servers for VPC invites customers into a nonproduction environment to test the performance of 2nd Gen and 4th Gen Intel® Xeon® processors across various applications. Addressing performance concerns in a test environment Performance testing is crucial to understanding the efficiency of complex applications inside your cloud hosting environment. Yes, even in managed enterprise environments like IBM Cloud®. Although we can deliver the latest hardware and software across global data centers designed for…

10 industries that use distributed computing

6 min read - Distributed computing is a process that uses numerous computing resources in different operating locations to mimic the processes of a single computer. Distributed computing assembles different computers, servers and computer networks to accomplish computing tasks of widely varying sizes and purposes. Distributed computing even works in the cloud. And while it’s true that distributed cloud computing and cloud computing are essentially the same in theory, in practice, they differ in their global reach, with distributed cloud computing able to extend…

How a US bank modernized its mainframe applications with IBM Consulting and Microsoft Azure

9 min read - As organizations strive to stay ahead of the curve in today's fast-paced digital landscape, mainframe application modernization has emerged as a critical component of any digital transformation strategy. In this blog, we'll discuss the example of a US bank which embarked on a journey to modernize its mainframe applications. This strategic project has helped it to transform into a more modern, flexible and agile business. In looking at the ways in which it approached the problem, you’ll gain insights into…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters