What's new in API Connect Enterprise as a Service

Find out about the newest features and the latest updates in API Connect Enterprise as a Service.

API Connect Enterprise as a Service is an integrated API management offering, where all of the steps in the API lifecycle, and the actions that surround it, are performed within the offering. You can use the free Trial subscription for 30 days before upgrading to a paid subscription. For more information, review the Subscription terms.

Highlights

Key updates added recently to API Connect Enterprise as a Service.
New API Connect capabilities
This release introduces new capabilities that enhance API publishing, discovery, governance, and runtime management. Together, these capabilities support centralized oversight, improved developer experiences, and secure, cloud-native API operations across distributed environments.

  • Developer Portal capability

    The Developer Portal provides an enhanced experience for API providers, API consumers, and administrators.

    • API providers can publish APIs and related assets, run engagement programs such as hackathons, and track API usage through built-in analytics.
    • API consumers can easily discover, test, and subscribe to APIs, accelerate development using custom assets, and collaborate with the community through comments and discussions.
    • Administrators can configure and manage the portal, oversee user communities, and set up marketplaces that support multiple provider and consumer organizations.

    For more information, see Using Developer Portal.

  • Federated API Management capability

    Federated API Management introduces a centralized way to manage distributed API environments. You can now connect, manage, and monitor multiple API runtimes and data planes from a single interface, even when they are deployed across different regions, cloud platforms, or vendors.

    It also provides:

    • Unified policy templates for consistent governance across all environments
    • Cross-platform visibility into performance, security, compliance, and subscription management
    • Simplified management of gateway and portal runtimes from one place

    For more information, see Using Federated API Management.

  • IBM DataPower Interact Gateway capability

    AI is moving into production outside the enterprise control plane. When AI calls bypass APIs, governance fractures. When teams create side doors, risk explodes and ownership disappears. The IBM DataPower Interact Gateway, provided in IBM API Connect SaaS, allows you to bring AI seamlessly into your existing enterprise integration layer. The IBM DataPower Interact Gateway is an enterprise integration layer that governs how AI executes and exchanges traffic across APIs, systems, and workflows without adding new silos or disrupting existing architectures.

    Key features include:

    • Reuse what you have already built
    • Control AI at the point of interaction
    • Scale AI without fragmenting the enterprise

    IBM DataPower Interact Gateway helps you govern, control, and socialize Model Context Protocol tools and agent interactions using the same API management principles that you already know.

    For more information, see Managing AI services using IBM DataPower Interact Gateway.

  • webMethods API Gateway capability

    The webMethods API Gateway provides a secure, policy-driven runtime for managing and exposing APIs to external consumers. It enforces authentication, authorization, traffic management, and mediation policies to protect APIs from threats and ensure optimal performance. A web-based administrative interface and built-in analytics deliver full operational visibility. For more information, see Using webMethods API Gateway.

  • DataPower Nano Gateway capability
    We’re introducing the DataPower Nano Gateway, a lightweight, cloud-native gateway designed to secure application domains at the microservice level. Unlike the traditional DataPower® API Gateway, which protects APIs at the enterprise level through the DMZ, the Nano Gateway operates within your internal network to secure specific application domains and API sets. For more information, see Using the DataPower Nano Gateway to secure an application domain.

The following sections list the new features and enhancements in API Connect Enterprise as a Service, in reverse chronological order as they became available.

IBM API Studio replaces API Designer

IBM API Studio is an AI-powered tool for API design and management that replaces API Designer. It introduces several enhancements:

  • GenAI and IBM watsonx.ai integration to automate repetitive tasks across the API lifecycle
  • AI-assisted error remediation, iterative testing, and automated validation to improve API quality
  • AI-driven automation that reduces manual effort and enhances consistency and accuracy across API development workflows

For more information, see Creating, deploying, and publishing APIs using IBM API Studio.

Dark Mode support across user interfaces

Dark Mode is now available across all supported user interfaces, improving usability and visual comfort in low-light environments. You can switch between Light and Dark themes at any time using the Theme button in the user interface.

Supported interfaces:
  • Providers
    • Cloud Manager
    • API Manager
  • Consumers
    • Consumer Catalog
    • CMS Portal

TLS verification in Toolkit

The Toolkit now validates the server certificate signer during the TLS handshake, enforcing secure-by-default connections through a trusted Certificate Authority (CA).

Impact on existing commands (V12):

If you continue using the pre-v12 login command without specifying a CA, the command fails with an error indicating that certificate validation is required.

Example (old behavior):

./apic login --server apicdev1032.rtp.raleigh.ibm.com --sso

Error:

You must provide a CA certificate (--certificate-authority <ca_file>) to verify the server identity.
(Use --insecure-skip-tls-verify to bypass certificate validation – insecure)

New and updated Toolkit flags:

You can control TLS validation using the following flags:

  • --certificate-authority <ca_file>: Specifies one or more CA certificate files used to verify the server certificate.
    Example:
    ./apic login --server apicdev1032.rtp.raleigh.ibm.com \
  --sso \
  --certificate-authority common1.crt \
  --certificate-authority common2.crt
  • --insecure-skip-tls-verify: Skips validation of the server certificate. This makes the HTTPS connection insecure and is not recommended.
    Example:
    ./apic login --server apicdev1032.rtp.raleigh.ibm.com \
  --sso \
  --insecure-skip-tls-verify
  • --insecure-skip-pkix-validation: Skips verification of the complete TLS certificate chain. This option is insecure.
    Example:
    ./apic login --server apicdev1032.rtp.raleigh.ibm.com \
  --sso \
  --certificate-authority common1.crt \
  --insecure-skip-pkix-validation
  • --tls-server-name <string>: Specifies the server name to use for certificate validation. If not provided, the hostname used to connect to the server is used.
    Example:
    ./apic login --server apicdev1032.rtp.raleigh.ibm.com \
  --sso \
  --tls-server-name <tls-server-name>

One-time Toolkit configuration (recommended):

Instead of passing TLS-related flags with every command, you can configure them once at the Toolkit level.

  • Configure CA certificates:
    ./apic config:set ca_file="/etc/ca1.crt" ca_file="/etc/ca2.crt"
    After this configuration, you can use the same login command as before V12:
    ./apic login --server apicdev1032.rtp.raleigh.ibm.com \
  --sso
  • Configure insecure TLS skip once (not recommended):
    ./apic config:set insecure_skip_tls_verify=true
    Once either ca_file or insecure_skip_tls_verify is set as a one-time configuration, existing commands continue to work without additional flags.

  1. Self-signed certificates

    For servers using self-signed certificates, you must explicitly provide the full certificate chain, including the root CA, to establish trust.

    If you have not customized your endpoint certificates, use ingress-ca as the Certificate Authority.

    Extract the ingress CA certificate:
    kubectl get secret ingress-ca \
  -o jsonpath='{.data.tls\.crt}' \
  -n <namespace> | base64 --decode

  2. Certificates from well-known Certificate Authorities

    For certificates issued by well-known Certificate Authorities that are already included in the system’s default certificate pool, verification succeeds automatically and no additional certificates are required.

Update API specification from API form view

You can now update an existing API configuration by uploading an updated API specification file or by providing a URL to the updated specification. The uploaded specification fully overrides the existing API specification, including resources, operations, request and response structures, and security definitions.

SOAP API creation

You can now create a SOAP API that exposes an existing SOAP service by adding a WSDL file in one of the following ways:

  • Load a .wsdl file from a directory when the WSDL has no external dependencies.
  • If the WSDL references other WSDL or XSD files, package the primary WSDL file and all dependent WSDL and XSD documents into a single .zip file, and then load the .zip file from a directory to create the SOAP API.

Transfer Advisor for porting APIs to DataPower Nano Gateway

The Transfer Advisor feature enables you to port existing APIs from DataPower API Gateway to DataPower Nano Gateway. It analyzes APIs for compatibility and provides detailed reports with status indicators (Compatible, Not Compatible, Unknown, or Manual). Compatible APIs can be grouped into new projects in IBM API Studio for publishing. For more information, see Porting APIs to DataPower Nano Gateway.

AWS Secrets Manager integration for DataPower Nano Gateway

You can now manage external secrets for Nano Gateway deployments by connecting to AWS Secrets Manager. This integration securely stores sensitive information such as API keys, passwords, and certificates in AWS using IAM role-based authentication without long-term credentials. Secrets are automatically synchronized to ensure gateway deployments have access to the latest values. For more information, see Adding a secret for DataPower Nano Gateway.

DataPower Gateway (v5 compatible) and DataPower API Gateway support

New APIs support DataPower Gateway (v5 compatible) and DataPower API Gateway capabilities. This support includes updated policies, routing behavior, and error handling for consistent execution across gateway versions.

Support for adding IBM managed gateways to an API Connect Enterprise as a Service instance

You can now add an IBM managed gateway to your API Connect Enterprise as a Service instance. IBM managed gateways are automatically provisioned and configured by IBM, simplifying gateway setup and ongoing management.

This enhancement expands the gateway options available in API Connect Enterprise as a Service, allowing you to choose between IBM managed gateways and remote gateways that you deploy and configure manually.

For more details, see Adding an IBM managed gateway to your API Connect Enterprise as a Service instance.

Support for adding a remote DataPower API Gateway to an API Connect Enterprise as a Service instance.

You can now add a remote DataPower® API Gateway to your API Connect Enterprise as a Service instance. This capability allows you to deploy and manage the gateway in your own environment while continuing to use IBM API Connect SaaS for API management.

This enhancement provides additional flexibility for organizations that require direct control over gateway deployment and configuration. For more details, see Adding a remote gateway to your API Connect Enterprise as a Service instance.

TLS server profiles for DataPower Gateway

You can now configure TLS (Transport Layer Security) server profiles for remote DataPower API Gateways and IBM managed DataPower Gateways. TLS profiles define the certificate chain and cipher suites used when API Connect presents server endpoints to external systems.

Configuring TLS profiles helps ensure secure communication between API gateways and client applications, API gateways and backend services, and remote gateways and the API Connect instance.

For more details, see Configuring TLS profile for gateways.

Server Name Indication (SNI) support for gateway endpoints

You can now configure Server Name Indication (SNI) for API Connect gateway endpoints. SNI enables the gateway to present the appropriate TLS certificate based on the hostname requested by the client during the TLS handshake.

With SNI, you can host multiple secure domains on the same IP address, with each domain using its own TLS certificate. This capability allows API Connect gateways to serve different certificates for different domain names, improving flexibility when managing secure endpoints. For more details, see Configuring Server Name Indication (SNI).

New tools and formats in API Agent

API Agent now integrates directly with API Manager and IBM API Studio to bring natural language API automation into your existing workflows. You can design, secure, publish, and test APIs without switching tools. New analytics querying provides insights into API performance and system operations. The update also includes automated policy generation to streamline security and governance. API specification generation continues to evolve for better development support.

For teams using Model Context Protocol (MCP), API Agent now supports native MCP server connectivity for seamless integration with your infrastructure. These enhancements complement the existing Visual Studio Code plug-in, giving developers more flexibility to automate API lifecycle tasks.

Secure or insecure TLS validation mode for engagement destinations

You can now enable or disable the TLS validation mode for engagement destinations.

By default, API Connect analytics runs in secure mode, which means TLS validation is enabled. To send engagement data to a TLS-secured endpoint with an untrusted or non-compliant certificate, you can configure the destination to run in insecure mode, which disables certificate validation. For more information, see Configuring TLS validation mode for engagement destinations.

New filters for enhanced analytics

Added two filters that help you refine your analytics:

  • operation_path: Use this filter to narrow results by the specific operation path in the API.
  • status_code: Use this filter to narrow results by the status code that is set on the outbound response.

For more information, see Filtering displayed analytics data

New charts for enhanced analytics

Added three new charts to help you analyze API performance and usage:

  • Top 5 APIs with slowest and fastest response times: Identify performance extremes across your APIs.
  • Top API paths by calls: View API paths with their call counts to gain usage insights.
  • Enhanced API calls chart: API calls are grouped by application.

For more information, see Accessing analytics in the API Manager UI.

Enhanced client map experience

The client map on the dashboard now includes zoom-in and zoom-out controls. These controls help you explore regions in more detail. For more information, see Analytics dashboards

Analytics and audit API timezone support

You can now specify a time zone (for example, Europe/Berlin) for the analytics and audit API to get the date and time in the local time zone. For more information, see Analytics REST API.

Configurable sort order for analytics leaderboard reports

Analytics leaderboard reports now support configurable sorting. For more information, see Leaderboard report.

Error rate information in analytics leaderboard reports

Analytics leaderboard reports now include additional error rate information to show the percentage of calls which have resulted in an error. For more information, see Leaderboard report.

Analytics AI dashboard renamed to AI LLM dashboard

The Analytics AI dashboard is now renamed the AI LLM dashboard. For more information, see Analytics dashboards.

Policy error messages in analytics event viewer

Any policies that return an error message are now shown in the Analytics event viewer, which can be useful for problem determination by showing why an API call returned an error. This capability is currently limited to API calls for the NanoGW but might be expanded to other gateways over time. For more information, see Discover view.

Disk usage report in analytics

A new disk usage report is now available in the analytics reports tab, providing comprehensive insights into storage consumption. The report displays total API calls, total memory used, storage used, average event size, and the percentage of total disk usage across APIs, products, applications, and consumer organizations. This report enables better capacity planning and resource management for your API infrastructure. For more information, see Disk usage report.

Trend forecasting in analytics

Analytics now includes trend forecasting capabilities that enable you to anticipate future API traffic patterns based on historical data analysis. For more information, see Trend Forecasting.

Sankey chart for API usage by consumer organization

A new Sankey chart visualization is available in analytics to show API usage by consumer organization. For performance and readability, the chart displays only the top 20 consumer organizations. This chart is available in the Call volume trends report and the Consumer trends report, providing enhanced visibility into API consumption patterns across your organization. For more information, see Analytics dashboards.

GeoIP Enrichment for initiator.host.address

GeoIP attributes are now available for the initiator.host.address field, which is stored as type ip. When GeoIP is enabled, audit events can include geographic and location metadata that is associated with the initiator’s IP address. For more information, see Audit events.

Enhanced User Management interface

An enhanced User Management interface is available to manage teams, user groups, users, and members.
  • Teams: A team is a collection of users.
  • User Groups: A user group is composed of users, and roles can be assigned to it.

Heartbeat and Metrics datasource types

You can now use heartbeat and metrics datasource types with rules in Engagement if you are using the Federated API Management capability. For more information, see

Run in Postman button

You can now configure API Connect to display a Run in Postman button in the API Explorer page of CMS Portal and Consumer Catalog. The Run in Postman button allows API consumers to quickly import and test APIs in Postman directly from the CMS Portal and Consumer Catalog. To configure the Run in Postman button, you must add specific metadata to the API definition and publish it. For more information, see Configuring the Run in Postman button.