Release 2025.07.0 LATEST MAIN VERSION

Publication Date: July 24, 2025

HIGHLIGHTED NEW FEATURE

  • Active-Active Multi-Region Support

Added support for high availability and regional load distribution with Active-Active architecture across Kubernetes clusters in multiple locations.See.

  • Server Side Streaming Support

Server Side Streaming feature has been added, which provides continuous data flow from server to client. See.

WARNING When the SSE feature is enabled, the connection pool and retry mechanisms are disabled. In addition, fragmented data sent on the response line is not logged and cannot be viewed in log traffic.

NEW FEATURE

  • Support for WebSocket and HTTP on the same port

WebSocket and HTTP protocols can now be run simultaneously over the same port. See.

WARNING  In old configurations, WebSocket was used as a different port. But now HTTP and WebSocket protocols will work on the same port 8091.

  • WebLogic JMS Connection Support

Added WebLogic JMS (Java Message Service) connection support using Script policy.

  • Cache Performance Tuning Parameters Added

Added new configuration parameters for cache performance settings. See.

  • API Traffic: New Search Fields Added

In API traffic, the ability to search via the 'To Backend API Body' and 'From Backend API Body' fields on the basic search screen has been added. See.

  • Selectively Enabling WS-A and WS-RM Settings

Even if WS-A and WS-RM are defined in the WSDL, these settings can now be manually activated by selecting them on the screen.

  • Added Disable SSL Validation Field to Routing Tab

Disable SSL Validation field added to the Routing tab to disable SSL validation. See.

WARNING  When this option is enabled, the following SSL/TLS validation errors are ignored:

  • Self-signed certificates: Connections are allowed even if the certificate is not signed by a trusted authority.

  • Expired certificates: Connections are established even if the certificate has expired.

  • Invalid hostname: The certificate is accepted even if it does not match the target domain.

  • Untrusted CA: Certificates issued by unknown or untrusted certificate authorities are not rejected.

  • Invalid certificate chain: Connections proceed even if the certificate chain is incomplete or broken.

IMPORTANT IMPROVEMENTS AND CHANGES

  • Read-only view in script policies has been updated to allow content copying.
  • Field updates made in Throttling and Quota policies have been integrated into the Management API. See1. See2.
  • Checks and improvements were added for possible null value scenarios in Condition Rules.
  • Cache TTL settings have been improved for Circuit Breaker, Client Banner, and API Proxy (Response, Group Response, Endpoint Response).
  • An option has been added to Client Banner policies to determine whether an error should be thrown if identity is not found. See.
  • Cache health check queries now also verify the status of the cache cluster.
  • Multipart Form Data content is partially reflected in the API traffic, excluding file content.
  • Configuration parameters related to WebSocket have been updated. See.
  • Some issues in WebSocket routing processes have been resolved. See.
  • API traffic JSON logs now include routingRetryCount and routingFailoverCount information.
  • In connector log settings defined in the Environment, message body truncation units have been changed from KB to character count. See.
  • Policy-related information has been added to the Trace tab. See.
  • The database backup screen in the Apinizer Manager interface has been disabled.
  • When using mTLS during routing, not only the truststore selected specifically for the related routing but also other existing certificates defined in Apinizer can now be used.
  • Even if mTLS is not used in WebSocket routing processes, it is now possible by default to use existing certificates defined in Apinizer.
  • The display on the traffic screen for spec access has been changed to ‘apinizer://spec/’.
  • Detailed error that occurs when keystore or truststore is not found in the environment in routing mTLS settings.
  • In SOAP services, another SOAP API proxy service can be defined under the sub-location.

  • The http2Enabled parameter was added to prevent connection issues with WebSocket when the Gateway type is set to HTTP+WebSocket. See.

  • The policies named WS-Security-To-Target and WS-Security-From-Target have been made available under Global Policies.
  • The image published on Docker Hub under the name apinizercloud/portal is now published under the name apinizercloud/apiportal.

WARNING This image name must be used with the new version. The old image name is not supported in updates.

BUG FIXES

APNZ-5090: The missing policy_group collection that did not occur when upgrading to 2025.04.X versions is now automatically created.

APNZ-5062: When authorized and sending requests via the Portal, the header information is now sent with the requested value instead of a fixed "Authorization".

APNZ-5053: In routing operations, the root context is now removed only where it first appears in the path.

APNZ-4936: In Client Traffic & Time Metrics reports, the number of requests received by the reverse proxy shows as zero.

APNZ-4918: Extra newline character issue in SIEM logs.

APNZ-4914: Constant errors thrown when entering the API Proxy Group page.

APNZ-4984: JWT and OAuth2 authentication methods should not be added for WebSocket and gRPC.

APNZ-4988: When obtaining a JWT token, if the user is not in the ACL list, an incorrect error message is returned.

APNZ-3907: After adding a SOAP 1.1 type service, when the routing address is changed to SOAP 1.2, the routing address may disappear in the API documentation created in Apinizer.

APNZ-4541: If an LDAP user or group is defined, these permissions are deleted when the project name is changed.

APNZ-4835: Enumeration definitions in the Rest2Soap transformation policy are not correctly processed and converted as enums.

APNZ-4550: In Rest2Soap, XSD schemas are not reflected in the OpenAPI output.

APNZ-4280: Because Rest2Soap cannot resolve input schemas of some methods, the body appears as only <string> in the OpenAPI output.

APNZ-5007: On the Token Request page, although multiple environments are defined, only the first defined environment is displayed.

APNZ-5014: Cache connection does not consider the tuneCacheConnectionPoolMaxConnectionTotal value; the number of connections operates differently, independently of cache configuration.

APNZ-5024: In XPath and JSONPath expressions, when the path is not found, it should return null but currently returns an empty string ("").

APNZ-5032: On the Manager login page, login requests with empty username or password should not be forwarded to the backend.

APNZ-5033: When sending a multipart form request, the default Content-Type value should be set to UTF-8.

APNZ-5038: When the grant_type is set to password in the proxy group, the token cannot be obtained.

APNZ-5054: Rest2Soap’s issue with failing to convert paths for Array types.

APNZ-5052: The "Disable Try It" setting on the Portal does not work correctly.

APNZ-5078: After changing the project’s relative path, associated proxy groups become non-functional.

APNZ-4837: In Rest2Soap transformation, even when the "unwrap body" option is enabled for responses, it is not reflected in the "show example" section.

APNZ-5066: When the routing expression contains / characters, these characters are duplicated and added extra during routing.

APNZ-5068: If the API proxy relative path contains / characters and parentheses ( or ) appear before or after it, deployment fails.

APNZ-5073: In JWT and OAuth2 policies, the accepted audience information generated for the "policy group" is incorrect.

APNZ-5079: When server stream is enabled, there are issues with form data submission and log display.

APNZ-5080: When the Keystore JKS is updated, the JKS data does not change.

APNZ-5082: When setting up a multi-region cluster, the cluster cannot select the cache address it will use.

APNZ-5105: During async API calls and script executions, a null error may occur because the context content is not read-only.

APNZ-5102: When deployment is saved in the environment, access URLs defined in Management API settings are deleted.

APNZ-5111: When the server side enabled setting is on, POST-type empty messages cannot be sent through the reverse proxy.

APNZ-5114: Errors occur in some proxies during project import.

APNZ-5118: Environment type should not be changed.

APNZ-5125: In new environments, WebSocket works even if only the HTTP type is enabled.

APNZ-5138: The values of enum expressions in the query editor screen are not displayed.

APNZ-5131: Cache errors occur during version migration.

WARNING  Due to the Hazelcast version upgrade, existing cache pods may fail to synchronize properly. Therefore, all cache pods should be scaled down to 0 before being restarted to ensure a clean and consistent startup.

APNZ-5138: In the 'Create JSON Schema' operation in the Data Operations section, 'required' fields should be removed.

APNZ-4901: Metrics on the Kubernetes Resources page can be displayed up to 1.5 hours in the past, regardless of the filter.

APNZ-4598: While a user authorized from the LDAP group does not have admin rights, the user is being dropped from the session due to the history tab on some proxies.

APNZ-5151: Issue with discarding from authorization-based interface in Collection field in Test Console.


Release 2025.04.0 

Publication Date : April 16, 2025

NEW FEATURE

  • Client Ban Support

A Client Ban Policy has been created for client ID-based access control. The old, simple version of the Routing tab has been removed. See

  • Rate Limit Checklist Module

To simplify Rate Limit management, a new module has been developed that allows users to adjust their access amount in bulk.

A new field called "external" has been added to Credentials for institutions whose credential management is not done via Apinizer. See

  • OIDC/OAuth2 Callback URL Support

Added support for defining callback URLs for OIDC/OAuth2 integrations.

IMPORTANT IMPROVEMENTS AND CHANGES

  • New additions for the API Based Throttling and API Based Quota sections have been included in the Management API.
  • For WebSocket and gRPC, the variables in the script policy have been updated to show only those related to error messages and context variables.
  • The "Metric Initialization" parameter, which enables Prometheus metrics, has been updated to be configurable via environment variables. See: Bkz1, Bkz2
  • It is now possible to add values to the target field using regular expressions in API Based Throttling and API Based Quota definitions.
  • Rate limit statistics can now be returned in the response headers for the following policies: API Based Throttling, API Based Quota, Client Based Throttling, Client Based Quota, and Rate Limit Control List.
  • The WWW-Authenticate header returned upon authentication failure can now be optionally removed from the error pipeline.
  • When the variable type is defined as "custom", its initial value can now be set via script. See
  • Script policies can now also be executed for WebSocket and gRPC protocols.
  • Support has been added for including a detailed list of target values in API Based Throttling and API Based Quota definitions. See: See, See
  • A new section has been added to the Gateway Environments page to manage Kubernetes annotations for worker and cache components. 

BUG FIXES

APNZ-4967: WebSocket policies should also be executed for the Connect method.

APNZ-4966: It should be possible to return Authentication and similar policy errors or responses over WebSocket.

APNZ-4965: WebSocket does not receive the XFF (X-Forwarded-For) header information.

APNZ-4952: When a project is exported/imported, the link between global policies and the ones attached to API Proxy/API Proxy Group is lost.

APNZ-4950: On the API Proxy Group page, there are issues when switching between tabs.

APNZ-4948: In Connection definitions, if you stay on the page after initial creation and try to perform another action, an "ID already exists" error is shown.

APNZ-4941: While creating and saving an Elasticsearch connection, the backend creates it, but it is not saved on the frontend.

APNZ-4940: When fields are found via JsonPath and they are of nested map or list type, the results are displayed in the format a=b.

APNZ-4938: In the API Proxy ACL Method Authorization screen, credentials disappear after an update.

    • In the new version, when assigning authorization to empty API methods, the screen freezes after each update and the organization being edited disappears.
    • Once the page is refreshed, the credential reappears, but no second update can be made without refreshing the page.

APNZ-4936: In the Client Traffic & Time Metrics reports, requests to the reverse proxy, durations, etc., are shown as 0. This issue occurs only on reverse proxies; proxies with endpoints display data correctly.

APNZ-4949: When creating a project using the admin user, the admin is not automatically assigned as the owner.

APNZ-4915: After using "Save and Deploy" during Credential creation, the list view used to appear and the API Proxy was automatically reselected. However, currently, the list does not appear, and the API Proxy list cannot be selected again.

APNZ-4816: In Mock API, only the last value added via conditions inside the 200 response works; the others return a 204 status.


Release 2025.01.0

Publication Date: January 31, 2025

HIGHLIGHTED NEW FEATURE

  • New API Proxy Types: gRPC and WebSocket

Added two new types of API Proxy creation options: gRPC, WebSocket.  See.

gRPC Proxy Support:

  • Unary gRPC calls (a single request from the client, a single response from the server)
  • Server streaming gRPC calls (a single request from the client, a stream of responses from the server)
  • Client streaming gRPC calls (a stream of requests from the client, a single response from the server)
  • Bidirectional streaming gRPC calls (bi-directional data streaming between client and server)
  • gRPC-Web support (for browser-based gRPC communication)
  • TLS/SSL secure connection support


WebSocket Proxy Support:

  • Standard WebSocket protocol (ws://)

  • Secure WebSocket protocol (wss://)

  • Text message format

  • Binary message format


Policies can be partially executed on these two new types of API proxies, and incoming and outgoing messages can be sent to log connectors.

The test console does not yet support these two protocols.

  • New Environments Suitable for New API Proxy Types

The “Communication Protocol Type” field has been added to the environments. The deployment environments of API Proxies have been organized to be automatically matched according to the proxy types. REST and SOAP API Proxies can be deployed to HTTP type environments, gRPC API Proxies to gRPC type environments and WebSocket API Proxies to WebSocket type environments. With this update, proxy type and deployment environment compatibility is guaranteed and wrong environment selections are prevented.See.

The following policies and settings are currently not supported: WS-Security STS Token, mTLS Authentication, Script, Backend API Authentication, API Call, API Proxy Group, CORS Settings, Cache Settings, XML/JSON Error Response Template, Load Balancing Type, Define Circuit Breaker, Define Client Flow Banner, Define Proxy Server, NTLM Settings, and Customize Error Messages.

  • Geolocation Management with IP Control

IP controls can be done according to Geolocation data (Country, Province). See.

WARNING Since the log data structure kept with this change has changed, organizations using Elastic search need to update the log index template and make rollover index. You can visit this page for the new index structure.

  • Settings Group Management

It has been enabled to create and assign Global Settings to both API Proxy and API Proxy Group with the Settings Group screen.See.

  • Policy Group Management

With the Policy Group screen, it has been enabled to create and assign a Policy Group to both API Proxy and API Proxy Group. Please see here.See.

With this development, the structure of the Policy Display screens has been redesigned to allow readonly user access in the future.

  • Deploy Operations Synchronization and Result Display Enhancement

It has been enabled to show the result of all Deploy operations in detail.    See.

WARNING With this development, a comprehensive improvement has been made for pod deployment processes over kubernetes service. In the previous version, for deployment operations sent from Manager to Worker, Worker would broadcast this deployment asynchronously to other pods in its environment. Due to this structure, it was not possible to directly view whether Worker successfully deployed to other pods on the Manager screen, and possible errors could only be detected from system logs. In addition, since the deployment status of pods in the namespace could not be tracked instantly, inaccessible pods could cause inconsistencies in the system.

With the new development, the entire deployment process has been synchronized. The communication between Manager and Worker has been strengthened, so that when any pod cannot be accessed, errors can be caught instantly and displayed on the Manager screen. The results of all pod deployment operations over Kubernetes service are now reported in detail on the user interface. Thanks to these improvements, the transparency of the deployment process has been increased and it is easier to detect and manage errors faster. One thing to note is that deployment times may increase slightly due to the full synchronization of the previously partially asynchronous process.

NEW FEATURE

  • AI Powered Chatbot Integration for API Portal

An AI-powered chatbot integrated into API Portal. See.

  • Support Package Request Management for API Portal

“Support Package Request” screen has been added to API Portal Manager for easy management of support package requests. See.

  • Viewing and Managing Support Packages for API Portal

“Support Package Feature” screen has been added to API Portal to view and manage support packages. See.

  • Management of Support Package Types for API Portal

“Support Package Type” screen has been added to API Portal to manage support package types. See.

  • Support Packages Management for API Portal

“Support Package” screen has been added to API Portal to manage support packages. See.

  • Jira Integration for API Portal

Jira integration was added to API Portal. It was ensured that users can create their requests directly through the API Portal and easily track them through the Jira system. Bkz.

  • Jira Integration for API Portal Admin Panel

Jira integration has been added to the API Portal Admin panel, so users can manage and monitor requests through Jira. Bkz.

  • Cookies Management for API Portal

Cookies management has been added to API Portal. See.  

  •  API Product Update - Application Creation Button for API Portal

In API Product update section in API Portal, a button to create an application if the user has no application has been added. See.

  • WSDL definition files can be downloaded in Zip format.
  • Maintenance mode feature has been added to API Proxies.  See
  • Timeout values for deployment time have been made parametrically configurable.  See
  • TLS settings have been made parametric with JVM parameters. See
  • Location data has been added to the log structure. This data contains latitude and longitude fields. See.

IMPORTANT IMPROVEMENTS AND CHANGES

  • A "Redeploy All" option has been added to API Proxies and API Proxy Groups that use Global Policies, Policy Groups, and Settings Groups. See1, See2, See3.

  • The loading of settings and fonts on the Portal has been updated to run automatically when the system is first started.

  • While creating a new API Proxy, the default value for the "Ignore Error Response Template In Case Of Error On Backend API" parameter in the Routing section has been set to false.
    WARNING This change ensures that in the case of a backend error, the error response is returned using the error response template, thereby preventing a potential security vulnerability.

  • Formatted display of data in API Traffic Logs, Test Console Response Logs, AuthToken Logs, and Trace Logs has been removed to avoid misinterpretation risks. With this change, logs are now presented as they are received.

  • The title and description section on the API Product page in the API Portal has been made dynamic.

  • The test button has been removed from the endpoints tab of API Proxy Groups for undeployed environments. See.

  • On the Admin Projects page, the Members and Roles column has been removed. A new column has been added to the table showing Relative Path, its active/inactive status, and the actual path if available. See.

  • The visibility of the Try It button in the API Portal has been made dynamic for each API Product. See.

  • The list of supported Content-Encoding values for responses returned by the API has been expanded. Previously, only gzip, deflate, and br were supported. Now, gzip, deflate, br, compress, and zstd encoding types are also supported.

BUG FIXES

APNZ-4755: Test console does not open properly the second time.

APNZ-4746: When values such as product or responsible are deleted in API Portal, pages are not opened due to null error.

APNZ-4737: If the test console is closed from the cross on the top right, the body field is not loaded in the next test endpoint request.

APNZ-4720: API Proxy exports are exported as empty zip file.

APNZ-4697: The job that deletes app logs every night at 1am should be removed, because this prevents app purge jobs from working properly.

APNZ-4626: Policies exported from API Proxy cannot be imported to Policy Group.

APNZ-4204: Wrong value is deleted during deletion from Access-Control-Allow-Origin values in CORS.

APNZ-4702: Repeated export option appears in Export/Import menu.

APNZ-4780: Wrong library in mail import in Groovy.

APNZ-4771: When switching between tabs in the API traffic log screen, the body field is not updated without clicking.

APNZ-4752: Errors related to policies;

  • When registering Groovy script in Script Policy, the script type is not registered correctly.
  • When adding a new rule in business rule, the variable selection slides back and the page hangs after cancel.
  • Some of the API Calls appear more than once in the trace.
  • 'Updated' appears twice after the policy is saved.
  • Although there are no errors in the console, error messages are not reflected on the readonly screen.

APNZ-4741: The SOAP message returned from the backend is now fully logged.

APNZ-4714: When using the 'zstd' encoding in the Accept-Encoding header, the response content could not be correctly encoded, resulting in corrupted content.

APNZ-3933: Policies exported from the API Proxy cannot be imported into the Proxy Group.

APNZ-4756: In the Mock Proxy, for the first method, errors occur in API Calls that were previously functioning and are still appearing in logs. Corresponding error messages are not displayed on screen, and this condition is logged as a 404 error.

APNZ-4790: In the test console, the "name" and "value" modal windows for adding headers open in the background.

APNZ-4787: When "one way" is selected in the API Call and then switched to "two way," the "not change default" option is not selected by default and remains inactive.

APNZ-4822: When sending a file with multipart/form-data and the file content is missing, the corresponding part is not sent to the backend.

APNZ-4815: Newly added Context Values are not fully visible in the script view.

APNZ-4812: Search filters do not work in the Portal Accounts section of API Manager.

APNZ-4799: In the request pipeline, the "Activate All" and "Disable All" policy actions affect response and error handling in the method, but the "All" options do not reflect these changes.

APNZ-4678: When a DB2 API connection is deleted, DB2 APIs that depend on it become unusable.

APNZ-4286: On the Admin Projects page, the listing shows all records instead of the first 10 entries.

APNZ-4806: Direct API Product links do not open properly in the API Portal.

APNZ-4829: When the failover setting is disabled in the log connector, the "Apply" operation hangs for a long time without reaching the system timeout. Even if the user refreshes the page, the setting cannot be disabled and the changes are not applied.

APNZ-4836: The string exists condition in the Business Rule policy does not work as expected.

APNZ-2889: When an API Product is deleted, blank rows appear in the ApiProductAppRegister table on the Account screen.

APNZ-4831

  • When adding WSS user information, an extra timestamp field appears in readonly mode when only the username field should be added. Also, the password field is displayed explicitly.
  • When the page refreshes after deploying on API Proxy Group, the system shows the redeploy option. However, the API Proxy Groups page shows the group as correctly deployed.
  • The CodeMirror body in the test console is displayed with 3 characters aligned inside.
  • When API Proxy is imported, the word imported is unnecessarily added to the relative path field.