HOW IT WORKS

Inside the translator.

A fast data plane that stays out of the way. A control plane that pushes a route change to every node in under five seconds. No restarts, no redeploys.

SYSTEM TOPOLOGY · trAPIoka v4 · saas / on-prem / sidecar
data plane · control plane · customer

CALLERS · any client, any protocol
  • CLIENT: browser SPA (REST · OAuth2)
  • CLIENT: mobile app (GraphQL · JWT)
  • CLIENT: internal svc (gRPC · mTLS)
  • CLIENT: partner system (SOAP · WSSE)
  • CLIENT: iot device (MQTT · API key)

EDGE · terminate + ingest
  • TLS: edge listener (tls 1.3 · alpn · h2/h3)
  • AUTHN: identity layer (jwt · oauth · mtls · key · sigv4)
  • WAF: threat detector (owasp crs + custom rules)
  • RATE: limiter (per route · ip · key)

CORE · translate + transform
  • ROUTE: resolver (path/method · sla aware)
  • XFORM: request transformer (jsonpath · xslt · lua · js)
  • PROTO: protocol bridge (rest · soap · grpc · ssh · ws · mqtt)
  • XFORM: response transformer (redact · validate · diff)

GUARDRAILS · resilience
  • RETRY: retry engine (jittered · idempotency-aware)
  • BREAK: circuit breaker (per upstream · window-based)
  • FALL: fallback executor (cached · static · scripted)
  • TIME: timeout enforcer (layered · per stage)

UPSTREAMS · target systems
  • UPSTREAM: soap mainframe (on-prem · via connector)
  • UPSTREAM: grpc microservice (kubernetes · mtls)
  • UPSTREAM: ssh device (switch · plc · bastion)
  • UPSTREAM: cloud rest api (partner · saas vendor)
  • UPSTREAM: database (oracle · pg · mssql)

OBSERVABILITY · read-only sinks
  • TRACE: otlp exporter (tempo · jaeger · honeycomb)
  • METRIC: prom scrape (grafana · datadog · new relic)
  • LOG: structured log (jsonl · siem-ready)
  • AUDIT: hash-chained ledger (pg append-only · s3 export)

CONTROL PLANE · off-path · async
  • UI: web console (react · embedded in binary)
  • API: admin api (rest + grpc · oas described)
  • CLI: tpk cli (gitops · ci pipelines)
  • SYNC: config distributor (push to data plane · < 5s)
  • STORE: config store (postgres · sqlite · etcd)

CONTROL PLANE / DATA PLANE

A split that lets you change anything, in production, in seconds.

The data plane is the gateway. It serves requests. The control plane is everything else: UI, CLI, API, config distribution. The data plane never blocks on the control plane.
DATA PLANE

The gateway that handles every request.

Stateless. Written in Rust. Holds compiled route programs in memory. Reads its config from a local snapshot, not from the database, not from the network. If the control plane goes down, the data plane keeps serving.

  • Compiled routes: YAML is never interpreted at request time
  • Memory-only hot path, atomic config swap
  • Survives loss of the control plane indefinitely
  • Scales horizontally · stateless rolling deploy
P99 OVERHEAD: 0.8ms
RPS / CORE: 28,400
RAM / 1k ROUTES: 142 MB
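
The snapshot swap described above, as an added Rust example (Rust being the data plane's stated language); it is not trAPIoka source. The `DataPlane`, `Snapshot` and `Route` types, the `seq` push counter and both validation checks are assumptions made for illustration.

```rust
use std::sync::{Arc, RwLock};

// Added example, not trAPIoka source: type names, `seq` and both checks are assumptions.
#[derive(Debug)]
struct Route { id: String, authn: Vec<String> }
#[derive(Debug)]
struct Snapshot { seq: u64, routes: Vec<Route> }
struct DataPlane { current: RwLock<Arc<Snapshot>> }

impl DataPlane {
    fn new(initial: Snapshot) -> Self {
        DataPlane { current: RwLock::new(Arc::new(initial)) }
    }

    // Request path: clone the Arc under a brief read lock. No database or
    // network access, so losing the control plane cannot stall a request.
    fn snapshot(&self) -> Arc<Snapshot> {
        self.current.read().unwrap().clone()
    }

    // Distributor push: validate, then replace the pointer in one step.
    // A rejected push leaves the previous snapshot serving.
    fn publish(&self, next: Snapshot) -> Result<u64, String> {
        if let Some(r) = next.routes.iter().find(|r| r.authn.is_empty()) {
            return Err(format!("route {} has no authn method", r.id));
        }
        let mut slot = self.current.write().unwrap();
        if next.seq <= slot.seq {
            return Err(format!("stale push {} (serving {})", next.seq, slot.seq));
        }
        *slot = Arc::new(next);
        Ok(slot.seq)
    }
}

fn route(id: &str, authn: &[&str]) -> Route {
    Route { id: id.into(), authn: authn.iter().map(|a| a.to_string()).collect() }
}

fn main() {
    // Constructed snapshots; `open-route` is a made-up id, the others appear on the page.
    let dp = DataPlane::new(Snapshot { seq: 1, routes: vec![route("payments-modernize", &["jwt", "mtls"])] });
    let in_flight = dp.snapshot(); // a request that started before the push
    let bad = Snapshot { seq: 2, routes: vec![route("open-route", &[])] };
    println!("bad push: {:?}", dp.publish(bad));
    let good = Snapshot { seq: 2, routes: vec![route("payments-modernize", &["jwt"]), route("inventory-sync", &["mtls"])] };
    println!("good push: {:?}", dp.publish(good));
    println!("in-flight seq {}, new requests seq {}", in_flight.seq, dp.snapshot().seq);
}
```

A request that already holds `in_flight` finishes on the snapshot it started with, while a push that fails validation or replays an old `seq` never replaces the snapshot being served.
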
CONTROL PLANE

The brain that defines what to do.

Where routes are authored, validated, versioned, and pushed. Changes are git-trackable, peer-reviewable, rollback-able. The distributor pushes a new snapshot to every data plane node in under 5 seconds.

  • Declarative routes, YAML or Terraform · versioned in git
  • Schema validation + dry-run before publish
  • Push distribution, no polling, no restarts
  • RBAC + audit on every change · 4-eyes approval gates
CONFIG PROPAGATION: < 5s
ROLLBACK: 1 click
RESTARTS REQUIRED: 0
PERFORMANCE

Benchmarks that don't embarrass us.

Single c7g.4xlarge node, 1 KiB JSON payload, mTLS in, mTLS out, full route program (auth + waf + transform + retry). Run it yourself with tpk bench.
P99 LATENCY OVERHEAD: Sidecar 0.8ms · Platform (SaaS) 12.4ms
THROUGHPUT · RPS PER CORE: Sidecar 28,400 · Platform (SaaS) 22,100
MEMORY · 1k ACTIVE ROUTES: Sidecar 142 MB · Platform (SaaS) 318 MB
CONFIG IS THE API

If it isn't in YAML, it doesn't exist.

Every route, transformation, security rule, retry policy, and SLA target is declarative and version-controlled. The console is a viewer. The git history is the audit trail.
# routes/payments/modernize.yaml
id:   payments-modernize
version: v18
owner: team-payments

listen:
  protocol: REST
  path:     "/v2/payments/:id"
  method:   [GET]
  authn:    [jwt, mtls]

upstream:
  protocol: SOAP
  endpoint: "https://core.internal/PaymentService"
  connector: on-prem-east
  auth:     vault://soap-core/wsse

transform:
  request:  "./transforms/json-to-soap.xsl"
  response: "./transforms/soap-to-json.lua"
  redact:   ["$.account.ssn", "$..cvv"]
  validate: "./schema/payment.v2.yaml"

sla:
  p99_ms:        25
  error_budget:  "0.1%/30d"
  on_breach:     pagerduty://payments
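
What the `redact` list in the route file above selects, as an added Rust example that is not trAPIoka's transformer. It assumes the two paths carry their standard JSONPath meaning, supports only dotted member paths and `$..key`, and runs on a constructed response body; the `Json` type, `MASK` value and field contents are illustrative.

```rust
// Added example, not trAPIoka source; assumes standard JSONPath meaning for `$.a.b` and `$..key`.
#[derive(Debug, PartialEq)]
enum Json { Str(&'static str), Arr(Vec<Json>), Obj(Vec<(&'static str, Json)>) }
use Json::*;
const MASK: &str = "[REDACTED]"; // constructed placeholder value
// `$..key`: mask every member named `key` at any depth, arrays included.
fn redact_descendants(v: &mut Json, key: &str) -> usize {
    match v {
        Str(_) => 0,
        Arr(items) => items.iter_mut().map(|c| redact_descendants(c, key)).sum::<usize>(),
        Obj(members) => members.iter_mut().map(|(k, c)| {
            if *k == key { *c = Str(MASK); 1 } else { redact_descendants(c, key) }
        }).sum::<usize>(),
    }
}

// `$.a.b`: mask only the member reached by walking `path` from the root.
fn redact_exact(v: &mut Json, path: &[&str]) -> usize {
    if let (Obj(members), Some((head, rest))) = (v, path.split_first()) {
        for (k, child) in members.iter_mut() {
            if *k == *head {
                return if rest.is_empty() { *child = Str(MASK); 1 } else { redact_exact(child, rest) };
            }
        }
    }
    0
}

// Applies a redact list (only the two path forms above); returns the number of masked values.
fn redact(v: &mut Json, paths: &[&str]) -> usize {
    paths.iter().map(|p| match p.strip_prefix("$..") {
        Some(key) => redact_descendants(v, key),
        None => redact_exact(v, &p.split('.').skip(1).collect::<Vec<_>>()),
    }).sum::<usize>()
}

// Constructed response body: `ssn` also appears outside `$.account`.
fn sample() -> Json {
    Obj(vec![
        ("account", Obj(vec![("ssn", Str("000-00-0000")), ("cvv", Str("000"))])),
        ("payer", Obj(vec![("ssn", Str("000-00-0001"))])),
        ("history", Arr(vec![Obj(vec![("cvv", Str("001"))])])),
    ])
}

fn main() {
    let mut body = sample();
    let masked = redact(&mut body, &["$.account.ssn", "$..cvv"]);
    println!("masked {} values: {:?}", masked, body);
}
```

Under that reading `$.account.ssn` masks one field only, so an `ssn` anywhere else in the response (here `payer.ssn`) passes through unmasked; `$..ssn` would cover every occurrence.
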
PUBLISH
$ tpk validate routes/
✓ 142 routes parsed
✓ 38 transforms compiled
✓ 17 schemas resolved
✓ no breaking changes vs. prod

$ tpk plan --env prod
+ route payments-modernize@v18 (new)
~ route inventory-sync@v4 (modified)
- route partners-legacy@v9 (deprecated → 410)

$ tpk apply --env prod
↻ distributing to 14 nodes…
✓ us-east-1 (5 nodes) · 1.2s
✓ eu-west-1 (5 nodes) · 1.8s
✓ ap-south-1 (4 nodes) · 2.1s
✓ propagation complete · 4.3s

Every change is a git commit. Every deploy is a tpk apply. Every rollback is a tpk apply --ref <previous-sha>. No special tooling for ops, no UI-only configuration paths, no manual hotfixes.

READ THE WHITEPAPER

90 pages. No marketing.

Full architecture spec, threat model, performance methodology, and reference deployments for AWS, GCP, Azure, and bare-metal Kubernetes.