🇪🇺 Apache 2.0 · On-premise deployment · DORA-supportive

Are your APIs ready for AI agents?

STOA is the European sovereign gateway that connects your existing APIs to AI agents — without rewriting, with full governance and audit trail.

  • Federate: One control plane for Kong, Gravitee, Apigee, Azure APIM, AWS & webMethods
  • Bridge: Your SOAP and legacy APIs become MCP tools — no rewrite needed
  • Govern: Same policies for humans and AI agents. Every action audited.

Three forces are converging on your integration layer

Your current API gateway wasn't built for what's coming.

January 2025

DORA & NIS2 enforcement

ICT third-party providers must be auditable and replaceable. A US-owned gateway gives you neither the control nor the exit strategy regulators expect.

Ongoing risk

Cloud Act exposure

Data transiting through a US provider's infrastructure is accessible to US authorities — even when hosted in Europe. This includes API traffic metadata.

Already happening

Ungoverned AI agents

Your teams are already using Claude, GPT, and Copilot. Without an agent gateway, every API call from an AI agent is unmeasured, unaudited, and uncontrolled.

  • CNCF
  • MCP Protocol
  • IETF
  • OpenID Connect
  • OAuth 2.1
  • Open Policy Agent
  • Apache 2.0
  • Kubernetes

Before & After

What changes when you deploy STOA alongside your existing infrastructure.

Before STOA

  • API catalog lives in a spreadsheet — no single source of truth
  • API subscription requires emails, meetings, and weeks of waiting
  • Rigid identity layer — federating IDPs is a multi-month project
  • Gateway is an expensive black box — no visibility, no portability
  • AI agents calling your APIs? No governance, no audit, no metering

After STOA

  • Visual API portal with self-service catalog and search
  • Self-service subscription — developers onboard in minutes
  • Federated identity across IDPs — connect your AD, Keycloak, or Okta
  • Orchestrate Kong, Gravitee, or Apigee from one control plane
  • AI agents governed by MCP — every call audited, metered, controlled

From custom integration work to declarative config

Connecting legacy APIs to AI agents typically requires months of custom middleware development. STOA replaces this with declarative configuration.

Custom Integration
Months
  • Procurement & vendor evaluation
  • Infrastructure provisioning & hardening
  • Gateway deployment & configuration
  • Per-API integration work
  • Security policy setup & audit
  • Custom MCP adapter development
  • Testing, validation & compliance review
STOA Platform
Weeks
  • Deploy on-premise or cloud (Helm or Docker)
  • Connect your existing gateway & IDP
  • Define UAC contracts — APIs become MCP tools
  • AI agents connect via governed MCP

Platform Capabilities

Everything you need to govern AI agents

MCP Gateway

Every AI agent action audited and governed

Native Model Context Protocol gateway. AI agents discover and call your APIs through a secure, governed endpoint. OAuth 2.1 + PKCE, RBAC, full audit trail.

Legacy Bridge

SOAP & webMethods APIs accessible to AI in days

Connect existing enterprise APIs to the AI agent ecosystem. No rewrite needed — STOA translates protocols, federates identity, and adds governance.

Universal API Contract

One contract, every protocol — halve your API surface management

Define once, expose as REST and MCP. OpenAPI auto-transforms with schema validation at the edge. No duplication, no drift.

AI Observability

Token metering per team — know exactly what AI costs you

Full-stack observability for API and AI agent traffic. Token consumption per tenant, distributed tracing, real-time dashboards. Grafana + Loki + Tempo included.

Self-Service Portal

Developers onboard in minutes, not weeks of tickets

A developer portal where teams discover, test, and subscribe to APIs and MCP tools. Self-service onboarding with automatic key provisioning.

Cloud + On-Premise

Hybrid by design. Deploy the control plane in your cloud or on-premise. Your data stays where your compliance requires.

[Architecture diagram: "STOA Control Plane (your cloud or ours)" and "Your Infrastructure (on-premise)". Labels: Portal, Control Plane, Keycloak, Observability, MCP Gateway, API Sync, OIDC Federation, Metrics Push, Your IDP, Your Gateway, Your Backends.]

How a regulated enterprise connects legacy APIs to AI agents

A representative deployment scenario based on typical enterprise integration patterns.

Week 1 — Deploy & Connect

  • Deploy STOA on-premise (Helm chart on existing K8s cluster)
  • Connect to existing IDP (Active Directory via OIDC federation)
  • Register the existing API gateway (Kong, webMethods, or Gravitee)

Week 2 — Bridge Legacy APIs

  • Import 12 SOAP APIs via the Legacy Bridge — auto-converted to MCP tools
  • Define UAC contracts for each API — one definition, REST + MCP exposure
  • Self-service portal live — developers can discover and subscribe

Week 3 — AI Agents in Production

  • Internal AI agents access legacy APIs through governed MCP endpoints
  • RBAC policies applied — same rules for humans and AI agents
  • Token metering per team, full audit trail, DORA-ready reporting

Based on representative enterprise deployment patterns. Actual timelines vary by environment complexity.

What Makes STOA Different

Four pillars that define the STOA approach to AI agent governance.

MCP-Native

Governance for AI agents, not just APIs.

MCP is built into the core — not bolted on as a plugin. Every API you publish is instantly governed and accessible to AI agents via the Model Context Protocol.

Universal API Contract

Define once, expose everywhere.

One contract powers REST and MCP endpoints. Change once, propagate to all consumers automatically. No duplication, no protocol-specific maintenance.

European Sovereign

Built in France. Hosted in Europe.

The US Cloud Act allows American authorities to access data held by US providers — even in Europe. STOA is built and hosted under European jurisdiction. GDPR-native, NIS2-ready, DORA-supportive.

True Open Source

Apache 2.0 core. Enterprise support available.

Full Apache 2.0 license — no BSL, no feature gates, no surprise relicensing. Enterprise support, SLAs, and managed deployment available for teams that need them.

Built by integration experts

STOA is built by CAB Ingénierie, a French company with 15+ years of experience in enterprise integration.

Founder — 15+ years in enterprise integration

webMethods, API Management, and identity federation for large European enterprises and regulated industries.

Engineering choices

  • Rust gateway — high performance, memory safe, no GC pauses
  • Python control plane — FastAPI, SQLAlchemy, async-first
  • React console & portal — TypeScript, modern tooling

The only European sovereign Agent Gateway that is fully open source (Apache 2.0) and deployable on-premise.

Enterprise-grade from day one

  • 6 enterprise gateways supported
  • 101 pages of documentation
  • Full MCP Protocol coverage
  • Hybrid: on-premise or cloud

Built on Open Standards

  • IETF Token Exchange: RFC 8693
  • OpenID Connect: OIDC Federation
  • CNCF Keycloak: Identity Provider
  • CNCF Prometheus: Observability
  • MCP Protocol: AI Agent Gateway
  • Apache License 2.0: True Open Source

Simple, Transparent Pricing

Start with the full platform for free. Enterprise support when you need it.

Community

Free forever

Self-hosted. Full platform. For teams evaluating STOA.

  • Full MCP Protocol support
  • Control Plane API + Console UI
  • Developer Portal
  • Multi-gateway orchestration
  • UAC (Universal API Contract)
  • Community support (GitHub, Discord)
Recommended

Enterprise

Custom pricing

Support, SLA, SSO, and multi-environment for production teams.

  • Everything in Community
  • SSO / SAML integration
  • Multi-environment (dev/staging/prod)
  • Advanced analytics dashboard
  • Priority support with SLA
  • Custom domain + TLS
  • Onboarding & migration assistance
Regulated Industries

Sovereign

Custom pricing

Dedicated EU infrastructure. DORA audit support. Air-gapped deployment.

  • Everything in Enterprise
  • Dedicated infrastructure (EU)
  • On-premise or air-gapped deployment
  • NIS2 / DORA audit support features
  • Dedicated success manager
  • Custom SLA + penetration testing support

Frequently Asked Questions

Everything you need to know about STOA pricing, deployment, and compliance.

Is STOA really free?
Yes. STOA is open source under the Apache 2.0 license. You can self-host the full platform at no cost, forever. No usage limits, no feature gates, no trial expiration. Enterprise and Sovereign plans add support, SLAs, and managed services.
What's included in the Community plan?
The full platform: MCP Gateway, Control Plane API, Console UI, Developer Portal, multi-gateway orchestration, UAC, basic observability, and community support via GitHub and Discord.
How does Enterprise pricing work?
Enterprise pricing is based on your deployment scale and support needs. Contact our team for a custom quote. We offer flexible options for both cloud-hosted and on-premise deployments.
Can we deploy STOA on-premise or air-gapped?
Yes. STOA is designed for on-premise, hybrid, and air-gapped deployments. The entire platform runs on your infrastructure — nothing phones home. Helm charts and Docker images are provided.
Is STOA DORA-compliant?
STOA supports compliance with DORA requirements — it does not guarantee compliance by itself. Features include: full audit trail for AI and API actions, ICT third-party risk documentation, on-premise deployment for data residency, and exportable compliance reports. Your compliance team should evaluate STOA as part of your broader DORA program.
Do you support penetration testing?
Yes. Sovereign plan customers can conduct penetration testing against their STOA deployment. We provide documentation for security assessments and can coordinate with your security team.
How do we migrate from another API gateway?
STOA provides migration guides for Kong, Gravitee, Apigee, webMethods, Azure APIM, and AWS API Gateway. The multi-gateway orchestration feature lets you run STOA alongside your existing gateway during transition — no big-bang migration required.
Who is behind STOA?
STOA is built by CAB Ingénierie, a French company with 15+ years of experience in enterprise integration (webMethods, API Management, identity federation). The platform is open source under Apache 2.0.

Still have questions? Get in touch: hello@gostoa.dev

Ready to govern your AI agents?

See how STOA connects your legacy APIs to AI agents with full governance, European sovereignty, and zero vendor lock-in.

6 enterprise gateways supported
101 pages of documentation
Full MCP Protocol coverage
Apache 2.0 — no BSL