Cratopus icon
Join Waitlist

Introduction

Crate is the API gateway for developers who want enterprise-grade reliability without the enterprise-grade headache. We provide an O(1) in-memory router, automatic SSL, and a "fail-open" architecture that keeps your services running even if our control plane has issues.

Note

Crate is currently in private beta. Features are subject to change.

Quick Start

Since Crate is a fully managed platform, there is nothing to install. Getting started takes less than 2 minutes.

  1. Log in to the Crate Dashboard.
  2. Create a new Gateway.
  3. Point your domain's CNAME record to the endpoint provided (e.g., gateway.crate.cc).
  4. Define your first route (e.g., send /api to your backend server).

Crate will automatically provision an SSL certificate for your domain within seconds.

Routing

Crate uses a high-performance radix-tree router (O(1) lookup) powered by Go's standard library. Routes are matched based on:

  • Hosts: api.myapp.com, docs.myapp.com
  • Paths: /users, /billing/* (supports wildcards)

Prioritization is automatic: specific host matches take precedence over wildcard hosts, and longer path matches take precedence over shorter ones.

Load Balancing

Traffic distribution is handled at the routing layer. Supported strategies include:

  • Static: Routes traffic to a single upstream destination.
  • Round Robin: Cycles request sequentially across a pool of upstreams (coming soon to v2 router).

Path Rewriting

By default, Crate acts as a transparent proxy. However, you can configure Path Stripping to decouple your public API structure from your internal service layout.

Rate Limiting

Crate implements a distributed Token Bucket algorithm backed by Redis for low-latency rate checks. Limits can be defined by:

  • IP Address: (Default) Limit requests per client IP.
  • Headers: Match specific API keys or Custom Headers.
  • Cookies & Query Params: Identify users via session cookies or tokens in the URL.

When a limit is exceeded, Crate returns a 429 Too Many Requests status code along with standard rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset).

Configuration

Rate limits are defined in `requests/second`, `requests/minute`, or `requests/hour`.

API Keys

Secure your gateway configuration by generating API Keys. These keys are used to authenticate requests to the Crate Configuration API via the Authorization: Bearer <key> header.

Managing Keys

API Keys are managed directly through the Crate Dashboard:

  1. Navigate to Settings > API Keys in the dashboard.
  2. Click Generate New Key to create a token.
  3. Copy the key immediately — it will not be shown again.

We recommend rotating keys every 90 days for maximum security.

Domains & SSL

Crate handles zero-config SSL issuance via Let's Encrypt. Simply add your custom domain in the dashboard and verify ownership via DNS.

Once verified, the certificate is automatically generated, stored securely, and renewed before expiration.

Rule Management

Rules represent reusable logic attached to routes, primarily used for rate limiting and request transformation.

Managing Rules

Rules can be configured visually in the Crate Dashboard:

  • Attach Rules: Select a domain path and choose from available rules (e.g., Rate Limit, Auth Check).
  • Configure Logic: Set parameters like requests/minute or allowed IP ranges directly in the UI.
  • Real-time Updates: Changes to rules propagate to the gateway instantly.

API Reference

Interact with your gateway programmatically using the Crate API. All changes made via the API are applied instantly.

Authentication

All requests must include your API Key in the Authorization header:

Authorization: Bearer <YOUR_API_KEY>

Configuration API

Manage your gateway routes and rules programmatically.

Get Domain Config

GET https://api.crate.cc/v1/domain/{id}/config

Limit: 5 req/min

Returns the current list of rules and routes for the specified domain.

Update Domain Config

PUT https://api.crate.cc/v1/domain/{id}/config

Limit: 5 req/min

Replaces the entire configuration for the domain with the provided list of rules.

Body:

Note

This operation is atomic and destructive. It replaces all existing rules for the domain.

[
  {
    "name": "Main API Route",
    "path": "/api/*",
    "methods": ["GET", "POST", "PUT", "DELETE"],
    "active": true,
    "details": {
      "destinations": ["http://backend-service:8080"]
    }
  },
  {
    "name": "Rate Limit Auth",
    "path": "/auth/*",
    "methods": ["POST"],
    "active": true,
    "details": {
      "identifier": "X-API-Key",
      "identifier_type": "header",
      "rate_limit": {
        "limit": 5,
        "rate": "minute"
      },
      "destinations": ["http://auth-service:3000"]
    }
  }
]