The Production Pivot: Crate vs. ngrok API Gateway
For a decade, ngrok was the tool you used for local tunnels. But recently, they’ve made a move into the production lane with their API Gateway-as-a-Service. They’ve added JWT validation, rate limiting, and a ‘Traffic Policy’ engine.
If you’re deciding between the new ngrok Gateway and Crate, the choice comes down to one thing: Do you want a shared cloud service, or do you want dedicated managed infrastructure?
I. The Policy Engine: CEL vs. JSONata
ngrok’s new gateway uses Common Expression Language (CEL) for their traffic policies. CEL is excellent for simple boolean logic—checking if a header exists or if a JWT claim is valid. However, it is not a transformation engine.
The Crate Advantage: Deep Data Reshaping
Crate is built on JSONata. While ngrok is focused on filtering traffic, Crate is built for transforming it.
// Theory: Why JSONata beats CEL for Managed Gateways
// ngrok's CEL is perfect for 'if/then' logic.
// Crate's JSONata is built for 'input/output' mapping.
func (g *Gateway) TransformPayload(input []byte) ([]byte, error) {
// In Crate, the managed engine can flatten nested JSON, rename
// keys, and inject dynamic data in a single pass before
// it ever reaches your backend.
return g.jsonataEngine.Execute(input, "$map(payload, function($v) { ... })")
}
This allows you to maintain legacy API support or bridge incompatible microservices without touching a single line of your own code. We manage the transformation layer so you can keep your backend lean.
II. The Managed Isolation Gap: Shared Cloud vs. Dedicated Hardware
ngrok’s Gateway-as-a-Service is a multi-tenant platform. Your API traffic is processed by the same shared “Points of Presence” (PoPs) as thousands of other users.
- ngrok: A shared, multi-tenant environment. Your p99 latency is subject to the ‘Noisy Neighbor’ effect of other users’ traffic spikes within the ngrok cloud.
- Crate: Dedicated Physical Isolation. On our Business Tier, we provision entirely separate bare-metal servers at Colocrossing to handle your gateway traffic. You aren’t just isolated by a virtual firewall; you are on your own physical hardware. No shared CPU cache, no shared NICs, and zero hypervisor jitter.
III. The ‘Tunnel’ Tax: Pricing Predictability
ngrok has moved to a complex Pay-As-You-Go model involving ‘Traffic Policy Units’ (TPUs), endpoint hours, and data transfer fees. For a high-traffic production API, these “micro-meters” make it impossible to forecast your monthly burn.
Crate’s Financial Firewall is built on the opposite philosophy:
- Fixed Infrastructure Costs: We provide predictable, flat-rate tiers based on the dedicated hardware assigned to you.
- Egress Management: Crate’s Waterfall Routing intelligently routes traffic to exhaust your existing free tiers and low-cost bandwidth providers first, actively protecting your margins from the “Success Tax” of usage-based gateways.
IV. Resilience: Active Failover vs. Shared Outages
When you use a shared managed gateway, a platform-wide outage takes you down with everyone else.
Crate’s In-Flight Retries give you active control over your resilience. If your primary downstream provider returns a 5xx, our engine detects it mid-request and automatically re-routes the payload to a healthy secondary node.
// Theory: The Managed Retry Logic
// Crate allows you to define safe retry methods (like GET)
// and unsafe ones (like POST) to prevent double-processing
// during a provider-level failover.
func shouldRetry(req *http.Request, err error, cfg RouteConfig) bool {
if isNetworkError(err) {
return true
}
return cfg.RetryMethods[req.Method]
}
Comparison Summary
| Feature | ngrok API Gateway | Crate.cc |
|---|---|---|
| Logic Type | Filtering & Boolean (CEL) | Full Payload Reshaping (JSONata) |
| Hosting Model | Shared Multi-tenant Cloud | Dedicated Managed Bare Metal |
| Isolation | Software-defined (Shared) | Physical (Dedicated Hardware) |
| Pricing | Usage-Based (TPUs/Data) | Predictable / Tier-Based |
| Failover | Internal / Proprietary | Active In-Flight Retries |