Side by Side
At a Glance
14 dimensions of comparison between Naftiko and Gravitee — same row, different layer of the stack. Scan top-to-bottom to see where each product makes a different choice on the same axis.
| Dimension | Naftiko | Gravitee |
| --- | --- | --- |
| Category | Spec-driven integration platform | Open-source API + Event + AI Agent management platform |
| Origin | Kin Lane (API Evangelist) + Jerome Louvel (Restlet → Talend → Qlik), 2025 | David Brassely + Titouan Compiegne + Nicolas Geraud, 2015 — Gravitee.io around it |
| Primary primitive | Capability — consumes APIs, exposes REST / MCP / Skills / A2A | API definition (v2 proxy, v4 message-oriented) + SharedPolicyGroup |
| Layer in the stack | Build-time + ship-time + runtime engine that creates the artifact | Runtime gateway + management plane + AI gateway + identity provider — governs traffic to artifacts |
| Core artifact | YAML capability spec (declarative, alpha2) | 10 Kubernetes CRDs (ApiDefinition, ApiV4Definition, Application, Subscription, Plan, ManagementContext, SharedPolicyGroup, Group, KafkaRoute, Notification) |
| Open source posture | Apache 2.0 Framework, free Fleet community edition, paid Standard / Enterprise | Apache 2.0 OSS APIM + AM core; Enterprise tier (AI Agent Mgmt, Federation, Alert Engine, FinOps) commercial |
| Multi-protocol exposure | REST + MCP + Skills + A2A (roadmap) — same capability, all protocols | HTTP, Kafka, MQTT, WebSocket, SSE, gRPC, MCP, A2A — protocol-mediated by the v4 gateway |
| Governance scope | Design-time (Spectral lint), admission (Kyverno / OPA), runtime engine | Runtime: 50+ policies (JWT, OAuth2, rate-limit, transforms, RAG, prompt guard-rails, PII redaction, semantic cache) |
| Discovery surface | Backstage capability catalog + scorecards | Developer portal (Cockpit), API Products, Federation discovery (AWS / Apigee / Kong / Azure / MuleSoft) |
| Audit / observability | OpenTelemetry + Prometheus + structured logs | Built-in analytics + audit + Alert Engine (latency, errors, quota, AI-token-spend); OTel/Prometheus exporters |
| Identity / OAuth | Runtime secret injection (env, ExternalSecrets); Keycloak / OpenFGA roadmap | Gravitee Access Management (OAuth2/OIDC, SAML, MFA, factors, IdP federation, OpenFGA / AuthZen authorization) |
| AI / MCP posture | Builds MCP servers, REST APIs, Agent Skills from existing APIs | Routes traffic to LLMs via LLM Proxy + governs agent-to-MCP traffic via MCP Tool Server v2 |
| Cost / FinOps | Cost-center labels propagated to K8s; Kubecost integration | Per-request analytics + AI token tracking + per-app/plan usage rollups (Enterprise) |
| Founder framing | “Capability fleet” — many ships, one navy | “The federated API Management platform for the AI agent era” |
Common Ground
Where They Overlap
Both Naftiko and Gravitee bet on the layer above per-vendor MCPs. Here are the 8 concrete places where those bets actually meet — same problem, sometimes the same shape, increasingly the same conversation.
1. Both treat AI/MCP as governed first-class traffic
Gravitee ships an LLM Proxy (OpenAI / Anthropic / Bedrock / Azure / Mistral / Hugging Face) with prompt guard-rails, semantic caching, and PII redaction, plus an MCP Tool Server v2 that puts agents behind enforceable identity. Naftiko exposes capabilities as MCP servers and routes LLM calls through governed adapters. Same outcome from opposite ends of the wire.
2. Both are Kubernetes-native and CRD-shaped
Gravitee ships ten CRDs (ApiDefinition, ApiV4Definition, Application, Subscription, Plan, ManagementContext, SharedPolicyGroup, Group, KafkaRoute, Notification) under the Gravitee Kubernetes Operator. Naftiko Standard ships a NaftikoCapability CRD + operator. Both treat Kubernetes as a first-class policy plane, GitOps-friendly out of the box.
3. Both ship a developer-portal / discovery surface
Gravitee Cockpit aggregates multi-environment API catalogs, API Products, and Federation-discovered APIs from foreign gateways. Naftiko Fleet integrates Backstage with capability scorecards and a fabric explorer. Both want developers and machines to find what is shippable in one place.
4. Both apply governance through declarative policy chains
Gravitee runs ordered policies (JWT, OAuth2, RateLimit, Transform, AI guard-rail, RAG, PII, etc.) bundled into SharedPolicyGroups attachable to many APIs. Naftiko applies Spectral rules + OPA + runtime checks per consume / expose. Different syntax, similar shape: declarative policy chains, not imperative code.
5. Both support OpenTelemetry + Prometheus out of the box
Naftiko emits OTel events from every capability container. Gravitee exports OTel tracing + Prometheus metrics + structured analytics + audit events. Audit and metric signals can land in the same downstream observability stack without rework.
6. Both ship multi-cluster / multi-environment governance
Gravitee Cockpit aggregates installations across regions and clusters under one control plane; Federation pulls APIs from AWS, Apigee, Kong, Azure APIM, and MuleSoft. Naftiko Fleet’s NaftikoFabricExplorerPage aggregates capability dependency graphs across fabrics. Both target the same enterprise pain.
7. Both treat reusable policy bundles as a real engineering surface
Gravitee SharedPolicyGroups exist precisely so a JWT + rate-limit + AI guard-rail bundle can be authored once and applied to every API consistently. Naftiko ships reusable policy chains as part of the capability spec. Both refuse the “copy-paste policy per service” anti-pattern.
8. Both are aggressively positioning against ungoverned vendor MCPs
Gravitee MCP Tool Server v2 exists because vendors’ raw MCP endpoints aren’t enterprise-shaped — no identity, no audit, no token caps. Naftiko’s entire wedge is “vendor MCPs are too generic for context-engineering.” Different solutions, identical thesis.
Where We Diverge
How Naftiko Is Different
The clearest single-sentence difference: Naftiko builds the MCP servers, REST APIs, and Agent Skills that Gravitee governs, routes, and meters. Naftiko is the artifact factory; Gravitee is the regulated runtime. They sit on the same release path, not the same shelf.
1. Build-the-artifact vs govern-the-artifact
Naftiko
Take an existing API (Bloomberg AIM, GitHub, SAP) and ship it as a governed MCP server / REST API / Skill. The capability YAML is the new endpoint.
Gravitee
Govern HTTP / Kafka / MQTT / MCP / LLM traffic to backend services that already exist. The ApiDefinition CRD describes the policed path to an existing endpoint.
Naftiko has no gateway story; Gravitee has no API-builder story. Two different layers of the same release.
2. Multi-protocol exposure vs multi-protocol mediation
Naftiko
A single capability serves REST (humans + tools), MCP (AI agents), Agent Skills (skill-bundle agents), and A2A (roadmap) from one YAML and one container.
Gravitee
v4 gateway mediates HTTP, Kafka, MQTT, WebSocket, SSE, gRPC, MCP, A2A — but those protocols are destinations for traffic, not outputs of an authored spec.
3. Capabilities as the primitive vs ApiDefinition + SharedPolicyGroup as the primitives
Naftiko
Primary identity is “the thing that does X” — a functional unit with declared consumes and exposes.
Gravitee
Primary identities are API definitions, plans, subscriptions, and reusable policy chains over backend endpoints.
Naftiko reasons in business-domain capabilities; Gravitee reasons in API + traffic + policy primitives.
4. Source-side governance vs gateway-side governance
Naftiko
Governs the consume side — HTTPS enforcement, PII detection on consumed APIs, credential governance, retry safety per upstream. Owns the supply chain.
Gravitee
Governs the gateway — JWT/OAuth2/AM, rate-limit, transforms, AI guard-rails, semantic cache, PII redaction. Owns the regulated boundary.
5. Capability YAML vs ten Kubernetes CRDs as the source of truth
Naftiko
One declarative YAML spec drives the engine, the validation pipeline, the operator, the governance, and the runtime topology — same file from author to ops.
Gravitee
Ten CRDs per concern (ApiDefinition + ApiV4Definition + Application + Subscription + Plan + ManagementContext + SharedPolicyGroup + Group + KafkaRoute + Notification) — composable but operationally chunkier.
6. Consume-anything vs gateway-as-the-source-of-traffic
Naftiko
Consumes HTTP, file (CSV / JSON / XML), HAR, Postman / OpenAPI imports, web pages — including non-Kubernetes upstream services.
Gravitee
Federation discovers APIs across AWS, Apigee, Kong, Azure APIM, MuleSoft — but the policy plane is the Gravitee gateway. Service-mesh-shaped thinking.
7. Builds Agent Skills as a first-class output vs not shipped
Naftiko
exposes: skill ships an Agent Skills bundle alongside the capability’s MCP and REST surface — same spec, three artifacts.
Gravitee
MCP Tool Server v2 governs MCPs but doesn’t produce skill bundles. Skills come from somewhere else.
8. Open-source-first vs OSS-APIM-with-commercial-AI-tier
Naftiko
Apache 2.0 Framework, intended to land in CNCF, with paid Fleet editions on top. Open-source is the engine; commercial wraps governance + ops around it.
Gravitee
Apache 2.0 APIM + AM core (very deep). AI Agent Management module (LLM Proxy, MCP Tool Server v2, prompt guard-rails, FinOps) is commercial Enterprise. Open-source is the gateway; commercial is the AI / agent layer.
Partnership Thesis
Service Partnership
Naftiko is the artifact factory. Gravitee is the regulated runtime. A Naftiko capability that ships a REST or MCP expose is the natural upstream service for a Gravitee ApiDefinition, an MCP Tool Server entry, an LLM Proxy backend, and a developer-portal listing — all on the same release. The capability map below wires the Naftiko-built artifact into every Gravitee surface it can plug into.
“Naftiko ships the MCP servers, REST APIs, and Agent Skills your enterprise needs. Gravitee governs the gateway, brokers the LLM tokens, enforces the policies, manages the identities, and meters the AI consumption. Together: the artifact-and-runtime stack for the AI agent era.”
Two First-Meeting Questions
Q1. Naftiko-as-API-source for Gravitee APIM
Would Gravitee.io consider a documented “Naftiko as the upstream API source” pattern in APIM — where every Naftiko-built REST capability lands automatically as an ApiDefinition (or ApiV4Definition) CRD, gets a developer-portal entry, and ships under a managed Plan with no extra glue? The capability map below treats every APIM CRD as a Naftiko-publishable target for exactly this reason.
Q2. Naftiko-built MCP behind Gravitee MCP Tool Server
Would Gravitee MCP Tool Server v2 include a “register a Naftiko-built MCP” quickstart — pointing at the Naftiko exposes:mcp adapter as the canonical way to put a new governed MCP server behind the tool server? Naftiko produces MCPs; Gravitee governs MCP traffic, identity, and AI token spend; the join point is a one-page docs section.
Integration Kit
Partnership Capability Map
10 Naftiko capabilities authored to integrate with Gravitee as a service partner. Each one consumes a specific Gravitee surface and exposes it as REST + MCP through the Naftiko engine — shipped as inline alpha2 YAML in the api-evangelist repository and published to the apis.io capability catalog.
Gravitee APIs Discovery
gravitee-apis-discovery
Pull live API definitions, deployments, lifecycle state, and start/stop status from a Gravitee APIM environment into Naftiko Fleet — Backstage shows what the gateway is currently governing alongside Naftiko-declared capabilities.
Gravitee API Publish
gravitee-api-publish
When a Naftiko capability ships a REST or v4 message expose, publish the matching Gravitee ApiDefinition (or ApiV4Definition) and API Product so the gateway starts routing + governing traffic to it on the same release.
Gravitee Shared Policy Groups
gravitee-shared-policy-groups
Author Gravitee SharedPolicyGroups (reusable JWT / rate-limit / transforms / AI guard-rails / RAG bundles) via Naftiko's declarative spec layer — one spec, one deploy, applied across every Gravitee API the customer ships.
Gravitee MCP Tool Server Register
gravitee-mcp-tool-server-register
Register a Naftiko-built MCP server with Gravitee MCP Tool Server v2 so Gravitee enforces identity, audit, token tracking, and AI guard-rails on agent-to-MCP traffic in front of it.
Gravitee LLM Proxy Bridge
gravitee-llm-proxy-bridge
Route Naftiko-side LLM calls through Gravitee's LLM Proxy — OpenAI / Anthropic / Bedrock / Azure / Mistral / Hugging Face under one OpenAI-compatible surface with prompt-token tracking, semantic caching, prompt guard-rails, and PII redaction layered in.
Gravitee Access Management Bridge
gravitee-am-bridge
Manage Gravitee Access Management (security domains, OAuth2 / OIDC applications, identity providers, MFA factors) from Naftiko spec — declared identity requirements provision matching domain + application + IdP wiring automatically.
Gravitee Subscriptions Management
gravitee-subscriptions-management
Manage Gravitee applications, plans, and subscriptions from Naftiko spec — provision and revoke consumer access to APIs alongside the API definitions Naftiko ships, keeping consumer-side state in lockstep with API-side state.
Gravitee Alert Engine Bridge
gravitee-alert-engine-bridge
Configure Gravitee Alert Engine triggers (latency, error-rate, quota, AI-token-spend, anomaly) and bridge fired alerts back into Naftiko's notification pipeline — same alerting intent declared once, both sides react.
Gravitee Federation Bridge
gravitee-federation-bridge
Pull federated API discovery from Gravitee — APIs that Federation has discovered across AWS API Gateway, Apigee, Kong, Azure API Management, MuleSoft — into Naftiko Fleet so the capability registry sees every governed API regardless of which gateway terminates it.
Gravitee FinOps Bridge
gravitee-finops-bridge
Pull Gravitee analytics — request counts, latency percentiles, error rates, AI-token consumption, per-app + per-plan usage — into Naftiko's per-call cost attribution model so every capability call carries its real Gravitee-measured cost.