Side by Side
At a Glance
14 dimensions of comparison between Naftiko and Traefik — same row, different layer of the stack. Scan top-to-bottom to see where each product makes a different choice on the same axis.
Dimension
Naftiko
Traefik
Category
Naftiko
Spec-driven integration platform
Traefik
Cloud-native edge router + API gateway + (Hub) API management + AI/MCP gateway
Origin
Naftiko
Kin Lane (API Evangelist) + Jerome Louvel (Restlet → Talend → Qlik), 2025
Traefik
Emile Vauge, 2016 — Traefik Labs around it
Primary primitive
Naftiko
Capability — consumes APIs, exposes REST / MCP / Skills / A2A
Traefik
IngressRoute / Middleware / Service — routing rules over backend services
Layer in the stack
Naftiko
Build-time + ship-time + runtime engine that creates the artifact
Traefik
Network edge + middleware + (Hub) API mgmt; routes traffic to artifacts
Core artifact
Naftiko
YAML capability spec (declarative)
Traefik
Kubernetes CRDs (IngressRoute, Middleware, API, APIPlan, AIService, etc.)
Open source posture
Naftiko
Apache 2.0 Framework, free Fleet community edition, paid Standard / Enterprise
Traefik
MIT-licensed Proxy (free, very popular); Hub is contract-only commercial
Multi-protocol exposure
Naftiko
REST + MCP + Skills + A2A (roadmap) — same capability, all protocols
Traefik
HTTP/1/2/3, TCP, UDP, gRPC, WebSocket; (Hub adds) OpenAI-compatible AI proxy + MCP gateway
Governance scope
Naftiko
Design-time (Spectral lint), admission (Kyverno / OPA), runtime engine
Traefik
Edge enforcement: WAF, OAuth2/OIDC/OPA, rate-limit, headers, IPAllowList — at the proxy boundary
Discovery surface
Naftiko
Backstage capability catalog + scorecards
Traefik
Built-in dashboard + Hub multi-cluster API inventory + APIPortal
Audit / observability
Naftiko
OpenTelemetry + Prometheus + structured logs
Traefik
Prometheus + Datadog + InfluxDB + StatsD + OpenTelemetry tracing + access logs
Identity / OAuth
Naftiko
Runtime secret injection (env, ExternalSecrets); Keycloak / OpenFGA roadmap
Traefik
(Hub) LDAP, JWT, HMAC, OAuth2, OIDC, OPA; HashiCorp Vault integration
AI / MCP posture
Naftiko
Builds MCP servers, REST APIs, Agent Skills from existing APIs
Traefik
(Hub) Routes traffic to MCPs (MCP Gateway) and LLMs (AI Gateway with Presidio + NVIDIA Safety)
Cost / FinOps
Naftiko
Cost-center labels propagated to K8s; Kubecost integration
Traefik
Hub annual subscription; opaque tier-based pricing
Founder framing
Naftiko
“Capability fleet” — many ships, one navy
Traefik
“One platform. One gateway. Every request governed”
Common Ground
Where They Overlap
Both Naftiko and Traefik bet on the layer above per-vendor MCPs. Here are the 8 concrete places where those bets actually meet — same problem, sometimes the same shape, increasingly the same conversation.
1
Both treat AI/MCP as governed first-class traffic
Traefik Hub ships an AI Gateway (LLM proxy with caching, PII redaction, jailbreak detection) and an MCP Gateway (identity-aware agent-to-MCP routing). Naftiko exposes capabilities as MCP servers and routes LLM calls through governed adapters. Same outcome from opposite ends of the wire.
2
Both are Kubernetes-native and CRD-shaped
Traefik Hub uses CRDs (API, APIVersion, APIPlan, APIPortal, ManagedSubscription, AIService, IngressRoute, Middleware). Naftiko Standard ships a NaftikoCapability CRD + operator. Both treat Kubernetes as the policy plane.
3
Both ship a developer-portal / discovery surface
Traefik Hub ships APIPortal + APICatalogItem; Naftiko Fleet integrates Backstage with capability scorecards and a fabric explorer. Both want developers and machines to find what is shippable in one place.
4
Both apply governance through declarative middleware-style chains
Traefik runs ordered HTTP middlewares (RateLimit, Headers, BasicAuth, ForwardAuth, IPAllowList, CircuitBreaker, Retry). Naftiko applies Spectral rules + OPA + runtime checks per consume / expose. Different syntax, similar shape: declarative policy chains, not imperative code.
5
Both support OpenTelemetry + Prometheus out of the box
Naftiko emits OTel events from every capability container. Traefik exports Prometheus + OTel tracing + structured access logs. Audit and metric signals can land in the same downstream observability stack.
6
Both ship multi-cluster / multi-environment governance
Traefik Hub aggregates multi-cluster API inventory and dashboards. Naftiko Fleet’s NaftikoFabricExplorerPage aggregates capability dependency graphs across fabrics. Both target the same enterprise pain.
7
Both treat plugins / extensions as a real engineering surface
Traefik runs Yaegi-interpreted Go plus WebAssembly plugins at runtime without recompiling. Naftiko supports inline scripting (JavaScript, Python, Groovy) sandboxed in the engine. Both let teams extend behavior in the data path without forking the core.
8
Both are aggressively positioning against ungoverned vendor MCPs
Traefik Hub MCP Gateway exists because vendors’ raw MCP endpoints aren’t enterprise-shaped. Naftiko’s entire wedge is “vendor MCPs are too generic for context-engineering.” Different solutions, identical thesis.
Where We Diverge
How Naftiko Is Different
The clearest single-sentence difference: Naftiko builds and exposes the MCP servers, REST APIs, and Skills that Traefik routes traffic to. Naftiko is the artifact factory; Traefik is the network edge. They sit on the same release path, not the same shelf.
1
Build-the-artifact vs route-to-the-artifact
Naftiko
Take an existing API (Bloomberg AIM, GitHub, SAP) and ship it as a governed MCP server / REST API / Skill. The capability YAML is the new endpoint.
Traefik
Route HTTP / TCP / UDP / MCP traffic to backend services that already exist. The CRD describes the path to an existing endpoint.
Naftiko has no ingress story; Traefik has no API-builder story. Two different layers of the same release.
2
Multi-protocol exposure vs multi-protocol routing
Naftiko
A single capability serves REST (humans + tools), MCP (AI agents), Agent Skills (skill-bundle agents), and A2A (roadmap) from one YAML and one container.
Traefik
Routes HTTP/1/2/3, TCP, UDP, gRPC, WebSocket, plus (in Hub) OpenAI-compatible AI proxy and MCP gateway — but those protocols are destinations for traffic, not outputs of an authored spec.
3
Capabilities as the primitive vs IngressRoute / Middleware as the primitives
Naftiko
Primary identity is “the thing that does X” — a functional unit with declared consumes and exposes.
Traefik
Primary identities are routing rules and middleware chains over backend Services.
Naftiko reasons in business-domain capabilities; Traefik reasons in network-shaped routing primitives.
4
Source-side governance vs edge-side governance
Naftiko
Governs the consume side — HTTPS enforcement, PII detection on consumed APIs, credential governance, retry safety per upstream. Owns the supply chain.
Traefik
Governs the edge — WAF, OAuth2/OIDC/OPA, rate-limit, IPAllowList, headers, request size. Owns the perimeter.
5
Capability YAML vs Kubernetes CRD as the source of truth
Naftiko
One declarative YAML spec drives the engine, the validation pipeline, the operator, the governance, and the runtime topology — same file from author to ops.
Traefik
Multiple CRDs per concern (IngressRoute + Middleware + Service + AIService + API + APIPlan + APIPortal + ManagedSubscription) — composable but operationally chunkier.
6
Consume-anything vs Kubernetes-only inputs
Naftiko
Consumes HTTP, file (CSV / JSON / XML), HAR, Postman / OpenAPI imports, web pages — including non-Kubernetes upstream services.
Traefik
Hub is Kubernetes-native only. Service discovery covers Docker, Nomad, ECS, Consul, etcd, file — but the policy plane is K8s.
7
Builds Agent Skills as a first-class output vs not shipped
Naftiko
exposes: skill ships an Agent Skills bundle alongside the capability’s MCP and REST surface — same spec, three artifacts.Traefik
MCP Gateway routes to MCPs but doesn’t produce skill bundles. Skills come from somewhere else.
8
Open-source-first vs OSS-proxy-with-commercial-Hub
Naftiko
Apache 2.0 Framework, intended to land in CNCF, with paid Fleet editions on top. Open-source is the engine; commercial wraps governance + ops around it.
Traefik
MIT-licensed Proxy is the OSS foundation (very popular). Hub is contract-only commercial. Open-source is the proxy; commercial is the API mgmt + AI / MCP gateway.
Partnership Thesis
Service Partnership
Naftiko is the artifact factory. Traefik is the network edge. A Naftiko capability that ships a REST or MCP expose is the natural upstream service for a Traefik IngressRoute, an API CRD, an MCP Gateway entry, and a developer-portal listing — all on the same release. The capability map below wires the Naftiko-built artifact into every Traefik surface it can plug into.
“Naftiko ships the MCP servers, REST APIs, and Agent Skills your enterprise needs. Traefik routes the traffic, terminates the TLS, applies the middleware, publishes the API, and governs the agents that call it. Together: the artifact-and-edge stack for the AI integration era.”
Two First-Meeting Questions
Q1. Naftiko-as-API-source for Traefik Hub
Would Traefik Labs consider a documented “Naftiko as the upstream API source” pattern in Hub — where every Naftiko-built REST capability lands automatically as an API CRD, gets a developer-portal entry, and ships under a managed APIPlan with no extra glue? The capability map below treats every Hub CRD as a Naftiko-publishable target for exactly this reason.
Q2. Naftiko-built MCP behind Traefik MCP Gateway
Would Traefik Hub MCP Gateway include a “register a Naftiko-built MCP” quickstart — pointing at the Naftiko exposes:mcp adapter as the canonical way to put a new governed MCP server behind the gateway? Naftiko produces MCPs; Traefik governs MCP traffic; the join point is a one-page docs section.
Integration Kit
Partnership Capability Map
11 Naftiko capabilities authored to integrate with Traefik as a service partner. Each one consumes a specific Traefik surface and exposes it as REST + MCP through the Naftiko engine — shipped as inline alpha2 YAML in the api-evangelist repository and published to the apis.io capability catalog.
Traefik Routes Discovery
traefik-routes-discovery
Pull live router, service, middleware, and entrypoint inventory from a running Traefik Proxy and expose it as a Naftiko Fleet discovery feed — Backstage shows what the proxy is currently routing to alongside Naftiko-declared capabilities.
Traefik IngressRoute Publish
traefik-ingressroute-publish
When a Naftiko capability ships a REST or MCP expose, publish the matching Traefik IngressRoute (or IngressRouteTCP) so the proxy starts routing traffic to it on the same release.
Traefik Middleware as Policy
traefik-middleware-as-policy
Author Traefik Middleware CRDs (RateLimit, Headers, BasicAuth, ForwardAuth, IPAllowList, CircuitBreaker, Retry, ReplacePath, etc.) via Naftiko's declarative spec layer — one spec, one deploy, two systems wired up.
Traefik Rate Limit Sync
traefik-rate-limit-sync
Synchronize Naftiko expose-side rate-limit declarations with Traefik RateLimit middlewares so the edge enforces exactly what the Naftiko spec declared — no drift between declared limits and enforced limits.
Traefik AI Gateway Bridge
traefik-ai-gateway-bridge
Route Naftiko-side LLM calls through Traefik Hub's AI Gateway — semantic caching, PII redaction (Presidio), jailbreak detection (NVIDIA Safety NIMs), per-token observability — automatic, OpenAI-compatible passthrough.
Traefik MCP Gateway Register
traefik-mcp-gateway-register
Register a Naftiko-built MCP server with Traefik Hub MCP Gateway so Traefik does identity-aware routing, capability scoping, and audit logging on agent-to-MCP traffic in front of it.
Traefik API Management Publish
traefik-api-management-publish
Publish Naftiko-built REST exposes as Traefik Hub API CRDs (API, APIVersion, APIBundle) so they automatically land in the developer portal with try-it consoles, plans, and managed subscriptions.
Traefik Developer Portal Sync
traefik-developer-portal-sync
Push Naftiko-built REST OpenAPI specs into Traefik Hub APIPortal + APICatalogItem CRDs so they appear in Traefik's branded developer portal with try-it consoles, plan badges, and subscription flows.
Traefik Managed Subscription Sync
traefik-managed-subscription-sync
Surface Traefik Hub ManagedSubscription state into Naftiko Fleet so every Naftiko-built API knows which downstream applications are currently subscribed to it (under which plan, in which bundle).
Traefik ACME Cert Manager
traefik-acme-cert-manager
Manage Let's Encrypt / ACME certificate state via Traefik's TLSStore + TLSOption CRDs so Naftiko-built REST exposes that need TLS pick up Traefik-managed certificates automatically.
Traefik Metrics Bridge
traefik-metrics-bridge
Pull Traefik Proxy's Prometheus metrics endpoint and expose request-rate, latency, and error series alongside Naftiko's OpenTelemetry stream so a single dashboard shows ingress + capability behavior together.
