Kong API Gateway 3.14

An API gateway is the traffic cop in front of an application programming interface, checking credentials, applying limits, and routing requests before they hit a backend service. Kong’s 3.14 release, published April 7, adds a new long-term-support version for teams that want those checks to be stricter by default. (developer.konghq.com) Kong’s changelog lists 3.14.0.0 on April 7, 2026, followed by 3.14.0.1 on April 10, 2026. Kong’s version policy says the first minor release each year becomes the long-term-support release, and the breaking-changes page identifies 3.14 as the new long-term-support line after 3.10. (developer.konghq.com 1) (developer.konghq.com 2) (developer.konghq.com 3) In plain terms, plugins are the gateway’s rule modules: one can verify a token, another can rate-limit traffic, and another can inspect messages. Kong says its gateway loads these modules to add features without changing the core proxy. (developer.konghq.com) The authentication piece here is JSON Web Token, a signed packet of claims that lets a client prove who it is without sending a password on every request. Kong’s JWT plugin accepts tokens in headers or cookies and can verify registered claims such as expiration time and “not before” time before proxying a request. (developer.konghq.com 1) (developer.konghq.com 2) (developer.konghq.com 3) That matters for banks, healthcare systems, and other regulated platforms that often need more than a yes-or-no login check. Kong’s OpenID Connect and JWT tooling already supports mapping token claims to consumers, and 3.14’s release notes also tighten several security defaults, including certificate verification and hidden credentials on new plugin configurations. (developer.konghq.com 1) (developer.konghq.com 2) (developer.konghq.com 3) WebSocket traffic is the always-open version of an application programming interface connection, used when a client and server need to keep talking back and forth in real time. Kong’s WebSocket Validator plugin checks individual messages against a schema before forwarding them, including text or binary messages sent by a client or an upstream service. (developer.konghq.com) Kong’s 3.14 release also changes the default route protocols from “http,https” to “https” for new routes. The same release switches several defaults toward stronger cryptography, including HMAC-SHA256 for event hooks and certificate verification turned on by default in more places. (developer.konghq.com) (developer.konghq.com) The monetization piece sits in Konnect, Kong’s hosted platform around the gateway. Kong’s Metering and Billing docs say customers can meter gateway requests in real time, define free, flat-fee, usage-based, or tiered pricing, enforce usage limits, and turn those records into subscriptions and invoices. (developer.konghq.com) (developer.konghq.com) (developer.konghq.com) That puts the release in line with Kong’s recent pitch to platform teams that want one control point for security, analytics, and product packaging. Kong’s own Konnect materials say the platform is built to govern, observe, and monetize API and artificial intelligence traffic across self-managed and cloud deployments. (konghq.com) (developer.konghq.com) For teams running older long-term-support builds, Kong says 3.10 configurations can be migrated to 3.14 with deck file conversion tooling. The message in the docs is straightforward: newer gateway releases are carrying more of the policy, security, and billing logic that companies used to bolt on elsewhere. (developer.konghq.com)