Feature flags & OpenFeature are here

Formerly known as api-shield, same project, new name.

Control how your API behaves at runtime

Waygate is a runtime behavior layer for your API. Disable a broken route, enforce limits per user, roll out to 10% of traffic, or schedule a maintenance window. No code changes. No restarts. No redeployments.

Get Started → GitHub
$ uv add "waygate[all]"
app.py 
from fastapi import FastAPI
from waygate import make_engine
from waygate.fastapi import (
    WaygateMiddleware, WaygateAdmin,
    maintenance, env_only, deprecated,
    force_active, rate_limit,
)

engine = make_engine()
app    = FastAPI()
app.add_middleware(WaygateMiddleware, engine=engine)

# Database migration in progress
@app.get("/payments")
@maintenance(reason="Back at 04:00 UTC")
async def get_payments(): ...

# Hidden in production silently
@app.get("/debug")
@env_only("dev", "staging")
async def debug_info(): ...

# 100 req/min per IP, no extra config
@app.get("/search")
@rate_limit("100/minute", key="ip")
async def search(): ...

# Immune to all checks, always 200
@app.get("/health")
@force_active
async def health(): ...

# Dashboard + REST API at /waygate
app.mount("/waygate",
    WaygateAdmin(engine=engine, auth=("admin", "secret"))
)
Feature flags OpenFeature compliant Canary rollouts A/B testing Percentage rollouts Rate limiting Maintenance mode Scheduled windows Zero-restart control Audit log Redis backends Webhooks CLI control Multi-service fleet Env gating Feature flags OpenFeature compliant Canary rollouts A/B testing Percentage rollouts Rate limiting Maintenance mode Scheduled windows Zero-restart control Audit log Redis backends Webhooks CLI control Multi-service fleet Env gating
5 Flag Types Supported
3 Storage Backends
0 Restarts Needed
MIT Open Source
The problem

API behavior is buried in code and deployments

Changing how your API behaves requires editing code, merging a PR, and waiting for a deploy. Disabling a broken route, adjusting a rate limit, or restricting a feature to one user segment all go through the same slow path. There is no dedicated layer for runtime control.

The solution

A dedicated runtime layer for API behavior.

waygate sits between your framework and your business logic. It handles route lifecycle, rate limiting, feature flags, and rollouts in one place. Changes take effect immediately from a dashboard, CLI, or REST API with no code changes and no server restart.

Feature Flags

OpenFeature compliant. Boolean, string, float, JSON. Targeting rules, segments, percentage rollouts, prerequisites.

Rate Limiting

Per-IP, per-user, per-key, or global. Tiered limits, burst allowance, real-time policy mutation. Memory, file, or Redis.

Route Lifecycle

Maintenance, env gating, deprecation, instant disable. Per route. Managed from dashboard, CLI, or REST API with no code changes.

Waygate admin dashboard

Admin dashboard — route states, rate limits, audit log, and feature flags. No JS framework required.

What makes it different

Route-level control that other tools don't have.

LaunchDarkly, Flagsmith, and Unleash operate at the application layer with no concept of what a route is. waygate does feature flags and gives you route-level control: put /api/payments into maintenance, schedule the window, reset its rate limit counters when it comes back, and see a live dashboard of every route's state across your fleet.

Route-aware request context

waygate reads request.state.user_id, FastAPI dependencies, and ASGI request context directly. The route is the unit of control, not a string key passed to an SDK.

Maintenance windows, not just toggles

Schedule /api/payments out for 2 hours. When the window closes, the route comes back automatically, rate limit counters reset, and a webhook fires to Slack. No code change needed.

No SaaS, no API keys

Back your state with Redis you already run, or a plain JSON file for local dev. No data leaves your infra. No third-party uptime dependency sitting in your request path.

Disabled and env-gated routes hidden from /docs

Disabled and env-gated routes hidden from /docs

Maintenance banner injected into Swagger UI

Maintenance banners injected live into Swagger UI

Why waygate

Everything you need to control API behavior at runtime

01

Decorator-first DX

State lives next to the route. @maintenance, @disabled, @env_only, @rate_limit. One line, zero boilerplate.

02

Fail-open by default

If the backend is unreachable, requests pass through. Waygate never takes down your API due to its own failures.

03

OpenFeature compliant

Use any OpenFeature-compatible SDK. Switch providers without rewriting flag evaluation logic. Vendor-portable from day one.

04

HTMX admin dashboard

Live SSE updates. Audit log. Flag evaluation stream. No JavaScript framework. Mount at any path in two lines.

05

Multi-service fleet

WaygateServer + WaygateSDK for centralized control across multiple services. State synced via SSE with zero per-request latency.

06

Full CLI + REST API

Every dashboard action is available from the terminal or CI pipeline. Token auth. Cross-platform config at ~/.waygate/config.json.

Get started

Add runtime control to your API today

Install in seconds. No external services required. Currently supports FastAPI, more adapters coming.

$ uv add "waygate[all]"
Read the Docs Star on GitHub
PyPI Python License