Features

Everything you need to ship an API.

A clean gateway, per-customer keys, plans with trials, customer webhooks and a public marketplace — all in one place.

Secret-safe gateway

api.oanor.com fronts your upstream. Header allow-list, no DB access, 503 on Redis outage. Designed against accidental leakage.

Per-customer API keys

Issue, revoke, rotate. Plaintext shown once. SHA-256 stored. RPS quota enforced atomically.

Plans & quotas

Free, Pro, Enterprise tiers out of the box. Per-second rate limit + monthly quota in Redis.

Multilingual auto-content

Hero image, SEO copy, translations generated on publish. EN + DE today, ten more on the way.

Built-in observability

Prometheus /metrics endpoint, Redis stream of every call, Postgres audit log of every admin action.

Pure PHP, no framework

Modular monolith. Strict Public/Internal split enforced via Deptrac. PHPStan level 8. PHP-CS-Fixer.

For providers

Tools for API providers.

Define plans, watch usage, reply to reviews, get paid monthly.

RapidAPI-style plan editor

Free + paid tiers, hard/soft limits, overage pricing, free trials and feature bullets per plan.

Per-endpoint analytics

P50/P95/P99 latency and error-rate trends per endpoint, in a slide-in drawer.

Reply to reviews

Address feedback inline; replies show as a quoted block under each customer review.

Subscriber overview

Pseudonymized list of active subscribers with current-month usage per plan.

For customers

Built for the developer who consumes APIs.

Browse, subscribe, integrate, monitor — without writing your own gateway.

Per-API subscriptions

Pay each provider directly at their listed price; one monthly platform invoice on top.

Live usage bars

Monthly + daily quota visualization per subscription, color-coded at 80% and 100%.

HMAC-signed webhooks

subscription.renewed, quota.warning, payout.paid and more — signed, retried, logged.

Side-by-side compare

Stack up to three APIs and compare price, uptime, latency and pricing tiers at a glance.

Bookmarks + activity feed

Star APIs, follow what changed, get notifications when subscribed providers ship updates.

Platform

Trust + transparency by default.

EU-only servers, signed webhooks, immutable audit log, public roadmap.

EU-only by default

Hetzner Falkenstein. No data leaves the EU unless you explicitly enable a region.

Automated translations

API descriptions, hero copy and SEO content translated on publish. EN + DE today.

Immutable audit log

Every admin action persisted with actor, IP and payload diff. Queryable for compliance.

Cryptographic delivery

X-Oanor-Signature: sha256=<hex> over the raw body. Verify before trusting.
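A receiver-side check for the header described above, as an added example (not Oanor's own code). It assumes the digest is HMAC-SHA256 keyed with a shared webhook secret; the secret, payload fields and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Oanor-Signature"  # header name from the page
PREFIX = "sha256="

# Constructed sample data (not real Oanor values).
SECRET = b"whsec_example_not_a_real_secret"
BODY = b'{"type":"quota.warning","subscription":"sub_123","used_pct":80}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Build sha256=<hex>. Assumption: HMAC-SHA256 with a shared secret."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value authenticates raw_body.

    raw_body must be the bytes exactly as received, before JSON parsing or
    re-serialisation, because the signature covers the raw body.
    """
    if not isinstance(header_value, str) or not header_value.startswith(PREFIX):
        return False  # missing header or unexpected scheme: reject
    received_hex = header_value[len(PREFIX):].strip()
    if len(received_hex) != 64:  # SHA-256 is 32 bytes, 64 hex characters
        return False
    try:
        received_mac = bytes.fromhex(received_hex)
    except ValueError:
        return False  # not valid hex
    expected_mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected_mac, received_mac)


def handle(headers: dict, raw_body: bytes) -> int:
    """Hypothetical handler: authenticate first, parse afterwards."""
    wanted = SIGNATURE_HEADER.lower()  # HTTP header names are case-insensitive
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if not verify(SECRET, raw_body, value):
        return 401
    json.loads(raw_body)  # only now is the payload treated as trusted input
    return 200
```
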

p50 gateway overhead

13 webhook event types

10% platform cut, no extras

EU data residency