Keycloak and Kong Gateway — OSS vs Commercial Licensing
Quick reference for the OSS vs commercial licensing split for Keycloak (identity/auth) and Kong Gateway (API gateway). Both follow the same pattern: Apache 2.0 OSS core, optional commercial tier from the primary vendor.
Why / When to Use
Use this when evaluating whether to adopt the free OSS version or pay for the commercial build for either tool in a production infrastructure stack.
Core Concept
| | Keycloak | Kong Gateway |
|---|---|---|
| OSS license | Apache 2.0 | Apache 2.0 |
| Commercial option | Red Hat build of Keycloak | Kong Gateway Enterprise |
| Commercial vendor | Red Hat (IBM) | Kong Inc. |
| What you get extra | Enterprise support, SLAs, security patches, hardened builds | Kong Manager UI, advanced analytics, RBAC, OIDC, premium plugins |
| Pricing | Subscription-based | Custom (contact sales) |
Key Options / Variants
Start with OSS when:
- Team can self-manage upgrades and security patches
- No hard SLA requirement
- Don’t need Kong Manager GUI or advanced Kong analytics
Upgrade to commercial when:
- Enterprise support or SLA contractually required
- Need Red Hat’s hardened/security-patched Keycloak builds
- Kong: need RBAC, advanced rate limiting, OIDC plugin, or Kong Manager UI
Gotchas
- The OSS versions are production-ready — commercial tiers add support guarantees and enterprise features, not core functionality
- Kong Gateway Enterprise pricing is opaque (contact sales); budget conversations may take time
- Red Hat’s Keycloak build lags slightly behind community releases (patching takes time)
Source
Conversation “Commercial use permissions” — 2026-05-21.