Schedule a Demo
Chapters
Architecture
Depth & Proof
Fitting Your Stack
Security Model
Trust & Operations
Straight Answers

The questions your architect will actually ask.

We wrote down the hardest version of every question a skeptical infrastructure lead raises before signing off — latency, blast radius, proof, pricing, lock-in — and answered them without the gloss. Tap a question to open it.

14 questions 5 chapters open only what you need
Start reading
Chapter 1 / 5

Architecture

How the connection actually behaves — from handshake to teardown, and everything holding it up in between.

Q1 · Latency

"Transient connections per transaction" — doesn't that add latency to every API call?

A cross-country TLS handshake is the slow part. We terminate it on a gateway near the client, so the negotiation is short — and the long haul back to your server runs on a tunnel that's already open and needs no handshake at all.

A TLS handshake over a short distance is fast. Over a long one — a client on one coast, your server on the other — each round-trip of that negotiation has to cross the whole country, and those round-trips are what cost you. That handshake alone can run around 100 ms before any data even moves.

BillionAPIs terminates that handshake on a gateway close to the client, so the only live negotiation happens over a short hop — on the order of 10 ms. From the gateway back to your server, traffic rides an encrypted tunnel that is already established and already knows its route. There is no per-call handshake on that leg to pay for.

On your side, connections are outbound-only — no inbound ports, no NAT traversal, no hole punching. Your network team validates one standard connectivity pattern. The encryption itself uses protocols already built into your operating system, so there is nothing proprietary to audit.

Q2 · The control plane

Isn't the control plane just standing infrastructure you haven't eliminated — only moved?

Yes, there is one — every control-plane/data-plane design has one. The difference is what you have to protect: you trade a sprawl of systems, each one a potential gap, for a single server you can lock down properly.

Correct — there is a control plane. It's a pattern that's been proven for decades, and we don't pretend otherwise.

Here's the difference: it sits inside your infrastructure, locked down, and is never reachable from the outside without prior controls. Every connection in and out goes through its own authentication and authorization. The only external exposure is DNS, sitting behind the same tooling — Cloudflare or equivalent — you already run today.

The advantage is focus. Instead of enforcing security across dozens of distributed gateways and endpoints, you concentrate protection on one thing: air-gapped, multi-factor, configuration changes through infrastructure-as-code only. Most breaches don't happen because a single well-protected system fails. They happen because a team is protecting dozens of systems and the posture slips somewhere in the sprawl.

Q3 · Inbound ports

"No open inbound ports" — so how does the initial handshake happen? Something has to be listening.

Nothing on your perimeter listens. Your side only dials out to the platform, so there's no inbound port to open — and nothing exposed to attack from the outside.

Something does listen — but it's the platform's gateways, sitting near your clients, never anything on your perimeter. BillionAPIs is a complete infrastructure deployment, not an appliance you bolt onto what you have: tunnels, L3/L4 firewalling, API gateway, API security, and data protection, all deployed as one stack inside your perimeter.

Your API endpoints and services connect to it via outbound tunnels; your API clients connect through gateways near them. Nothing listens on the public internet, and nothing requires an inbound port opening on your side. One infrastructure, one perimeter — you connect to it outbound, and that's it.

Chapter 2 / 5

Depth & Proof

What's actually built versus what's roadmap — and how you'd verify the difference yourself.

Q4 · CAMARA & TM Forum

The CAMARA and TM Forum surface — real implementations, or stubs returning mock data?

The northbound surface is spec-complete from day one — and reachable as REST, GraphQL, and MCP, so developers and agents can both consume it. Southbound, the connection to your real backends is honest about what's live versus mock, and lights up at your pace.

No one builds one of these standards in full on day one. Teams implement the handful of APIs that justify near-term spend; the rest sit on a roadmap. But partners expect a complete surface regardless — and that's the gap the gateway closes, from two directions.

Northbound — the surface your partners integrate against — is spec-complete on day one: every endpoint present and callable. And it isn't just REST for developers; the same surface is exposed as GraphQL and as MCP tools, so your agents can consume it directly. Southbound — where the gateway connects to your real systems — is where the real work happens, one backend at a time. Where you've implemented an API, the gateway passes through to it. Where you haven't, it returns a spec-compliant response and is marked as mock — not dressed up as live.

The effect is on the timeline. Reaching a complete, conformant surface used to be a multi-year effort; here it's there on day one, and connecting your real backends behind it is measured in weeks, not years — you set the pace.

Q5 · Test coverage

How deep is the regression coverage behind that surface, really?

Because it's a published spec, we know exactly what to test for. Where a backend is implemented, we test it for accuracy and completeness. Where it isn't, we mark it mock rather than claim coverage we don't have.

The useful thing about building against a published standard is that the standard is the test contract. The spec defines every endpoint's shape, so we know precisely what correct looks like and can test against it — no guessing about intended behavior.

So coverage tracks reality honestly. Where you've connected a real backend, that path is tested for accuracy and completeness against the spec. Where you haven't, it runs as a marked mock — and we say so, rather than reporting a passing test for something that isn't really there. As you light up more backends, the suite extends with them; with a well-defined spec and AI-assisted development, that's a matter of days, not a project of its own.

Chapter 3 / 5

Fitting Your Stack

Whether this replaces what you have, sits beside it, or is worth building yourself.

Q6 · Two gateways?

If I keep my existing gateway and add yours, don't I now have two things to manage instead of one?

You're not adding a second copy of the same job — you're adding a second path. That path is how you validate the tech on live traffic and adopt it through procurement, without touching what already runs.

A single path is a single point of failure: if it breaks or comes under attack, there's nowhere else for traffic to go. Adding BillionAPIs gives the same traffic a second, independent path — and that's the point, not the overhead.

A second path is also how you validate and adopt without risk. Send a slice of traffic through BillionAPIs and compare (A/B). Roll it out further only as it proves itself (canary). Keep your existing path as an automatic fallback if the primary is ever degraded or attacked. That makes this both a technical-validation and a procurement path: your team proves the technology on real traffic while procurement moves at its own pace, and you decide if and when to consolidate. You're not managing two of the same thing — you're gaining options a single path never gave you.

Q7 · One deployment vs. an ecosystem

"One deployment" sounds like it's doing the job of a dozen products. Is that real, or oversimplified?

Every tool in your stack is an iceberg: a small capability on the surface, a huge mass of config, glue, and tribal knowledge underneath. One deployment keeps the capabilities and removes the mass under all of them.

It's real, but not the way "one product replaces twelve products" usually means. What we replace isn't the visible capability of each tool — it's everything submerged underneath it. A gateway, a WAF, a rate limiter each look small at the surface. Beneath every one sits the real mass: configuration, integration glue, on-call runbooks, and the tribal knowledge of how it all fits together. A dozen tools isn't a dozen small costs. It's a dozen icebergs.

That submerged mass is where the time actually goes. Engineers spend more of their day finding problems than fixing them. Most incident time is gone before the fix even starts — burned on figuring out how a fragmented stack is behaving. One deployment keeps the capabilities you rely on and removes the mass under all of them at once.

Your team could assemble and run this themselves. The honest question is whether you can afford to — and we get that you're skeptical. So add BillionAPIs at a fraction of what your current stack costs, run it alongside what you have, and only replace the rest once it's earned it.

Q8 · Build it yourself

My team can build a tunnel-per-request system with mutual TLS in a few weeks. Why would we buy this instead?

Your team can build this. The real question is whether that's the best use of the team you have — the tunnel is maybe 5% of what's actually needed, and the rest never stops needing maintenance.

Start with a different question: do you want your best engineers spending their time on commodity infrastructure — tunnels, firewalls, rate limiters — or on the product that actually makes your company win? Every sprint spent maintaining plumbing is a sprint not spent on what your team is uniquely good at.

You can build the tunnel-per-request piece in a few weeks — call it 5% of what's actually needed. Left to build: L3/L4 firewalling, a full API gateway with routing and lifecycle management, authentication across OAuth/JWT/mTLS, per-consumer and per-agent rate limiting, a policy engine, observability, agent isolation. Then maintain all of it, upgrade it, and staff on-call for it, across every cloud you run in.

And that's only for today's requirement. When agentic workloads hit production and need per-agent policy, or a partner asks for full spec compliance, you rebuild — pulling your best people off the product again.

Chapter 4 / 5

Security Model

What's actually enforced today, what's still on the roadmap, and where human judgment still has to lead.

Q9 · Cutting corners?

Are we cutting corners here?

No — the opposite. One language chosen for the job, and isolation built into the structure: a fault in one session physically can't spread to the rest.

No corners — but a specific design choice worth being direct about. The runtime is built entirely in Rust, chosen for throughput and memory safety, not a general-purpose web language repurposed for systems work. The underlying tunneling relies on open-source, already-audited protocols you can inspect yourself.

And structurally: every pipeline is single-session — created for one session, destroyed when it ends. A fault in one session doesn't cascade into everything else running, the way it can in a shared, always-on appliance. Each session is isolated, self-contained, and disposable — the blast radius is one.

Q10 · Data Identity

"Data Identity" — is this just tagging fields with a fancier name?

Today it's a real sensitivity catalog built from your own specs. Next, that catalog wires into live enforcement. This isn't pattern-matching with a new name.

Data in motion mostly has no identity today. That gap is a big reason Broken Object Level Authorization (BOLA) has topped the API vulnerability lists for years running. Every existing layer checks the identity of the caller: authenticated, authorized for the endpoint, call goes through. Almost nothing checks whether that caller has the privilege to see the specific data coming back. That's the blind spot.

Data Identity works from the other direction: classify what a piece of data actually is — its sensitivity, independent of who's asking or where it's headed — so policy can be defined against the data itself. We already do this today at the design-time layer: every attribute in your API specs gets classified for sensitivity, with a plain-language rationale, building the catalog this needs. Carrying that classification into real-time, in-motion enforcement across the data path is the direction we're building toward next.

Q11 · Stolen credentials

If an attacker has valid, stolen credentials, doesn't your tunnel just give them a private, encrypted channel out?

We remove every other avenue of attack, so your team's judgment is spent on the one problem that actually needs it: anomalous behavior from valid credentials.

No infrastructure is foolproof against a perfect impersonation — valid credentials, correct behavior, nothing to flag at the door. But the question that actually matters isn't whether the credentials were valid. It's what happens next: what data is being accessed, at what privilege level, and where it's headed. That's where classification-based checks — not caller identity alone — start to matter.

Our architecture is built to close off every other avenue first: no standing connections, no inbound ports, no persistent surface to probe. That narrows the problem to the one thing that genuinely needs human judgment: anomalous behavior from valid credentials. Your team defends that — not everything, everywhere, all at once.

Chapter 5 / 5

Trust & Operations

Where your traffic actually goes, what happens on mobile, and who keeps it running.

Q12 · Where does my traffic go?

My API traffic is routing through a startup's infrastructure. What's your SOC 2? Your ISO 27001?

Single-tenant, deployed inside your own environment. Cross-customer leakage isn't a policy we follow — it's a path that doesn't exist.

Nothing routes through our infrastructure. BillionAPIs is single-tenant by design — when you deploy, we stand up a dedicated environment inside your infrastructure, on your behalf. There is no shared BillionAPIs cloud your traffic passes through, and no multi-tenant fabric where your traffic could intermix with another customer's. That's not a policy commitment — it's a property of the architecture: there's no shared path to leak through.

Your data stays in your environment. Your security team controls the deployment. Your compliance posture is yours — we don't weaken it, we inherit it. Audit the environment yourself; it's your infrastructure.

Q13 · Mobile & app stores

Apple restricts apps that embed VPN-like functionality. Does MobileApp Shield survive App Store review?

Its job is to authenticate that each transaction comes from a genuine, uncompromised app — not a rooted device, an emulator, or a tampered clone. It's app-scoped and works within the OS's controls, never around them.

Start with what it's for. In fintech the risk isn't only eavesdropping on the wire — it's a transaction that looks legitimate but comes from a compromised context: a rooted or jailbroken device, an emulator, or a repackaged clone of your app. MobileApp Shield exists to authenticate each transaction as coming from a genuine, correctly-signed app, and to make faking that as hard as possible.

It works from inside your own app — device-integrity signals and a hardware-bound identity travel with the app's own API traffic, and the final trust decision is made server-side, not left to the client. It's app-scoped: no device-wide VPN, no capturing other apps' traffic, no asking the OS to route the phone through a system tunnel — so it isn't what App Store review restricts. Every control the mobile OS already enforces stays exactly where it is; this adds app-level assurance on top, it doesn't work around anything.

Q14 · Leaving

If we stop paying, what happens to our data and our deployment?

We don't take anything when you go — your data was never on our infrastructure to begin with. Keeping the deployment running afterward is something we work out case by case.

Short answer: there's nothing for us to take. BillionAPIs is single-tenant and runs inside your own environment — your data, your configurations, your policies all live in your infrastructure, never ours. Stopping payment can't put any of that at risk, because it was never on our side to begin with.

Keeping the deployment running after you discontinue service is something we handle case by case, scoped to your environment.

Still have questions?

The best way to answer the rest is to see it running against your own environment.

Schedule a Demo