On April 6th, 2026, we released an updated version of Apigee.

This change introduces the new apigee.coreServiceAgent IAM role for Apigee. Effective immediately, use apigee.coreServiceAgent instead of the apigee.serviceAgent role.

For information on the new role, see apigee.coreServiceAgent.

Fixed

Correction to April 2, 2026 release note: Deployment disruption for Apigee Drupal Portal via Google Cloud Marketplace

For the deployment disruption announced on April 2, the announcement noted that deployment and management functionality using Google Cloud Deployment Manager would definitely be unavailable during the transition. This statement is incorrect. The functionality might be unavailable.

See the Known issue for more information.

Deployment disruption for Apigee Drupal Portal via Google Cloud Marketplace

Google Cloud Deployment Manager was deprecated as of March 31, 2026. We are currently transitioning the Apigee Drupal Portal Marketplace solution to use Infrastructure Manager. During this transition period, some deployment and management functionalities are unavailable.

Impact:

• New Deployments: Starting April 1, 2026, attempting to deploy a new Apigee Drupal Portal instance using the "Deploy" button on the Google Cloud Marketplace will fail.
• Existing Deployments: Your underlying resources (such as VMs and Cloud SQL databases) are unaffected and will continue to run normally. However, you can no longer use Deployment Manager-based features to manage the deployment via the Marketplace UI or the gcloud deployment-manager tool.

Workaround & Resolution: Any configuration changes or management tasks must be performed directly on the individual Google Cloud resources (Compute Engine, Cloud SQL, etc.) rather than through the Marketplace UI.

We are actively working to release the updated Infrastructure Manager-based solution.

General Availability (GA) launch of Model Context Protocol (MCP) in Apigee

With this release, Model Context Protocol (MCP) in Apigee is generally available, enabling you to expose your Apigee APIs as MCP tools to agentic applications.

Any MCP client that supports remote MCP endpoints over HTTP/S can access these tools. Because the endpoints are managed, you don't need to install or manage local MCP servers, remote MCP servers, or additional infrastructure to enable agentic applications to access your services.

MCP in Apigee is available for Subscription, Pay-as-you-go, and Evaluation organizations, including organizations with Data Residency and VPC Service Controls enabled.

For more information on using MCP in Apigee, see MCP in Apigee overview.

Change

Updated MCP server target endpoint for MCP Discovery Proxies

With the GA launch of Model Context Protocol (MCP) in Apigee, the structure of the MCP server target endpoint for MCP Discover Proxies has changed to ORG_NAME.mcp.apigee.internal.

Private preview customers using the previous format (mcp.apigee.internal) are encouraged to update their proxies to reflect the new structure. Existing endpoints using the old format will continue to work, but new endpoints will use the new structure.

Announcement

On March 31st, 2026, we released an updated version of Apigee.

Feature

Enhanced OAS server URL path handling for MCP in Apigee

With this feature enhancement, your OpenAPI specification (OAS) configurations behave exactly as defined in the OAS standard, automatically combining the server.url base path value with individual operation paths.

For example, a server URL ofhttps://example.com/api/v1 paired with a path of /users will now correctly route to https://example.com/api/v1/users without additional manual intervention.

If you previously prepended base paths to your OAS paths entries, remove the path segment from your servers.url field to prevent duplication. For example, change https://example.com/api/v1 to https://example.com.

For more information, see Create an OpenAPI 3.0 specification.

Issue

Known Issue 496552286: Deployment fails for MCP Discovery Proxies in regions with capacity limitations.

For more information, see Apigee known issues.

On March 26th, 2026, we released an updated version of Apigee (1-17-0-apigee-6).

Security

Fixed

On March 19th, 2026, we began maintenance updates of Apigee instances configured for maintenance windows.

If you set a preferred window for maintenance for your instance, and your instance version is below 1-16-0-apigee-6, your instance will be updated to 1-16-0-apigee-6 within the next seven to 21 days. A notification containing the expected date of upgrade will be sent within the next two business days.

For more information on participating in scheduled maintenance windows, see Maintenance overview and Manage Apigee instance maintenance windows.

On March 17th, 2026, we released an updated version of Apigee (1-17-0-apigee-5).

Fixed

On March 10th, 2026, we released an updated version of Apigee (1-17-0-apigee-4).

Security

Fixed

On February 24th, 2026, we released an updated version of Apigee (1-17-0-apigee-3).

Fixed

Security

On February 13, 2026, we published a security bulletin for Apigee.

Security

A vulnerability was identified in the Apigee platform (CVE-2025-13292) that could have allowed a malicious actor with administrative or developer-level permissions in their own Apigee environment to elevate privileges and access cross-tenant data.

Security bulletin published: GCP-2026-010

On February 10, 2026, we released an updated version of Apigee (1-17-0-apigee-2).

Security

Announcement

On February 6th, 2026, we released an updated version of Apigee.

Known Issue: 480997525 - Proxy calls fail with The URI contains illegal characters error after Netty upgrade

On January 21st, 2026, we released an updated version of Apigee (1-17-0-apigee-1).

Fixed

Security

The Apigee Extension Processor provisioning API is available

Apigee Extension Processor customers can now use the Extension Processor provisioning API to create traffic extensions. For more information, see Get started with the Apigee Extension Processor

Announcement

On December 29th, 2025, we released an updated version of Apigee.

New Apigee policies for LLM Token Management are now Generally Available (GA)

Two new Apigee policies for managing Large Language Model (LLM) workloads are now Generally Available (GA). These policies provide fine-grained control and rate-limiting for AI application traffic as follows:

• LLMTokenQuota policy
  • This policy monitors and enforces limits on LLM response token usage to control overall LLM expenditure and resource allocation.
  • It can be configured with <CountOnly> (placed in the response flow to track tokens consumed) or <EnforceOnly> (placed in the request flow to block calls if the quota is exceeded).
  • If the quota is reached, Apigee returns an HTTP 429 (Too Many Requests) status code.
  • For more information, see LLMTokenQuota Policy.
• PromptTokenLimit policy
  • This policy provides a token-based rate-limiting mechanism analogous to the SpikeArrest policy, specifically for the tokens consumed by the user's prompt message.
  • It calculates the prompt's token count using the widely adopted o200k_base encoding technique.
  • If the configured token rate limit is exceeded, the incoming request is blocked, returning an HTTP 429 (Too Many Requests) status code.
  • For more information, see PromptTokenLimit policy.

Related documents:

• Get started with Apigee AI token policies
• Rate-limiting
• Comparing rate-limiting policies
• Managing API products
• LLMTokenQuota policy
• PromptTokenLimit policy

Announcement

On December 23, 2025, we released an updated version of Apigee.

On December 10th, 2025, we released an updated version of Apigee (1-16-0-apigee-6).

Fixed

Mask KVM values

You can now turn on key value map (KVM) masking to mask values with asterisks (*****). For more information, see About KVM masking.

On November 17, 2025, we released an updated version of Apigee (1-16-0-apigee-5).

Feature

Secure and validate documents using WS-Security with X.509 certificates

You can now secure and validate SOAP documents using WS-Security with X.509 certificates using crypto object methods. See Secure SOAP documents using WS-Security with X.509 certificates and Validate SOAP documents using WS-Security with X.509 certificates.

Change

New field available in the Apigee Organization API

With this release, a new field is added to the Apigee Organization API. The new caCertificates (plural) field returns the value of the original CA certificate field and can hold additional values. The original caCertificate (singular) field is deprecated.

Security

Fixed

On October 31, 2025, we released an updated version of Apigee (1-16-0-apigee-4).

Security

Fixed

On October 29, 2025, we released an updated version of Apigee.

Feature

Support for API-product scoped quotas

You can now set quotas at the API product level to limit the number of requests all API proxies in the API product can process within a specified time frame. See Configuring the quota policy to use API product quota settings for information and instructions.

NOTE: API product-scoped quotas are not supported in Apigee hybrid at this time.

Feature

Enhanced Validation for API products

Heightened validation logic for creating and updating API products is now available. Apigee now explicitly verifies proxy and environment resources against your organization when creating and updating API products.

Please ensure that all referenced resources exist and are correctly associated with your organization to avoid validation errors.

On October 27, 2025, we released an updated version of Apigee.

Feature

Introduction of the target.evaluated.url flow variable

This release includes a new flow variable, target.evaluated.url, which should be used instead of the target.url flow variable in cases when the URL is dynamically constructed based on user input.

For more information, see the target flow variables documentation.

Fixed

Announcement

On October 16, 2025, we released an updated version of Apigee (1-16-0-apigee-3).

Removal of deprecated Gemini Code Assist @Apigee tool.

The Gemini Code Assist @Apigee tool is shut down as of October 14, 2025.

See Gemini Code Assist @Apigee tool deprecation for information.

Deprecation of the Gemini Code Assist @Apigee tool.

The Gemini Code Assist @Apigee tool is deprecated and will be shut down as of October 14, 2025.

See Gemini Code Assist @Apigee tool deprecation for information.

Previously unreported customer DNS misconfigurations now result in DNS errors

Apigee removed the automatic DNS fallback functionality that was in 1-16-0-apigee-2. This removal surfaces customer DNS misconfigurations that previously did not show as DNS errors.

See Known Issue 445936920.

Announcement

On September 12, 2025, we released an updated version of Apigee (1-16-0-apigee-2).

API hub navigation update

The API hub section is now moved to the top level of the Apigee left navigation menu. This change improves discoverability and access to the API hub features.

On September 9, 2025, we released an updated version of Apigee (1-16-0-apigee-1).

Change

On September 4, 2025, we released an updated version of Apigee.

Feature

Apigee policies for LLM/GenAI workloads are Generally Available (GA)

Four new Apigee policies supporting LLM/GenAI workloads are now GA:

• SemanticCacheLookup policy
• SemanticCachePopulate policy
• SanitizeUserPrompt
• SanitizeModelResponse

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs. With this release, the semantic caching policies support URL templating, enabling the use of variables for AI model endpoint values.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

• Get started with semantic caching policies
• Get started with Apigee Model Armor policies

Apigee Server-Sent Events (SSE) and EventFlows are supported for use with the Apigee Extension Processor.

The Apigee SSE feature enables continuous response streaming from server-sent event (SSE) endpoints to clients in real time. To learn more about this feature, see Streaming server-sent events.

The Apigee Extension Processor is a traffic extension that lets you use Cloud Load Balancing to send callouts from the data processing path of the application load balancer to the Apigee Extension Processor. To learn more, see the Apigee Extension Processor overview.

Announcement

On September 3, 2025, we released an updated version of Apigee.