PEXA’s early architecture relied heavily on traditional, human-scale API provisioning processes. API specs were defined, routes manually configured, and access granted by support engineers through CRM workflows.

But as the ecosystem expanded, complexity multiplied:

• - **Thousands of API consumers**, spanning financial institutions, legal firms, councils, brokers, and SaaS platforms
• - **Fine-grained access control**, down to individual API versions, endpoints, scopes, and data elements
• - **Around 300,000+ spam or DDoS attempts every year**, plus even higher volumes of phishing attacks
• - **Guaranteed payment settlement flows**, where PEXA backs the transaction if bank transfers fail
• - **B2G regulatory oversight**, demanding auditability, mTLS enforcement, and strict data entitlements

“PEXA is in that ecosystem where we integrate with banks, law firms, conveyancers, loan providers," said Rupesh Papneja, Principal Engineering, PEXA. "It’s a very big ecosystem. Payments go through our platform. We also give guarantees in terms of payments when the property ownership is transferred.”

Despite being stable, the legacy system wasn’t optimized for rapid scale or agentic automation.

“Almost 100% is self-serviced today by platform teams, API support teams, and our clients, including AI agents and AI tooling,” Papneja said.

But to reach that future, PEXA needed a gateway layer that could support:

• - Programmatic infrastructure control via HTTP
• - Stateful API cataloging for AI agents
• - Uniform user journeys across developer portals, support consoles, and CRM
• - Automated consumer disablement during security incidents
• - Integration with [_MCP (Model Context Protocol)_](https://konghq.com/blog/learning-center/what-is-mcp)_MCP (Model Context Protocol)_ servers
• - SRE (Site Reliability Engineering) agents for alert reduction and self-healing
• - Compliance validation before API publication
• - Cloud-agnostic deployment across environments
• - Centralized logging, AI-generated analytics, and reports

PEXA introduced an **operator pattern**, inspired by cloud control loops used in Kubernetes and Terraform controllers.

At its core, the operator functions as an **HTTP-enabled orchestration layer** that maintains state, triggers Kubernetes jobs, and exposes APIs to both internal teams and AI agents.

Instead of every persona writing separate automation code for portals, SRE tooling, and CRM, PEXA built **one unified control system**.

• - Developer portal users call the operator
• - API support engineers call the operator
• - CRM forms in Salesforce trigger operator actions
• - SRE alert workflows are verified by agents via operator calls
• - AI support agents provision API access in minutes instead of hours
• - Security disablement buttons in the portal instantly deactivate compromised consumers
• - Internal API catalogue state is exposed to AI agents via MCP servers

“Take an example of two personas: an API support member and a dev portal user. Both want to subscribe to an API product version with specific scope," Papneja said. "How do we ensure the experience is the same, and we write only one code? That’s why we built the operator.”

**Governance automation**

To maintain compliance across thousands of integrations, PEXA embedded governance checks into GitHub CI/CD pipelines. If API specs aren't following guidelines, they don’t get published. That’s how PEXA balances speed with control.

**Security abstraction**

During a breach or compromised partner incident, PEXA must disable API consumers instantly without impacting the entire platform. 

“If a third-party system is hacked, we disable the consumer at any cost," Papneja said. "Our support teams can click one button on the dev portal, and the operator handles it automatically."

PEXA’s Kong-powered transformation delivered measurable impact across infrastructure, developer velocity, and operational efficiency. 

PEXA reduced its **total cost of ownership by nearly 50%**, replacing heavy legacy gateway operations with a leaner, software-defined connectivity layer. API onboarding — once measured in hours — now completes in **about 2 minutes, down from 60+ minutes**, keeping settlement participants moving without delay.

Continuous availability remains core to the platform’s DNA, but the operational burden has shifted. **SRE agents now validate platform health and triage API reliability**, reducing the need for around-the-clock human monitoring. When a security incident demands action, teams can **deactivate a consumer instantly with a single click**, letting automation contain the threat, not amplify it.

With **thousands of B2B and B2G integrations** across banks, law firms, councils, and property ecosystems, PEXA operates at national scale and is already built for machine participation. **MCP servers, support agents, and SRE agents are running in beta**, forming the foundation for agentic operations across the property settlement lifecycle.

Centralized observability and auditability complete the picture: **unified logs and AI-generated API usage reports** provide a real-time system of record for every endpoint and consumer. Under persistent threat, PEXA mitigates **300,000+ DDoS or spam attacks annually**, with Kong protecting the platform’s most critical APIs.

And before anything goes live, **API specifications are scored and validated against security and compliance policies**, ensuring the ecosystem advances safely with momentum, guardrails, and intelligence in equal measure.

“It seems like a lot of work, but we migrated to Kong Konnect in six months with a lean team," Papneja said. "Now we’re looking to adopt Kong’s API scorecard, analytics API, and service protection plugins to remove more internal code and use native platform capabilities.”

PEXA didn’t just modernize its gateway layer. It modernized how infrastructure is controlled, how compliance is enforced, how developers ship safely, and how AI agents interact with regulated APIs.

**Key capabilities gained:**

• - Critical infrastructure resilience via decentralized API orchestration
• - Cloud-agnostic flexibility for deployment
• - HTTP-driven infrastructure control through operator loops
• - AI agent enablement across support and reliability teams
• - One unified automation layer across dev portal, CRM, and SRE tooling
• - Automated compliance gating before API publication
• - Real-time consumer disablement for security incidents
• - Centralized logging and analytics for audit and AI reporting
• - MCP server integration to expose API catalogue intelligence
• - SRE alert reduction using reflective agent verification
• - Service-level protection plugins for rate limiting beyond route level

PEXA is already in the next wave: embracing [the age of AI connectivity](https://konghq.com/blog/news/the-age-of-ai-connectivity)the age of AI connectivity and the **agentic API economy**, where AI agents act as first-class consumers, SRE agents self-heal platform reliability, and API onboarding is fully automated through CRM-driven triggers. This shift also reflects a broader evolution across [highly regulated](https://konghq.com/resources/e-book/ai-projects-regulation-compliance-strategies)highly regulated ecosystems.

PEXA’s transformation demonstrates something deeper than digitization.

• - When property settlement becomes software, API governance becomes national infrastructure
• - When support becomes autonomous, humans become verifiers, not bottlenecks
• - When infrastructure is HTTP-controlled, AI agents become safe operators, not rogue consumers

Most importantly, PEXA’s platform didn’t just scale its services. It scaled **intelligence, trust, and compliance** across an entire country’s property economy, securely powered by Kong.