
Svenska Spel Scores Big with Futuristic API Platform by Kong
State-owned Swedish gaming company turns custom-built integrations into standardized, secure, cloud-ready API platform

Reaching nearly 4M+ customers through digital, retail, and partner channels
Svenska Spel is a leader in regulated gambling in Sweden, operating one of the country’s largest gaming distribution networks and returning all profits directly to the Swedish Treasury.
Overhauling the fragmented digital ecosystem of Sweden's largest gaming distribution network
Svenska Spel is a Swedish state-owned gaming company founded in the 1930s, when regulated betting began to take shape nationally. Today, the company operates across the lottery, sports betting, and online casino segments within Sweden, reaching nearly 4 million customers through digital, retail, and partner channels.
“Every second adult in Sweden is a customer of ours,” said Henrik Häglund, Head of Platforms and Operations at Svenska Spel, during their session at API Summit 2025.
Because gaming is a highly regulated sector, Svenska Spel holds a dual responsibility: providing entertainment and upholding financial-grade trust. The team describes their mission as both running a gaming business and guardrailing a system built on fairness, transparency, and public accountability.
“We act both as a provider of entertainment and with a bank-like responsibility,” Häglund said.
The company's work extends far beyond operations: it funds gambling addiction research, supports Swedish sports, and returns all profits to the Swedish state by reinvesting directly into society.
The stakes behind the scenes are equally high. Svenska Spel handles 10 million transactions every day, and to them, each one is personal.
“Behind every transaction, there’s a customer hoping for a win. Each transaction represents a dream. Reliability and accuracy aren’t just technical goals for us; it’s how we earn trust.”
As new products launched and the Swedish gaming market continued edging up, Svenska Spel’s digital ecosystem grew fragmented and complex. The organization integrated with more partners, more vendors, and more gaming systems than ever. What they needed wasn’t just connectivity but a secure, scalable foundation to ensure that, as Häglund put it, “every interaction, external or internal, is secure, scalable, and seamless.”
This is the story of how Svenska Spel overhauled that foundation with Kong Konnect, building a standardized, cloud-ready API platform capable of supporting mission-critical traffic while buckling up for the next decade of growth and innovation.
Managing complexity, security, and flexibility across a growing ecosystem
While Svenska Spel is a gaming company, half its employees work in technology roles. In many ways, Svenska Spel has become a tech company specializing in gaming.
For years, the company relied on a web of custom-built integration components and gateways. These solutions were originally designed to meet specific needs, and for a long time, they worked well. They delivered low latency, strong performance, and high stability across their three-node data center. But over time, these bespoke systems came with a cost: complexity that hindered scale, slowed innovation, and made integration work increasingly difficult.
“We realized these custom solutions were hard to maintain, difficult to integrate, and had future limitations. They made it hard to scale, to innovate, and move fast.”
Svenska Spel was managing:
- 700+ APIs
- 1 million API calls per day
- Rapid growth in external partners with different technical stacks
- Multiple kinds of clients accessing internal and external services
Each custom gateway behaved differently. Each integration pattern had unique quirks. And each partner required specialized handling. Consequently, teams lacked a unified way to onboard integrations, secure traffic, and maintain consistency.
In addition, security requirements continued to intensify. Gaming companies around the world face rising cybersecurity and compliance expectations, and Svenska Spel is no exception. Svenska Spel needed:
- Zero-trust security
- Consistent identity enforcement
- Support for both internal and external clients
- Auditable, compliant traffic flows
- Predictable governance without slowing teams down
“Demand for strong security has grown as the world around us changes,” Häglund said. “Stricter security requirements are simply a fact of life.”
But perhaps the most challenging constraint was that a major cloud migration was on the horizon, and the company did not yet know which cloud provider it would ultimately adopt, or when. This uncertainty meant the new API platform needed to be cloud-ready without being cloud-dependent.
Standardizing with Kong, Kubernetes, OIDC, and zero trust
After years of incremental evolution, the leadership team at Svenska Spel realized the existing architecture could no longer support the company’s future ambitions. They needed to move from:
- 600 tightly coupled modules to 130 well-defined microservices
- Custom-built systems to standardized, open tooling
- Ad-hoc APIs to designed API products
- On-prem complexity to cloud-ready primitives
- Fragmented traffic flows to unified governance
The transformation required not just new technology but a new operating model. And that new model started with Kong.
The team evaluated internal builds and external vendors. As Häglund put it, their goal was clear: “standardized simplicity — not another custom-built solution to maintain.” Finally, they chose Kong Konnect for three reasons:
- A SaaS control plane that simplifies migration
- Cloud-consistent patterns that work on-prem and in the cloud
- A flexible foundation for both internal and external API traffic
“With Kong Konnect, we get the control plane as SaaS, meaning we no longer tie it to on-prem solutions. That makes migration much smoother. It allows us to use the same architecture on-prem as in the cloud.”
A packaged API integration gateway powered by Kong
One of the most transformative elements of the modernization was the creation of an internal package called the API Integration Gateway, built on top of Kong. It includes Helm charts for data planes and control plane components, bundles together Kong plugins selected for common integration needs, includes the Spiffy Helper sidecar to manage SPIFFE/SVID identity, and gives teams a consistent blueprint they can deploy themselves. And most importantly, each client or partner gets its own dedicated gateway.
“We have one of these API Integration Gateways for each client and each external partner,” said Mattias Karlsson, Product Owner API, K8 and CIAM at Svenska Spel. “We do this to keep them completely isolated from each other, so no client can affect another in a negative way.”
This isolation produced immediate security and operational benefits:
- No shared failure domains
- No cross-tenant interference
- Easier maintenance windows
- Clear ownership boundaries
A modern identity and authorization framework
Svenska Spel adopted a highly secure flow built on OIDC, authorization code flow, secure session authentication, SPIFFE/SPIRE identities (SVID), and a custom plugin built with help from the Kong team.
Mattias walked through one example.
- A client authenticates against the identity provider.
- It receives an authorization code.
- The gateway exchanges that code for an access token without sending the token to the browser.
- Kong stores the token encrypted in a secure session store.
- Kong returns a session cookie to the client.
- When the client makes a request, Kong verifies the cookie, retrieves the token, and forwards the request.
- The microservice gateway validates the token again before processing.
This setup ensures zero-trust enforcement at every layer.
“We don’t actually share the access token with the browser,” Mattias said. “The token stays inside the Kong data plane.”
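The flow above as a runnable sketch (an added example, not Svenska Spel's or Kong's code). The in-memory identity provider, the session store and every function name are assumptions, and encryption of the stored token at rest is left out; the point is that the browser only ever holds an opaque signed cookie while the token is checked again at the microservice gateway.

```python
import hashlib, hmac, secrets, time

COOKIE_KEY = secrets.token_bytes(32)  # known only to the gateway
SESSIONS = {}                         # sha256(session id) -> (access token, expiry)
IDP_CODES, IDP_TOKENS = {}, {}        # stand-in IdP state: one-time codes, issued tokens

def idp_issue_code(user):
    """Steps 1-2: after login the IdP hands the client a one-time code."""
    code = secrets.token_urlsafe(16)
    IDP_CODES[code] = user
    return code

def idp_redeem(code):
    """Back-channel token endpoint: a code can be redeemed exactly once."""
    user = IDP_CODES.pop(code, None)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    IDP_TOKENS[token] = user
    return token

def sign(sid):
    return hmac.new(COOKIE_KEY, sid.encode(), hashlib.sha256).hexdigest()

def gateway_callback(code, ttl=900):
    """Steps 3-5: redeem the code server-side, keep the token, return a cookie."""
    token = idp_redeem(code)
    if token is None:
        return None
    sid = secrets.token_urlsafe(32)
    # Assumption: a real store would also encrypt the token at rest (omitted here).
    SESSIONS[hashlib.sha256(sid.encode()).hexdigest()] = (token, time.time() + ttl)
    return f"{sid}.{sign(sid)}"

def microservice_gateway(headers):
    """Step 7: the service-side gateway validates the token again."""
    auth = headers.get("Authorization", "")
    user = IDP_TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
    return (200, user) if user is not None else (401, None)

def gateway_request(cookie):
    """Step 6: verify the cookie, fetch the token, forward it upstream."""
    sid, _, mac = cookie.partition(".")
    if not hmac.compare_digest(mac.encode(), sign(sid).encode()):
        return (401, None)
    entry = SESSIONS.get(hashlib.sha256(sid.encode()).hexdigest())
    if entry is None or entry[1] < time.time():
        return (401, None)
    return microservice_gateway({"Authorization": f"Bearer {entry[0]}"})
```
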
Standardizing microservices with Envoy and Kubernetes
Svenska Spel defines each microservice as a Kubernetes namespace, fronted by an Envoy-based microservice gateway. Key security properties include:
- All incoming requests must contain an access token.
- Token validation occurs against the authorization service.
- All network traffic is denied by default.
- Teams must explicitly allow ingress and egress.
“Every microservice isn’t accessible by default,” Mattias said. “It requires owners to take explicit actions to allow both incoming and outgoing requests.”
Preparing for the future: Kong operator and service catalog
Svenska Spel is already testing Kong Operator, which improves Kubernetes-native API gateway management and integrates with the service catalog. They plan to bring it into production as soon as version 2.1 becomes available.
A cloud-ready, secure, and scalable platform, built for the future
Svenska Spel’s transformation is ongoing, but the shift to Kong Konnect and standardized microservices has already delivered major outcomes.
- A unified, standardized API platform — The organization now has consistent API governance across hundreds of services, isolated gateways for every partner integration, predictable identity and security patterns, and a self-service model for internal teams.
- Zero-trust security built into every layer — With OIDC, SPIFFE/SPIRE, Envoy-based gateways, and strict Kubernetes network policies, Svenska Spel now enforces token validation on every request, secure identity at both gateway and microservice layers, strict isolation between integrations, and cloud native security primitives.
- Faster migration and cross-environment consistency — By using Kong Konnect’s SaaS control plane, teams can maintain identical patterns on-prem and in cloud environments, dramatically reducing migration complexity.
- A platform designed for AI and future growth — The modernization aligns with Svenska Spel’s long-term vision of moving from endpoints to API products and from system data to reusable data products — and all while building a foundation ready for AI, personalization, and real-time analytics.
- A roadmap for what's next — Svenska Spel’s migration plans include adopting Kong Operator in production, expanding partner integrations into the new flow, migrating gaming site APIs at scale, completing the modernization journey before the end of 2026, and completing the full cloud migration before 2028.
Svenska Spel has turned a complex, custom-built integration landscape into a standardized, secure, and cloud-ready platform that’s capable of supporting millions of daily transactions, compliant with stringent regulatory requirements, and friendly to the next generation of gaming innovation.
By adopting Kong, modern identity management frameworks, Kubernetes-native microservices, and reusable gateway patterns, the company has built a foundation that is faster, safer, and far more scalable than what came before.