Why a gateway
Putting TrustGate between your apps and your model providers gives you one control point for:- Multi-provider access — first-class adapters for OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Google Gemini, Vertex AI, Groq, Mistral, and DeepSeek (plus any OpenAI-compatible endpoint), behind one OpenAI-compatible surface.
- Smart routing & load balancing — round-robin, weighted, least-connections, random, and semantic strategies, with health checks and fallback chains.
- Cost & abuse control — request rate limiting, token/dollar LLM budgets, per-model cost caps, request-size guards, and embedding-based semantic caching to cut spend on repeated prompts.
- Tool & prompt governance — allow-list, validate, and reshape the tools an agent can call; inject and version system prompts; restrict which models a consumer may reach.
- Guardrails — built-in TrustGuard, OpenAI Moderation, Azure Content Safety, and AWS Bedrock guardrail policies to inspect prompts and responses inline.
- Multi-tenancy & auth — per-gateway consumers authenticated by API key, OAuth2, OIDC, or mTLS, with policies scoped globally or per consumer.
- Observability — rich per-request telemetry (model, tokens, cost, latency breakdown, routing attempts, policy chain) streamed to Kafka by default, with an opt-in per-gateway OpenTelemetry (OTLP) exporter and TrustLens forwarding, where it powers detection alerts.
- Agent tooling — a dedicated MCP plane exposes MCP servers and tools to agents with full OAuth2 support.
The building blocks
You configure TrustGate through its Admin API (or the console), then send traffic to the proxy. Six objects make up a gateway:| Object | What it is |
|---|---|
| Gateway | The top-level tenant, addressed by a slug. Owns everything below. |
| Registry | An upstream backend — an LLM provider endpoint or an MCP server. |
| Consumer | The calling application’s identity. Owns routing and credentials, addressed by a slug in the URL. |
| Auth | A credential (API key, OAuth2, OIDC, mTLS) that authenticates as a consumer. |
| Policy | A governance rule that runs at request/response stages — rate limiting, budgets, caching, tool governance, guardrails, CORS, and more. |
| Role | Routing config selected from OIDC token claims, for identity-based routing. |
How a request flows
Where to go next
Quickstart
Zero to a forwarded completion in six API calls.
Architecture
Planes, the request lifecycle, and infrastructure.
Core concepts
Gateways, registries, consumers, auth, policies, roles.
Admin API
The full open-source REST API.