NeuralTrust | The leading security platform for generative AI

The Admin API is the open-source control plane for TrustGate. Everything the console does, you can do over REST — create gateways, register upstreams, mint consumer keys, attach policies. The endpoint pages in this section are generated directly from the AgentGateway OpenAPI spec and include a live request builder.

Base URL & authentication

The Admin plane listens on :8080. All /v1/... routes require a bearer admin JWT (HS256), signed with the deployment’s SERVER_SECRET_KEY:

Authorization: Bearer <admin-jwt>

See Server security for how to mint one, and the Quickstart for an end-to-end walk through.

Resources

Group	Path	Manages
System	`/healthz`, `/readyz`, `/__/version`	Probes and build info (no auth).
Gateways	`/v1/gateways`	Gateways.
Registries	`/v1/gateways/{gateway_id}/registries`	Registries + test-connection, tools.
Consumers	`/v1/gateways/{gateway_id}/consumers`	Consumers + registry/role/auth/policy attach.
Auth	`/v1/gateways/{gateway_id}/auths`	Auth credentials.
Policies	`/v1/gateways/{gateway_id}/policies`	Policies + global, duplicate.
Roles	`/v1/gateways/{gateway_id}/roles`	Roles + registry binding.
Catalogs	`/v1/providers-catalog`, `/v1/models-catalog`, `/v1/mcp-servers-catalog`	Read-only reference data.

The proxy is separate

This reference covers the Admin API. Runtime traffic goes to the Proxy plane (:8081) on the OpenAI-compatible routes — POST /{consumer_slug}/v1/chat/completions, /v1/messages, and /v1/responses — authenticated with the consumer’s X-AG-API-Key (or an OAuth2/IDP token), not the admin JWT. See Architecture and the Quickstart.

​Base URL & authentication

​Resources

​The proxy is separate

Base URL & authentication

Resources

The proxy is separate