AI Gateway in Your Internal Developer Platform
An Internal Developer Platform (IDP) centralizes infrastructure provisioning, service discovery, and operational tooling behind a unified developer experience. This guide covers registering the Keeptrusts gateway as a platform capability, integrating with Backstage, and exposing AI governance as a self-service catalog entry.
Use this page when
- You are registering the Keeptrusts gateway as a managed platform capability in your IDP
- You need Backstage catalog entries, API entities, and scaffolder templates for team onboarding
- You want to expose AI governance as a self-service catalog entry alongside compute, storage, and messaging
Primary audience
- Primary: Technical Engineers
- Secondary: AI Agents, Technical Leaders
The AI Gateway as a Platform Capability
Platform Service Model
Position the Keeptrusts gateway as a managed platform service rather than a standalone tool:
┌─────────────────────────────────────────────┐
│ Internal Developer Platform │
├──────────┬──────────┬──────────┬────────────┤
│ Compute │ Storage │ Messaging│ AI Gateway │
│ (K8s) │ (S3/PG) │ (Kafka) │ (Keeptrusts)│
└──────────┴──────────┴──────────┴────────────┘
Developers interact with the AI gateway the same way they interact with databases or message queues — through the platform's provisioning layer, not by deploying infrastructure themselves.
Backstage Integration
Catalog Entity Definition
Register the Keeptrusts gateway as a Backstage component:
# catalog-info.yaml
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
name: keeptrusts-gateway
description: "AI governance gateway — policy enforcement, cost controls, and audit logging for all LLM traffic"
annotations:
backstage.io/techdocs-ref: dir:.
keeptrusts.dev/gateway-type: hosted
keeptrusts.dev/api-url: https://keeptrusts-api.internal:8080
tags:
- ai
- governance
- gateway
links:
- url: https://console.keeptrusts.internal
title: Management Console
icon: dashboard
- url: https://keeptrusts-api.internal:8080/health
title: API Health
icon: heart
spec:
type: service
lifecycle: production
owner: platform-team
system: ai-platform
providesApis:
- keeptrusts-gateway-api
API Entity
Expose the gateway's OpenAI-compatible endpoint as a Backstage API:
# keeptrusts-gateway-api.yaml
apiVersion: backstage.io/v1alpha1
kind: API
metadata:
name: keeptrusts-gateway-api
description: "OpenAI-compatible endpoint proxied through Keeptrusts governance gateway"
tags:
- ai
- openai-compatible
spec:
type: openapi
lifecycle: production
owner: platform-team
system: ai-platform
definition: |
openapi: 3.0.0
info:
title: Keeptrusts Gateway
version: 1.0.0
servers:
- url: https://gateway.internal:41002
paths:
/v1/chat/completions:
post:
summary: Create chat completion (governed)
security:
- gatewayKey: []
/health:
get:
summary: Gateway health check
components:
securitySchemes:
gatewayKey:
type: http
scheme: bearer
Backstage Template for Team Onboarding
Create a Backstage software template that provisions AI access:
# templates/ai-team-onboard/template.yaml
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
name: ai-team-onboard
title: Onboard Team to AI Platform
description: Provision a team with AI gateway access, policy config, and wallet
tags:
- ai
- onboarding
spec:
owner: platform-team
type: provisioning
parameters:
- title: Team Details
required:
- teamName
- policyTier
properties:
teamName:
title: Team Name
type: string
description: "Unique team identifier"
policyTier:
title: Policy Tier
type: string
enum:
- tier-1-exploration
- tier-2-internal
- tier-3-customer-facing
description: "Governance tier for the team"
dailyBudget:
title: Daily Budget (USD)
type: number
default: 100
steps:
- id: create-team
name: Create Keeptrusts Team
action: http:backstage:request
input:
method: POST
path: /api/proxy/keeptrusts/v1/teams
headers:
Content-Type: application/json
body:
name: ${{ parameters.teamName }}
- id: provision-key
name: Provision Gateway Key
action: http:backstage:request
input:
method: POST
path: /api/proxy/keeptrusts/v1/tokens
headers:
Content-Type: application/json
body:
name: "${{ parameters.teamName }}-gw-key"
token_type: gateway
team_id: ${{ steps['create-team'].output.body.id }}
- id: apply-config
name: Apply Policy Configuration
action: http:backstage:request
input:
method: POST
path: /api/proxy/keeptrusts/v1/configurations
headers:
Content-Type: application/json
body:
name: "${{ parameters.teamName }}-config"
team_id: ${{ steps['create-team'].output.body.id }}
template_id: ${{ parameters.policyTier }}
output:
links:
- title: View in Console
url: "https://console.keeptrusts.internal/settings/teams/${{ steps['create-team'].output.body.id }}"
Backstage Proxy Configuration
Route Backstage API calls to the Keeptrusts API through the Backstage proxy:
# app-config.yaml (Backstage)
proxy:
endpoints:
/keeptrusts:
target: https://keeptrusts-api.internal:8080
headers:
Authorization: "Bearer ${KEEPTRUSTS_ADMIN_TOKEN}"
changeOrigin: true
pathRewrite:
'^/api/proxy/keeptrusts': ''
Service Catalog Enrichment
Annotating Services with AI Dependencies
Tag application components that depend on AI capabilities:
# my-app/catalog-info.yaml
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
name: customer-support-bot
annotations:
keeptrusts.dev/gateway-key-name: support-team-gw-key
keeptrusts.dev/policy-tier: tier-3-customer-facing
keeptrusts.dev/daily-budget: "500"
spec:
type: service
lifecycle: production
owner: support-team
consumesApis:
- keeptrusts-gateway-api
Custom Backstage Plugin (Widget)
Build a Backstage plugin that shows AI governance status on entity pages:
// plugins/keeptrusts/src/components/GovernanceStatusCard.tsx
import { InfoCard, StatusOK, StatusError } from '@backstage/core-components';
import { useEntity } from '@backstage/plugin-catalog-react';
export const GovernanceStatusCard = () => {
const { entity } = useEntity();
const keyName = entity.metadata.annotations?.['keeptrusts.dev/gateway-key-name'];
const tier = entity.metadata.annotations?.['keeptrusts.dev/policy-tier'];
return (
<InfoCard title="AI Governance">
<p>Gateway Key: {keyName ?? 'Not configured'}</p>
<p>Policy Tier: {tier ?? 'None'}</p>
<p>Status: {keyName ? <StatusOK /> : <StatusError />}</p>
</InfoCard>
);
};
Self-Service Provisioning Flow
End-to-End Developer Journey
Developer opens Backstage
→ Selects "Onboard Team to AI Platform" template
→ Fills in team name, policy tier, budget
→ Backstage scaffolder provisions:
1. Keeptrusts team
2. Gateway key (stored in Vault)
3. Policy configuration from template
4. Wallet allocation
→ Developer receives:
- Gateway endpoint URL
- Vault path for gateway key
- Link to console dashboard
- Getting-started documentation
→ First AI request within minutes
Terraform Module for IDP Integration
For IDPs built on Terraform, wrap Keeptrusts provisioning in a reusable module:
# modules/keeptrusts-team/main.tf
variable "team_name" {
type = string
}
variable "policy_tier" {
type = string
default = "tier-2-internal"
}
variable "daily_budget_usd" {
type = number
default = 100
}
resource "keeptrusts_team" "this" {
name = var.team_name
}
resource "keeptrusts_configuration" "this" {
name = "${var.team_name}-config"
team_id = keeptrusts_team.this.id
template_id = var.policy_tier
}
resource "keeptrusts_gateway_key" "this" {
name = "${var.team_name}-gw-key"
team_id = keeptrusts_team.this.id
}
output "gateway_key_id" {
value = keeptrusts_gateway_key.this.id
sensitive = true
}
output "team_id" {
value = keeptrusts_team.this.id
}
The goal is zero-friction AI adoption: developers discover the capability in Backstage, provision access through a template, and start building — all within the platform's existing workflows.
For AI systems
- Canonical terms: Internal Developer Platform, IDP, Backstage, catalog entity, API entity, scaffolder template, platform capability, self-service provisioning
- Backstage kinds:
Component(keeptrusts-gateway),API(keeptrusts-gateway-api),Template(ai-team-onboard) - Key annotations:
keeptrusts.dev/gateway-type,keeptrusts.dev/api-url - API endpoints used in templates:
POST /v1/teams,POST /v1/configurations,POST /v1/tokens,POST /v1/wallets/allocate - Related pages: Self-Service Portal, Golden Paths, Multi-Tenant Gateway
For engineers
- Register the gateway as a Backstage
Componentwithspec.type: serviceandprovidesApis: [keeptrusts-gateway-api] - Define the gateway's OpenAI-compatible endpoint as a Backstage
APIentity with paths for/v1/chat/completionsand/health - Create a scaffolder
Templatethat provisions a team, assigns a policy template, allocates a wallet, and creates a gateway key in one workflow - Use Terraform
keeptrusts_team,keeptrusts_gateway_key, andkeeptrusts_configurationresources for infrastructure-as-code provisioning - Validate: after running the scaffolder template, confirm the team can send requests through the gateway and see events in the console
For leaders
- Positioning AI governance as a platform capability (alongside compute and storage) signals maturity and reduces friction
- Backstage integration gives developers a single discovery point — no separate portal or documentation to find
- Scaffolder templates reduce onboarding from days to minutes with zero platform-team involvement
- IDP-level provisioning enforces consistent governance from day one — no team can bypass policy setup
- Terraform integration supports GitOps-driven team management for enterprises with existing IaC workflows
Next steps
- Build Self-Service Portal provisioning scripts for teams not using Backstage
- Define Golden Paths with SDK wrappers and policy presets
- Deploy isolated team gateways with Multi-Tenant Gateway fleet management