Building a Self-Service AI Portal

Platform teams should not be a bottleneck for AI adoption. This guide covers building a self-service portal where developers provision their own AI access, choose from pre-approved policy templates, and start building with guardrails in place — all without filing a ticket.

Use this page when

• You are building automated team onboarding that provisions gateway keys, policy configs, and wallets
• You need API-driven or Terraform-based provisioning scripts for self-service AI access
• You want to eliminate platform team as a bottleneck by letting developers provision their own governed AI access

Primary audience

• Primary: Technical Engineers
• Secondary: AI Agents, Technical Leaders

Gateway Key Provisioning

API-Driven Key Creation

Gateway keys (kt_gk_...) are the credential developers use to send traffic through the Keeptrusts gateway. Automate provisioning through the tokens API:

# Create a gateway key for a developer team
curl -X POST https://keeptrusts-api.internal:8080/v1/tokens \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "team-frontend-dev",
    "token_type": "gateway",
    "team_id": "team_frontend_uuid",
    "description": "Frontend team development gateway key",
    "expires_at": "2026-12-31T23:59:59Z"
  }'

The response includes the key value — store it securely and deliver it to the requesting team via your secrets management system.

Automated Provisioning Script

Wrap the API calls in a provisioning script that teams trigger through your internal portal:

#!/usr/bin/env bash
set -euo pipefail

TEAM_NAME="${1:?Usage: provision-ai-access.sh <team-name>}"
API_URL="${KEEPTRUSTS_API_URL:-https://keeptrusts-api.internal:8080}"
ADMIN_TOKEN="${KEEPTRUSTS_ADMIN_TOKEN:?Set KEEPTRUSTS_ADMIN_TOKEN}"

echo "Creating team: ${TEAM_NAME}"
team_id=$(curl -sf -X POST "${API_URL}/v1/teams" \
  -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
  -d "{\"name\": \"${TEAM_NAME}\"}" | jq -r '.id')

echo "Assigning default policy template..."
curl -sf -X POST "${API_URL}/v1/configurations" \
  -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
  -d "{
    \"name\": \"${TEAM_NAME}-config\",
    \"team_id\": \"${team_id}\",
    \"template_id\": \"standard-guardrails-v2\"
  }" > /dev/null

echo "Provisioning gateway key..."
gw_key=$(curl -sf -X POST "${API_URL}/v1/tokens" \
  -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
  -d "{
    \"name\": \"${TEAM_NAME}-gw-key\",
    \"token_type\": \"gateway\",
    \"team_id\": \"${team_id}\"
  }" | jq -r '.token')

echo "Gateway key provisioned. Deliver securely to the team."
echo "Key prefix: ${gw_key:0:12}..."

Terraform Provider Integration

For teams using Terraform to manage infrastructure, model Keeptrusts resources as Terraform HTTP data sources or use a custom provider wrapper:

# keeptrusts-team.tf
resource "keeptrusts_team" "data_science" {
  name        = "data-science"
  description = "Data science team AI access"
}

resource "keeptrusts_gateway_key" "data_science_dev" {
  name    = "data-science-dev"
  team_id = keeptrusts_team.data_science.id

  lifecycle {
    create_before_destroy = true
  }
}

resource "keeptrusts_configuration" "data_science_policy" {
  name        = "data-science-policy"
  team_id     = keeptrusts_team.data_science.id
  template_id = "standard-guardrails-v2"
}

output "gateway_key_id" {
  value     = keeptrusts_gateway_key.data_science_dev.id
  sensitive = true
}

Console Team Management

The management console provides a team management interface under Settings → Teams. Platform administrators can:

• Create teams and assign members
• Set team-level spend limits via wallet allocations
• Bind policy configurations to teams
• View per-team event dashboards and cost breakdowns

Team Hierarchy

Structure teams to match your organization:

Organization
├── Platform Team (admin)
├── Product Engineering
│   ├── Frontend Squad
│   └── Backend Squad
├── Data Science
│   ├── ML Engineering
│   └── Research
└── Customer Support
    └── AI Assistants

Each team gets its own gateway key, policy config, and wallet. Nested teams inherit parent policies unless explicitly overridden.

Template Library

Pre-Approved Policy Templates

Maintain a library of vetted policy templates that teams select during onboarding:

# templates/standard-guardrails-v2.yaml
keeptrusts:
  template:
    name: "Standard Guardrails v2"
    description: "Baseline safety policies for general AI usage"
    version: "2.0"
  policies:
    - name: pii-filter
      type: output_filter
      action: redact
      patterns: ["SSN", "credit_card", "phone_number"]
    - name: prompt-injection-guard
      type: input_filter
      action: block
      detection: prompt_injection
      sensitivity: medium
    - name: cost-cap
      type: spend_limit
      action: block
      max_daily_usd: 100
    - name: disclaimer
      type: output_modifier
      action: append
      text: "AI-generated content. Verify before use."

# templates/healthcare-hipaa.yaml
keeptrusts:
  template:
    name: "Healthcare HIPAA"
    description: "HIPAA-compliant policies for healthcare AI"
    version: "1.0"
  policies:
    - name: phi-redaction
      type: output_filter
      action: redact
      patterns: ["patient_name", "MRN", "DOB", "SSN", "diagnosis"]
    - name: no-medical-advice
      type: output_filter
      action: block
      categories: ["medical_diagnosis", "treatment_recommendation"]
    - name: audit-all
      type: event_logging
      action: log
      log_level: full
      retention_days: 2555

Template Validation

Validate templates in CI before publishing:

# Validate all templates
for tmpl in templates/*.yaml; do
  echo "Validating ${tmpl}..."
  kt policy lint --file "${tmpl}"
done

Developer Onboarding Automation

Onboarding Workflow

Automate the complete onboarding flow from team creation to first request:

# .github/workflows/onboard-team.yml
name: Onboard AI Team
on:
  workflow_dispatch:
    inputs:
      team_name:
        description: "Team name"
        required: true
      template:
        description: "Policy template"
        required: true
        type: choice
        options:
          - standard-guardrails-v2
          - healthcare-hipaa
          - finance-sox
          - minimal-logging

jobs:
  provision:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Provision team
        run: ./scripts/provision-ai-access.sh "${{ inputs.team_name }}"
        env:
          KEEPTRUSTS_ADMIN_TOKEN: ${{ secrets.KEEPTRUSTS_ADMIN_TOKEN }}

      - name: Apply template
        run: |
          kt policy lint --file "templates/${{ inputs.template }}.yaml"
          ./scripts/apply-template.sh "${{ inputs.team_name }}" "${{ inputs.template }}"
        env:
          KEEPTRUSTS_ADMIN_TOKEN: ${{ secrets.KEEPTRUSTS_ADMIN_TOKEN }}

      - name: Notify team
        run: |
          echo "Team ${{ inputs.team_name }} provisioned with ${{ inputs.template }} template."
          echo "Gateway key stored in Vault at secret/keeptrusts/${{ inputs.team_name }}/gw-key"

Developer Quickstart Kit

Provide a quickstart package that developers receive after provisioning:

# quickstart.sh — run after receiving your gateway key
export KEEPTRUSTS_GATEWAY_URL="https://gateway.internal:41002"
export KEEPTRUSTS_GATEWAY_TOKEN="kt_gk_your_key_here"

# Test connectivity
curl -s "${KEEPTRUSTS_GATEWAY_URL}/health" | jq .

# Send a test request
curl -X POST "${KEEPTRUSTS_GATEWAY_URL}/v1/chat/completions" \
  -H "Authorization: Bearer ${KEEPTRUSTS_GATEWAY_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [{"role": "user", "content": "Hello, world!"}]
  }'

This script confirms the gateway is reachable and the key is valid, giving developers immediate confidence that their AI access is working.

For AI systems

• Canonical terms: gateway key provisioning, kt_gk_..., token_type=gateway, self-service, team onboarding, Terraform provider, provisioning script
• API endpoints: POST /v1/tokens (gateway key creation), POST /v1/teams, POST /v1/configurations, POST /v1/wallets/allocate
• Token types: gateway (for app traffic) and access (for console/API access)
• Related pages: Golden Paths, Internal Developer Platform, Multi-Tenant Gateway

For engineers

• Create gateway keys with POST /v1/tokens using token_type: "gateway" and a team_id
• Build a provisioning script that creates a team, assigns a policy template, allocates wallet credits, and provisions a gateway key in sequence
• Deliver keys securely via your secrets management system — never return them in plaintext logs
• Use Terraform keeptrusts_team and keeptrusts_gateway_key resources for IaC-driven provisioning
• Include a smoke-test script in the onboarding kit that verifies gateway connectivity and key validity
• Validate: curl $GATEWAY_URL/health returns 200, then send a test completion request with the provisioned key

For leaders

• Self-service provisioning eliminates the platform team as an adoption bottleneck — teams onboard in minutes, not days
• Every provisioned key comes with policy guardrails pre-configured from templates
• Terraform integration supports enterprise change management workflows and audit trails
• Gateway key expiration (expires_at) enforces credential hygiene without manual intervention
• Wallet allocation at provisioning time sets cost boundaries from day one

Next steps

• Define Golden Paths with policy presets and SDK wrappers for onboarded teams
• Register in your Internal Developer Platform via Backstage templates
• Manage fleet at scale with Multi-Tenant Gateway patterns