Unified Access
Unified Access lets you use OpenAI and Anthropic models through Keeptrusts-managed credentials with built-in billing, rate limiting, and governance.
How it works
- Model catalog — Browse available models with published per-token pricing.
- Access policies — Control which teams, service users, gateways, or tagged resources can use each model.
- Budget policies — Set hourly, daily, weekly, and monthly spending limits before reservations are made.
- Auto top-up — Refill wallets automatically when balances fall below a threshold.
- Zero Data Retention — Enable passthrough or strict controls for sensitive workloads.
Billing
- Provider list prices with 0% markup on supported Unified Access models.
- Team seats include monthly credits that are consumed before the shared org wallet.
- Service users are billed from wallet funds only.
- Usage is traffic metered per request and settled from actual token usage.
Supported endpoints
| Endpoint | Provider | Format |
|---|---|---|
POST /v1/chat/completions | OpenAI | Chat Completions |
POST /v1/responses | OpenAI | Responses API |
POST /v1/messages | Anthropic | Messages API |
OAuth integration
Unified Access supports OAuth 2.0 PKCE for programmatic access:
- Register clients in Settings → Unified Access → OAuth Clients.
- Use
code_challenge_method=S256— plain PKCE is rejected. - Refresh tokens rotate on every successful use.
See Unified Access OAuth for the full flow.
Access policies
Access policies decide who can use which models:
- Allow and deny rules support tag-based resource matching.
- Deny always overrides allow.
- When multiple allow rules match, the most restrictive limits win.
- Use simulation before rollout to confirm the effective decision.
Budget policies
Budget policies cap spend across time windows:
- Hourly, daily, weekly, and monthly windows.
- Evaluated before wallet reservation.
- Exhausted budgets return
429and do not reserve wallet funds.
See Unified Access budgets for policy design guidance.
Zero Data Retention (ZDR)
For sensitive workloads:
passthroughsetsstore=falseupstream and skips cache use.strictalso strips request and response bodies from event logs.
Next steps
- Review Unified Access budgets.
- Configure OAuth clients with Unified Access OAuth.
- Use Unified Access configuration reference when updating gateway YAML.