Hosted Gateway for Team-Wide IDE Integration
Instead of each developer running a local gateway, you can deploy a hosted gateway that the entire team connects to. This centralizes policy enforcement, shares the engineering cache across developers, and provides a single audit trail for all IDE AI usage.
Use this page when
- You are working through Hosted Gateway for Team-Wide IDE Integration as an implementation or operating workflow in Keeptrusts.
- You need the practical steps, expected outcomes, and related validation guidance in one place.
- If you need exact field-by-field reference instead of a workflow page, use the linked reference pages in Next steps.
Primary audience
- Primary: Technical Engineers
- Secondary: AI Agents, Technical Leaders
Why Use a Hosted Gateway
| Benefit | Local Gateway | Hosted Gateway |
|---|---|---|
| Policy updates | Each developer pulls updates | Update once, applies to all |
| Engineering cache | Per-machine, no sharing | Shared across the team |
| Audit trail | Fragmented across machines | Single unified log |
| Onboarding | Each dev installs and configures | Point IDE to a URL |
| Secret management | Keys on each laptop | Keys managed centrally |
Architecture
Developer A (VS Code) ──┐
Developer B (IntelliJ) ──┼──→ https://gateway.yourcompany.com/v1
Developer C (Cursor) ──┘ │
▼
Keeptrusts Hosted Gateway
│
Policy Chain Evaluation
│
┌────────┴────────┐
▼ ▼
OpenAI API Anthropic API
Deploy with Docker Compose
Create a docker-compose.yml for the hosted gateway:
services:
keeptrusts-gateway:
image: keeptrusts/gateway:latest
ports:
- "41002:41002"
environment:
- KEEPTRUSTS_GATEWAY_TOKEN=your-gateway-key
- KEEPTRUSTS_API_URL=https://api.yourcompany.com
- OPENAI_API_KEY=${OPENAI_API_KEY}
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
volumes:
- ./policy-config.yaml:/etc/keeptrusts/policy-config.yaml:ro
command: >
kt gateway run
--policy-config /etc/keeptrusts/policy-config.yaml
--listen 0.0.0.0:41002
restart: unless-stopped
Start the gateway:
docker compose up -d
TLS Termination
For production use, place the gateway behind a TLS-terminating reverse proxy. Use nginx, Caddy, or your cloud load balancer:
# /etc/nginx/conf.d/gateway.conf
server {
listen 443 ssl;
server_name gateway.yourcompany.com;
ssl_certificate /etc/ssl/certs/gateway.crt;
ssl_certificate_key /etc/ssl/private/gateway.key;
location / {
proxy_pass http://localhost:41002;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Support streaming responses
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 300s;
}
}
DNS Configuration
Create a DNS record pointing to your gateway host:
gateway.yourcompany.com → A → <your-server-ip>
Or use a CNAME if deploying behind a load balancer.
Configure Team IDEs
Once the hosted gateway is running, each developer points their IDE to the shared URL:
| IDE | Setting | Value |
|---|---|---|
| VS Code (Continue) | apiBase in config.json | https://gateway.yourcompany.com/v1 |
| JetBrains (Continue) | apiBase in config.json | https://gateway.yourcompany.com/v1 |
| Cursor | Models → OpenAI Base URL | https://gateway.yourcompany.com/v1 |
| Neovim (gptel) | :host parameter | gateway.yourcompany.com |
| Zed | api_url in settings.json | https://gateway.yourcompany.com/v1 |
Each developer authenticates with their personal access key (created in the console under Settings → Access Keys).
Gateway Keys vs. Access Keys
Two key types are involved in a hosted gateway setup:
| Key Type | Purpose | Who Holds It |
|---|---|---|
| Gateway Key | Authorizes the gateway runtime to connect to the Keeptrusts API | The hosted gateway server |
| Access Key | Authorizes individual developer requests through the gateway | Each developer |
The gateway key is set as KEEPTRUSTS_GATEWAY_TOKEN on the server. Access keys are passed by developers in their IDE's API key field.
Deploy on Kubernetes
For larger teams, deploy the gateway as a Kubernetes Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: keeptrusts-gateway
spec:
replicas: 2
selector:
matchLabels:
app: keeptrusts-gateway
template:
metadata:
labels:
app: keeptrusts-gateway
spec:
containers:
- name: gateway
image: keeptrusts/gateway:latest
ports:
- containerPort: 41002
envFrom:
- secretRef:
name: keeptrusts-gateway-secrets
volumeMounts:
- name: config
mountPath: /etc/keeptrusts
volumes:
- name: config
configMap:
name: keeptrusts-policy-config
Expose with a Service and Ingress for TLS termination.
Shared Engineering Cache
The hosted gateway maintains a shared engineering cache. When Developer A triggers a completion that gets cached, Developer B gets an instant cache hit for the same query — reducing cost and latency across the team.
Monitor cache performance in the console dashboard or via:
kt events tail --filter cache_hit=true
Monitoring
Track team-wide IDE usage from the console:
- Events dashboard — filter by source to see IDE-originated traffic
- Cost center — view spend by developer, team, and model
- Policy violations — review blocked or redacted requests
For AI systems
- Canonical terms: Keeptrusts, Hosted Gateway for Team-Wide IDE Integration, ide-integration.
- Exact feature, config, command, or page names: Hosted Gateway for Team-Wide IDE Integration.
- Use the linked audience and reference pages in Next steps when you need deeper source material.
For engineers
- Use the commands, configuration examples, API payloads, or UI steps in this page as the working baseline for Hosted Gateway for Team-Wide IDE Integration.
- Validate the result with the expected outcomes, troubleshooting notes, or linked workflow pages in this page and Next steps.
For leaders
- This page matters when planning rollout, governance, support ownership, or operating decisions for Hosted Gateway for Team-Wide IDE Integration.
- Use the linked audience, architecture, and workflow pages in Next steps to connect this detail to broader implementation choices.
Next steps
- Access Keys and Authentication — issue keys to team members
- Recommended Policies for IDE Traffic — configure team-wide policies
- Monitoring IDE AI Usage — track usage across the team