Skip to main content

Google AI Studio (Gemini API)

Route OpenAI-compatible client traffic through Keeptrusts to the Gemini API. Applications call the local Keeptrusts endpoint; the gateway owns the upstream credential and applies the configured policy chain.

Use this page when

  • You already have access to Google AI Studio (Gemini API) and need to route it through Keeptrusts.
  • You want one explicit provider target that can be linted and reviewed before rollout.
  • You need a stable integration contract without copying mutable prices, context limits, or retirement dates into your config.

Prerequisites

  • Install the kt CLI.
  • Obtain the upstream credential and an enabled model or endpoint from Google AI Studio (Gemini API).
  • Obtain a Keeptrusts runtime API token for the gateway and a separate gateway key, access key, or personal API token for client requests. --agent uses only the runtime token.

Configure the provider

Replace the replace-with-... values before starting the gateway. The example uses the current google-ai-studio runtime contract.

pack:
name: google-ai-studio-integration
version: 1.0.0
enabled: true
policies:
chain:
- prompt-injection
- pii-detector
- audit-logger
providers:
targets:
- id: google-ai-studio-primary
provider: google-ai-studio
provider_type: google-ai-studio
format: google-gemini
model: "replace-with-gemini-model-id"
base_url: https://generativelanguage.googleapis.com
secret_key_ref:
env: KEEPTRUSTS_GEMINI_API_KEY

The provider credential is resolved inside the gateway process. It is not the credential that client applications send to Keeptrusts.

Start and verify

export KEEPTRUSTS_API_TOKEN="replace-with-keeptrusts-api-token"
export KEEPTRUSTS_GEMINI_API_KEY="replace-with-upstream-credential"

kt policy lint --file policy-config.yaml
kt gateway run \
--agent google-ai-studio-integration \
--listen 127.0.0.1:41002 \
--policy-config policy-config.yaml

KEEPTRUSTS_API_TOKEN authenticates the gateway runtime and control-plane synchronization. Do not reuse it as the client credential.

In another terminal, export the separate client token, confirm the gateway is healthy, and send one request:

export KEEPTRUSTS_CLIENT_TOKEN="replace-with-separate-client-token"

curl -fsS http://127.0.0.1:41002/healthz
curl -fsS http://127.0.0.1:41002/v1/chat/completions \
-H "Authorization: Bearer ${KEEPTRUSTS_CLIENT_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"model":"replace-with-gemini-model-id","messages":[{"role":"user","content":"Reply with one short sentence."}]}'

Use the same model identifier in the request and target unless you have configured an explicit multi-model route.

Current Keeptrusts contract

SettingBehavior
providergoogle-ai-studio
Upstream requestGemini generateContent at /v1beta/models/{model}:generateContent
Upstream authenticationx-goog-api-key from KEEPTRUSTS_GEMINI_API_KEY
Client endpoint/v1/chat/completions on the Keeptrusts gateway

Google AI Studio and Vertex AI use different authentication and endpoint construction. Use the Vertex page for Google Cloud project and regional routing.

Model and production checks

  • Verify the model ID, region, endpoint availability, and account permissions in the official provider surface before rollout.
  • Treat pricing, max_context_tokens, retention metadata, and certifications as operator declarations. Add them only after checking your current contract.
  • Validate streaming, tools, structured output, and other optional request features for the selected request family and model; provider-wide assumptions are unsafe.
  • Keep the upstream credential server-side. Bind production listeners only to the intended interface and protect them with your normal ingress controls.

Next steps