OpenAI
Keeptrusts works as a transparent, drop-in gateway for OpenAI's API. Point your application at the Keeptrusts gateway instead of api.openai.com — all policy enforcement, audit logging, and safety controls are applied automatically with no code changes beyond the base URL. Both the /v1/chat/completions and /v1/responses endpoints are fully supported.
Use this page when
- You need the exact command, config, API, or integration details for OpenAI.
- You are wiring automation or AI retrieval and need canonical names, examples, and constraints.
- For a guided rollout instead of a reference page, use the linked workflow pages under Next steps.
Primary audience
- Primary: AI Agents, Technical Engineers
- Secondary: Technical Leaders
Prerequisites
- OpenAI API key — obtain one from the OpenAI Platform.
- Keeptrusts CLI — install `kt` (see the quickstart guide).
- Export your API key:
  export OPENAI_API_KEY="sk-your-key-here"
Keeptrusts auto-detects OPENAI_API_KEY when provider is set to "openai". No additional auth configuration is required unless you use a custom header or a gateway endpoint.
Configuration
Create a policy-config.yaml with your provider targets:
pack:
  name: openai-gateway
  version: 1.0.0
  enabled: true
policies:
  chain:
    - prompt-injection
    - pii-detector
    - audit-logger
providers:
  strategy: single
  targets:
    - id: openai-gpt4o
      provider: openai
      model: gpt-4o
      base_url: https://api.openai.com/v1
      secret_key_ref:
        env: OPENAI_API_KEY
Start the gateway:
kt gateway run \
  --listen 0.0.0.0:8080 \
  --policy-config policy-config.yaml
In the recommended workflow, the provider target in policy-config.yaml is the source of truth. The gateway reads OPENAI_API_KEY through secret_key_ref instead of relying on --upstream overrides.
Provider Fields
All fields available on a providers.targets[] entry for OpenAI:
| Field | Type | Default | Description |
|---|---|---|---|
| `id` | string | required | Unique identifier for this target |
| `provider` | string | required | Provider ID: `"openai"`, `"openai:chat:gpt-4o"`, or `"openai:responses:gpt-4o"` |
| `model` | string | required | Model name, e.g. `"gpt-4o"`, `"gpt-4o-mini"` |
| `base_url` | string | `https://api.openai.com/v1` | API base URL (auto-detected for OpenAI) |
| `secret_key_ref` | object | `OPENAI_API_KEY` | Object reference to the environment variable holding the API key |
| `api_key_header` | string | `Authorization` | HTTP header used for authentication |
| `api_key_prefix` | string | `Bearer` | Prefix prepended to the key value in the header |
| `timeout_seconds` | integer | 60 | Maximum time for non-streaming requests |
| `stream_timeout_seconds` | integer | none | Maximum time for streaming requests; falls back to `timeout_seconds` |
| `max_context_tokens` | integer | none | Maximum tokens in the context window (used for context compression) |
| `max_messages` | integer | none | Maximum number of messages to retain in the conversation |
| `headers` | map | `{}` | Additional HTTP headers to send with each request |
| `format` | string | `"openai"` | Wire format: `"openai"` (native, no translation) |
| `provider_type` | string | `"openai"` | Explicit provider type; overrides URL heuristic detection |
| `description` | string | none | Human-readable description for dashboards and logs |
| `weight` | float | 1.0 | Routing weight for the `weighted_round_robin` strategy |
| `data_policy` | object | none | Data handling policy (see below) |
| `pricing` | object | none | Token pricing in USD per 1M tokens (prompt, completion) |
| `data_collection` | string | none | `"allow"` or `"deny"` — per-provider data collection policy |
| `zdr` | boolean | false | Shorthand for zero data retention |
| `region` | string | none | Data residency region, e.g. `"us"`, `"eu"` |
| `health_probe` | object | none | Active health probe configuration |
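As an illustrative sketch, a more fully specified target combining the fields above might look like this (all values, including the `pricing` sub-keys, are example choices, not recommendations):

```yaml
providers:
  strategy: single
  targets:
    - id: openai-gpt4o-full
      provider: openai
      model: gpt-4o
      base_url: https://api.openai.com/v1
      secret_key_ref:
        env: OPENAI_API_KEY
      timeout_seconds: 60
      stream_timeout_seconds: 300
      max_context_tokens: 120000
      description: "Primary GPT-4o target"
      weight: 1.0
      pricing:
        prompt: 2.50
        completion: 10.00
      region: us
```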
Authentication
OpenAI uses the standard Authorization: Bearer <key> pattern. Keeptrusts auto-detects this when provider is "openai":
# These are the defaults — you only need to set secret_key_ref
secret_key_ref:
  env: "OPENAI_API_KEY"
api_key_header: "Authorization"
api_key_prefix: "Bearer "
For Azure OpenAI or custom endpoints that use a different auth scheme, override the header fields:
secret_key_ref:
  env: "AZURE_OPENAI_API_KEY"
api_key_header: "api-key"
api_key_prefix: ""
base_url: "https://your-resource.openai.azure.com/openai/deployments/gpt-4o"
Supported Models
| Model | Context Window | Notes |
|---|---|---|
| `gpt-4o` | 128K | Flagship multimodal model |
| `gpt-4o-mini` | 128K | Cost-optimized variant |
| `gpt-4.1` | 1M | Latest generation |
| `gpt-4.1-mini` | 1M | Cost-optimized latest generation |
| `gpt-4.1-nano` | 1M | Smallest latest generation |
| `gpt-4-turbo` | 128K | Previous generation turbo |
| `gpt-3.5-turbo` | 16K | Legacy, fastest |
| `o1` | 200K | Reasoning model |
| `o1-mini` | 128K | Compact reasoning model |
| `o3-mini` | 200K | Latest compact reasoning model |
Any model available on the OpenAI API can be used — set the model field to the model ID string.
Client Examples
Once the gateway is running, point your client to http://localhost:8080 instead of https://api.openai.com.
- Python
- Node.js
- cURL
from openai import OpenAI

client = OpenAI(
    base_url="http://localhost:8080/v1",
    api_key="sk-your-key",  # still validated by the upstream
)

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[
        {"role": "system", "content": "You are a helpful assistant."},
        {"role": "user", "content": "Explain quantum computing in one paragraph."},
    ],
    temperature=0.7,
    max_tokens=256,
)

print(response.choices[0].message.content)
import OpenAI from "openai";

const client = new OpenAI({
  baseURL: "http://localhost:8080/v1",
  apiKey: "sk-your-key",
});

const response = await client.chat.completions.create({
  model: "gpt-4o",
  messages: [
    { role: "system", content: "You are a helpful assistant." },
    { role: "user", content: "Explain quantum computing in one paragraph." },
  ],
  temperature: 0.7,
  max_tokens: 256,
});

console.log(response.choices[0].message.content);
curl http://localhost:8080/v1/chat/completions \
  -H "Authorization: Bearer sk-your-key" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [
      {"role": "system", "content": "You are a helpful assistant."},
      {"role": "user", "content": "Explain quantum computing in one paragraph."}
    ],
    "temperature": 0.7,
    "max_tokens": 256
  }'
Streaming
Keeptrusts fully supports OpenAI's server-sent event (SSE) streaming. Set stream: true in your request — the gateway applies policies to each chunk in real time.
Configure a separate streaming timeout to accommodate long-running generations:
pack:
  name: openai-providers-4
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: openai-streaming
      provider: openai
      model: gpt-4o
      stream_timeout_seconds: 300  # example value; size this for your longest generations
policies:
  chain:
    - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
- Python
- cURL
from openai import OpenAI

client = OpenAI(base_url="http://localhost:8080/v1", api_key="sk-your-key")

stream = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Write a short story about AI."}],
    stream=True,
)

for chunk in stream:
    if chunk.choices[0].delta.content:
        print(chunk.choices[0].delta.content, end="", flush=True)
curl http://localhost:8080/v1/chat/completions \
  -H "Authorization: Bearer sk-your-key" \
  -H "Content-Type: application/json" \
  -N \
  -d '{
    "model": "gpt-4o",
    "messages": [{"role": "user", "content": "Write a short story about AI."}],
    "stream": true
  }'
Advanced Configuration
Multi-Model Fallback
Automatically fail over to a cheaper model when the primary is unavailable:
pack:
  name: openai-providers-5
  version: 1.0.0
  enabled: true
providers:
  strategy: fallback
  targets:
    - id: primary
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
    - id: fallback
      provider: openai
      model: gpt-4o-mini
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
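Gateway-side failover needs no client changes, but the selection semantics can be sketched in plain Python. This is an illustration of try-in-order behavior, not Keeptrusts internals; `flaky_send` is a hypothetical stand-in for an upstream call:

```python
def call_with_fallback(target_ids, send):
    """Try each target in order; return the first successful response.

    `send` is any callable that performs the upstream request for a
    target id and raises on failure (timeout, 5xx, connection error).
    """
    last_error = None
    for target_id in target_ids:
        try:
            return send(target_id)
        except Exception as exc:
            last_error = exc
    raise last_error


def flaky_send(target_id):
    # Hypothetical stand-in for a real upstream call: the primary is down.
    if target_id == "primary":
        raise RuntimeError("primary unavailable")
    return f"ok from {target_id}"


print(call_with_fallback(["primary", "fallback"], flaky_send))  # ok from fallback
```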
Latency-Based Routing
Route each request to the provider target with the lowest observed latency:
pack:
  name: openai-providers-6
  version: 1.0.0
  enabled: true
providers:
  strategy: latency
  targets:
    - id: gpt4o-us
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
    - id: gpt4o-eu
      provider: openai
      model: gpt-4o
      base_url: https://eu.api.openai.com/v1
      secret_key_ref:
        env: OPENAI_API_KEY_EU
policies:
  chain:
    - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
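Conceptually, latency-based routing keeps a smoothed latency estimate per target and sends each request to the current minimum. A minimal sketch using an exponentially weighted moving average (illustrative only; the gateway's actual measurement details are internal):

```python
class LatencyRouter:
    """Pick the target with the lowest smoothed latency (EWMA)."""

    def __init__(self, targets, alpha=0.2):
        self.alpha = alpha
        self.latency = {t: None for t in targets}

    def record(self, target, seconds):
        """Fold an observed request latency into the running estimate."""
        prev = self.latency[target]
        self.latency[target] = (
            seconds if prev is None else self.alpha * seconds + (1 - self.alpha) * prev
        )

    def pick(self):
        # Unmeasured targets sort first so each one gets probed at least once.
        return min(
            self.latency,
            key=lambda t: (self.latency[t] is not None, self.latency[t] or 0.0),
        )


router = LatencyRouter(["gpt4o-us", "gpt4o-eu"])
router.record("gpt4o-us", 0.9)
router.record("gpt4o-eu", 0.4)
print(router.pick())  # gpt4o-eu
```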
Circuit Breaker
Temporarily remove unhealthy targets from the rotation:
pack:
  name: openai-providers-7
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: openai-main
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
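The idea behind a circuit breaker is the classic closed/open/half-open pattern: after repeated failures the target is skipped for a cooldown, then a single probe request is allowed through. A self-contained sketch of that pattern (not the gateway's actual implementation; thresholds are example values):

```python
import time


class CircuitBreaker:
    """Skip a target after repeated failures, re-probe after a cooldown."""

    def __init__(self, failure_threshold=3, cooldown_seconds=30.0):
        self.failure_threshold = failure_threshold
        self.cooldown_seconds = cooldown_seconds
        self.failures = 0
        self.opened_at = None  # None means the circuit is closed

    def allow(self, now=None):
        """Return True if a request may be sent to this target."""
        if self.opened_at is None:
            return True
        now = time.monotonic() if now is None else now
        if now - self.opened_at >= self.cooldown_seconds:
            # Half-open: let one probe request through.
            self.opened_at = None
            self.failures = self.failure_threshold - 1
            return True
        return False

    def on_success(self):
        self.failures = 0
        self.opened_at = None

    def on_failure(self, now=None):
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = time.monotonic() if now is None else now
```

A failed probe during the half-open state re-opens the circuit immediately, since the failure counter is left one short of the threshold.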
Retry Policy
Retry transient failures automatically:
pack:
  name: openai-providers-8
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: openai-gpt4o
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
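Retrying transient failures with exponential backoff and jitter is the standard pattern here. A client-side sketch under assumed defaults (illustrative, not the gateway's policy engine):

```python
import random
import time


def retry(call, attempts=3, base_delay=0.5, retryable=(TimeoutError, ConnectionError)):
    """Retry transient failures with exponential backoff and jitter."""
    for attempt in range(attempts):
        try:
            return call()
        except retryable:
            if attempt == attempts - 1:
                raise  # out of attempts: surface the error
            time.sleep(base_delay * (2 ** attempt) * random.uniform(0.5, 1.5))


calls = {"n": 0}

def flaky():
    # Hypothetical upstream that fails twice, then succeeds.
    calls["n"] += 1
    if calls["n"] < 3:
        raise TimeoutError("transient")
    return "ok"

print(retry(flaky, base_delay=0.01))  # ok, on the third attempt
```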
Context Compression
Automatically truncate conversation history to fit within the model's context window:
pack:
  name: openai-providers-9
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: openai-gpt4o
      provider: openai
      model: gpt-4o
      max_context_tokens: 120000  # below the 128K model limit to leave response headroom
      max_messages: 50            # example value
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
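The effect of a context-token budget can be pictured as budgeted truncation: keep the system message and as many of the newest turns as fit, dropping the oldest. A rough sketch with a naive 4-characters-per-token estimate (a real implementation would count tokens with the model tokenizer, and the gateway's exact strategy is internal):

```python
def truncate_history(messages, max_tokens, estimate=lambda m: len(m["content"]) // 4):
    """Keep the system message plus the newest turns that fit the token budget."""
    system = [m for m in messages if m["role"] == "system"]
    rest = [m for m in messages if m["role"] != "system"]
    budget = max_tokens - sum(estimate(m) for m in system)
    kept = []
    for message in reversed(rest):  # walk from newest to oldest
        cost = estimate(message)
        if cost > budget:
            break  # this and all older messages are dropped
        kept.append(message)
        budget -= cost
    return system + list(reversed(kept))


history = [
    {"role": "system", "content": "be brief"},
    {"role": "user", "content": "x" * 400},       # ~100 tokens, oldest turn
    {"role": "assistant", "content": "y" * 400},  # ~100 tokens
    {"role": "user", "content": "z" * 40},        # ~10 tokens, newest turn
]
# With a 120-token budget the oldest user turn no longer fits:
print([m["role"] for m in truncate_history(history, 120)])
# → ['system', 'assistant', 'user']
```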
Zero Data Retention
Enforce that no prompt or completion data is stored by the provider:
pack:
  name: openai-providers-10
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: openai-zdr
      provider: openai
      model: gpt-4o
      zdr: true
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
A/B Testing Between Models
Split traffic across models with weighted routing:
pack:
  name: openai-providers-11
  version: 1.0.0
  enabled: true
providers:
  strategy: weighted_round_robin
  targets:
    - id: variant-a
      provider: openai
      model: gpt-4o
      weight: 0.9  # example 90/10 split
      secret_key_ref:
        env: OPENAI_API_KEY
    - id: variant-b
      provider: openai
      model: gpt-4o-mini
      weight: 0.1
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
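Weighted selection of the kind an A/B split relies on can be sketched with `random.choices`. This is illustrative only (the gateway's own algorithm may differ), assuming a hypothetical 90/10 split:

```python
import random


def pick_variant(targets, rng=random):
    """Choose a target id in proportion to its routing weight."""
    ids = [t["id"] for t in targets]
    weights = [t.get("weight", 1.0) for t in targets]
    return rng.choices(ids, weights=weights, k=1)[0]


targets = [
    {"id": "variant-a", "weight": 0.9},
    {"id": "variant-b", "weight": 0.1},
]

picks = [pick_variant(targets) for _ in range(10_000)]
print(picks.count("variant-a") / len(picks))  # close to 0.9
```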
Rate Limiting
Enforce per-provider request rate limits:
pack:
  name: openai-providers-12
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: openai-gpt4o
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
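Per-provider rate limiting is typically a token bucket: each request consumes one token, and tokens refill at a fixed rate up to a burst capacity. A self-contained sketch of that mechanism (not the gateway's actual limiter):

```python
import time


class TokenBucket:
    """Token-bucket limiter: refill at a fixed rate, cap at burst size."""

    def __init__(self, rate_per_second, burst, now=None):
        self.rate = rate_per_second
        self.capacity = burst
        self.tokens = float(burst)
        self.updated = time.monotonic() if now is None else now

    def try_acquire(self, now=None):
        """Consume one token if available; False means reject (HTTP 429)."""
        now = time.monotonic() if now is None else now
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False
```

Passing `now` explicitly makes the bucket deterministic for testing; in production the default monotonic clock is used.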
Token Cost Tracking
Declare pricing for cost dashboards and budget alerts:
pack:
  name: openai-providers-13
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: openai-gpt4o
      provider: openai
      model: gpt-4o
      pricing:
        prompt: 2.50      # USD per 1M input tokens
        completion: 10.00 # USD per 1M output tokens
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
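With pricing declared, per-request cost follows directly from the token counts in each response's usage block. A sketch using GPT-4o's $2.50/$10.00 per-1M prompt/completion pricing (the dashboard's own arithmetic is internal; this just shows the calculation):

```python
PRICING_PER_1M = {"gpt-4o": {"prompt": 2.50, "completion": 10.00}}


def request_cost_usd(model, prompt_tokens, completion_tokens):
    """Compute per-request cost in USD from token counts and declared pricing."""
    p = PRICING_PER_1M[model]
    return (prompt_tokens * p["prompt"] + completion_tokens * p["completion"]) / 1_000_000


# e.g. a request with 1,200 prompt tokens and 300 completion tokens:
print(request_cost_usd("gpt-4o", 1200, 300))  # → 0.006
```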
Best Practices
- Use `stream_timeout_seconds` for streaming requests — long generations can exceed the default timeout.
- Set `max_context_tokens` below the actual model limit to leave headroom for the response.
- Enable health probes on production targets so routing strategies can detect outages early.
- Use `data_policy` to document and enforce your organization's data handling requirements.
- Prefer the `fallback` strategy for critical workloads; use `latency` or `weighted_round_robin` for cost/performance optimization.
- Separate API keys per environment — use distinct `secret_key_ref` values for dev, staging, and production.
- Declare `pricing` even if approximate — it enables cost dashboards and per-request budget enforcement.
- Use `provider_type: "openai"` explicitly when routing through non-standard base URLs to ensure correct auto-detection.
For AI systems
- Canonical terms: Keeptrusts gateway, OpenAI, GPT-4o, GPT-4o-mini, o1, o3, provider target, `policy-config.yaml`, `provider: "openai"`, `OPENAI_API_KEY`.
- Config field names: `provider`, `model`, `base_url: "https://api.openai.com/v1"`, `secret_key_ref.env: "OPENAI_API_KEY"`, `format: "openai"`, `provider_type: "openai"`, `pricing`, `data_policy`.
- Provider shorthand: `openai:chat:<model>` (e.g., `openai:chat:gpt-4o`).
- Key behavior: OpenAI is the reference format — all other providers translate to/from the OpenAI wire format, so no format translation is needed here.
- Best next pages: Anthropic integration, Azure OpenAI integration, Provider routing.
For engineers
- Prerequisites: OpenAI API key (`OPENAI_API_KEY` env var from platform.openai.com), `kt` CLI installed.
- Start command: `kt gateway run --listen 0.0.0.0:8080 --policy-config policy-config.yaml`.
- Validate: `curl http://localhost:8080/v1/chat/completions -H 'Content-Type: application/json' -d '{"model":"gpt-4o","messages":[{"role":"user","content":"hello"}]}'`.
- OpenAI is the native wire format — no translation overhead. Clients send standard OpenAI SDK requests unchanged.
- Declare `pricing` fields for accurate cost dashboards (GPT-4o: $2.50/$10.00 per 1M tokens input/output).
- Use `provider_type: "openai"` explicitly when routing through non-standard base URLs.
For leaders
- OpenAI is the de facto standard API format — all other providers translate to/from it, making OpenAI the lowest-friction starting point.
- Keeptrusts audit logging, PII redaction, and prompt-injection detection apply transparently without application changes.
- Cross-provider fallback (OpenAI → Anthropic or Bedrock) provides resilience without vendor lock-in.
- OpenAI's data retention and training policies should be reviewed — configure `data_policy` to document your compliance posture.
Next steps
- Anthropic integration — cross-provider fallback with automatic format translation
- Azure OpenAI integration — OpenAI models with Azure data residency
- Provider routing strategies — multi-provider fallback and cost optimization
- Policy configuration — prompt-injection, PII, and safety policy reference
- Quickstart — install `kt` and run your first gateway