Voyage AI
Connect Keeptrusts to Voyage AI embeddings through the local embeddings route. Applications call the local Keeptrusts endpoint, and the gateway owns the upstream credential and provider routing.
:::caution Route-specific governance
The current /v1/embeddings handler authenticates the client, resolves the
agent and provider, performs connected billing when enabled, and proxies the
embedding request. It does not execute the Chat Completions/Responses policy
chain. In particular, adding prompt-injection, PII, or audit policies to the
pack does not make those policies run on embedding input. Use this integration
only when that boundary is acceptable, and validate required controls outside
this route before production rollout.
:::
Use this page when
- You already have access to Voyage AI and need to route it through Keeptrusts.
- You want one explicit provider target that can be linted and reviewed before rollout.
- You need a stable integration contract without copying mutable prices, context limits, or retirement dates into your config.
Prerequisites
- Install the
ktCLI. - Obtain the upstream credential and an enabled model or endpoint from Voyage AI.
- Obtain a Keeptrusts runtime API token for the gateway and a separate gateway key, access key, or personal API token for client requests.
--agentuses only the runtime token.
Configure the provider
Replace the replace-with-... values before starting the gateway. The example
uses the required voyage:embedding:<model> provider shorthand so the gateway
selects the embeddings request family.
pack:
name: voyage-integration
version: 1.0.0
enabled: true
policies:
chain:
- audit-logger
providers:
targets:
- id: voyage-primary
provider: "voyage:embedding:replace-with-voyage-model-id"
base_url: https://api.voyageai.com
secret_key_ref:
env: KEEPTRUSTS_VOYAGE_API_KEY
The public config contract requires a non-empty policies.chain.
audit-logger keeps this pack valid for request families that do execute the
policy pipeline; it does not add policy coverage to /v1/embeddings. The
provider credential is resolved inside the gateway process; it is not the
credential that client applications send to Keeptrusts.
Start and verify
export KEEPTRUSTS_API_TOKEN="replace-with-keeptrusts-api-token"
export KEEPTRUSTS_VOYAGE_API_KEY="replace-with-upstream-credential"
kt policy lint --file policy-config.yaml
kt gateway run \
--agent voyage-integration \
--listen 127.0.0.1:41002 \
--policy-config policy-config.yaml
KEEPTRUSTS_API_TOKEN authenticates the gateway runtime and control-plane synchronization. Do not reuse it as the client credential.
In another terminal, export the separate client token, confirm the gateway is healthy, and send one request:
export KEEPTRUSTS_CLIENT_TOKEN="replace-with-separate-client-token"
curl -fsS http://127.0.0.1:41002/healthz
curl -fsS http://127.0.0.1:41002/v1/embeddings \
-H "Authorization: Bearer ${KEEPTRUSTS_CLIENT_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"model":"replace-with-voyage-model-id","input":["Govern this text."]}'
Use the same model identifier in the request and target unless you have configured an explicit multi-model route.
Current Keeptrusts contract
| Setting | Behavior |
|---|---|
provider | voyage:embedding:<model> |
| Upstream request | Voyage embeddings at /v1/embeddings |
| Upstream authentication | Bearer token from KEEPTRUSTS_VOYAGE_API_KEY |
| Client endpoint | /v1/embeddings on the Keeptrusts gateway |
| Policy-chain coverage | The current embeddings handler does not evaluate the Chat Completions/Responses policy chain |
Embedding dimensions and accepted input options vary by model. Verify them in Voyage documentation and keep indexing and query workloads on compatible settings.
Model and production checks
- Verify the model ID, region, endpoint availability, and account permissions in the official provider surface before rollout.
- Treat
pricing,max_context_tokens, retention metadata, and certifications as operator declarations. Add them only after checking your current contract. - Verify input type, batch-size, token, and output-dimension limits for the selected Voyage model. The gateway forwards the OpenAI-style embeddings body and does not make every vendor-specific option portable.
- Do not infer text-generation features such as streaming, tools, or structured output from embedding-model support.
- Keep the upstream credential server-side. Bind production listeners only to the intended interface and protect them with your normal ingress controls.