
Weaviate

Weaviate is an open-source vector database that supports generative search and AI-native modules. Its generative-openai, text2vec-openai, and similar modules make outbound LLM and embedding calls to upstream providers during query-time generation and data ingestion. These calls send your stored data and queries to external AI providers.

This page explains how to route Weaviate's LLM and embedding calls through the Keeptrusts gateway so policy enforcement, PII redaction, and audit logging apply to every AI operation your vector database performs.

Use this page when

  • You are configuring Weaviate's generative or vectorizer modules to route through the Keeptrusts gateway.
  • You need policy enforcement on LLM calls made during Weaviate generative search or data vectorization.
  • If you only need general embedding provider setup, see the integrations page instead.

Primary audience

  • Primary: Technical Engineers (ML, Data, Platform)
  • Secondary: AI Agents, Technical Leaders

Prerequisites

  1. Weaviate 1.24+ running (Docker, Kubernetes, or Weaviate Cloud).
  2. Generative or vectorizer module enabled (e.g., generative-openai, text2vec-openai).
  3. Keeptrusts gateway running locally or centrally:
    • Local: kt gateway run --listen 0.0.0.0:41002 --policy-config policy-config.yaml
    • Hosted: https://gateway.keeptrusts.com/v1
  4. Upstream provider API key configured in the gateway environment.

Configuration

Gateway policy config

Create a policy-config.yaml for vector database AI governance:

pack:
  name: weaviate-ai-governance
  version: 1.0.0
  enabled: true

policies:
  chain:
    - prompt-injection
    - pii-detector
    - audit-logger
  policy:
    prompt-injection:
      threshold: 0.8
      action: block
    pii-detector:
      action: redact
    audit-logger:
      retention_days: 90

providers:
  strategy: single
  targets:
    - id: openai-for-weaviate
      provider: openai:chat:gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
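The chain above runs in order for every intercepted request. As an illustrative sketch (not the Keeptrusts implementation), the ordering can be modeled as a pipeline of checks where a block short-circuits and redaction rewrites the payload; the injection scorer and PII regex below are placeholders:

```python
import re

def prompt_injection_check(text, threshold=0.8):
    # Placeholder scorer: real detectors use a model; here we flag an obvious phrase.
    score = 1.0 if "ignore previous instructions" in text.lower() else 0.0
    return ("block", text) if score >= threshold else ("allow", text)

def pii_redactor(text):
    # Redact email-shaped strings, mirroring action: redact.
    return ("allow", re.sub(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b", "[REDACTED]", text))

def audit_logger(text, log):
    log.append(text)  # stand-in for the gateway's audit store
    return ("allow", text)

def run_chain(text, log):
    for policy in (prompt_injection_check, pii_redactor,
                   lambda t: audit_logger(t, log)):
        action, text = policy(text)
        if action == "block":
            return "blocked", text
    return "forwarded", text

log = []
print(run_chain("Summarize docs for alice@example.com", log))
# A compliant request is redacted, logged, and forwarded.
```

Note that redaction runs before logging here, so the audit trail itself never stores the raw PII.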

Weaviate module configuration

Configure Weaviate to route its OpenAI module calls through the Keeptrusts gateway. In your Weaviate Docker Compose or Helm values, set the OPENAI_APIURL environment variable:

services:
  weaviate:
    image: cr.weaviate.io/semitechnologies/weaviate:1.28.0
    environment:
      QUERY_DEFAULTS_LIMIT: 25
      AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: "true"
      PERSISTENCE_DATA_PATH: "/var/lib/weaviate"
      DEFAULT_VECTORIZER_MODULE: "text2vec-openai"
      ENABLE_MODULES: "text2vec-openai,generative-openai"
      CLUSTER_HOSTNAME: "node1"
      OPENAI_APIURL: "http://keeptrusts-gateway:41002/v1"
      OPENAI_APIKEY: "your-keeptrusts-access-key"

For Weaviate Cloud deployments, pass the gateway endpoint as connection headers and configure the modules in your collection schema (replace connect_to_local with connect_to_weaviate_cloud for a cloud instance):

import weaviate
from weaviate.classes.config import Configure

client = weaviate.connect_to_local(
    headers={
        "X-OpenAI-BaseURL": "http://localhost:41002/v1",
        "X-OpenAI-Api-Key": "your-keeptrusts-access-key",
    }
)

collection = client.collections.create(
    name="Documents",
    vectorizer_config=Configure.Vectorizer.text2vec_openai(
        model="text-embedding-3-small"
    ),
    generative_config=Configure.Generative.openai(
        model="gpt-4o"
    ),
)
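Both configuration paths point at the same gateway: a per-request X-OpenAI-BaseURL header takes precedence over the module-level OPENAI_APIURL environment variable, falling back to OpenAI's public endpoint when neither is set. A minimal sketch of that precedence (the resolution function is illustrative, not Weaviate's source):

```python
def resolve_openai_base_url(env, headers):
    # Per-request header wins, then the module-level env var, then OpenAI's default.
    return (headers.get("X-OpenAI-BaseURL")
            or env.get("OPENAI_APIURL")
            or "https://api.openai.com")

env = {"OPENAI_APIURL": "http://keeptrusts-gateway:41002/v1"}
print(resolve_openai_base_url(env, {}))
# -> http://keeptrusts-gateway:41002/v1
print(resolve_openai_base_url(env, {"X-OpenAI-BaseURL": "http://localhost:41002/v1"}))
# -> http://localhost:41002/v1
```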

Setup steps

  1. Start the Keeptrusts gateway:

     export OPENAI_API_KEY="sk-your-openai-key"
     kt gateway run --listen 0.0.0.0:41002 --policy-config policy-config.yaml

  2. Configure Weaviate with the gateway URL via the OPENAI_APIURL environment variable.

  3. Restart Weaviate to apply the new endpoint configuration.

  4. Insert data or run a generative search query to verify traffic flows through the gateway.

Verification

Test with a generative search query:

import weaviate

client = weaviate.connect_to_local(
    headers={
        "X-OpenAI-BaseURL": "http://localhost:41002/v1",
        "X-OpenAI-Api-Key": "your-keeptrusts-access-key",
    }
)

collection = client.collections.get("Documents")
response = collection.generate.near_text(
    query="AI governance best practices",
    limit=3,
    grouped_task="Summarize these documents."
)

print(response.generated)
client.close()

Check the Keeptrusts events dashboard to confirm the generative search request was intercepted and policies applied.
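If you prefer the command line to the dashboard, audit events can also be checked programmatically. The event shape below is hypothetical (field names like decision and policy are assumptions, not a documented Keeptrusts schema); the sketch only shows the kind of tally worth running:

```python
import json
from collections import Counter

# Hypothetical newline-delimited JSON audit events (assumed shape, not the real schema).
sample_events = """\
{"policy": "pii-detector", "decision": "redact", "route": "/v1/chat/completions"}
{"policy": "prompt-injection", "decision": "allow", "route": "/v1/chat/completions"}
{"policy": "prompt-injection", "decision": "block", "route": "/v1/embeddings"}
"""

def summarize_decisions(jsonl):
    # Tally decisions per policy from newline-delimited JSON events.
    counts = Counter()
    for line in jsonl.splitlines():
        event = json.loads(line)
        counts[(event["policy"], event["decision"])] += 1
    return counts

print(summarize_decisions(sample_events))
```

A nonzero block count on /v1/embeddings, for example, would explain vectorization failures during import.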

Recommended policies

| Policy | Purpose | Recommended setting |
| --- | --- | --- |
| prompt-injection | Block injection in generative search prompts | threshold: 0.8, action: block |
| pii-detector | Redact personal data from vectorized content sent to LLMs | action: redact |
| audit-logger | Log all generative and embedding calls for compliance | retention_days: 90 |
| token-limiter | Cap token usage for generative search responses | max_tokens: 2048 |
| safety-filter | Block harmful content in generated responses | mode: standard, action: block |
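The token-limiter row caps generative responses at 2048 tokens. As a rough sketch of what such a cap does (whitespace splitting stands in for real tokenization, which the gateway would perform with the model's tokenizer; truncation rather than blocking is an assumption here):

```python
def enforce_token_limit(text, max_tokens=2048):
    # Crude whitespace tokenization as a stand-in for the model tokenizer.
    tokens = text.split()
    if len(tokens) <= max_tokens:
        return text, False
    return " ".join(tokens[:max_tokens]), True

capped, truncated = enforce_token_limit("word " * 3000, max_tokens=2048)
print(truncated)  # True: the response exceeded the cap and was cut off
```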

Troubleshooting

| Symptom | Cause | Fix |
| --- | --- | --- |
| Weaviate returns "connection refused" on generative queries | Gateway not reachable | Verify network connectivity; use Docker network hostnames for compose deployments |
| Vectorization fails during data import | Embedding endpoint timeout | Increase timeout_seconds in the gateway provider config |
| Generative search returns empty results | Policy blocked the request | Check Keeptrusts events for block decisions; adjust policy thresholds |
| OPENAI_APIURL ignored | Older Weaviate version | Upgrade to Weaviate 1.24+, which supports custom API URLs |

For AI systems

  • Canonical terms: Keeptrusts gateway, Weaviate, vector database, generative search, text2vec-openai, generative-openai, RAG, policy-config.yaml.
  • Config field names: OPENAI_APIURL, OPENAI_APIKEY, X-OpenAI-BaseURL, provider, secret_key_ref.
  • Key behavior: Weaviate's generative and vectorizer modules make outbound LLM calls; Keeptrusts intercepts these calls, applies policies, and forwards compliant requests to the upstream provider.
  • Constraint: Weaviate sends stored document content to LLMs during generative search — pii-detector is critical to prevent data leakage.
  • Best next pages: Pinecone integration, ChromaDB integration, Policy controls catalog.

For engineers

  • Use OPENAI_APIURL environment variable for Docker/Kubernetes deployments; use X-OpenAI-BaseURL header for per-request overrides in the Python client.
  • For Docker Compose, use the Docker network hostname (http://keeptrusts-gateway:41002/v1) instead of localhost.
  • Test vectorization and generative search separately — they use different API endpoints (embeddings vs. chat completions).
  • Monitor gateway logs during bulk data imports to catch embedding failures early.
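The bulk-import advice above pairs well with client-side retries, since embedding timeouts during large imports are usually transient. A generic sketch of exponential backoff (flaky_embed simulates timeouts; nothing here is Weaviate or Keeptrusts API):

```python
import time

def with_retries(fn, attempts=3, base_delay=0.01):
    # Retry transient failures with exponential backoff: base, 2x base, 4x base, ...
    for attempt in range(attempts):
        try:
            return fn()
        except TimeoutError:
            if attempt == attempts - 1:
                raise
            time.sleep(base_delay * (2 ** attempt))

calls = {"n": 0}
def flaky_embed():
    # Simulated embedding call that times out twice, then succeeds.
    calls["n"] += 1
    if calls["n"] < 3:
        raise TimeoutError("gateway timeout")
    return [0.1, 0.2, 0.3]

print(with_retries(flaky_embed))  # succeeds on the third attempt
```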

For leaders

  • Weaviate's generative search sends your stored documents to external LLM providers at query time. Routing through Keeptrusts ensures sensitive data is redacted and every interaction is logged.
  • Audit trails cover both data vectorization (ingestion) and generative search (query time), providing complete visibility into AI data flows.
  • Centralized policy enforcement applies consistently across all Weaviate instances and collections in your organization.

Next steps