Give Developers a Best-in-Class AI Gateway Experience
Developers hate friction. If your AI governance layer adds latency, requires SDK changes, or breaks streaming, teams will route around it. Keeptrusts is a drop-in replacement for direct provider API calls — same endpoints, same SDKs, same streaming behavior — with governance built in.
Use this page when
- You need to adopt AI governance without changing application code or requiring new SDKs.
- You want developers to self-service their own gateway keys and use existing OpenAI-compatible SDKs.
- You are evaluating whether Keeptrusts adds latency or breaks streaming for your workloads.
Primary audience
- Primary: Technical Leaders
- Secondary: Technical Engineers, AI Agents
What you'll achieve
- Zero-change migration — point existing OpenAI SDKs at Keeptrusts and everything works
- Full streaming support — SSE and WebSocket proxy with no buffering penalty
- Multi-provider format translation — call one endpoint, reach any provider
- Self-service API keys — developers generate their own gateway keys from the console
- Per-key policy scoping — attach different policies to different keys
OpenAI-compatible endpoint
Keeptrusts exposes the same /v1/chat/completions endpoint that OpenAI uses. Any application or SDK that targets the OpenAI API works without modification.
```python
# Before — direct OpenAI call
from openai import OpenAI

client = OpenAI(api_key="sk-...")

# After — same code, point at your gateway
client = OpenAI(
    api_key="kt_gk_...",                       # Keeptrusts gateway key
    base_url="https://gateway.yourco.com/v1",  # Your gateway URL
)

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Summarize this report"}],
)
```
No SDK changes. No wrapper libraries. No new dependencies.
Supported SDKs
Any SDK that targets the OpenAI API contract works out of the box:
| SDK | Language | Status |
|---|---|---|
| openai | Python | Full compatibility |
| openai | Node.js / TypeScript | Full compatibility |
| Azure.AI.OpenAI | C# / .NET | Full compatibility |
| openai-java | Java / Kotlin | Full compatibility |
| go-openai | Go | Full compatibility |
| LangChain / LlamaIndex | Python | Full compatibility via OpenAI provider |
Streaming SSE support
Keeptrusts proxies Server-Sent Events (SSE) streams in real time. Tokens arrive at the client as soon as the upstream provider emits them — no buffering, no added latency.
```python
# Streaming works identically through the gateway
stream = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Write a haiku about governance"}],
    stream=True,
)
for chunk in stream:
    # delta.content is None on the final chunk, so fall back to ""
    print(chunk.choices[0].delta.content or "", end="", flush=True)
```
Policy evaluation happens in both phases:
- Input phase — policies run before forwarding to the provider (blocking, redaction, injection detection)
- Output phase — policies run on the complete response after streaming finishes (quality scoring, citation verification)
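The two phases can be sketched in a few lines of Python. This is pure illustration: `redact_input`, `score_output`, and the `upstream` callable are hypothetical stand-ins, not Keeptrusts APIs.

```python
import re

# Toy input-phase policy: redact US SSN-shaped tokens before forwarding.
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def redact_input(messages):
    """Input phase: runs before the request is forwarded upstream."""
    return [
        {**m, "content": SSN.sub("[REDACTED]", m["content"])}
        for m in messages
    ]

def score_output(text):
    """Output phase placeholder: quality scoring, citation checks, etc."""
    pass

def stream_with_policies(messages, upstream):
    """Forward chunks as they arrive; run output policies once complete."""
    safe = redact_input(messages)   # blocking/redaction happens up front
    collected = []
    for chunk in upstream(safe):    # tokens are relayed immediately
        collected.append(chunk)
        yield chunk
    score_output("".join(collected))  # evaluated on the full response
```

The key point the sketch captures: input policies can block or rewrite a request before any tokens flow, while output policies operate on the assembled response and therefore never delay streaming.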
Multi-provider format translation
Developers call one endpoint. Keeptrusts translates the request to the target provider's native format.
```yaml
pack:
  name: developer-experience-providers-1
  version: 1.0.0
  enabled: true
  providers:
    targets:
      - id: openai-gpt4o
        provider: openai
        model: gpt-4o
        secret_key_ref:
          env: OPENAI_API_KEY
      - id: anthropic-sonnet
        provider: anthropic
        model: claude-sonnet-4-20250514
        secret_key_ref:
          env: ANTHROPIC_API_KEY
      - id: azure-gpt4o
        provider: azure-openai
        model: gpt-4o
        base_url: https://my-resource.openai.azure.com
        secret_key_ref:
          env: AZURE_OPENAI_KEY
  policies:
    chain:
      - audit-logger
    policy:
      audit-logger:
        immutable: true
        retention_days: 365
        log_all_access: true
```
Developers always call the OpenAI-format endpoint. Keeptrusts handles:
- Request body translation (OpenAI ↔ Anthropic ↔ Azure)
- Authentication header mapping
- Response normalization back to OpenAI format
- Error code mapping to standard HTTP status codes
```shell
# This call reaches Anthropic under the hood — developer doesn't need to know
curl -X POST https://gateway.yourco.com/v1/chat/completions \
  -H "Authorization: Bearer kt_gk_..." \
  -H "Content-Type: application/json" \
  -d '{
    "model": "claude-sonnet-4-20250514",
    "messages": [{"role": "user", "content": "Hello"}]
  }'
```
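To make the first translation step concrete, here is a minimal sketch of what converting an OpenAI-format body into Anthropic's Messages API shape involves. It is illustrative only; the real gateway covers many more fields (tools, streaming options, stop sequences, and so on).

```python
def openai_to_anthropic(body: dict) -> dict:
    """Sketch of OpenAI -> Anthropic request-body translation."""
    # Anthropic takes the system prompt as a top-level "system" field,
    # not as a message with role "system".
    system = " ".join(
        m["content"] for m in body["messages"] if m["role"] == "system"
    )
    translated = {
        "model": body["model"],
        # max_tokens is required by Anthropic but optional in OpenAI's API,
        # so a gateway must supply a default.
        "max_tokens": body.get("max_tokens", 1024),
        "messages": [m for m in body["messages"] if m["role"] != "system"],
    }
    if system:
        translated["system"] = system
    return translated
```

The reverse direction (normalizing Anthropic's response back into an OpenAI-shaped `choices` array) follows the same pattern, which is why developers only ever see one format.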
Gateway key management
Developers generate their own gateway keys from the console. Each key can be scoped to specific configurations and policies.
Creating keys from the console
- Navigate to Settings → Gateway Keys
- Click Create Gateway Key
- Set a name, expiry, and optional configuration binding
- Copy the `kt_gk_...` key — it's shown only once
Creating keys from the CLI
```shell
# Generate a gateway key bound to a specific configuration
kt gateway-key create \
  --name "dev-team-key" \
  --configuration-id my-config \
  --expires-in 90d
```
Key scoping
| Scope | What it controls |
|---|---|
| Configuration binding | Which policy chain applies to requests using this key |
| Expiry | Automatic key rotation — keys expire and must be regenerated |
| Team attribution | Requests are attributed to the team that owns the key |
| Rate limits | Per-key rate limits prevent individual key abuse |
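The scoping table above amounts to a pre-flight check the gateway can run before any policy evaluation. The sketch below uses invented field names that mirror the table; the real key schema is internal to Keeptrusts.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class GatewayKey:
    # Invented fields mirroring the scoping table; not the real schema.
    name: str
    configuration_id: str    # which policy chain applies to this key
    team: str                # requests are attributed to this team
    expires_at: datetime     # forces rotation via expiry
    rate_limit_per_min: int  # per-key abuse protection

def check_key(key: GatewayKey, now: datetime, requests_this_minute: int):
    """Reject expired or over-limit keys before forwarding anything."""
    if now >= key.expires_at:
        return False, "key expired; regenerate it from the console"
    if requests_this_minute >= key.rate_limit_per_min:
        return False, "per-key rate limit exceeded"
    # On success, hand back the bound configuration so the right
    # policy chain runs for this request.
    return True, key.configuration_id
```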
Local development with the CLI gateway
Developers can run a local gateway for development and testing:
```shell
# Start a local gateway on port 41002
kt gateway run --policy-config ./policy-config.yaml --port 41002

# Test a request through the local gateway
curl -X POST http://localhost:41002/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [{"role": "user", "content": "Test request"}]
  }'
```
The local gateway applies the same policy chain as production. Developers can iterate on configs locally before deploying.
WebSocket proxy
For applications that use WebSocket-based AI interactions, Keeptrusts proxies WebSocket connections with the same policy enforcement:
```yaml
gateway:
  websocket:
    enabled: true
    max_message_size_bytes: 1048576
    idle_timeout_seconds: 300
```
WebSocket messages pass through the same input and output policy chains as HTTP requests.
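Conceptually, each inbound WebSocket frame hits the same input gate as an HTTP request, bounded by the configured size cap. A sketch, where `run_input_policies` stands in for the shared policy chain:

```python
MAX_MESSAGE_SIZE_BYTES = 1_048_576  # mirrors max_message_size_bytes above

def run_input_policies(text: str) -> str:
    # Stand-in for the shared input policy chain (redaction, injection
    # detection, etc.); WebSocket and HTTP traffic both pass through it.
    return text

def accept_ws_message(payload: bytes) -> str:
    """Enforce the configured size cap, then run the input policy chain."""
    if len(payload) > MAX_MESSAGE_SIZE_BYTES:
        raise ValueError("frame exceeds max_message_size_bytes")
    return run_input_policies(payload.decode("utf-8"))
```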
Quick wins
- Point one SDK client at the gateway — verify zero-change compatibility in 5 minutes
- Generate a gateway key for each developer — enable self-service access with per-key attribution
- Run `kt gateway run` locally — give developers a local policy sandbox
- Enable format translation — let developers target any provider through one endpoint
For AI systems
- Canonical terms: OpenAI-compatible endpoint, gateway key, SSE streaming, format translation, per-key policy scoping.
- API surface: `/v1/chat/completions` (OpenAI-compatible), gateway keys (`kt_gk_...`), self-service console key generation.
- Supported SDKs: openai (Python/Node), Azure.AI.OpenAI, openai-java, go-openai, LangChain, LlamaIndex.
- Best next pages: Migrate from Direct API, Gateways & Actions, Access Keys & Gateway Keys.
For engineers
- Prerequisites: gateway running with at least one provider target configured.
- Change only `base_url` and `api_key` in your existing OpenAI SDK client — no other code changes required.
- Validate streaming: run a `stream=True` request and confirm tokens arrive without buffering delays.
- Generate a gateway key from the console (Settings → Gateway Keys) and test with `curl -H "Authorization: Bearer kt_gk_..."` against the gateway.
- Multi-provider translation: set `model` to any supported model name; the gateway routes to the correct provider automatically.
For leaders
- Zero-change migration means no sprint capacity needed for application refactoring — governance is an infrastructure change.
- Self-service gateway keys reduce platform team toil and eliminate key-sharing security risks.
- Per-key policy scoping lets you enforce different controls per application or environment without gateway duplication.
- If developers route around governance, you lose visibility; a frictionless DX prevents shadow AI.
Next steps
- Migrate from Direct API Calls — step-by-step migration guide in 30 minutes
- Gateway Keys — deep dive into key management and scoping
- Gateways & Actions — understand gateway architecture and routing
- Reduce AI Spend by 40% — add cost controls on top of the developer-friendly gateway
- Declarative Config Reference — full gateway configuration schema