Ingate is an all-in-one AI gateway for enterprise that sits between your applications and LLM providers. It combines a transparent proxy, full observability, prompt versioning, automated evaluations, provider fallback, response caching, guardrails, budget controls, and security governance in a single platform. No SDK required, no code changes needed.

Why use an AI gateway instead of separate tools?

Most AI infrastructure requires stitching together separate tools for observability, prompt management, evaluation, and request routing. Each tool adds its own SDK, configuration, and data silo. An all-in-one gateway like Ingate gives you a single integration point: one base URL change, and you get logging, evals, prompts, caching, guardrails, and budget controls working together. No SDK, no glue code, no data fragmentation.

Does Ingate require an SDK?

No. Ingate works with any HTTP client in any language. Change your base URL to point at Ingate and your existing OpenAI, Anthropic, or custom LLM code works unchanged. Ingate auto-detects the provider from the request path, so most integrations don't even need an extra header. Setup takes under 5 minutes.

What features does Ingate include?

Ingate includes: transparent proxy with SSE streaming, provider fallback, format translation (OpenAI Chat, Responses API, and Anthropic), response caching, PII redaction, prompt injection detection, 14 built-in evaluators, versioned prompt registry, interactive playground, datasets, session tracking, cost tracking, budget controls, audit logging, HMAC-signed webhooks, scoped API keys with rotation, multi-tenant RBAC, REST ingestion API, OpenTelemetry receiver, and Bring Your Own Storage (BYOS).

How does Ingate handle security?

Provider API keys are encrypted with AES-256-GCM at rest. API keys are stored as SHA-256 hashes and never logged. Ingate supports scoped keys with per-provider and per-model restrictions, zero-downtime key rotation, PII redaction on request bodies, prompt injection detection, SSRF protection on outbound requests, and a complete audit log of administrative actions. Auth endpoints are rate-limited to prevent brute-force attacks.

What plans does Ingate offer?

Ingate offers two plans. The Free plan includes the transparent proxy, SSE streaming, request logging, a 7-day retention period, and a built-in dashboard. The Enterprise plan adds prompt versioning, evaluations, datasets, playground, provider fallback, format translation, response caching, PII redaction, guardrails, webhooks, audit log, budget controls, cost tracking, Prometheus metrics, BYOS, custom retention, and a 99.9% uptime SLA.

Configuration

All Ingate configuration is managed through the cloud dashboard. No config files, no CLI flags, no self-hosting.

Overview

Ingate is a fully managed cloud service. All configuration is done through the Ingate Dashboard at app.ingateai.com or programmatically via the Management API. There are no config files to edit, no CLI flags to set, and no infrastructure to manage.

This page covers every configuration surface available in the dashboard, organized by section. Settings marked Enterprise require an Enterprise plan.

Getting started

New to Ingate? Start with Quick Start to create your account and make your first proxied request in under two minutes.

Providers

Configure your upstream LLM providers in Dashboard → Providers. Each provider defines a target API that Ingate proxies requests to.

Provider Settings

Setting	Description
Name	Unique identifier used in `X-Ingate-Provider` header (e.g. `openai`, `anthropic`)
Base URL	Upstream API base URL (e.g. `https://api.openai.com`)
Auth Mode	API Key: Ingate injects your stored key. Passthrough: the caller supplies their own key.
API Key	Your provider API key (stored encrypted, only used in API Key auth mode)
Default Provider	When enabled, requests without an `X-Ingate-Provider` header route here
Enabled / Disabled	Toggle a provider on or off without deleting its configuration

Adding a Provider

Navigate to Dashboard → Providers → Add Provider
Enter a name, base URL, and select an auth mode
If using API Key mode, paste your provider's API key
Optionally mark it as the default provider
Click Save

Once configured, route requests to the provider using the header:

bash

curl https://api.ingateai.com/v1/chat/completions \
  -H "X-Ingate-Key: sk-ingate-your-key" \
  -H "X-Ingate-Provider: openai" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4o-mini", "messages": [{"role": "user", "content": "Hello"}]}'

Auth modes

Use API Key mode when your team shares a single provider account. Ingate injects the stored key so callers never see it. Use Passthrough mode when each caller has their own provider credentials.

Team & Access

Manage your organization, team members, API keys, and permissions in Dashboard → Settings.

Organization Settings

Org name & slug: display name and URL-safe identifier
Plan: view your current plan (Free or Enterprise)
Billing: manage payment methods and invoices (Enterprise)

Team Management

Invite team members by email. Each member is assigned a role that controls their access level across the dashboard and API.

Role	Permissions
Owner	Full access. Billing, org deletion, role management. One per org.
Admin	Manage providers, keys, team members, and all settings. Cannot delete org.
Member	View providers and logs. Create and manage their own API keys.
Viewer	Read-only access to logs, analytics, and dashboards.

API Key Management

Create and manage API keys in Dashboard → API Keys. Each key can be named, scoped to specific providers or models, and optionally assigned to an app.

Create keys with descriptive names (e.g. "Production Backend", "Staging")
Scope keys to limit access to specific providers or models
Rotate keys with configurable overlap periods for zero-downtime rotation
Revoke keys instantly. The change takes effect immediately

Key visibility

API keys are shown only once at creation. Copy and store them securely. They cannot be retrieved from the dashboard later.

You can also manage keys programmatically. See Authentication for API details.

Rate Limiting

Configure per-key rate limits in Dashboard → API Keys → Rate Limits. Rate limits protect your upstream providers from excessive usage and help enforce fair access across teams and applications.

Settings

Setting	Description
Requests per minute	Maximum number of requests a single API key can make per minute
Enabled / Disabled	Toggle rate limiting per key without changing the limit value

When a key exceeds its rate limit, Ingate returns a 429 Too Many Requests response with a Retry-After header:

json429 Response

{
  "error": "rate_limit_exceeded",
  "message": "Rate limit exceeded for this key",
  "retry_after_seconds": 12
}

Default limits

Keys created on the Free plan default to 60 requests/minute. Enterprise plans can set custom limits per key.

Provider Fallback

Configure automatic provider fallback chains in Dashboard → Providers → Fallback. When a primary provider returns an error or times out, Ingate automatically retries the request with the next provider in the chain.

Enterprise feature

Provider fallback is available on Enterprise plans.

Settings

Setting	Description
Fallback chain	Ordered list of providers to try (e.g. OpenAI → Anthropic → Azure OpenAI)
Max retries	Maximum number of fallback attempts before returning an error (default: 1)
Trigger conditions	HTTP status codes that trigger fallback (default: 429, 500, 502, 503, 504)

How It Works

A request targets the primary provider (e.g. openai)
The provider returns a triggering error (e.g. 503 Service Unavailable)
Ingate replays the request to the next provider in the fallback chain
The response includes an X-Ingate-Fallback: true header so you know fallback was used

Model compatibility

Fallback works best when providers support compatible models. If you fall back from OpenAI to Anthropic, ensure your request uses the X-Ingate-Translate header so Ingate can translate the request format automatically.

Data Retention

Configure how long Ingate retains request logs, eval results, and analytics data in Dashboard → Settings → Data Retention.

Data Type	Free Plan	Enterprise Plan
Request logs	7 days	Configurable (up to unlimited)
Eval results	7 days	Configurable (up to unlimited)
Analytics / metrics	7 days	Configurable (up to unlimited)
Audit log	30 days	Configurable (up to unlimited)

Data older than the retention period is automatically purged. Enterprise customers can set retention per data type and choose to retain data indefinitely.

BYOS for full control

Need unlimited retention and full data sovereignty? Bring Your Own Storage lets you connect your own PostgreSQL database. You control the data lifecycle entirely.

Webhooks

Configure webhook endpoints in Dashboard → Settings → Webhooks to receive real-time notifications when events occur in your Ingate organization.

Settings

Setting	Description
Endpoint URL	HTTPS URL that receives webhook POST requests
Events	Which event types to subscribe to
Secret	HMAC signing secret for verifying webhook authenticity
Enabled / Disabled	Toggle a webhook without deleting it

Event Types

Event	Description
`request.completed`	A proxied request completed successfully
`request.failed`	A proxied request failed (upstream error)
`budget.soft_limit`	A budget soft limit was reached (Enterprise)
`budget.hard_limit`	A budget hard limit was hit, requests blocked (Enterprise)
`key.created`	A new API key was created
`key.revoked`	An API key was revoked
`provider.fallback`	A request was rerouted via provider fallback (Enterprise)

Webhook Payload

Each webhook delivery is a signed POST request with a JSON body:

jsonWebhook payload

{
  "id": "evt_abc123",
  "type": "request.completed",
  "timestamp": "2026-04-04T11:15:00Z",
  "org_id": "org_xyz",
  "data": {
    "request_id": "req_def456",
    "provider": "openai",
    "model": "gpt-4o-mini",
    "status": 200,
    "latency_ms": 842,
    "tokens_in": 52,
    "tokens_out": 128
  }
}

Verify webhook signatures using the X-Ingate-Signature header. The signature is an HMAC-SHA256 hex digest of the raw request body using your webhook secret.

pythonverify_webhook.py

import hmac
import hashlib

def verify_signature(payload: bytes, signature: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode(), payload, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, signature)

Budget Controls

Set spending limits per organization, app, or API key in Dashboard → Budgets. Budgets track estimated spend based on token usage and provider pricing.

Enterprise feature

Budget controls are available on Enterprise plans. See Budget Controls for full documentation.

Settings

Setting	Description
Scope	Organization, app, or individual API key
Soft limit	Dollar threshold that triggers a warning webhook and dashboard alert
Hard limit	Dollar threshold that blocks further requests until the next reset
Reset period	Monthly (resets on the 1st) or custom billing cycle

When a hard limit is reached, proxied requests return 429 with a budget_exceeded error until the budget resets or the limit is raised.

Response Caching

Enable response caching in Dashboard → Settings → Caching to reduce latency and cost for repeated identical requests.

Enterprise feature

Response caching is available on Enterprise plans. See Response Caching for full documentation.

Settings

Setting	Description
Enabled / Disabled	Toggle caching for your organization
TTL (minutes)	How long cached responses are valid (default: 10 minutes)

Caching applies only to deterministic requests (temperature: 0). Cached responses include an X-Cache: HIT header. Cache misses are forwarded to the upstream provider and the response is stored for subsequent requests.

PII Redaction

Configure automatic PII redaction rules in Dashboard → Settings → PII Redaction. When enabled, Ingate scans request and response bodies and redacts sensitive information before it reaches the upstream provider or is stored in logs.

Enterprise feature

PII redaction is available on Enterprise plans.

Settings

Setting	Description
Enabled / Disabled	Toggle PII redaction for your organization
Redaction mode	Mask: replace with `[REDACTED]`. Hash: replace with a deterministic hash.
Entity types	Select which PII types to redact
Scope	Requests only, Responses only, or Both

Supported Entity Types

Entity	Example
Email addresses	`alice@example.com` → `[REDACTED_EMAIL]`
Phone numbers	`+1-555-123-4567` → `[REDACTED_PHONE]`
Credit card numbers	`4111-1111-1111-1111` → `[REDACTED_CC]`
Social security numbers	`123-45-6789` → `[REDACTED_SSN]`
IP addresses	`192.168.1.1` → `[REDACTED_IP]`
API keys / secrets	`sk-abc123...` → `[REDACTED_KEY]`

Compliance

PII redaction helps meet GDPR, HIPAA, and SOC 2 requirements by ensuring sensitive data never reaches third-party LLM providers or persists in logs.

Bring Your Own Storage (BYOS)

Connect your own PostgreSQL database in Dashboard → Settings → Storage. With BYOS, all request logs, eval results, and analytics data are stored in your infrastructure instead of Ingate's hosted database.

Enterprise feature

BYOS is available on Enterprise plans. See Bring Your Own Storage for full documentation.

Settings

Setting	Description
PostgreSQL connection URL	Connection string to your database (stored encrypted)
SSL mode	Required, preferred, or disabled

Setup

Navigate to Dashboard → Settings → Storage
Enter your PostgreSQL connection URL
Click Test Connection: Ingate validates connectivity and permissions
Click Enable BYOS: Ingate runs migrations on your database and begins routing data

Requirements

Your PostgreSQL instance must be accessible from Ingate's infrastructure (allow-listed IPs are shown in the dashboard). The database user must have permission to create tables and indexes.

Configuration Summary

Quick reference for where to find each setting in the dashboard:

Feature	Dashboard Location	Plan
Providers	Dashboard → Providers	All
API Keys	Dashboard → API Keys	All
Team Members	Dashboard → Settings → Team	All
Rate Limiting	Dashboard → API Keys → Rate Limits	All
Data Retention	Dashboard → Settings → Data Retention	All (limits on Free)
Webhooks	Dashboard → Settings → Webhooks	All
Provider Fallback	Dashboard → Providers → Fallback	Enterprise
Budget Controls	Dashboard → Budgets	Enterprise
Response Caching	Dashboard → Settings → Caching	Enterprise
PII Redaction	Dashboard → Settings → PII Redaction	Enterprise
BYOS	Dashboard → Settings → Storage	Enterprise