Organizations & Teams

Multi-tenant hierarchy: organizations contain teams, apps, providers, and API keys. Each org has isolated data and independent configuration.

Overview

Ingate is built around organizations as the unit of tenancy. Every resource (logs, prompts, evals, providers, API keys, budgets) belongs to an organization. Data is fully isolated between orgs.

Organizations have a plan (free or enterprise) that determines which features are available. Keys belong to orgs, and entitlements flow from key → org → plan → features. Feature enforcement happens in middleware, not scattered checks.

Hierarchy

Organization
├── Members (users with roles)
├── Teams (logical groupings)
├── Apps (services / projects)
│   └── API Keys (scoped to app)
├── Providers (LLM backends)
├── Prompts
├── Evals
├── Datasets
├── Budgets
└── Webhooks

Cloud-only platform

Ingate is a fully managed cloud service. There is no self-hosted or on-premise deployment. All organizations, data, and configuration live on Ingate's infrastructure at api.ingateai.com.

Organizations

An organization is created automatically when a user signs up. The creating user becomes the owner with full administrative access.

Organization Properties

FieldDescription
idUUID, auto-generated unique identifier
slugURL-safe short name (e.g. acme-corp)
nameDisplay name
planfree or enterprise

Manage Organization

bash
# Get current org details (requires admin role)
curl https://api.ingateai.com/api/v1/org \
  -H "Authorization: Bearer <token>"

# Update org settings
curl -X PUT https://api.ingateai.com/api/v1/org \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "Acme Corp"}'

Providers

Providers represent the LLM backends your organization routes requests to, such as OpenAI, Anthropic, Azure OpenAI, Ollama, or any custom HTTP endpoint. Manage providers in Dashboard → Providers.

Adding a Provider

Navigate to Dashboard → Providers → Add Provider. Each provider needs a name, base URL, and auth mode:

FieldDescription
nameUnique identifier within the org (e.g. openai, azure-gpt4)
base_urlUpstream API base URL
auth_modeapi_key (Ingate manages the key) or passthrough (client sends own credentials)
api_keyProvider API key, encrypted with AES-256-GCM at rest (API Key mode only)
auth_headerCustom auth header name (default: Authorization)
auth_schemePrefix before key value (default: Bearer)
bash
# Add a provider via API
curl -X POST https://api.ingateai.com/api/v1/providers \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "openai",
    "base_url": "https://api.openai.com",
    "auth_mode": "api_key",
    "api_key": "sk-proj-your-openai-key"
  }'

Editing & Deleting Providers

bash
# Update a provider
curl -X PUT https://api.ingateai.com/api/v1/providers/openai \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"base_url": "https://api.openai.com", "api_key": "sk-proj-new-key"}'

# Delete a provider
curl -X DELETE https://api.ingateai.com/api/v1/providers/openai \
  -H "Authorization: Bearer <token>"

Deleting active providers

Deleting a provider that is currently in use by API keys or fallback chains will cause those requests to fail. Reassign keys and update fallback chains before deleting.

Default Provider

One provider can be marked as the default for your org. The default is used when a request has no X-Ingate-Provider header and path auto-detection doesn't match.

bash
# Set default provider
curl -X PUT https://api.ingateai.com/api/v1/providers/default \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"provider_name": "openai"}'

Provider Limits

Free plans support up to 3 providers. Enterprise plans have unlimited providers. See Plans & Feature Gating below for the full comparison.

Auto-detection

Ingate automatically detects the target provider from the request path. Standard OpenAI and Anthropic paths work without any header. See the Providers page for the full auto-detection table and priority chain.

Teams

Teams are logical groupings within an organization. Use them to segment usage analytics and organize members.

bash
# Create a team
curl -X POST https://api.ingateai.com/api/v1/teams \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "Backend Team", "description": "Backend services team"}'

# List teams
curl https://api.ingateai.com/api/v1/teams \
  -H "Authorization: Bearer <token>"

Apps

Apps represent distinct services or projects that use the gateway. Each app can have its own API keys, and usage is tracked per-app for analytics and budget enforcement.

bash
# Create an app
curl -X POST https://api.ingateai.com/api/v1/apps \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "Customer Support Bot", "description": "Production chatbot"}'

# List apps
curl https://api.ingateai.com/api/v1/apps \
  -H "Authorization: Bearer <token>"

App-scoped API keys

When you create an API key and bind it to an app, all requests made with that key are automatically attributed to the app in logs, analytics, and budget tracking.

Plans & Feature Gating

Each organization has a plan that determines which features are available. The Free plan is designed to be fully functional for development and small-scale production. You get the complete proxy, logging, prompt management, eval engine, and analytics out of the box. Enterprise unlocks advanced operational features like fallback chains, guardrails, caching, and extended retention.

Features gated to the Enterprise plan return 403 with error_code: "plan_required" when accessed from a Free org.

FeatureFreeEnterprise
Transparent proxy + streaming
Request logging + dashboard
Prompt registry & versioning
Eval engine (14 evaluators)
Datasets & Playground
Session & user tracking
Usage analytics
Provider auto-detection
Provider fallback chains
Format translation
PII redaction & guardrails
Response caching
Webhooks
Audit log
Budget controls
Cost tracking
Prometheus metrics
Per-key rate limits
BYOS (Bring Your Own Storage)
Providers3 maxUnlimited
API keys per org5100
Log retention7 daysCustom (up to unlimited)
Priority support
Custom SLA

Generous free tier

The Free plan includes everything you need to ship an LLM-powered product: transparent proxy, streaming, prompt management, the full eval engine with all 14 evaluators, datasets, playground, session tracking, and usage analytics. Upgrade to Enterprise when you need advanced operational controls like fallback chains, guardrails, caching, and custom retention.

Check Entitlements

Query the entitlements endpoint to see which features your org's plan includes. Use this to conditionally enable UI features or validate access before making gated API calls.

bash
# View current org's entitlements
curl https://api.ingateai.com/api/v1/auth/entitlements \
  -H "Authorization: Bearer <token>"
jsonResponse (200 OK)
{
  "org_id": "org-uuid",
  "plan": "free",
  "entitlements": {
    "proxy": true,
    "streaming": true,
    "logging": true,
    "prompts": true,
    "evals": true,
    "datasets": true,
    "playground": true,
    "sessions": true,
    "usage_analytics": true,
    "provider_auto_detection": true,
    "provider_fallback": false,
    "format_translation": false,
    "pii_redaction": false,
    "guardrails": false,
    "caching": false,
    "webhooks": false,
    "audit_log": false,
    "budget_controls": false,
    "cost_tracking": false,
    "prometheus_metrics": false,
    "per_key_rate_limits": false,
    "byos": false,
    "priority_support": false,
    "custom_sla": false
  },
  "limits": {
    "max_providers": 3,
    "max_api_keys": 5,
    "log_retention_days": 7
  }
}

Entitlement flow

Entitlements are resolved from the chain: API key → org → plan → features. Feature enforcement happens in middleware. Gated features return 403 plan_required before the request reaches any handler.
Previous
Playground
Next
Authentication