Skip to main content

Security And Governance

GenAI Smart Router centralizes caller access, provider credentials, admin access, telemetry boundaries, license enforcement, and optional content governance so applications and agent clients do not handle provider keys directly.

Governance Layers

LayerPurpose
Caller tokensAuthenticate application and agent traffic, bind public caller metadata, and limit allowed model groups.
Model-group allow listsPrevent callers from requesting groups outside their contract or project scope.
Quotas and budgetsEnforce RPM, TPM, concurrency, traffic shaping, daily/monthly token limits, and spend controls before upstream calls.
Admin authenticationProtect browser/admin endpoints with Basic Auth or OIDC when enabled by the deployment.
Casbin authorizationAuthorize admin/report/security/content actions by subject, object, and action.
Metrics isolationKeep /metrics restricted to metrics-admin callers.
PII filteringRedact configured text before target selection, cache-key generation, policy inputs, and upstream calls.
License enforcementGate licensed capabilities with safe status surfaces and caller-visible license-* errors.

Data Handling Boundaries

Public and hosted docs should use placeholder tokens, placeholder hosts, and sample model group names only. Operational diagnostics and reports must not expose raw provider keys, raw router tokens, token hashes, raw prompts, raw images, raw tool outputs, full upstream headers, full config files, private signing keys, or full license payloads.