SecRouter documentation

SecRouter is a self-hosted, OpenAI-compatible AI gateway that sits in front of your LLMs and enforces governance and cost control on every request: SSO authentication, per-user policy and budgets, deny-by-default egress with a data-classification gate, and a hash-chained, metadata-only audit log.

It’s a drop-in endpoint — point any OpenAI-compatible client at SecRouter, change the base URL, and keep your code.

What it does

Govern — OIDC SSO + MFA, per-user/group model allowlists, deny-by-default egress. Contain spend — per-user token & cost tracking, budgets, rate limits, smart routing. Prove it — tamper-evident audit, mapped to NIST 800-171 R2 / CMMC L3 controls.

Get started

• Install
  • Prerequisites
  • Local dev (security off)
  • Secured test stack (Docker)
  • Production
• Usage
  • Authenticate
  • Make a request
  • Smart routing & overrides
  • Endpoints
  • See your usage
  • Admin console
  • Client integration (OpenAI SDKs)
• Configuration
  • Shape
  • The security block
  • Reload without restart

• Install — run it in dev, as a secured Docker stack, or in production.

• Usage — the API, authentication, the admin console, smart routing.

• Configuration — providers, tiers, and the security block.

The request pipeline

Every call flows through four gates, with usage metered and everything logged:

client ──▶ AuthN ──▶ AuthZ ──▶ route ──▶ egress gate ──▶ authorized model
          (OIDC)    (policy +   (cheapest   (deny-by-default
                     quota)     capable)     + data residency)

If any gate says no, the request never leaves your boundary.