LLM Gateway
Authenticated, OpenAI-API-compatible reverse proxy that routes LLM requests across multiple backends — with OIDC login, per-user API tokens, RBAC-gated server-side tools, and a built-in chat UI. Self-hostable, one binary, SQLite for state.
Contents
- What it does
- Tools the model can call
- The built-in web UI
- Scheduled actions
- Conversation compaction
- Integrations (per-user MCP connectors)
- Quick start (local development)
- Configuration
- Using the gateway
- Production deployment (container + systemd)
- Documentation
- Contributing
- License
What it does
- OpenAI-compatible API —
POST /v1/chat/completions(streaming + non-streaming),POST /v1/embeddings,POST /v1/images/generations+POST /v1/images/edits,POST /v1/audio/transcriptions, andGET /v1/models. Point any OpenAI SDK at it. - Multi-backend routing — named upstream pools (
chat/transcription/embedding/imagekinds). Each pool load-balances across its backends (round-robin or least-in-flight) with per-backend health probes. Models are discovered live from each backend's/modelsendpoint, so loading a model on a backend makes it routable with no config change. - Model aliases + fallback — give clients a stable name (
alias = ["qwen"]on a backend) that routes to whatever real model is loaded, so swapping the model needs no client change; the same alias on several backends is a load-balanced group. Optional fallbacks cover an unknown model name ([fallback].<kind>) or a known model whose backends are all down (fallback_offline). Seedocs/upstreams.md. - OIDC login — browser sign-in against your identity provider; the gateway then issues its own
gwk_…API tokens. Provider secrets come only from the environment. - Per-user tokens + RBAC — tokens are SHA-256-hashed at rest and revocable. Roles (mapped from OIDC claims) gate which models and server-side tools each user may use.
- Server-side tools — the gateway runs tools mid-completion (web search, fetch-URL, document rendering, code execution, RAG, network lookups, and more); the client just sees a normal completion. Full list in Tools the model can call.
- Chat UI — a server-rendered, mobile-friendly chat at
/chatwith persisted multi-conversation history, token-by-token streaming, file attachments, voice dictation, shareable/exportable conversations, and resume-on-reconnect (every turn is written to SQLite as it happens). - RAG — operator-managed, indexed codebases that the chat model can search.
- Agent Skills — drop a
SKILL.mdbundle (or.skillarchive) in and the chat model loads it on demand to follow your house style, brand, or domain playbooks — progressive disclosure, no fine-tuning. Upload, view, and delete them at/admin/skills, live (no restart), RBAC-gated per role. See Agent Skills. - Scheduled actions — per-user prompts that run on a cron schedule (hourly / daily / weekly / monthly, or a raw cron expression), each evaluated in its own timezone. A friendly builder assembles the cron and shows the next run times live; every fire opens a chat you can read back in the UI — a fresh one each time, or (optionally) continuing the previous run's conversation as history. See Scheduled actions.
- Integrations (per-user MCP connectors) — an admin-curated catalog of MCP servers (Google Workspace, GitHub, Atlassian, GitLab, …) that each user connects to with their own account at
/integrations. OAuth (with dynamic client registration where supported) or a user-supplied token; tokens are encrypted at rest and refreshed in the background. The connected servers' tools then become available to the model, scoped to that user's own permissions. See Integrations.
Tools the model can call
This is the part most "OpenAI-compatible proxy" projects don't have. The gateway can execute tools server-side, in the middle of a completion: the model asks to search the web, read a PDF you attached, render a branded PDF, run code in a throwaway sandbox, or query an indexed codebase — the gateway runs it, feeds the result back, and the client just receives one ordinary completion with the finished answer. It works identically through the raw /v1/chat/completions API and the built-in chat UI.
Every tool is RBAC-gated per role, and each user can flip their own grants on and off on the /tools page:
| Category | Tools | What the model can do |
|---|---|---|
| Web & retrieval | search_web, fetch_url, wikipedia |
Search the web (SearXNG or Brave), fetch any URL (text → UTF-8, images → viewable, other binary → metadata), and pull encyclopedic summaries. |
| Documents | fetch_attachment, upload_attachment, typst_* |
Read files the user attached — including two-tier PDF reading (extract the text layer first; rasterize scanned pages for a vision model if that comes back empty) — attach files back into its own reply, and render PDF/PNG documents from operator-defined Typst templates (invoices, letters, reports). |
| Document canvas | create_document, edit_document, … |
Build up a long document (report, spec, article) across turns and edit it section-by-section in a live side panel, then export it to PDF/DOCX/PPTX — instead of regenerating the whole thing every reply. See docs/file-conversions.md. |
| Images | generate_image, edit_image |
Generate an image from a text prompt (diagrams, mockups, marketing visuals) and, where the backend supports it, edit an existing image (image-to-image) — rendered inline in the reply. Routes to an image-kind upstream pool (any OpenAI /images/*-compatible backend: a hosted provider or a self-hosted model). edit_image appears only when a backend advertises edit support, and is refused against non-GDPR-compliant backends. |
| Code & sandbox (opt-in) | run_in_sandbox, generate_document, convert_document, capture_webpage, render_typst, … |
Run Python/shell in an isolated, single-use VM (data crunching, format conversion, plotting), turn Markdown into PDF/DOCX/PPTX, convert between office/PDF/image formats, screenshot a web page, and render Typst or Excalidraw. Enabled by the [sandbox] block — see docs/sandbox.md and docs/file-conversions.md. |
| Memory | remember, recall |
Persist durable facts about the user (preferences, projects) and recall them in later conversations. |
| Network & ops | dns_lookup, whois_lookup, tls_cert, lookup_ip |
DNS-over-HTTPS records, RDAP domain registration, TLS-certificate inspection ("is this cert about to expire?"), and GeoIP for any IP or hostname. |
| Location | get_user_location |
Use the approximate IP-based location that's always in context, or ask the browser for precise GPS when the task needs it. |
| Utility | convert_currency, get_current_timestamp, company_echo |
Convert currencies at daily ECB rates, get the timezone-aware current time, and echo a message back verbatim (company_echo is a built-in smoke test for the tool-call loop). |
| Knowledge base | rag_list_collections, rag_search |
Search operator-indexed codebases/corpora and get back the matching chunks with file paths, line ranges, and scores. |
| Integrations | mcp__<server>__* |
Call the tools of any bridged MCP server. Each server's tools are namespaced so two servers can't collide. |
| Skills | read_skill |
Load an operator-installed skill — brand guidelines, house style, domain playbooks — then apply it: pull the SKILL.md, then any referenced asset (e.g. an SVG to inline). |
Tools turn themselves on. Tools start off to keep the model's tool list short — short lists are cheaper and the model picks tools more accurately. When a request needs a capability the model doesn't currently have, it calls a built-in enable_tools tool to switch the relevant ones on; their real schemas appear on the next turn and stay on for the rest of the conversation. So the model reaches for exactly what it needs, when it needs it, without the operator wiring per-conversation tool lists — all still bounded by what the user's role permits.
The built-in web UI
Beyond /chat, the gateway ships a small operator and account UI — no separate dashboard to deploy. Admin pages are gated to the admin role.
The UI is fully localized — English, German, French, Spanish, Russian, and Chinese. Switch languages from the flag icon in the sidebar (or on the login page); the choice is stored in a cookie, so it applies immediately and persists across sessions.
![]() |
![]() |
Backends (/admin/backends) — live health, in-flight load, and discovered models for every upstream pool. |
RAG (/rag) — index a codebase from a git URL and watch it go from pending to ready. |
There's also /tokens (mint, rotate, and revoke your gwk_… API tokens — and scope each token to a subset of your tools), /usage (your own request/token usage), /memory (view and edit what the assistant has remembered about you), /scheduled (prompts that run on a cron schedule — see Scheduled actions), /admin/models (server-wide sampling defaults, per-model reasoning budgets, and per-model context windows that drive conversation compaction), and /admin/users (registered users with their resolved roles). The users page can also let an admin impersonate another user for debugging — every impersonation is audited and shows a persistent banner. Impersonation is opt-in: it's off unless you set [gateway].allow_impersonation = true (default false), in which case the Impersonate buttons appear and POST /admin/users/impersonate is accepted; otherwise the buttons are hidden and that endpoint returns 403.
The /chat page itself does more than stream replies: fork a conversation, share it via a public link, pin favourites, export to Markdown or PDF, edit-and-retry a turn, dictate with the voice button, and set per-conversation reasoning effort. See docs/ui.md.
Scheduled actions
Every signed-in user can have prompts run automatically on a schedule at /scheduled — a daily standup digest, a weekly repo summary, an hourly health check. Each scheduled action is just a saved prompt plus a model, a schedule, and a timezone; when it fires, the gateway opens a chat session driven by the same engine as the interactive /chat page, so the result lands as an ordinary conversation you can open and read afterward. By default each run starts a fresh conversation; turn on reuse and each run instead continues the previous run's chat — replaying the last few rounds as history — so the model builds on what it said last time. Schedules are per-user and private (scoped by user, behind the normal session login — no admin role needed).
The schedule builder. Pick Hourly, Daily, Weekly, Monthly, or Advanced. The friendly modes expose just the fields they need (a minute; a time; weekday checkboxes; a day-of-month) and the gateway assembles a standard 5-field cron expression from them — non-technical users never have to see cron. Advanced takes a raw minute hour day-of-month month day-of-week expression for anything the presets can't express. Either way the expression is evaluated in the IANA timezone you choose (e.g. Europe/Berlin), and a live preview — computed server-side via POST /scheduled/preview so it can't drift from what the scheduler actually does — shows a plain-English summary plus the next three run times. Each action also has a tools toggle (web search, RAG, attachments — same set as in chat).
How runs fire. A background worker polls every 30 seconds and runs every action whose next occurrence is due, claiming each one atomically first so a slow run or a restart can't double-fire. If the gateway was down across one or more scheduled slots, the missed occurrences collapse into a single catch-up run on the first poll after startup rather than replaying as a backlog. Actions can be paused (the worker skips them) and resumed, edited, or deleted from the same page.
Conversation compaction
A chat replays its whole history to the model on every turn, so a long conversation's prompt grows until it crowds the model's context window. The gateway compacts automatically: once a turn's measured prompt size (the upstream's own prompt_tokens) crosses a fraction of the model's context window, a background task — off the turn's critical path, like title generation — summarises the oldest turns into a single dense summary. The next turn then replays [request context] + [summary] + [most recent turns verbatim] instead of the full history. As the conversation keeps growing it's re-compacted: the previous summary plus the newly-aged turns fold into a fresh summary, so context stays bounded across an arbitrarily long chat.
Nothing is lost from the UI — the summarised turns stay in the transcript, scrollable above an "earlier messages condensed" divider; they're just not sent upstream. Tool results from the folded turns are fed into the summariser (they're never replayed as normal history, yet are often the load-bearing context).
Tuning lives in [chat.compaction] (all optional): enabled (default true), trigger_ratio (fraction of the window at which it fires, default 0.7), default_context_window (fallback window in tokens for models without a per-model value, default 32768), keep_recent_turns (how many recent turns stay verbatim, default 6), min_turns_to_compact (anti-thrash floor, default 4), and summary_max_tokens (default 1024). Per-model context windows are set in /admin/models; a blank field falls back to default_context_window.
- Rust (edition 2024, toolchain pinned to 1.95 via mise) — a workspace of 5 crates:
gateway,session-core,cli,shared, andsandbox-runner. - rama 0.3.0-rc1 — HTTP server, router, middleware, and proxying.
- plait — type-checked, auto-escaping server-rendered HTML (
html! { … }). - datastar — client-side reactivity over SSE, self-hosted from the binary.
- daisyUI v5 + Tailwind v4 — design system, compiled to a single CSS file at build time.
- sqlx + SQLite — persistent state (users, tokens, sessions, chat history, RAG collection registry). Bulk RAG content — chunk text, lexical index, vectors — lives in per-collection stores under
[rag].data_dir, not in the main DB.
The CSS bundle and datastar.js are baked into the binary via include_bytes!, so the runtime image needs no asset directory.
Integrations (per-user MCP connectors)
Each signed-in user can connect their own accounts — Gmail/Calendar/Drive, GitHub, Atlassian (Jira/Confluence), GitLab, Slack, Kiwi.com flight search, and any other MCP server — at /integrations, so the model can act on their behalf with their permissions. It's a self-hosted, per-user connector store comparable to the connectors in desktop AI apps.
An admin curates which servers the catalog offers at /admin/connectors; users just click Connect. Four auth models are supported, chosen per connector:
- OAuth 2.1 + dynamic client registration — nothing to configure beyond a URL (e.g. Atlassian, GitLab.com, a self-hosted Google Workspace server).
- OAuth 2.1 with a manual client — the admin registers one OAuth app once (e.g. GitHub, Slack).
- User-supplied token — each user pastes their own API token / PAT (e.g. self-managed GitLab CE).
- None — a public, unauthenticated server (e.g. Kiwi.com flight search); users still connect individually to opt its tools into their own chats.
Per-user OAuth tokens are encrypted at rest (AES-256-GCM) and refreshed in the background so connections don't silently expire. Each connected server's tools are namespaced (mcp__<server>__*) and obey the same per-tool always/ask/off controls as the built-in tools. Provider and deployment setup — including the self-hosted Google Workspace and GitLab CE bridges — is in deploy/README.md and docs/connectors.md.
Quick start (local development)
You need mise, which manages the Rust + Node toolchains.
mise install # Rust 1.95 + Node 24 cp gateway.example.toml gateway.toml $EDITOR gateway.toml # set at least one [upstream_pools.*] backend (and [oidc] to sign in) mise run dev # runs the gateway (debug build) on http://localhost:8080
If you're editing the UI, run the asset watchers in separate terminals (the committed bundles mean these are optional for plain backend work):
mise run watch-css # rebuild app.css on change mise run watch-js # rebuild app.js on change
Open http://localhost:8080. Signing in / minting tokens needs an [oidc] block (see below).
UI-only shortcut (no OIDC): mise run dev-ui boots a real server with mock backends and a pre-seeded session, and prints a session cookie you can paste into a browser or Playwright.
Full developer workflow: docs/dev-workflow.md.
Configuration
Configuration is a single TOML file — gateway.toml in the working directory, or wherever $GATEWAY_CONFIG points. gateway.example.toml is the fully-commented reference; copy it and trim to taste.
Secrets never live in the file. The config holds the names of environment variables (e.g. session_key_env = "GATEWAY_SESSION_KEY"); the gateway reads the actual values from its own environment at startup.
A minimal but complete config:
[bind] host = "127.0.0.1" # bind loopback; put a TLS-terminating reverse proxy in front port = 8080 [db] path = "gateway.sqlite" [gateway] public_url = "https://gateway.example.com" # external URL; used to build the OIDC callback token_ttl_days = 90 session_key_env = "GATEWAY_SESSION_KEY" # names the env var holding a 64-hex (32-byte) key allow_impersonation = false # opt-in admin impersonation (default false); see below # At least one upstream pool. `kind` is chat | transcription | embedding | image. [upstream_pools.local_chat] kind = "chat" strategy = "least_inflight" # or "round_robin" [[upstream_pools.local_chat.backend]] name = "gpu-01" base_url = "http://gpu-01.internal:8000/v1" # api_key_env = "GPU01_KEY" # if the backend itself needs a bearer token # alias = ["qwen", "fast"] # stable client-facing names → this backend's model # Needed for sign-in + token minting. Without it, /auth/login and `gw auth login` don't work. [oidc] issuer = "https://id.example.com/realms/company" client_id = "llm-gateway" client_secret_env = "GATEWAY_OIDC_CLIENT_SECRET" scopes = ["email", "profile", "groups"] roles_claim = "groups"
The environment variables that config refers to:
export GATEWAY_SESSION_KEY=$(openssl rand -hex 32) # 32 random bytes, hex-encoded export GATEWAY_OIDC_CLIENT_SECRET=… # from your OIDC provider export GATEWAY_MCP_KEY=$(openssl rand -hex 32) # optional: 32-byte key encrypting per-user MCP connector OAuth tokens at rest
GATEWAY_MCP_KEY is optional: it's the AES-256-GCM key under which each user's MCP-connector OAuth tokens (and admin-stored connector client secrets) are encrypted in the database. If unset, the gateway derives a stable key from GATEWAY_SESSION_KEY; if that's also unset (dev), an ephemeral key is used and stored connections won't survive a restart (users simply reconnect). Set it explicitly if you want connector encryption decoupled from session-cookie signing.
Optional blocks, each documented inline in gateway.example.toml:
[rbac]+[[roles]]— map OIDC claim values to roles, and gate models/tools per role.[chat.s3]— store chat attachments in S3 / MinIO / R2 / Backblaze B2 (see below).[typst]— register document-rendering tools from a templates directory.[sandbox]— enable the code-execution + document tools by pointing at a sandbox-runner service (seedocs/sandbox.md).[geoip]— IP→location for theget_user_locationtool (IP2Location LITE database).[[mcp.servers]]— bridge external MCP tool servers.[rag]— index git repos and search them from chat (see RAG).[fallback]— server-wide fallback models per kind, for unknown or all-offline model names (seedocs/upstreams.md).[usage]— request/token usage accounting behind the/usagepage (retention-pruned; on by default).[feedback]— the in-UI feedback widget that files GitHub issues.
Chat attachments (S3)
The chat composer accepts any file via paperclip / drag-drop / clipboard paste. Each file is uploaded to S3 (or any S3-compatible store) and either inlined into the user message as a fenced text block (CSV / JSON / source code / …) or referenced via image_url content parts on the OpenAI request (images). Add a [chat.s3] block:
[chat.s3] endpoint = "https://s3.eu-central-1.amazonaws.com" region = "eu-central-1" bucket = "my-gateway-attachments" access_key_env = "GATEWAY_S3_ACCESS_KEY" secret_key_env = "GATEWAY_S3_SECRET_KEY" # key_prefix = "chat-attachments" # optional, this is the default
…and export the credentials in the gateway's environment:
export GATEWAY_S3_ACCESS_KEY=AKIA… export GATEWAY_S3_SECRET_KEY=…
Notes:
- The bucket can stay fully private (no public-read ACL, no presign capability needed on the credentials): the gateway fetches every byte server-side and hands it to the upstream LLM inline — images as a
data:URI in the request, other files as text. Soendpointonly needs to be reachable from the gateway, not from the upstream LLM's network. Path-style requests are always used, so DNS-style bucket subdomains aren't required; the same shape works for MinIO, Backblaze B2, and R2. - Capability gating isn't done at the gateway — wire only multi-modal chat models into the pools. A mismatch surfaces as the upstream's own error in the chat bubble.
- Past-turn attachments are stripped from the replayed history (kept as
[attached: name.ext (omitted)]stubs) so the context window stays bounded.
RAG (codebase search)
Point the gateway at git repositories; it clones, chunks, and embeds them, and exposes them to the chat model through the rag_search tool (plus rag_list_collections, so the model can discover what's available). It's for "answer from our code and docs" without stuffing a whole repo into the context window.
Requirements: an embedding-kind upstream pool (chunks and queries are embedded through it), git on the host PATH (the indexer shells out to it — the container image ships it), and a [rag] block. The block is optional; its main knob is data_dir (a second, clone_concurrency, is documented in gateway.example.toml):
[rag] data_dir = "/mnt/data/gateway-rag" # optional; default ./data/rag
Each collection gets a self-contained folder <data_dir>/<uuid>/ holding its SQLite store (chunk text + lexical index), its index.usearch (vectors), and the git clone/. This is the heavy, fully regenerable state — put data_dir on a big/cheap disk, separate from the small [db].path you actually back up. Deleting a collection in the UI removes its folder.
Adding a collection. As an admin, open /rag (or POST /api/v0/rag/collections) and provide: a name, git URL + branch/tag, an optional PAT for private repos, the embedding model id, include/exclude globs, and chunk size/overlap (characters; default 800/100). A background worker clones and embeds it; status moves pending → cloning → indexing → ready (or error, with the message shown). A collection can aggregate several git sources (multiple repos or branches), each managed and re-indexed independently. Re-index re-pulls the sources and rebuilds the collection.
Globs match the repo-relative path, in three forms (there is no full glob engine):
| Pattern | Matches |
|---|---|
*.rs, *.md |
file extension |
src/, target/ |
path prefix (note the trailing slash) |
vendor, node_modules |
substring anywhere in the path |
* or ** |
everything |
An empty include list means "everything not excluded." Binaries, files larger than 1 MB, and .git/ are always skipped; excludes win over includes.
Retrieval is hybrid. A query runs against both a dense vector index (usearch, cosine) and a lexical BM25 index (SQLite FTS5), and the two rankings are fused with reciprocal rank fusion. Dense recall catches paraphrases; lexical recall catches exact identifiers (e.g. osd_op_timeout) that embeddings tend to blur. Queries are embedded with an instruction prefix (asymmetric retrieval); documents are embedded bare.
Sizing. The vector index dominates disk, at roughly chunks × embedding_dims × 4 bytes. With a 4096-dim model (e.g. Qwen3-Embedding-8B) that's ~16 KB per chunk, so a codebase that splits into ~100k chunks needs ~1.5 GB. Embedding is the slow part of indexing — budget time accordingly for large repos, and prefer narrow globs (source + docs) over * on a huge tree.
Agent Skills
Skills are operator-installed instruction bundles the chat model loads on demand — house style, brand guidelines, domain playbooks — without fine-tuning or stuffing everything into the system prompt. A skill is a SKILL.md (YAML frontmatter name + description, then a markdown body) plus optional references/ and assets/. The model only sees each permitted skill's name + description up front (cheap); when a request matches, it calls read_skill to pull the full body, then read_skill(name, path) for a referenced file (e.g. an SVG logo to inline into HTML). Once loaded in a conversation the guidance stays applied for the rest of it.
Managing skills. Point [skills] at a directory and drop bundles in:
[skills] dir = "/var/lib/gateway/skills" # optional; default ./data/skills
As an admin, open /admin/skills to upload a .skill archive (a zip of a SKILL.md bundle), view a skill's rendered SKILL.md + file tree, and delete one — all live, with no restart: the store re-scans the directory and hot-swaps the loaded set. RBAC gates which roles may use which skill; read_skill rides along automatically for any role that's been granted a skill. Grants come from two sources, unioned: each role's static skills list in the config (["*"] for all, exactly like tools), plus a per-skill grant editor in the UI — click Granted to on a skill to pick the roles allowed to load it. UI grants are stored in the DB and take effect immediately; config grants stay authoritative and show read-only in the dialog.
Using the gateway
1 — Get an API token. Either:
- CLI:
gw auth loginopens your browser, authenticates via OIDC, and saves agwk_…token locally; or - UI: sign in at
/login, then create a token on the/tokenspage.
2 — Call it like the OpenAI API:
export OPENAI_API_KEY=gwk_… export OPENAI_BASE_URL=https://gateway.example.com/v1 openai api chat_completions.create -m <model-id> -g user "Hello"
GET /v1/models lists every model the gateway has discovered across all pools — pick a model id from there.
3 — Or just use the chat UI at /chat: pick a model, attach files, and chat with streaming replies. Conversations persist server-side and resume on reconnect.
CLI (gw)
In a clone, run it via mise run cli -- <args>; a release build produces a standalone gw binary. Target a non-default gateway with --gateway <url> (default http://localhost:8080).
| Command | What it does |
|---|---|
gw ping |
Check the gateway is reachable (GET /healthz). |
gw auth login |
Browser OIDC login; saves a token locally. --no-browser prints the URL instead; --profile <name> keeps multiple identities. |
gw auth whoami |
Show the authenticated user. |
gw auth logout |
Revoke the local token on the gateway and forget it locally. |
gw auth tools |
List the tools your role(s) grant. |
HTTP endpoints
| Endpoint | Auth | Purpose |
|---|---|---|
POST /v1/chat/completions |
Bearer token | Chat completions (streaming + non-streaming). |
POST /v1/embeddings |
Bearer token | Embeddings. |
POST /v1/images/generations |
Bearer token | Image generation (routes to an image-kind pool). |
POST /v1/images/edits |
Bearer token | Image editing (multipart: image + prompt); routes to an image-kind pool. |
POST /v1/audio/transcriptions |
Bearer token | Whisper-style transcription (multipart upload). |
GET /v1/models |
Bearer token | All discovered models across pools (deduplicated by id). |
GET /v1/me |
Bearer token | Caller identity + the tools your role(s) grant (backs gw auth whoami / gw auth tools). |
POST /v1/auth/logout |
Bearer token | Revoke the bearer token used for the call (backs gw auth logout). |
GET /v1/sandbox/files/{run}/{filename} |
Bearer token | Download a file a sandbox run produced for the caller (scoped to your user). |
GET /healthz, GET /readyz |
none | Liveness / readiness probes. |
/, /login, /chat, /tokens, /tools, /memory, /scheduled, /integrations, /usage |
session cookie | Web UI (/integrations is the per-user MCP connector store; /usage shows your own request/token usage; admins get an in-page "All users" toggle). |
/admin/users, /rag, /admin/models, /admin/backends, /admin/skills, /admin/connectors |
admin role | Admin UI (the users page lists registered users and starts impersonation; connectors curates the MCP catalog — see docs/connectors.md for provider setup). |
POST /impersonate/stop |
session cookie | End an active impersonation and return to your own account. |
/feedback, /feedback/extract, /feedback/config |
session cookie | Feedback widget: file a GitHub issue, turn a voice transcript into structured fields, and report whether the feature is configured. Enabled by the [feedback] config block. |
/api/v0/* |
session cookie | JSON APIs backing the UI. |
The /v1/* endpoints require Authorization: Bearer gwk_…. Client Authorization headers are dropped at the proxy and the configured upstream key (if any) is injected; hop-by-hop headers are filtered both ways; upstream 4xx/5xx are relayed verbatim. The UI pages use the signed session cookie minted at OIDC login.
Production deployment (container + systemd)
CI builds target/release/gateway and publishes a runtime container image (debian:trixie-slim plus git + ca-certificates, which the RAG indexer needs). The binary is built outside the Dockerfile and COPYed in. To build locally:
mise run build # produces target/release/gateway (and fetches the typst CLI) docker build -t gateway:dev . # Dockerfile COPYs the release binary into the image
deploy/quadlet/ ships a hardened systemd-podman Quadlet (read-only rootfs, all capabilities dropped, runs as an unprivileged uid). Its README is the full walkthrough; in short:
sudo install -d -m 0750 /etc/gateway sudo install -m 0644 deploy/quadlet/gateway.container /etc/containers/systemd/ sudo install -m 0644 deploy/quadlet/gateway.volume /etc/containers/systemd/ sudo install -m 0600 deploy/quadlet/gateway.example.env /etc/gateway/gateway.env sudo install -m 0640 gateway.example.toml /etc/gateway/config.toml sudo $EDITOR /etc/gateway/gateway.env # GATEWAY_SESSION_KEY, GATEWAY_OIDC_CLIENT_SECRET, … sudo $EDITOR /etc/gateway/config.toml # upstreams, [oidc], and DB path on the volume sudo systemctl daemon-reload sudo systemctl enable --now gateway.service
Operational notes:
- TLS: the unit binds
127.0.0.1:8080— terminate HTTPS with a reverse proxy (Caddy / Traefik / nginx) in front. Set[gateway].public_urlto the external HTTPS URL so the OIDC callback is correct, and register<public_url>/auth/callbackas a redirect URI on your OIDC client. - State: the SQLite DB + session store live in a Podman-managed named volume and survive image swaps. Point
[db].path(and[rag].data_dir, if used) at that volume. - Updates: Quadlet treats
Image=as the source of truth and won't re-pull:lateston restart — pin a digest or a:<git-sha>tag in production.
Docker Compose
For hosts running Docker rather than podman, deploy/compose.example.yml is the equivalent stack (gateway + self-hosted Google Workspace MCP server, plus the sandbox runner and egress proxy under the sandbox profile).
All deployment-relevant docs — both methods, every component, the full Google Workspace connector setup — live in deploy/README.md.
Documentation
Architecture, auth, the gateway API, tools/RBAC, upstreams, and testing are documented in docs/. AGENTS.md doubles as human onboarding.
Contributing
Contributions are welcome — see CONTRIBUTING.md for the workflow, the sign-off requirement, and the Contributor License Agreement (CLA.md).
License
Licensed under the GNU Affero General Public License v3.0 (AGPL-3.0-only) — see LICENSE.
You are free to use, study, modify, and redistribute this software, including in a commercial setting. Because it is AGPL, one obligation stands out: if you run a modified version to provide a network service, you must offer the complete corresponding source — including your modifications — to the users of that service (AGPL §13). The UI carries a persistent "Source" link for this; operators of a modified deployment should point it at their own source via the GATEWAY_SOURCE_URL environment variable.
Commercial licensing. If the AGPL's terms don't fit your use case, a separate commercial license is available — contact croit GmbH (info@croit.io).
Third-party components bundled with or linked into the binary retain their own licenses; see NOTICE.






