A production-ready AI gateway proxy with PII protection, multi-provider support, and comprehensive request logging.
- PII Protection: Automatic detection and blocking of sensitive data (API keys, passwords, private keys, JWT tokens, AWS secrets)
- Multi-Provider Support: OpenAI, Anthropic, GitHub Copilot with a unified API
- Request Logging: Track all requests, responses, tokens, and latency
- Load Balancing: Round-robin distribution across multiple API keys
- API Key Management: Secure storage with AES-256-GCM encryption
- OAuth Authentication: GitHub and Google OAuth support
- Dashboard: Web UI for monitoring and management
- MySQL Database: Production-ready with automatic indexing
- Easy Deployment: Docker + GitHub Actions CI/CD
```
┌───────────────────────┐     ┌──────────────────────────────┐
│  Browser / Dashboard  │     │ API Clients (curl/SDK/IDE)   │
│  Next.js (Port 3000)  │     │ X-Proxy-Key: rpk_...         │
└───────────┬───────────┘     └───────────────┬──────────────┘
            │ JWT (Bearer eyJ...)             │ Proxy Key (rpk_...)
            ▼                                 ▼
┌─────────────────────────────────────────────────────────────┐
│                   AI PROXY (Rust / Axum)                    │
│                                                             │
│  Public Routes (no auth): OAuth callbacks, /health          │
│                                                             │
│  Dashboard Routes (/api/*)                                  │
│    JWT middleware: validate + inject Claims extension       │
│    Dashboard API: logs / stats / rules / keys /             │
│    usage / pricing                                          │
│                                                             │
│  Proxy Routes (/v1/*)                                       │
│    ProxyKey middleware: SHA-256 hash + DB lookup            │
│    Provider handler: openai / anthropic / copilot / unified │
│              │                                              │
│              ▼                                              │
│  Rule Engine                                                │
│    Built-in patterns: API keys, passwords, SSH keys, JWT/AWS│
│    DB rules (GRL): user-defined regex patterns,             │
│    custom actions                                           │
│                                                             │
│    ALLOW   ──▶ forward to provider                          │
│    BLOCK   ──▶ return 400 to client                         │
│    REPLACE ──▶ redact + forward                             │
│              │                                              │
│              ▼                                              │
│  Storage Layer (MySQL)                                      │
│    users │ provider_keys (AES-256-GCM) │ user_proxy_keys    │
│    request_logs │ rules │ usage_summaries │ pricing         │
└──────────────────────────────┬──────────────────────────────┘
                               │
               ┌───────────────┼───────────────┐
               ▼               ▼               ▼
        ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
        │ OpenAI API  │ │Anthropic API│ │ Copilot API │
        │ GPT-4o / o1 │ │Claude Sonnet│ │GitHub Models│
        └─────────────┘ └─────────────┘ └─────────────┘

┌─────────────────────────────────────────────────────────────┐
│        Cost Worker (background / standalone binary)         │
│                                                             │
│  runs every N seconds:                                      │
│    recalculate_usage() ──▶ request_logs ──▶ usage_summaries │
│    estimates cost per model from the pricing config         │
└─────────────────────────────────────────────────────────────┘
```
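The rule engine's three outcomes (ALLOW, BLOCK, REPLACE) can be sketched as follows. This is a minimal illustration: the marker strings, `Verdict` enum, and `scan` function are made up for this sketch, while the real engine matches built-in regex patterns plus user-defined GRL rules loaded from MySQL.

```rust
// Minimal sketch of the three rule-engine outcomes. Marker strings are
// illustrative stand-ins, not the gateway's actual patterns.
#[derive(Debug, PartialEq)]
enum Verdict {
    Allow,               // forward to provider unchanged
    Block(&'static str), // return 400 to the client with a reason
    Replace(String),     // forward a redacted copy of the body
}

fn scan(body: &str) -> Verdict {
    const BLOCK_MARKERS: &[&str] = &["-----BEGIN RSA PRIVATE KEY-----", "aws_secret_access_key"];
    const REDACT_MARKERS: &[&str] = &["sk-"];

    if BLOCK_MARKERS.iter().any(|m| body.contains(m)) {
        return Verdict::Block("sensitive credential detected");
    }
    if let Some(m) = REDACT_MARKERS.iter().find(|m| body.contains(**m)) {
        return Verdict::Replace(body.replace(*m, "[REDACTED]"));
    }
    Verdict::Allow
}

fn main() {
    assert_eq!(scan("what is rust?"), Verdict::Allow);
    assert!(matches!(scan("aws_secret_access_key=..."), Verdict::Block(_)));
    assert_eq!(
        scan("my key is sk-abc123"),
        Verdict::Replace("my key is [REDACTED]abc123".to_string())
    );
    println!("rule engine sketch ok");
}
```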
```
API Client                 AI Proxy                LLM Provider
    │                          │                          │
    │── POST /v1/llm/chat ────▶│                          │
    │   X-Proxy-Key: rpk_...   │                          │
    │                          │── validate rpk_ key ──▶DB│
    │                          │◀─ user_id ───────────────│
    │                          │                          │
    │                          │─ Rule Engine:            │
    │                          │  scan body for PII →     │
    │                          │  ALLOW/BLOCK/REPLACE     │
    │                          │                          │
    │◀── 400 if BLOCKED ───────│                          │
    │                          │── GET provider key ───▶DB│
    │                          │── forward request ──────▶│
    │                          │◀─ response ──────────────│
    │                          │── log + cost calc ────▶DB│
    │◀── response ─────────────│                          │
```
```
Dashboard User               AI Proxy              GitHub / Google
    │                            │                            │
    │─ GET /api/auth/oauth/conf ▶│                            │
    │◀─ { client_id, redirect } ─│                            │
    │                            │                            │
    │── redirect to provider ─────────────────────────────────▶
    │◀─ callback ?code=... ────────────────────────────────────
    │                            │                            │
    │─ GET /api/auth/google/cb ─▶│                            │
    │   code=...                 │── exchange code ──────────▶│
    │                            │◀─ access_token ────────────│
    │                            │── GET /userinfo ──────────▶│
    │                            │◀─ email, name, id ─────────│
    │                            │── upsert user ───────▶ DB  │
    │◀─ { token: "eyJ..." } ─────│                            │
    │                            │                            │
    │── POST /api/* ────────────▶│                            │
    │   Authorization: Bearer eyJ│─ validate JWT,             │
    │                            │  inject Claims extension   │
```
- Rust 1.75+ (`curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh`)
- Node.js 18+ (`brew install node` or download from nodejs.org)
- MySQL 8.0+
```bash
cd ai-proxy

# Copy and edit environment config
cp .env.example .env
nano .env

# Generate encryption key
openssl rand -hex 32

# Run the proxy
cargo run --release
```

```bash
cd dashboard

# Install dependencies
npm install

# Run development server
npm run dev
```

Services will be available at:
- Dashboard: http://localhost:3000
- API Proxy: http://localhost:8080
All configuration is done via environment variables (.env file in ai-proxy/):
```bash
# Server
SERVER_HOST=0.0.0.0
SERVER_PORT=8080

# Database (MySQL required)
DATABASE_TYPE=mysql
DATABASE_URL=mysql://user:password@localhost:3306/aiproxy

# Security: generate with `openssl rand -hex 32`
ENCRYPTION_KEY=your-64-char-hex-key

# Retention
RETENTION_DAYS=30

# OAuth / JWT: generate with `openssl rand -base64 32`
JWT_SECRET=your-jwt-secret
JWT_EXPIRY_HOURS=24

# GitHub OAuth
GITHUB_CLIENT_ID=your_github_client_id
GITHUB_CLIENT_SECRET=your_github_client_secret
GITHUB_REDIRECT_URI=https://your-domain.com/auth/callback/github

# Google OAuth
GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_client_secret
GOOGLE_REDIRECT_URI=https://your-domain.com/auth/callback/google
```

See ai-proxy/.env.example for the full list with comments.
- MYSQL.md: MySQL setup and schema
- DEPLOYMENT.md: Complete deployment guide with GitHub Actions
- SECURITY.md: Security features and encryption details
```bash
# Route by provider code
curl -X POST https://llm-gateway-api.ironcode.cloud/v1/unified/chat/completions \
  -H "Content-Type: application/json" \
  -H "X-Proxy-Key: rpk_your_proxy_key" \
  -H "X-Provider-Code: oai-prod" \
  -d '{
    "model": "gpt-4",
    "messages": [{"role": "user", "content": "Hello"}]
  }'
```

```bash
# Automatically detect provider from model name
curl -X POST https://llm-gateway-api.ironcode.cloud/v1/unified/chat/completions \
  -H "Content-Type: application/json" \
  -H "X-Proxy-Key: rpk_your_proxy_key" \
  -d '{
    "model": "claude-3-opus-20240229",
    "messages": [{"role": "user", "content": "Hello"}]
  }'
```

```bash
# OpenAI
curl -H "X-Proxy-Key: rpk_your_proxy_key" \
  https://llm-gateway-api.ironcode.cloud/v1/openai/chat/completions

# Anthropic
curl -H "X-Proxy-Key: rpk_your_proxy_key" \
  https://llm-gateway-api.ironcode.cloud/v1/anthropic/messages

# GitHub Copilot
curl -H "X-Proxy-Key: rpk_your_proxy_key" \
  https://llm-gateway-api.ironcode.cloud/v1/copilot/chat/completions
```

Replace your existing API key with a proxy key (rpk_...) and point your tool at the gateway:
```jsonc
// .opencode.json
{
  "$schema": "https://opencode.ai/config.json",
  "provider": {
    "iron-gateway": {
      "npm": "@ai-sdk/openai-compatible",
      "name": "Iron LLM Gateway",
      "options": {
        "baseURL": "https://llm-gateway-api.ironcode.cloud/v1/llm",
        "apiKey": "rpk_your_proxy_key"
      },
      "models": {
        "gpt-4o": { "name": "gpt-4o" },
        "claude-sonnet-4-6": { "name": "claude-sonnet-4-6" }
      }
    }
  }
}
```

```jsonc
// ~/.continue/config.json
{
  "models": [
    {
      "title": "GPT-4o (Gateway)",
      "provider": "openai",
      "model": "gpt-4o",
      "apiKey": "rpk_your_proxy_key",
      "apiBase": "https://llm-gateway-api.ironcode.cloud/v1/openai"
    },
    {
      "title": "Claude Sonnet (Gateway)",
      "provider": "anthropic",
      "model": "claude-sonnet-4-6",
      "apiKey": "rpk_your_proxy_key",
      "apiBase": "https://llm-gateway-api.ironcode.cloud/v1/anthropic"
    }
  ]
}
```

```bash
export ANTHROPIC_API_KEY=rpk_your_proxy_key
export ANTHROPIC_BASE_URL=https://llm-gateway-api.ironcode.cloud/v1/anthropic
```

```bash
OPENAI_BASE_URL=https://llm-gateway-api.ironcode.cloud/v1/openai
OPENAI_API_KEY=rpk_your_proxy_key
ANTHROPIC_BASE_URL=https://llm-gateway-api.ironcode.cloud/v1/anthropic
ANTHROPIC_API_KEY=rpk_your_proxy_key
```

Automatically blocks or redacts:
- API keys (OpenAI, Anthropic, AWS, GitHub, etc.)
- Passwords and credentials
- Private keys (RSA, SSH, PGP)
- JWT tokens
- AWS access keys and secrets
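As a rough illustration of how the credential families above can be told apart, the sketch below uses simple prefix heuristics. The function name and prefix table are hypothetical: the shipped detector uses fuller regex patterns, and passwords in particular need context beyond a prefix check.

```rust
// Illustrative only: prefix heuristics for the credential families listed
// above. The real detector matches fuller regex patterns.
fn credential_kind(token: &str) -> Option<&'static str> {
    const PREFIXES: &[(&str, &str)] = &[
        ("sk-ant-", "Anthropic API key"),
        ("sk-", "OpenAI-style API key"),
        ("ghp_", "GitHub personal access token"),
        ("AKIA", "AWS access key ID"),
        ("eyJ", "JWT (base64url-encoded JSON header)"),
        ("-----BEGIN", "PEM private key block"),
    ];
    PREFIXES
        .iter()
        .find(|&&(p, _)| token.starts_with(p))
        .map(|&(_, kind)| kind)
}

fn main() {
    assert_eq!(credential_kind("AKIAIOSFODNN7EXAMPLE"), Some("AWS access key ID"));
    assert_eq!(credential_kind("hello world"), None);
    // Order matters: the more specific "sk-ant-" prefix is checked first.
    assert_eq!(credential_kind("sk-ant-xyz"), Some("Anthropic API key"));
    println!("classification sketch ok");
}
```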
All provider API keys stored in the database are encrypted with AES-256-GCM:
- Argon2 key derivation from `ENCRYPTION_KEY`
- Random nonce per encryption
- Keys never exposed through the proxy
- GitHub OAuth integration
- Google OAuth integration
- JWT-based session management
Configure multiple API keys per provider for automatic round-robin distribution:

```bash
# Add primary key
curl -X POST https://llm-gateway-api.ironcode.cloud/api/keys \
  -H "Authorization: Bearer eyJ..." \
  -H "Content-Type: application/json" \
  -d '{"provider": "openai", "name": "Primary Key", "api_key": "sk-...", "code": "oai-prod"}'

# Add backup key (same code = same load-balance group)
curl -X POST https://llm-gateway-api.ironcode.cloud/api/keys \
  -H "Authorization: Bearer eyJ..." \
  -H "Content-Type: application/json" \
  -d '{"provider": "openai", "name": "Backup Key", "api_key": "sk-...", "code": "oai-prod"}'
```

All requests are logged with:
- Timestamp and latency
- Provider and model
- Input/output tokens
- Request/response bodies
- PII violations
- Client IP and user agent
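The round-robin selection used for load balancing (keys sharing one `code` form a group) can be sketched with an atomic cursor. The `KeyGroup` type and field names here are illustrative, not the gateway's actual types.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};

// Sketch of round-robin selection across keys that share a `code` group.
struct KeyGroup {
    keys: Vec<String>,   // decrypted provider API keys
    cursor: AtomicUsize, // shared counter, safe across concurrent request tasks
}

impl KeyGroup {
    fn next_key(&self) -> &str {
        // fetch_add wraps on overflow; the modulo keeps the index in range.
        let i = self.cursor.fetch_add(1, Ordering::Relaxed) % self.keys.len();
        &self.keys[i]
    }
}

fn main() {
    let group = KeyGroup {
        keys: vec!["sk-primary".into(), "sk-backup".into()],
        cursor: AtomicUsize::new(0),
    };
    assert_eq!(group.next_key(), "sk-primary");
    assert_eq!(group.next_key(), "sk-backup");
    assert_eq!(group.next_key(), "sk-primary");
    println!("round-robin sketch ok");
}
```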
To add a Copilot key, the gateway uses GitHub's device flow (no redirect required):
- Go to `/keys` → Add Key → select copilot
- A one-time code is displayed → visit github.com/login/device and enter it
- The gateway polls GitHub and saves the access token linked to your account
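The polling step can be modeled as a loop that retries until the user completes the code entry. This is a toy sketch: `poll_for_token` and the `check` closure are hypothetical, with `check` standing in for the real HTTPS call to GitHub's token endpoint.

```rust
// Toy model of the device-flow polling step: the gateway repeatedly asks
// GitHub for a token until the user has entered the one-time code.
fn poll_for_token<F>(mut check: F, max_attempts: u32) -> Option<String>
where
    F: FnMut() -> Option<String>,
{
    for _ in 0..max_attempts {
        if let Some(token) = check() {
            return Some(token);
        }
        // The real loop sleeps for the `interval` GitHub returns before retrying.
    }
    None
}

fn main() {
    // Simulate a user who completes the code entry on the third poll.
    let mut calls = 0;
    let token = poll_for_token(
        || {
            calls += 1;
            if calls >= 3 { Some("gho_example".to_string()) } else { None }
        },
        10,
    );
    assert_eq!(token, Some("gho_example".to_string()));
    println!("device flow sketch ok");
}
```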
```
rust-llm/
├── ai-proxy/              # Rust backend
│   ├── src/
│   │   ├── main.rs        # Entry point
│   │   ├── config.rs      # Configuration (env vars)
│   │   ├── auth/          # OAuth + JWT authentication
│   │   ├── proxy/         # Provider proxies (openai, anthropic, copilot, unified)
│   │   ├── rules/         # Rule engine & PII detection
│   │   ├── server/        # Axum routes & middleware
│   │   ├── storage/       # MySQL storage layer
│   │   ├── dashboard/     # Dashboard API handlers
│   │   ├── pricing.rs     # Cost estimation (65+ models)
│   │   └── encryption.rs  # AES-256-GCM encryption
│   ├── src/bin/
│   │   └── worker.rs      # Standalone cost worker binary
│   ├── Cargo.toml
│   └── .env.example
├── dashboard/             # Next.js frontend
│   ├── src/
│   │   └── app/           # App router pages
│   ├── package.json
│   └── next.config.ts
└── migrations/            # MySQL schema migrations
```
```bash
cd ai-proxy
cargo build             # Debug build
cargo build --release   # Release build
cargo run --release     # Run proxy
cargo run --bin worker  # Run cost worker
cargo test              # Run tests
cargo clippy            # Lint
cargo fmt               # Format
```

```bash
cd dashboard
npm install             # Install deps
npm run dev             # Development
npm run build           # Production build
npm start               # Start prod server
npm run lint            # Lint
```
- Configure GitHub Secrets: `DOCKER_USERNAME`, `DOCKER_PASSWORD`, `SSH_HOST`, `SSH_USERNAME`, `SSH_PRIVATE_KEY`, `DEPLOY_PATH`
- Push to the main branch: `git push origin main`
- GitHub Actions will automatically:
  - Build Docker images
  - Push to Docker Hub
  - Deploy to the production server
  - Run health checks
See DEPLOYMENT.md for complete setup instructions.
```bash
curl https://llm-gateway-api.ironcode.cloud/health
```

```bash
# Rust application logs
RUST_LOG=debug cargo run
```

```bash
# Get usage stats (requires JWT)
curl -H "Authorization: Bearer eyJ..." \
  https://llm-gateway-api.ironcode.cloud/api/stats
```

Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request

- Rust: Follow `rustfmt` defaults, run `cargo fmt`
- TypeScript: Follow project ESLint rules, run `npm run lint`
MIT License - see LICENSE file for details.
Made with ❤️ using Rust and TypeScript