AI Gateway
The AI Gateway is KnoxCall’s AI-native proxy layer. It sits between your applications and upstream AI providers (Anthropic and OpenAI are the configurable providers; Bedrock is supported only as a shape-translation target), providing:- Phantom tokens — short-lived DPoP-bound capability tokens; your application never holds a raw provider API key.
- Streaming PII redaction — Aho-Corasick + Presidio detector stack with a configurable hold-back buffer.
- Prompt injection firewall — built-in heuristic patterns + tenant-supplied regex/keyword rules; optional canary token injection detects system-prompt extraction.
- Budget enforcement — per-agent daily/monthly USD caps with configurable overage actions.
- Shape translation — automatic Anthropic ↔ OpenAI request/response translation when routes target a different provider format.
- Compliance packs — HIPAA Safe Harbor, GDPR, PCI-DSS, and SOC 2 packs install recognizers and audit-log alert rules in one operation.
Authentication
All AI Gateway proxy endpoints authenticate via phantom tokens — capability tokens minted for a specific agent. Send the token via any of the three accepted header schemes:DPoP header on every request.
Admin endpoints (gateway/agent CRUD, token minting) are part of the dashboard/control plane on the admin host. They require a session-authenticated request (session JWT) with the X-Tenant-ID header and an owner/admin role — not a tk_live_... API key.
Execute AI request
https://{slug}.knoxcall.com (sandbox: https://sandbox-{slug}.knoxcall.com), not api.knoxcall.com. Use the agent_url returned when the agent was created as the base URL.
Forwards the request to the agent’s configured primary route. The request body must be a valid JSON body for the upstream provider (Anthropic Messages API, OpenAI Chat Completions API, etc.).
If the agent has streaming_enabled and the request includes Accept: text/event-stream or "stream": true in the body, the response is streamed as SSE.
Request headers
Response headers
Firewall responses
When the prompt injection firewall blocks a request:HTTP 400. The firewall always runs regardless of whether a policy is attached (built-in heuristics cannot be disabled).
Shape translation
When the caller’s provider format differs from the route’s target provider format, the AI Gateway translates automatically:
Format is detected from the route’s
target_base_url (e.g. api.anthropic.com → Anthropic format). Response shapes are translated back to match the caller’s expected format on the buffered path.
Canary token injection
When a firewall policy hascanary_enabled: true, the gateway injects a kc_canary_<16hex> token into every system prompt before forwarding upstream. If the model echoes the token verbatim in its response (a sign of system-prompt extraction via prompt injection), the gateway:
- Emits an
ai_gateway.canary_leakaudit log entry atcriticalseverity. - Sets
firewall_outcome = "warn"on the usage record. - Fires any compliance-pack alert rules listening on
audit_action = 'ai_gateway.canary_leak'.
Compliance packs
Install compliance packs via the Packs API or from the Admin UI. Each pack installs:- PII recognizers — entity-type patterns for the detector stack.
- Alert rules —
ai_gateway_eventalerts that fire when specific audit actions appear.
hipaa-safe-harbor, gdpr, pci-dss, soc2.
OpenTelemetry export
SetOTEL_EXPORTER_OTLP_ENDPOINT to enable per-request span export with GenAI semantic conventions: