The AI Gateway for Enterprise
Route, govern, and monitor every AI request across your organization through a single secure gateway. One endpoint for every provider. Total visibility. Complete control.
Capabilities
Engineered for Enterprise AI
A single gateway that handles provider abstraction, identity, cost control, compliance, and routing across your entire AI stack.
One endpoint. Every provider. Total abstraction.
Helix Gateway sits between your users and 20+ LLM providers. Every request enters through one URL and exits to whatever provider you choose, based on rules you define. Your teams never touch a provider API key. Your tools never know the difference.
Switch providers without changing a line of code. Route the same model name to different backends per team. Fail over automatically when a provider goes down. All through configuration, not code.
- OpenAI, Anthropic, Bedrock, Azure, Vertex AI, Groq, Together, xAI, Ollama, and more
- OpenAI-compatible and Anthropic-compatible proxy endpoints
- Automatic model discovery syncs pricing, context windows, and capabilities hourly
- Wildcard model patterns for flexible provider mapping
- Streaming, embeddings, image generation, audio, and structured output support
Intelligent Routing
Requests hit the gateway and get routed to the best backend based on the strategy you choose. If that backend goes down, traffic shifts automatically. No human intervention. No downtime.
- Circuit breakers with open, closed, and half-open states
- P50 latency tracking and automatic health checks
- Multiple providers per model with automatic failover
Spend Tracking and Budgets
Every token has a price. Helix Gateway tracks costs at 1/10,000 cent precision across every request and rolls them up by team, user, model, and provider. Finance gets a real dashboard, not a monthly surprise.
# Budget enforcement
request claude-sonnet-4-6
user jane.doe
team engineering
budget $2,000/mo (hard)
used $847.22
this req $0.0038
status allowed
- Hierarchical budgets at instance, team, and user level
- Hard enforcement blocks requests; soft mode warns and allows
- Daily, weekly, and monthly budget periods
- Billing export for accounting and chargeback
Enterprise SSO
Authenticate through your existing identity provider. No new credentials. No separate user database. Users log in the same way they log into everything else.
- OIDC, OAuth 2.0, LDAP, and Active Directory
- Google, Okta, Auth0, and Azure AD
- Multiple identity links per user
- Group-based automatic team assignment
- Session management with configurable expiration
Role-Based Access Control
Five built-in roles from instance admin to team member. Permissions are scoped per resource and per team. Control who can use which models down to the individual user.
- Instance admin, financial admin, model admin, team manager, member
- Per-resource Create, Read, Update, Delete, Proxy, Impersonate
- Per-team and per-user model allow and deny lists
- Role expiration with full assignment audit trail
- Inherited roles from team membership and explicit grants
Governance and Compliance
Every request is logged. Content policies filter sensitive data. Approval workflows gate high-risk operations. Retention rules enforce data lifecycle automatically.
- Full audit trail with actor, action, resource, and IP
- Content filtering with blocked pattern matching
- PII detection flags and compliance hold status
- Message approval workflows with review notes
- Data classification, export restrictions, and scheduled deletion
Developer-First API
The gateway exposes a full JSON:API v1.1 REST API for everything: users, teams, models, budgets, conversations, audit logs. Plus drop-in compatible proxy endpoints that work with every OpenAI and Anthropic SDK without modification.
- Drop-in replacement for OpenAI and Anthropic SDKs
- Personal, team, and admin-issued API keys with rotation
- WebSocket streaming and real-time notifications
- OpenAPI documentation with Scalar UI
- Request validation with standardized error responses
Webhooks and Events
The internal event bus publishes every significant action. Subscribe webhooks to any event and get delivery to Slack, Discord, or any HTTP endpoint. Failed deliveries retry with exponential backoff and auto-disable after persistent failures.
- Per-event subscription management
- Exponential backoff retries (30s, 2m, 10m, 1hr, 6hrs)
- Slack, Discord, raw JSON, and custom template formatters
- Auto-disable after 10 consecutive failures
- Full delivery history with response payloads
A complete AI chat experience your teams can use today
Helix Gateway is not just an API proxy. It ships with a full-featured chat interface built on HTMX and Tailwind. Teams can start using AI through the browser immediately while every interaction flows through your governance pipeline.
Conversations support branching, sharing, annotations, and a searchable artifacts gallery. Organize with folders and tags. Flag messages for review. Share conversations with public read-only links when collaboration demands it.
- Conversation forking and branching with DAG-based message inheritance
- Public share links with granular access control
- Message reactions, flagging, edit history, and text annotations
- Auto-indexed artifacts gallery for images, documents, and generated files
- Full-text search across conversation titles and content
- Slash commands and built-in tools (web search, image generation, weather)
conversation: Q4 Planning Analysis
model: claude-sonnet-4-6
user: jane.doe (engineering)
branch: main > cost-analysis
messages: 24
artifacts: 3 (2 charts, 1 CSV)
shared: team-visible
tags: planning, q4, finance
# Pipeline trace for last message:
auth SSO (Okta)
rbac team_member
policy no PII detected
budget $12.40 / $500
route anthropic
cost $0.0091
audit logged
Architecture
From Zero to Governed AI in Minutes
No agents to install. No SDK changes. No vendor lock-in. Just point, configure, and go.
Deploy a single binary
Helix Gateway ships as one binary with zero external dependencies. Run it behind your firewall, in your VPC, or on bare metal. Configure your LLM provider keys, point it at your identity provider, and start it.
- Single binary, no runtime dependencies
- SQLite, Postgres, or MySQL for storage
- Full config via YAML or environment variables
$ helixgateway serve \
--config gateway.yaml
INFO listening on :8080
INFO providers: 4 configured
INFO models: 47 discovered
INFO SSO: OIDC (Okta) ready
Point your tools at the gateway
Change one environment variable. Every OpenAI and Anthropic-compatible tool, SDK, and agent framework works instantly. Claude Code, Cursor, Copilot, LangChain, custom apps. No code changes.
- Drop-in OpenAI and Anthropic API compatibility
- Works with any tool that accepts a base URL
- Personal and team API keys for authentication
# That's it. One variable.
export OPENAI_BASE_URL=\
https://gateway.corp.internal/v1
# Every tool now routes through
# Helix Gateway automatically.
Governance activates automatically
Every request is authenticated via SSO, authorized against RBAC policies, checked against budgets, routed to the optimal provider, and logged for audit. No manual steps. No gaps.
- Every request authenticated, authorized, and logged
- Budget enforcement with hard and soft limits
- Real-time cost tracking at microcent precision
POST /v1/chat/completions 200 OK
# Request pipeline:
auth jane.doe via Okta SSO
rbac role: team_member
budget $12.40 / $500.00 monthly
route anthropic (lowest-cost)
model claude-sonnet-4-6
cost $0.0038
audit logged
The Business Case
AI Spending Without Visibility is Just Waste
Most enterprises have no idea how much they spend on AI, who is using it, or whether they are compliant. Helix Gateway fixes that.
How many AI accounts exist across your organization right now?
What is your actual monthly AI spend across every team and tool?
What percentage of AI requests are logged and auditable today?
Stop the bleeding on AI costs
Without centralized controls, AI spend grows silently. Every team buys their own API keys. Every developer picks their own model. Nobody knows the total bill until it arrives.
Helix Gateway gives finance teams a single dashboard for every dollar spent on AI across the entire organization. Track costs by team, user, model, and provider in real time. Set budgets that actually enforce.
- Real-time spend tracking by team, user, model, and provider
- Daily, weekly, and monthly budget periods with configurable limits
- Automatic cost-optimized routing picks the cheapest capable model
- Billing export for accounting and chargeback workflows
- Microcent precision prevents cost rounding from hiding waste
# Monthly budget report
team budget used
engineering $2,000 $847.22
data-sci $5,000 $3,201.88
marketing $500 $489.10
exec-team $1,000 $124.50
total $8,500 $4,662.70
Complete audit trail on every AI interaction
Regulators and auditors want to know who accessed what model, with what data, and when. Helix Gateway logs every request end-to-end. No gaps, no blind spots.
Content filtering catches sensitive data before it leaves your network. Approval workflows gate high-risk operations. Retention policies enforce data lifecycle rules automatically.
- Full request and response logging with actor, IP, and timestamp
- Data classification levels and export restriction enforcement
- PII detection flags and compliance hold status
- Content filtering with blocked pattern matching
- Approval workflows for sensitive or high-risk requests
- Retention policies with scheduled data deletion
- Request ID correlation across the full audit chain
No more rogue API keys floating around
When every developer creates their own provider accounts, you lose visibility and control. Credentials end up in .env files, Slack threads, and git repos.
Helix Gateway authenticates every request through your corporate identity stack. Provider API keys live on the gateway server and never touch a developer machine.
- SSO via OIDC, LDAP, Active Directory, and OAuth providers
- Google, Okta, Auth0, and Azure AD out of the box
- RBAC with five built-in roles and per-resource permissions
- Team and user-scoped API keys with rotation and revocation
- Group-based automatic team assignment from LDAP and AD
- Multiple identity links per user for cross-provider consolidation
- Provider credentials stay on the server, never on developer machines
AI governance your auditors will actually trust
Deploying AI without governance is a liability. Every untracked request is a compliance risk. Every unmanaged API key is a security exposure. Every unbudgeted dollar is investor confidence lost.
Helix Gateway provides the controls, audit trails, and accountability that boards and regulators require, without slowing down the teams that generate value.
- Single chokepoint for all AI traffic with centralized policy enforcement
- Hierarchical budget controls prevent runaway spend at every level
- Full accountability: every request tied to a real user via SSO
- Runs behind your firewall with no data leaving your network
- On-prem deployment in your VPC or private cloud
- Open source, auditable, and free of vendor lock-in
Self-service AI access without the chaos
Your developers need access to LLMs. Your security team needs controls. Your finance team needs visibility. These requirements are not in conflict. They just need the right abstraction layer.
Helix Gateway gives platform teams a single control plane for AI access across the entire org, with the flexibility to let individual teams move fast within guardrails.
- Per-team model allow and deny lists control who uses what
- Intelligent routing across five strategies including cost and latency
- Circuit breakers and automatic failover across providers
- Drop-in compatibility with OpenAI and Anthropic SDKs
- Webhooks to Slack, Discord, or any HTTP endpoint for alerts
- Full REST API with JSON:API v1.1 and OpenAPI documentation
- WebSocket streaming for real-time monitoring
Every month without governance, the problem compounds
Shadow AI proliferates
Developers sign up for personal accounts. API keys scatter across teams. Nobody has a complete picture of what models are in use or what data is being sent to them.
Costs grow unchecked
Without budgets or routing optimization, teams default to the most expensive models. The monthly bill arrives as a surprise. Chargeback is impossible because there is no attribution.
Compliance exposure builds
Regulated data flows to third-party APIs with no audit trail. When the auditor asks who sent what to which model and when, the answer is "we don't know."
Security incidents become inevitable
Leaked API keys. Credentials in source control. No rate limiting. No content filtering. One careless request away from a data breach that makes headlines.
Get Started
Your developers are already using AI.
The question is whether you control it.
Helix Gateway deploys in minutes, works with every tool your teams already use, and gives you complete visibility from day one. Single binary. No vendor lock-in. Open source.