AI Gateway

What an LLM Gateway Actually Does: A Guide for AI Infrastructure Teams

What an LLM Gateway Actually Does: A Guide for AI Infrastructure Teams
An LLM gateway is a reverse proxy purpose-built for model API traffic. Bifrost is the open-source implementation built for sub-millisecond overhead, full governance, and no vendor lock-in.

When an application sends a request to an LLM provider, it passes through a chain of concerns that have no equivalent in standard API infrastructure: the token economy affects cost at every hop, streaming responses hold connections open for seconds or minutes, provider rate limits are per-key and per-minute rather than per-IP, and the content of a prompt is a security surface that HTTP middleware was never designed to inspect. An LLM gateway handles all of these at the infrastructure layer, before a single token is billed. Bifrost, the high-performance open-source LLM gateway built in Go by Maxim AI, is the implementation reference for teams that need these capabilities with 11 microseconds of added overhead at 5,000 RPS and no external service dependency.

What an LLM Gateway Does on Every Request

An LLM gateway intercepts every model API call your application makes. On each request, it executes a deterministic pipeline in this order:

  1. Authenticate the caller using a virtual key, API key header, or bearer token
  2. Check governance rules: budget remaining, rate limit headroom, model allowlist membership
  3. Select a provider and model based on routing rules, weights, and fallback chains
  4. Apply input policies: content guardrails, PII detection, prompt injection scanning
  5. Forward the request to the upstream provider using the gateway-held credential
  6. Handle the response: streaming pass-through, output policy checks, semantic cache population
  7. Write telemetry: token counts, latency, cost, policy decisions, caller identity

Every one of these steps runs in-process in Bifrost, with no round-trip to an external service except the model call itself. The caller's application code sees a single OpenAI-compatible endpoint. Provider API keys never leave the gateway. The application only holds a virtual key. The full request flow documentation covers how each stage is implemented at the architecture level.

The Gartner Market Guide for AI Gateways 2025 projects that 70% of software engineering teams building multimodel applications will use AI gateways by 2028, up from 25% in 2025. The driver is that each step in the pipeline above represents a class of production failures that accumulates quickly without a centralized enforcement point.

The Request Lifecycle in Detail

Authentication and Credential Isolation

The LLM gateway holds all provider API keys. Applications authenticate using virtual keys, gateway-issued credentials that carry scoped permissions but no provider secrets. This eliminates credential sprawl: rotating a compromised provider key means updating one record in the gateway, not hunting down environment variables across services. Revoking an application's access means deactivating its virtual key.

Virtual keys also carry the governance context for the request: which providers and models the caller can access, what budget remains, and what rate limits apply.

Routing, Failover, and Load Balancing

Once authenticated, the gateway applies routing logic. Bifrost supports weighted routing across multiple provider configurations within a single virtual key: 60% of traffic to OpenAI, 40% to a Bedrock endpoint, with automatic failover to the Bedrock path if the OpenAI call returns 5xx errors or times out.

Load balancing across API keys for the same provider distributes request volume across the provider's per-key rate limit buckets, effectively pooling the combined throughput of multiple keys without any application-layer logic. Automatic fallbacks apply exponential backoff and retry sequencing, including cross-provider failover where a failure on one provider routes to a pre-configured backup on a different provider.

This is the layer that makes multi-provider deployments operationally viable. Without it, every provider failure requires application-level handling, which means every team that calls an LLM must re-implement the same retry and fallback logic.

Governance: Budgets, Rate Limits, and Model Allowlists

The gateway is the only layer in the stack that sees every LLM call from every application. It is therefore the only layer that can enforce organization-wide cost and access policy reliably.

Budget enforcement runs at three levels: the virtual key (per-application or per-developer), the team (aggregate for a department), and the customer (organization-wide cap). All applicable budgets are checked independently on each request. When any budget exhausts, the gateway returns HTTP 402 before the token reaches a provider. Budgets reset on configurable windows (daily, weekly, monthly) with calendar-aligned or rolling options.

Rate limiting runs on two independent dimensions: request frequency and token throughput. A virtual key can carry 1,000 requests per minute alongside 2 million tokens per hour, with each dimension tracked and enforced separately. This matters for agentic workloads where a single session can generate many requests with small prompts, or few requests with very large context windows. For a full breakdown of how these dimensions compare across LLM gateway implementations, the AI gateway buyer's guide covers governance depth as a standalone evaluation criterion.

Model allowlists attach to each provider configuration within a virtual key: "allowed_models": ["claude-sonnet-4-6", "claude-haiku-4-5-20251001"]. A request asking for a model not in the allowlist returns HTTP 403 before any token is consumed. Platform teams use this to enforce tiered access: lower-cost models for high-volume batch jobs, premium models only for approved workflows.

Semantic Caching

LLM API costs compound on repeated similar queries. A customer support application that answers the same category of questions hundreds of times per day sends hundreds of API calls where a small cache would serve most of them.

Semantic caching stores responses by vector embedding and returns cached results for queries that fall within a configurable similarity threshold of a prior query. Standard HTTP caches operate on exact string match; semantic caching matches on meaning, which recovers significant cost savings in conversational and Q&A workloads. The cache check runs in-process on every request and adds no network round-trip.

Content Guardrails

OWASP ranks prompt injection as the top security risk for LLM applications as of 2025, and sensitive information disclosure as the second. Both risks live in the content of prompts and completions, a layer that standard API gateways have no visibility into.

Bifrost's guardrails validate both prompt inputs and model outputs inline, before they transit the gateway in either direction. Organizations configure rules using CEL expressions and attach provider profiles from AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, GraySwan Cygnal, and Patronus AI. Native in-process regex and secrets detection run with no external service call, adding no round-trip latency. Violations return HTTP 446 (blocked) or 246 (modified) with structured violation detail for downstream handling.

Observability

Enterprise LLM API spend passed $8.4 billion in 2025 and most teams have limited visibility into how it is distributed across applications, teams, and model choices. The gateway is the only layer that sees every call, making it the natural source of truth for AI infrastructure observability.

Bifrost captures per-request telemetry (provider, model, token counts at input and output, latency, cost, caller identity, and policy outcomes) without any instrumentation in application code. This telemetry feeds native Prometheus metrics and OpenTelemetry traces directly to Grafana, Datadog, New Relic, and any OTLP-compatible collector. Every request produces a structured log entry regardless of whether the application developer added any logging.

MCP and Agent Traffic

In agentic architectures, a single user request triggers multiple LLM calls interleaved with tool invocations through the Model Context Protocol. Each tool call is an execution surface that requires its own authentication, access control, and audit record.

Bifrost extends the same governance model to tool traffic: it acts as both an MCP client (connecting to external tool servers on behalf of agents) and an MCP server (exposing configured tools to MCP-compatible clients). Tool filtering per virtual key applies a deny-by-default allowlist to every tool call. LLM tokens and tool call counts appear in the same audit log, giving infrastructure teams a unified view of what each agent session actually consumed.

Deployment Considerations for Infrastructure Teams

An LLM gateway sits in the critical path of every model call, which means its operational properties matter directly.

Latency overhead is the first consideration. A gateway that adds 200ms per call compounds across multi-step agent chains. Bifrost benchmarks at 11 microseconds of added latency at 5,000 RPS in sustained load tests on standard cloud instances, making it a transparent layer for even latency-sensitive workloads.

State management affects correctness and scalability. Bifrost holds all governance state in memory (provider configs, virtual key permissions, budget counters, rate limit state) for sub-millisecond policy evaluation without database round-trips. The OSS build handles approximately 3,000 to 5,000 RPS on a single instance with a Postgres backend for persistence. Bifrost Enterprise uses a RAFT-based clustering protocol to synchronize in-memory governance state across nodes in real time, enabling horizontal scaling with consistent enforcement.

Deployment model determines the data perimeter. For regulated industries and teams with data residency requirements, in-VPC deployment keeps all request bodies, telemetry, and audit logs within the organization's private network. Cloud-managed gateways cannot offer this guarantee.

Drop-in migration determines adoption friction. Bifrost exposes an OpenAI-compatible API on a single endpoint. Migrating an existing application that uses the OpenAI SDK requires changing one environment variable: the base URL. No application code changes, no SDK swaps. The drop-in replacement guide covers migration for OpenAI, Anthropic, Bedrock, and Google GenAI SDK users.

Evaluating an LLM Gateway

Infrastructure teams evaluating LLM gateways should assess on these dimensions before selecting:

  • Latency overhead at production RPS: not demo load, sustained benchmark
  • Governance depth: hierarchical budgets, token and request rate limits, model allowlists, per-credential access control
  • MCP and agent support: tool-level access control, unified audit logs across LLM and tool calls
  • Deployment options: self-hosted, in-VPC, on-premises, air-gapped
  • Compliance evidence: immutable audit logs, SOC 2, GDPR, HIPAA
  • Migration path: drop-in SDK compatibility vs. required code changes

The LLM Gateway Buyer's Guide maps each of these dimensions to a structured evaluation framework with specific questions for each capability area. For teams evaluating Bifrost against specific infrastructure requirements, the resources hub covers benchmarks, governance, and the MCP gateway in full detail.

Getting Started

Bifrost deploys as a Docker container or binary. The gateway setup guide covers first provider configuration, virtual key creation, and a first authenticated request. For enterprise requirements including clustering, RBAC, SSO integration, and in-VPC deployment, Bifrost Enterprise is available with a 14-day trial.

To see how Bifrost fits into an existing AI infrastructure stack, book a demo with the Bifrost team.

Read next