AI Gateway
The Curate-Me AI Gateway is the control plane between your application and LLM providers. You keep your existing SDK, swap the base URL, add a Curate-Me key, and every request gets governance, routing, cost tracking, and auditability before it reaches the model.
The gateway sits upstream of agent harnesses — frameworks like LangChain, CrewAI, OpenAI Agents, and OpenClaw that orchestrate tool-calling agents. Regardless of which harness your team uses, the gateway applies consistent governance policies, tracks costs per harness, and provides a single audit trail across all of them.
What changes in your app
# Before
OPENAI_BASE_URL=https://api.openai.com/v1
# After
OPENAI_BASE_URL=https://api.curate-me.ai/v1/openai
X-CM-API-Key: cm_sk_xxxYou still send normal provider payloads. The gateway preserves standard JSON responses and streaming SSE behavior.
What the gateway adds
| Layer | What it does |
|---|---|
| Governance | Applies rate limits, budget controls, model access checks, PII scanning, content safety, and HITL approval gates |
| Routing | Resolves model aliases, matches the correct provider, and supports provider-scoped base URLs |
| Observability | Adds request IDs, spend headers, retry metadata, usage logs, and health visibility |
| Resilience | Retries transient upstream failures, exposes idempotency keys, and protects against provider outages |
| Operations | Supports stored provider secrets, admin APIs, usage dashboards, approval queues, and runner-aware cost controls |
Endpoint patterns
| Pattern | Example | Best for |
|---|---|---|
| Provider-namespaced base URL | https://api.curate-me.ai/v1/openai | OpenAI-compatible SDKs |
| Anthropic base URL | https://api.curate-me.ai/v1/anthropic | Anthropic SDKs |
| Generic OpenAI-compatible endpoint | POST /v1/chat/completions | Direct HTTP or custom clients |
| Generic Anthropic endpoint | POST /v1/messages | Direct HTTP or Anthropic-style payloads |
| Model discovery | GET /v1/models | Listing routable models through the gateway |
Supported providers
50+ providers across built-in and custom routes:
| Provider tier | Built-in providers |
|---|---|
| Core (Tier 1) | OpenAI, Anthropic, Google, DeepSeek, Perplexity |
| OpenClaw favorites (Tier 2) | Moonshot, MiniMax, ZAI, Cerebras, Qwen |
| Developer staples (Tier 3) | Groq, Mistral, xAI, Together, Fireworks, Cohere, OpenRouter |
| Extended (Tier 4) | SambaNova, AI21, Reka, Baichuan, Yi, StepFun, Jina, Ollama, vLLM |
See the full list on the Providers & Routing page.
Authentication
Every proxy request authenticates to Curate-Me with your gateway key
(cm_sk_...). The upstream provider key is resolved separately:
| Credential | Purpose |
|---|---|
X-CM-API-Key: cm_sk_... | Authenticates your request to Curate-Me. The gateway also accepts this same key in Authorization: Bearer cm_sk_..., so SDKs that only expose an api_key field still work — set api_key to your cm_sk_ key. |
| Stored provider secret (recommended) | Store your provider key once via the dashboard Provider Secrets flow or the admin API. The gateway looks it up per request — you never send it from your app. |
X-Provider-Key: <provider-key> | Send your provider key inline on each request instead of storing it. Only used when no stored secret exists. |
Heads up: Don’t put a provider key (like
sk-...) in the SDK’sapi_keyfield when you rely on stored secrets — the SDK forwards it asAuthorization: Bearer <provider-key>, which the gateway treats as an inline provider key and forwards upstream, shadowing your stored secret. Put yourcm_sk_gateway key inapi_keyinstead, or send the provider key explicitly viaX-Provider-Key.
Common response headers
| Header | Meaning |
|---|---|
X-CM-Request-ID | Gateway request ID for tracing, support, and log lookup |
X-CM-Cost | Estimated request cost in USD |
X-CM-Daily-Cost | Current daily spend for the org |
X-CM-Daily-Budget | Active daily budget used for governance decisions |
X-RateLimit-Limit | Requests allowed in the current rate-limit window |
X-RateLimit-Remaining | Requests left in the window |
X-RateLimit-Reset | Unix timestamp when the window resets |
X-Idempotency-Key | Stable key used for retry-safe upstream execution |
X-Process-Time | Gateway processing time in seconds |
Quick examples
OpenAI SDK
from openai import OpenAI
client = OpenAI(
# Your Curate-Me gateway key — set it as api_key AND in the header.
# Your OpenAI provider key is resolved from your stored Provider Secret.
base_url="https://api.curate-me.ai/v1/openai",
api_key="cm_sk_xxx",
default_headers={"X-CM-API-Key": "cm_sk_xxx"},
)
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Hello"}],
)Anthropic SDK
import anthropic
client = anthropic.Anthropic(
# Your Curate-Me gateway key — set it as api_key AND in the header.
# Your Anthropic provider key is resolved from your stored Provider Secret.
base_url="https://api.curate-me.ai/v1/anthropic",
api_key="cm_sk_xxx",
default_headers={"X-CM-API-Key": "cm_sk_xxx"},
)
message = client.messages.create(
model="claude-sonnet-4-5-20250929",
max_tokens=1024,
messages=[{"role": "user", "content": "Hello"}],
)cURL
curl https://api.curate-me.ai/v1/openai/chat/completions \
-H "Content-Type: application/json" \
-H "X-CM-API-Key: cm_sk_xxx" \
-H "X-Provider-Key: $OPENAI_API_KEY" \
-d '{
"model": "gpt-4o",
"messages": [{"role": "user", "content": "Hello"}]
}'Local development
cd services/backend
poetry install
poetry run uvicorn src.main_gateway:app --reload --port 8002Then point your SDK at http://localhost:8002/v1/openai, http://localhost:8002/v1/anthropic, or another provider path.