Gateway API Reference
Complete reference documentation for the Curate-Me AI Gateway API. The gateway is a reverse proxy that sits between your application and LLM providers, applying governance policies, tracking costs, and providing full observability with zero code changes.
Base URL
| Environment | Base URL |
|---|---|
| Production | https://api.curate-me.ai |
| Local development | http://localhost:8002 |
Authentication
All proxy endpoints require a Curate-Me API key (X-CM-API-Key header) and a provider API key (via X-Provider-Key header, Authorization: Bearer, or stored secrets). See Authentication for details.
Endpoint overview
Proxy endpoints
These endpoints accept requests in the same format as the upstream provider and proxy them through the governance chain.
| Method | Endpoint | Provider | Description |
|---|---|---|---|
POST | /v1/chat/completions | OpenAI | OpenAI-compatible chat completions |
POST | /v1/messages | Anthropic | Anthropic-compatible messages |
POST | /v1/google/chat/completions | Google Gemini | Gemini via OpenAI-compatible format |
POST | /v1/deepseek/chat/completions | DeepSeek | DeepSeek via OpenAI-compatible format |
GET | /v1/models | All | List available models |
Health and monitoring endpoints
| Method | Endpoint | Auth | Description |
|---|---|---|---|
GET | /health | None | Liveness probe (always 200) |
GET | /v1/health | None | Health check with component status |
GET | /v1/health/detailed | None | Comprehensive health with metrics and alerts |
GET | /v1/providers/health | None | Per-provider circuit breaker status |
HITL approval endpoints
| Method | Endpoint | Auth | Description |
|---|---|---|---|
GET | /v1/approvals/{id}/status | API Key | Poll approval status |
GET | /gateway/admin/approvals | Admin | List pending approvals |
POST | /gateway/admin/approvals/{id}/approve | Admin | Approve a pending request |
POST | /gateway/admin/approvals/{id}/reject | Admin | Reject a pending request |
Admin endpoints
| Method | Endpoint | Auth | Description |
|---|---|---|---|
GET | /gateway/admin/policies | Admin | List governance policies |
POST | /gateway/admin/policies | Admin | Create or update a policy |
DELETE | /gateway/admin/policies/{org_id} | Admin | Delete a policy |
GET | /gateway/admin/usage | Admin | Get usage statistics |
GET | /gateway/admin/usage/daily | Admin | Daily cost breakdown |
GET | /gateway/admin/usage/export | Admin | Export usage as CSV |
POST | /gateway/admin/secrets | Admin | Store a provider secret |
GET | /gateway/admin/secrets | Admin | List stored secrets (metadata only) |
POST | /gateway/admin/secrets/rotate | Admin | Rotate a provider secret |
DELETE | /gateway/admin/secrets/{provider} | Admin | Revoke a provider secret |
GET | /gateway/admin/billing/summary | Admin | Monthly billing summary |
POST | /gateway/admin/model-aliases | Admin | Create a model alias |
GET | /gateway/admin/model-aliases | Admin | List model aliases |
POST | /gateway/admin/provider-targets | Admin | Create a provider target |
GET | /gateway/admin/provider-targets | Admin | List provider targets |
Request format
All requests and responses use JSON. Set the Content-Type header on requests with a body:
Content-Type: application/jsonResponse headers
Every proxied response includes governance metadata headers:
| Header | Description |
|---|---|
X-CM-Request-ID | Unique request identifier for tracing |
X-CM-Cost | Estimated cost for this request (USD) |
X-CM-Daily-Cost | Cumulative daily spend for the organization (USD) |
X-CM-Daily-Budget | Daily budget limit for the organization (USD) |
X-RateLimit-Limit | Maximum requests allowed per minute |
X-RateLimit-Remaining | Requests remaining in the current window |
X-RateLimit-Reset | Unix timestamp when the rate limit window resets |
X-Request-ID | Request ID (same as X-CM-Request-ID) |
X-Gateway-Org | Organization ID associated with the API key |
X-Idempotency-Key | Idempotency key for retry-safe calls |
X-Process-Time | Server-side processing time in seconds |
Conditional headers
These headers appear only when applicable:
| Header | Condition | Description |
|---|---|---|
X-CM-Approval-ID | HITL triggered | Approval ID for polling |
X-CM-Key-Deprecated | Key rotated | "true" when using a deprecated key |
X-CM-Grace-Remaining-Hours | Key rotated | Hours remaining in the grace period |
X-CM-Suggested-Model | Model deprecated | Recommended replacement model |
X-CM-Version-Warning | Model deprecated | Human-readable deprecation warning |
Deprecation | Model deprecated | RFC 8594 deprecation date |
Sunset | Model deprecated | RFC 8594 sunset date |
X-Gateway-Retry-Attempts | Upstream retried | Number of retry attempts |
X-Gateway-Retry-Delay-Ms | Upstream retried | Total retry delay in milliseconds |
Retry-After | Rate limited | Seconds until the rate limit resets |
API-Version | Always | API version negotiated for this request |
Error format
All errors follow the OpenAI-compatible error format:
{
"error": {
"message": "Human-readable error description",
"type": "error_type",
"param": null,
"code": "error_code"
}
}See the Error Reference for a complete list of error types and codes.
Rate limits
Rate limits are enforced per organization. Default limits vary by subscription tier:
| Tier | Requests per minute |
|---|---|
| Free | 10 |
| Starter | 60 |
| Pro | 300 |
| Team | 1,000 |
| Enterprise | 5,000 |
SDKs
The gateway is compatible with any standard LLM SDK. Just change the base URL:
# Python (OpenAI SDK)
from openai import OpenAI
client = OpenAI(
base_url="https://api.curate-me.ai/v1/openai",
default_headers={"X-CM-API-Key": "cm_sk_xxx"},
)// TypeScript (OpenAI SDK)
import OpenAI from 'openai';
const client = new OpenAI({
baseURL: 'https://api.curate-me.ai/v1/openai',
defaultHeaders: { 'X-CM-API-Key': 'cm_sk_xxx' },
});See also the dedicated Python SDK and TypeScript SDK pages for the curate-me and @curate-me/sdk packages.
Interactive documentation
The gateway exposes auto-generated OpenAPI documentation:
- Swagger UI:
https://api.curate-me.ai/docs - ReDoc:
https://api.curate-me.ai/redoc
For local development, use http://localhost:8002/docs.