Gateway lifecycle

How Panicly authenticates, evaluates, logs, and forwards model traffic
View as Markdown

Panicly’s gateway is not a thin proxy. It is an auth layer, quota layer, rules layer, control layer, logging layer, and provider-forwarding layer.

Request sequence

1

Receive provider-compatible request

The client sends a request to /v1/chat/completions, /v1/responses, /v1/embeddings, /v1/completions, /v1/messages, /v1/models, /v1/panicly/models, or a provider namespace such as /v1/openrouter/*.

2

Authenticate the Panicly key

The gateway accepts a key through Authorization or x-panicly-key, then verifies it against stored key prefix and SHA-256 hash.

3

Evaluate plan and quota

The gateway checks workspace plan tier, included monthly volume, credit-backed capacity, and any configured usage offset.

4

Evaluate policy

Network Controls, Region Rules, model rules, Kill Switch, burst protection, abuse detection, token guard, and loop guard can block before upstream spend.

5

Forward or block

Approved traffic is forwarded to the connected provider with Panicly auth headers stripped and provider auth headers inserted.

6

Log evidence

Panicly attempts to record route, provider, model, country, decision, reason, tokens, cost estimate, and timestamp.

Core endpoint contract

Response
1{
2 "id": "chatcmpl_panicly_example",
3 "object": "chat.completion",
4 "created": 1779993600,
5 "model": "openrouter/auto",
6 "choices": [
7 {
8 "index": 0,
9 "message": {
10 "role": "assistant",
11 "content": "Panicly blocks risky model traffic before it can create upstream spend."
12 },
13 "finish_reason": "stop"
14 }
15 ]
16}

Request

modelstringRequired
Provider model identifier.
messageslist of objectsRequired
max_tokensintegerOptional
Maximum tokens requested from the provider.
temperaturedoubleOptional

Authentication fields

Authorization
header

Use Bearer pk-live-... for live traffic or Bearer pk-dev-... for development traffic.

x-panicly-key
header

Alternative direct key header for applications that cannot easily set a bearer token.

model
stringRequired

Provider model identifier, such as openrouter/auto or a connected provider-specific model.

Provider namespaces

Panicly can infer a provider from the model name or use a provider namespace such as /v1/openai/*, /v1/anthropic/*, /v1/openrouter/*, /v1/google/*, or /v1/vercel/*.