Gateway lifecycle

How Panicly authenticates, evaluates, logs, and forwards model traffic
POST /v1/chat/completions

    curl -X POST https://panicly.vercel.app/v1/chat/completions \
      -H "Authorization: Bearer <token>" \
      -H "Content-Type: application/json" \
      -d '{
        "model": "openrouter/auto",
        "messages": [
          {
            "role": "user",
            "content": "Write one sentence about protected AI spend."
          }
        ],
        "max_tokens": 64
      }'

Panicly’s gateway is not a thin proxy. It is an auth layer, quota layer, rules layer, control layer, logging layer, and provider-forwarding layer.

Request sequence

1. Receive provider-compatible request

The client sends a request to /v1/chat/completions, /v1/responses, /v1/embeddings, /v1/completions, /v1/models, or a provider namespace such as /v1/openrouter/*.

2. Authenticate the Panicly key

The gateway accepts a key through the Authorization or x-panicly-key header, then verifies it against the stored key prefix and SHA-256 hash.

3. Evaluate plan and quota

The gateway checks workspace plan tier, included monthly volume, credit-backed capacity, and any configured usage offset.

4. Evaluate policy

Network Controls, Region Rules, model rules, Sentry Mode, burst protection, abuse detection, token guard, and loop guard can block the request before it creates upstream spend.

5. Forward or block

Approved traffic is forwarded to the connected provider with Panicly auth headers stripped and provider auth headers inserted.

6. Log evidence

Panicly attempts to record route, provider, model, country, decision, reason, tokens, cost estimate, and timestamp.
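
Steps 2 and 5 of the sequence above, sketched in TypeScript as an added example; this is not code from the Panicly repository. Assumptions: the function names, the KeyRecord shape, the 16-character lookup prefix, the constant-time digest comparison, and the sample key and store are all constructed for illustration.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Assumed record shape: only a lookup prefix and the SHA-256 digest are stored.
interface KeyRecord { sha256Hex: string; workspaceId: string }
type HeaderMap = Record<string, string>;
const PREFIX_LEN = 16; // assumed; the page does not state the prefix length

function sha256Hex(value: string): string {
  return createHash("sha256").update(value, "utf8").digest("hex");
}

function lowerCased(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Step 2a: take the key from Authorization (Bearer) or x-panicly-key.
function extractKey(headers: HeaderMap): string | null {
  const h = lowerCased(headers);
  const bearer = /^Bearer\s+(\S+)$/i.exec(h["authorization"] || "");
  const key = bearer ? bearer[1] : (h["x-panicly-key"] || "").trim();
  return /^pk_(live|test)_\S+$/.test(key) ? key : null;
}

// Step 2b: find the record by prefix, then compare digests in constant time.
function verifyKey(key: string, store: Map<string, KeyRecord>): KeyRecord | null {
  const rec = store.get(key.slice(0, PREFIX_LEN));
  if (!rec) return null;
  const presented = Buffer.from(sha256Hex(key), "hex");
  const stored = Buffer.from(rec.sha256Hex, "hex");
  const ok = presented.length === stored.length && timingSafeEqual(presented, stored);
  return ok ? rec : null;
}

// Step 5: strip both Panicly credential headers, then insert provider auth.
function upstreamHeaders(headers: HeaderMap, providerKey: string): HeaderMap {
  const out = lowerCased(headers);
  delete out["authorization"];
  delete out["x-panicly-key"];
  out["authorization"] = `Bearer ${providerKey}`;
  return out;
}

// Constructed sample key and store (not real credentials).
const SAMPLE_KEY = "pk_test_EXAMPLEONLY0123456789";
const STORE = new Map<string, KeyRecord>([
  [SAMPLE_KEY.slice(0, PREFIX_LEN), { sha256Hex: sha256Hex(SAMPLE_KEY), workspaceId: "ws_example" }],
]);
```

Stripping both credential headers before forwarding matters because a client may send the key in either one; removing only Authorization would pass an x-panicly-key value through to the provider.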

Core endpoint contract

Response
    {
      "id": "chatcmpl_panicly_example",
      "object": "chat.completion",
      "created": 1779993600,
      "model": "openrouter/auto",
      "choices": [
        {
          "index": 0,
          "message": {
            "role": "assistant",
            "content": "Panicly blocks risky model traffic before it can create upstream spend."
          },
          "finish_reason": "stop"
        }
      ]
    }

Request

  • model (string, required): Provider model identifier.
  • messages (list of objects, required)
  • max_tokens (integer, optional): Maximum tokens requested from the provider.
  • temperature (double, optional)

Authentication fields

  • Authorization (header): Use Bearer pk_live_... or Bearer pk_test_....
  • x-panicly-key (header): Alternative direct key header for applications that cannot easily set a bearer token.
  • model (string, required): Provider model identifier, such as openrouter/auto or a connected provider-specific model.

Two gateway implementations exist

The repository currently has gateway logic in both apps/api/src/routes/gateway.ts and apps/web/src/app/v1/[...path]/route.ts. Treat behavior as duplicated until the active deployment path is verified.