VaultPlane Gateway separates the path that carries traffic from the brain that decides what is allowed, the same split that infrastructure teams know as data plane and control plane.
Agents and applications send model and tool calls to the Gateway instead of straight to a provider.
Ingress, inline plugins, cache, policy check, and connectors route each call on the wire.
Commercial APIs and self-hosted models are reached with failover and routing.
The control plane defines and distributes policy to the data plane. Policy comes from the Registry: which servers and skills are trusted, and the rules that apply.
Every call emits an OpenTelemetry trace and metrics: model, tokens, cost, latency, and outcome.
Applications point at the Gateway through a unified, provider-agnostic API. Swapping a direct provider call for a Gateway call is a base-URL change, not a rewrite. From that moment, every request is governed and observable.
The data plane is the request path. It authenticates the caller with a virtual key, runs inline plugins (guardrails, redaction, routing), checks cache, evaluates policy, and forwards the call to a provider with streaming pass-through so governance does not add a latency tax. It keeps serving traffic even when the control plane is unreachable.
Commercial APIs and self-hosted models sit behind one interface. The Gateway handles routing rules and automatic failover, so an outage at one provider does not stop the application.
Telemetry is native, not bolted on. The Gateway emits OpenTelemetry traces and metrics over OTLP, so the data lands in the observability backend you already run. Every call is attributable by app and team for cost accounting.
The control plane is where trust is defined. The VaultPlane Registry scores and certifies servers and skills and sets policy; the control plane distributes that policy to every data-plane node, which enforces it on the wire and reports back what happened. Define once, enforce everywhere, see everything.
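The enforcement model described above (policy distributed by the control plane, enforced locally, traffic still served during a control-plane outage) can be illustrated with the following added example, which is not VaultPlane code. The class names, the policy shape (a version number plus a set of trusted server names), the rollback check and the optional staleness cap are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicySnapshot:
    version: int
    trusted: frozenset
    fetched_at: float

class DataPlaneNode:
    """Hypothetical node; names and policy shape are assumptions, not VaultPlane's API."""
    def __init__(self, fetch_policy, max_stale=None):
        self.fetch_policy = fetch_policy  # returns (version, names); raises ConnectionError on outage
        self.max_stale = max_stale        # assumption: optional cap (seconds) on using an old snapshot
        self.snapshot = None
        self.audit = []                   # decisions to report back to the control plane

    def refresh(self, now=None):
        now = time.time() if now is None else now
        try:
            version, trusted = self.fetch_policy()
        except ConnectionError:
            return False                  # outage: keep enforcing the last snapshot
        if self.snapshot and version < self.snapshot.version:
            return False                  # refuse a rollback to an older policy
        self.snapshot = PolicySnapshot(version, frozenset(trusted), now)
        return True

    def authorize(self, server, now=None):
        now = time.time() if now is None else now
        snap = self.snapshot
        if snap is None:
            allowed, reason = False, "no-policy"      # never received policy: deny
        elif self.max_stale is not None and now - snap.fetched_at > self.max_stale:
            allowed, reason = False, "stale-policy"   # snapshot older than the cap: deny
        else:
            allowed = server in snap.trusted
            reason = "trusted" if allowed else "untrusted"
        self.audit.append((server, allowed, reason, snap.version if snap else None))
        return allowed

def demo():
    # Constructed control-plane responses: one good fetch, then an outage.
    responses = iter([(3, {"search-mcp", "billing-mcp"})])
    def fetch():
        try:
            return next(responses)
        except StopIteration:
            raise ConnectionError("control plane unreachable")
    node = DataPlaneNode(fetch, max_stale=3600)
    node.refresh(now=0)
    node.refresh(now=60)                  # fails; snapshot v3 stays in force
    return [node.authorize("search-mcp", now=120), node.authorize("unknown-mcp", now=120),
            node.authorize("search-mcp", now=7200)]
```

With max_stale left at None the node serves from its last snapshot indefinitely; setting a cap trades availability during long outages for a bound on how old the enforced policy can be.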