Tenant Management

A tenant represents an isolated gateway endpoint. Each team, project, or application gets its own tenant with a unique URL, API key, and configuration.

Tenant Configuration

| Field | Description |
|---|---|
| name | Display name |
| slug | URL segment; determines the gateway endpoint: /api/<slug>/v1 |
| providerIds | Assigned providers (models from these providers are accessible) |
| routing | Auto-routing config: classifier provider, model, overrides |
| modelConfig | Model access control: mode + list |
| modelAliases | Map of alias → real model ID |
| rateLimit | Requests per minute (per tenant, sliding window) |
| keyEnabled | Whether the API key accepts requests |
| keyLifetimeDays | 7 / 14 / 30 / 60 / 90 / 365 / 0 (unlimited) |
| keyExpiresAt | Computed expiry timestamp |
| forceAutoRoute | Override all model requests to use auto-routing |

API Key Lifecycle

Generation

API keys are generated as omp-<64 hex chars>. The key is shown once at creation time. The stored value is SHA-256(key) — the plaintext is never persisted.

Rotation

Clicking Rotate Key on a tenant immediately invalidates the old key and generates a new one. The new key is shown once and must be copied before closing the modal.

Custom Keys

Opt-in: enter a custom key (minimum 16 characters). The custom key is stored encrypted (AES-256-GCM) and validated at request time the same way as generated keys.

Lifetime & Expiry

Keys can be configured with an expiry period. On creation or rotation, keyExpiresAt = now + keyLifetimeDays x 86400s. At the gateway, every request checks:

keyEnabled === false  ->  401  { error: "api_key_disabled" }
keyExpiresAt < now   ->  401  { error: "api_key_expired" }

Keys with no expiry (keyLifetimeDays = 0) never expire.

Enable / Disable

A key can be disabled without deleting it. The UI shows a warning modal before disabling — any active clients using the key will immediately start receiving 401 errors.
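
The key lifecycle described above (generation, hashed storage, rotation, and the gateway's disabled/expired checks), as an added Node.js example that is not the project's own code. The function names, the tenant object shape, the `invalid_api_key` error name, `null` for "no expiry", and verifying the key before the state checks are all assumptions.

```javascript
// Added example: names and object shape are illustrative assumptions.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

const DAY_MS = 86400 * 1000;

// omp-<64 hex chars>: 32 bytes from the CSPRNG, hex-encoded.
function generateKey() {
  return "omp-" + randomBytes(32).toString("hex");
}

// Only this digest is stored; the plaintext key is shown once and discarded.
function hashKey(key) {
  return createHash("sha256").update(String(key), "utf8").digest("hex");
}

// keyLifetimeDays = 0 means no expiry, represented here as null (assumption).
function computeExpiry(nowMs, keyLifetimeDays) {
  return keyLifetimeDays === 0 ? null : nowMs + keyLifetimeDays * DAY_MS;
}

// Create or rotate: overwriting keyHash is what invalidates the old key.
function issueKey(tenant, nowMs) {
  const key = generateKey();
  tenant.keyHash = hashKey(key);
  tenant.keyExpiresAt = computeExpiry(nowMs, tenant.keyLifetimeDays);
  return key; // hand back once to the caller; never log or persist it
}

// Gateway check. Returns null when the request may proceed.
function checkKey(tenant, presentedKey, nowMs) {
  // Assumes tenant.keyHash is a valid SHA-256 hex digest (32 bytes decoded),
  // so both buffers have equal length and timingSafeEqual cannot throw.
  const stored = Buffer.from(tenant.keyHash, "hex");
  const given = Buffer.from(hashKey(presentedKey), "hex");
  if (!timingSafeEqual(stored, given)) {
    return { status: 401, error: "invalid_api_key" }; // hypothetical error name
  }
  if (tenant.keyEnabled === false) {
    return { status: 401, error: "api_key_disabled" };
  }
  if (tenant.keyExpiresAt !== null && tenant.keyExpiresAt < nowMs) {
    return { status: 401, error: "api_key_expired" };
  }
  return null;
}
```

Checking the key hash before `keyEnabled` and `keyExpiresAt` means a caller without a valid key learns nothing about the key's state.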

Model Access Control

Each tenant can restrict which models are accessible via the gateway using three modes:

all (default)

All models from assigned providers are available. No filtering applied.

whitelist

Only models explicitly listed are accessible. Requests to any other model return an error.

list: ["gpt-4o", "gpt-4o-mini", "claude-sonnet-4-6"]
-> Only these 3 models work for this tenant

blacklist

All models are accessible except those explicitly listed.

list: ["claude-opus-4-6", "o3"]
-> These expensive models are blocked; everything else works

The model access config can be set by:

  • Admin / maintainer: via the Tenants page → Models tab
  • tenant-admin: via the My Tenant page → Model Access tab (self-service)

Model Aliases

Tenants can define aliases that map client-facing model names to actual provider model IDs:

{
  "gpt-4": "gpt-4o",
  "fast":  "gpt-4o-mini",
  "smart": "claude-opus-4-6"
}

Clients using the tenant endpoint can reference model: "smart" and the request is transparently forwarded to claude-opus-4-6.

Routing Configuration

Each tenant has its own routing configuration:

{
  "classifierProvider": "<provider-id>",
  "classifierModel":    "gpt-4o-mini",
  "defaultModel":       "gpt-4o",
  "forceAutoRoute":     false,
  "overrides": {
    "visionUpgrade":          true,
    "confidenceFallback":     true,
    "confidenceThreshold":    0.65,
    "domainGate":             true,
    "conversationTurnUpgrade": true,
    "frustrationUpgrade":     true,
    "outputLengthUpgrade":    true
  }
}

See Routing for full details on how routing works.

Tenant-Admin Self-Service

Users with the tenant-admin role can manage their assigned tenants without admin access:

My Tenant page

  • Model Access tab — switch between all/whitelist/blacklist, select models via checkboxes grouped by provider
  • Generate Config tab — generate ready-to-paste configs for Continue, OpenCode, Cursor, Claude Code, Open WebUI, Python SDK, Node.js SDK

Tenant Portal API

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/prism/tenant-portal/mine | List own tenants |
| GET | /api/prism/tenant-portal/:id | Get tenant config (no API key hash) |
| PUT | /api/prism/tenant-portal/:id/model-config | Update model access mode and list |
| GET | /api/prism/tenant-portal/:id/models | List accessible models (respects model access config) |

Admins and maintainers also have access to these endpoints and see all tenants via /mine.

Generate Config

The Generate Config button (code icon) per tenant opens a modal with configuration snippets for popular tools. The endpoint URL and API key placeholder are pre-filled; the user just needs to substitute their actual key.

| Tool | Config format | Location |
|---|---|---|
| Continue | YAML schema v1 | ~/.continue/config.yaml |
| OpenCode | JSON with $schema | ~/.config/opencode/config.json |
| Cursor | Manual settings | Settings → Models → OpenAI |
| Claude Code | Shell env var | ~/.bashrc / .env |
| Open WebUI | Docker env | docker-compose.yml |
| Python SDK | Code snippet | example.py |
| Node.js SDK | Code snippet | example.mjs |