Skip to main content
The Trident gateway is a transparent proxy that sits between your agent and the LLM provider. Every request your agent makes passes through the gateway, which does two things simultaneously: it runs the runtime firewall to scan prompts and outputs for threats in real time, and it automatically captures the full trace — messages, tool calls, latency, and token counts — without any additional SDK instrumentation. For most teams, adding the gateway is the fastest path to complete runtime visibility and active threat blocking, requiring only a one-line base URL change.

Gateway endpoints

Replace your LLM provider’s base URL with the corresponding Trident gateway endpoint:
ProviderTrident gateway endpoint
OpenAIhttps://app.usetrident.dev/api/public/gateway/openai/v1
Anthropichttps://app.usetrident.dev/api/public/gateway/anthropic/v1
Your existing API key for the underlying provider is stored on your Trident project (see the Gateway settings page) and is used by Trident to forward requests on your behalf. Trident never logs or returns your provider API keys.

Enable the gateway

Authenticate gateway requests using HTTP Basic auth with your Trident project key pair — the same publicKey:secretKey credentials you use for the REST API. Pass the Base64-encoded pair in the Authorization header. Optionally, include x-vouch-agent to tag which agent is making the request. 
import OpenAI from 'openai';

const tridentAuth = Buffer.from(
  `${process.env.TRIDENT_PROJECT_PUBLIC_KEY}:${process.env.TRIDENT_PROJECT_SECRET_KEY}`
).toString('base64');

const client = new OpenAI({
  apiKey: 'trident-gateway',
  baseURL: 'https://app.usetrident.dev/api/public/gateway/openai/v1',
  defaultHeaders: {
    'Authorization': `Basic ${tridentAuth}`,
    'x-vouch-agent': 'my-agent-id',
  },
});

Required and optional headers

Pass these headers on every request to the gateway. Your HTTP client’s defaultHeaders (or equivalent) is the most convenient place to set them once.
HeaderRequiredDescription
AuthorizationYesHTTP Basic auth credentials. Encode your project key pair as Base64(publicKey:secretKey) and pass as Basic <encoded>.
x-vouch-agentNoAn identifier for the specific agent making the request. Can be any string — use a stable, human-readable name like customer-support-agent. When set, traces and findings are scoped to that agent in the dashboard.

Store your provider API keys

Before routing requests through the gateway, save your LLM provider API keys in Settings → Gateway. Trident encrypts and stores them server-side, then uses them to forward your requests to OpenAI or Anthropic. You never need to pass provider keys in gateway requests — Trident handles that automatically.

Blocked requests

When the firewall blocks a request, the gateway returns an HTTP 451 response instead of forwarding the call to the LLM provider. The response body is a JSON object: 
{
  "error": "blocked_by_vouch_firewall",
  "verdict": {
    "is_valid": false
  }
}
Your agent should handle 451 responses from the gateway gracefully. Inspect the error field to distinguish a firewall block from a malformed request error (400) or an authentication failure (401).

Firewall scan modes

The gateway supports two scan modes:
ModeLatency overheadHow to enable
Fast (default)~10–50msActive by default for all projects
Full~150–300msContact Trident support to enable
Fast mode uses regex-based and keyword-pattern matching to catch the highest-confidence threats with minimal latency impact. Full mode runs a deeper ML-based scan pipeline with higher accuracy and a broader set of detectors.
Routing requests through the gateway adds latency to every LLM call your agent makes. Fast mode adds approximately 10–50ms; full mode adds approximately 150–300ms. Measure the impact on your agent’s end-to-end response time and factor it into your SLA planning before enabling the gateway in production.