Provider & Model Restrictions
API keys can be configured with provider and model allow-lists to control access. These are enforced by the proxy before the request reaches the upstream provider.
Provider restrictions
If your key has a provider allow-list (e.g. ["openai", "anthropic"]), requests to other providers are rejected:
{"error": "AISpendOps: Provider not allowed by API key policy"}
A key with ["*"] allows all providers.
Model restrictions
If your key has a model allow-list, the proxy checks the model field in your request body. Models are specified in provider:pattern format with optional trailing wildcard:
| Pattern | Matches |
|---|---|
* | All models on all providers |
openai:gpt-4.1 | Exact match only |
openai:gpt-4* | Any OpenAI model starting with gpt-4 |
anthropic:claude-sonnet-4* | Any Anthropic model starting with claude-sonnet-4 |
If the model is not allowed:
{"error": "AISpendOps: Model not allowed by API key policy"}
info
Model checking only applies to requests with a JSON body containing a model field. Endpoints that don't send a model (e.g. GET /v1/models) are not affected.