Gateway Overview
The Rivano gateway is a self-hosted HTTP proxy that sits between your application and any LLM provider. It enforces policies, detects PII, logs every request as a trace, and forwards traffic to the configured provider — all without requiring any changes to your application code.
When to use the gateway
| Scenario | Recommendation |
|---|---|
| You need data to stay on your network | Self-hosted gateway (no prompt data leaves your infra) |
| You’re in an air-gapped or regulated environment | Self-hosted gateway with cloud: section omitted |
| You want governance without code changes | Self-hosted or managed gateway |
| You’re building a prototype or SaaS product | Managed cloud endpoint (no gateway to run) |
The gateway can run fully offline — the cloud: section in rivano.yaml is optional. When omitted, policies and traces are stored and evaluated locally, with no data sent to api.rivano.ai.
Quick start
Install the gateway:
npm install -g @rivano/gatewayCreate a rivano.yaml:
gateway:
port: 8080
providers:
openai:
apiKey: "sk-..."
middleware:
pii: true
injection: true
audit: stdoutStart the gateway:
rivano-gateway start
# Gateway running on http://localhost:8080Point your OpenAI SDK at it:
OPENAI_BASE_URL=http://localhost:8080/openai/v1 node your-app.jsYour application works exactly as before — the gateway is fully transparent to the OpenAI SDK.
Architecture
Your App
│
▼ HTTP (OpenAI-compatible)
Rivano Gateway (localhost:8080)
│
├── Rate limiter
├── PII detector
├── Injection scorer
├── Policy evaluator (loads from control plane or local config)
│
▼ HTTP
LLM Provider (OpenAI, Anthropic, ...)
│
▼
Rivano Gateway (response pipeline)
│
├── PII redactor (if policy fires)
├── Response logger
│
▼
Your AppHybrid mode
When you include the cloud: section in rivano.yaml, the gateway syncs with the Rivano control plane:
- Policies are loaded from and pushed to the control plane
- Traces are forwarded to
api.rivano.aifor storage and visualization in the dashboard - Agent definitions are kept in sync
Prompt and response content never leaves your network in hybrid mode — only metadata (token counts, latency, policy outcomes, trace IDs) is sent to the control plane.
Hybrid mode gives you the best of both worlds: data residency with full dashboard visibility. Use it unless your environment prohibits all external network calls.
Request and response headers
The gateway adds these headers to every response it forwards back to your application:
| Header | Description |
|---|---|
X-Rivano-Provider | Which provider handled the request |
X-Rivano-Latency | Total gateway latency in milliseconds |
X-Rivano-Trace-Id | Trace ID for this request |
Related
- Gateway Configuration — Full rivano.yaml reference
- Gateway Middleware — Middleware pipeline and toggles
- Gateway Providers — Configure multiple providers and routing
- Gateway Deployment — Production setup, Docker, health checks