API Documentation

AnuraGate is an OpenAI-compatible proxy. Point your existing SDK at AnuraGate and all requests are routed, secured, and tracked automatically.

# Replace your base URL — that's it
OPENAI_BASE_URL=https://your-gate-instance.vercel.app/v1

# Or use curl directly
curl https://your-gate-instance.vercel.app/v1/chat/completions \
  -H "Authorization: Bearer gk_your_virtual_key" \
  -H "Content-Type: application/json" \
  -d '{"model":"gpt-4o","messages":[{"role":"user","content":"Hello"}]}'

Request Headers

Headers you can send with your proxy requests to control AnuraGate behavior.

AuthorizationrequiredBearer gk_...

Your AnuraGate virtual key. Used for authentication, budget tracking, and policy evaluation.

x-gate-session-idstring

Attach a session ID to group requests for circuit breaker tracking. If omitted, each request is independent.

x-gate-snapshottrue

Force a git snapshot webhook for this request, even if the key doesn't have snapshots enabled by default.

x-gate-audittrue

Force a double-check AI audit for this specific request, regardless of key-level audit config.

x-gate-no-cachetrue

Bypass the smart cache and always forward to the upstream provider.

Response Headers

Headers AnuraGate adds to every proxy response.

x-gate-cost0.0023

Estimated cost of this request in USD, calculated from token usage and the model's pricing.

x-gate-cachedtrue | false

Whether this response was served from AnuraGate's smart cache.

x-gate-provideropenai | anthropic | google

Which upstream provider handled this request.

x-gate-redacted3

Number of PII/secret items redacted from the request. Only present if redaction occurred.

x-gate-policy-blockedtrue

Present when a policy rule blocked the request before it reached the LLM.

x-gate-session-killedtrue

Present when the request triggered a circuit breaker and the session was terminated.

x-gate-snapshot-idstring

The snapshot ID returned by the webhook, if a snapshot was captured.

x-gate-audit-iddaudit_...

The audit result ID. Use this to look up the full audit verdict in the audit trail.

x-gate-audit-risklow | medium | high | critical

Risk level from the double-check AI audit, if one was performed.

Error Codes

AnuraGate returns standard HTTP status codes with structured error bodies.

{
  "error": {
    "message": "Daily spend limit exceeded for this key",
    "type": "gate_error",
    "code": "budget_exceeded"
  }
}
StatusCodeDescription
401invalid_keyVirtual key is missing, invalid, or disabled.
403model_not_allowedThe requested model is not in the key's allowed models list.
403policy_blockedA policy rule blocked this request content.
429rate_limitedThe key has exceeded its RPM (requests per minute) limit.
429budget_exceededDaily spend cap reached for this virtual key.
429session_killedThe session was terminated by a circuit breaker.
451audit_blockedDouble-check AI flagged the response as high/critical risk (blocking mode).
502provider_errorThe upstream provider returned an error.
503no_provider_keyNo provider API key configured for the requested model's provider.

Webhook Events

Configure a webhook URL in your dashboard to receive real-time notifications. Pro and Enterprise plans only.

POST https://your-webhook.example.com/gate
Content-Type: application/json

{
  "event": "budget.alert",
  "teamId": "org_abc123",
  "keyName": "my-key",
  "data": {
    "currentSpend": 4.12,
    "dailyLimit": 5.00,
    "percentUsed": 82.4
  },
  "timestamp": "2026-02-18T10:30:00.000Z"
}
budget.alert

Fired when a key reaches 80% of its daily spend limit.

budget.exceeded

Fired when a key hits 100% of its daily spend limit and requests are being blocked.

session.killed

Fired when a circuit breaker terminates a session (cost, token, duration, or request limit exceeded).

loop.detected

Fired when loop detection identifies repeated requests or cost spikes.

policy.blocked

Fired when a policy rule blocks a request.

audit.flagged

Fired when double-check AI flags a response as medium risk or above.

Snapshot Protocol

Git snapshots capture your codebase state at the moment of each AI request. Configure a snapshot endpoint URL in your virtual key settings.

Request (from AnuraGate to your endpoint)

POST https://your-snapshot-endpoint.example.com/snapshot
Content-Type: application/json

{
  "action": "snapshot",
  "virtualKey": "my-key",
  "sessionId": "sess_abc123",
  "model": "gpt-4o",
  "timestamp": "2026-02-18T10:30:00.000Z"
}

Expected Response

{
  "snapshotId": "snap_abc123",
  "commitHash": "a1b2c3d4",
  "branch": "main",
  "diffSummary": "+42 -15 across 3 files"
}

Your endpoint should create a git stash or commit, then return the snapshot metadata. AnuraGate will store the snapshot ID in the request log and include it in the x-gate-snapshot-id response header.

Audit Headers

When double-check AI runs, these headers are added to the response.

x-gate-audit-iddaudit_1708234567_a1b2c3

Unique ID for this audit. Look it up in the Audit Trail dashboard tab.

x-gate-audit-risklow | medium | high | critical

Overall risk assessment from the audit LLM.

x-gate-audit-passedtrue | false

Whether the audit passed. In blocking mode, a failed audit returns HTTP 451.

Blocking vs. Async Mode

In async mode, the audit runs in the background after the response is sent. The audit headers will still be present but the response is never blocked. In blocking mode, AnuraGate waits for the audit to complete before returning the response. If the audit fails (risk = high or critical), the response is replaced with an HTTP 451 error.

Presets API

Apply one-click security presets to configure all your keys at once.

Apply a Preset

POST /api/dashboard/security/presets
Content-Type: application/json
Cookie: (Clerk session)

{
  "presetId": "standard",
  "keys": ["my-key-1", "my-key-2"]  // optional — omit for all keys
}

// Response
{
  "success": true,
  "presetId": "standard",
  "applied": 5,
  "skipped": 0,
  "errors": []
}
relaxed

Free tier: Basic PII redaction only. No policies, session tracking, or audit features.

standard

Pro tier: Full PII + secret detection, default blocklists, circuit breakers with loop detection.

strict

Enterprise tier: Maximum protection — response scanning, blocking AI audit, tight session limits, auto-kill.

Tool Integrations API

Connect third-party tools (WhatsApp, Slack, GitHub) to AnuraGate. All events pass through the same security pipeline — redaction, policies, and audit logging — without ever storing user credentials.

Webhook Relay

For services with native webhook support. Configure the third-party service to POST events to your integration's webhook URL.

POST /v1/tools/webhook/{slug}

# Headers set by the third-party service:
X-Slack-Signature: v0=abc...     # Slack
X-Hub-Signature-256: sha256=...  # GitHub
X-Hub-Signature-256: sha256=...  # WhatsApp Business

# AnuraGate verifies the signature, normalizes the event,
# runs security pipeline, and forwards to your forwardUrl.

# Response:
{ "ok": true }

Outbound Tool Proxy

Send actions through tools via AnuraGate. For watcher-based tools, actions are queued. For webhook-based tools with token passthrough, requests are proxied directly.

POST /v1/tools/proxy
x-gate-key: gk-your-key
x-gate-tool-token: xoxb-...  # Only for direct API calls

{
  "tool": "slack",
  "action": "send_message",
  "params": {
    "channel": "#general",
    "text": "Hello from AnuraGate!"
  },
  "integrationId": "ti_..."
}

# Response (watcher-based):
{ "ok": true, "actionId": "act_...", "status": "queued" }

# Response (token passthrough):
{ "ok": true, "data": { ... } }

Supported Tools

whatsapp-web

WhatsApp Web via AnuraGate Watcher (self-hosted). Events: message.received, message.sent, message.ack, group.join, etc.

whatsapp-business

WhatsApp Business Cloud API via webhook relay. Events: message.text, message.image, message.status.*, etc.

slack

Slack Events API via webhook relay. Events: message, reaction_added, member_joined_channel, app_mention, etc.

github

GitHub Webhooks via webhook relay. Events: push, pull_request.*, issues.*, issue_comment.created, etc.

Tool Webhook Events

Subscribe to these events via the Webhooks dashboard to get notified about tool activity.

tool.event.received

An inbound tool event was processed (or blocked) by AnuraGate.

tool.integration.created

A new tool integration was added.

tool.integration.disabled

A tool integration was disabled.

tool.integration.deleted

A tool integration was deleted.

tool.health.watcher_offline

An AnuraGate Watcher agent stopped sending heartbeats.

tool.health.error_spike

An integration's error rate exceeded 50%.

tool.health.stale

An integration hasn't received events for over 1 hour.

Watcher API

The AnuraGate Watcher is a self-hosted daemon that maintains connections to services like WhatsApp Web. Session tokens stay on your machine — only events are sent to AnuraGate cloud for security processing.

Heartbeat

POST /v1/tools/watcher/heartbeat
x-gate-key: gk-your-key

{ "integrationId": "ti_..." }

# Response:
{
  "ok": true,
  "integrationId": "ti_...",
  "heartbeat": "2026-02-18T12:00:00.000Z",
  "nextHeartbeatIn": 30
}

Push Event

POST /v1/tools/watcher/event
x-gate-key: gk-your-key

{
  "integrationId": "ti_...",
  "event": {
    "id": "evt_1",
    "tool": "whatsapp-web",
    "eventType": "message.received",
    "timestamp": "2026-02-18T12:00:00Z",
    "source": { "id": "+1234567890", "name": "John", "type": "user" },
    "content": { "text": "Hello!", "metadata": {} },
    "raw": {}
  }
}

# Response:
{
  "ok": true,
  "blocked": false,
  "forwarded": true,
  "securityActions": ["redacted:2"],
  "latencyMs": 45
}

Poll Outbound Actions

GET /v1/tools/watcher/outbound?integrationId=ti_...
x-gate-key: gk-your-key

# Response:
{
  "ok": true,
  "actions": [
    {
      "id": "act_...",
      "integrationId": "ti_...",
      "action": "send_message",
      "params": { "chatId": "...", "text": "Hello!" },
      "status": "processing",
      "createdAt": "2026-02-18T12:00:00Z"
    }
  ]
}

Report Action Result

POST /v1/tools/watcher/outbound
x-gate-key: gk-your-key

{
  "actionId": "act_...",
  "integrationId": "ti_...",
  "success": true,
  "result": { "messageId": "..." }
}

# Response:
{ "ok": true }

Plan Limits

Free

1 integration, 100 events/day, 50 outbound/day, no watcher agents

Pro ($29/mo)

5 integrations, 5,000 events/day, 2,500 outbound/day, 1 watcher agent

Enterprise ($99/mo)

Unlimited integrations, events, outbound actions, and watcher agents

Watcher SDK

The AnuraGate Watcher SDK (@gate/watcher) is a self-hosted package that connects third-party services (like WhatsApp Web) to AnuraGate. Session tokens stay on your machine — AnuraGate never stores credentials. You can use it as a CLI tool or embed it directly into your Node.js application with a plug-and-play UI widget.

1. Create an Integration

Go to the AnuraGate Dashboard → Integrations and create a new integration. Select WhatsApp Web as the tool and Watcher as the mode. You will receive an integrationId and your existing virtual key (gk-…) is used to authenticate.

2. Install the SDK

npm install @gate/watcher

3. Backend Setup (Node.js)

Add the watcher to your existing Express / HTTP server. This is all the server-side code you need — five lines:

const express = require("express");
const { GateWatcher, widgetMiddleware } = require("@gate/watcher");

const app = express();

// Serve the widget JS from the SDK
app.use(widgetMiddleware());

// Create the watcher
const watcher = new GateWatcher({
  gateKey:        "gk-your-virtual-key",
  integrationId:  "ti_your-integration-id",
});

// Start the server, then attach the watcher
const server = app.listen(3000);
watcher.attach(server);

// Events (optional)
watcher.on("qr",    () => console.log("QR ready"));
watcher.on("ready", () => console.log("WhatsApp connected"));
watcher.on("message", (msg) => console.log("Message from", msg.from));

watcher.start();

4. Frontend Setup (Any Page)

Drop the widget into any page served by your Express app. No framework required — the SDK provides all styles and logic:

<div id="whatsapp"></div>
<script src="/gate-watcher/widget.js"></script>
<script>GateWatcher.mount('#whatsapp')</script>

This renders a card with a "Connect WhatsApp" button. Clicking it opens a modal with a QR code. Once scanned, the card updates to show the connected status.

5. Widget Options

GateWatcher.mount('#whatsapp', {
  wsPath: '/ws/whatsapp',   // WebSocket path (default)
  theme:  'light',          // 'light' or 'dark'
})

6. React Components

For React apps, import the customer-facing QR component or the full admin panel:

import { GateWatcherQR } from "@gate/watcher/react";

// Clean QR-only flow for end users
<GateWatcherQR
  wsUrl="ws://localhost:3000/ws/whatsapp"
  onReady={() => console.log("Connected!")}
/>

// Or the full admin panel with event feed
import { GateWatcherPanel } from "@gate/watcher/react";
<GateWatcherPanel wsUrl="ws://localhost:3000/ws/whatsapp" />

7. CLI Mode

For quick testing or headless environments, run the watcher from the command line. Create a .env file and run:

# .env
GATE_KEY=gk-your-virtual-key
GATE_INTEGRATION_ID=ti_your-integration-id

# Run
npx @gate/watcher

The QR code will be displayed in the terminal. Set WEB_PORT=3001 in your .env to also launch a local web panel for scanning.

How It Works

Events

The watcher pushes every WhatsApp event to AnuraGate cloud via POST /v1/tools/watcher/event. AnuraGate runs your security pipeline (redaction, policies, audit) and forwards processed events to your configured forward URL.

Outbound

To send messages, your app calls POST /v1/tools/proxy. AnuraGate queues the action, and the watcher polls for it. Execution happens locally — tokens never leave your machine.

Heartbeat

The watcher sends heartbeats every 30s to POST /v1/tools/watcher/heartbeat. If heartbeats stop, AnuraGate marks the integration as offline and fires a tool.health.watcher_offline webhook.

Security

All events pass through AnuraGate's security layers: PII redaction, policy enforcement, and audit logging. Blocked events are logged but not forwarded.