Access Control for AI Gateway Models

You can add models to AI Gateway by adding provider accounts like OpenAI, Anthropic, Bedrock etc through the Integrations page. Each model provider can have multiple models within and you can configure access control at the provider account level.

Provider Accounts in AI Gateway

Access Management for Teams and Users

Understanding Access Levels

TrueFoundry provides two permission levels when granting access to provider accounts:

  1. Provider Account Manager
    • Can modify provider account settings
    • Can add or remove models
    • Can manage access permissions for others
  2. Provider Account User
    • Can use all models within the provider account
    • Cannot change provider account settings
    • Cannot modify access permissions

When you assign these permissions to teams or individual users, everyone in that team (or the specific user) will receive the corresponding level of access.

Granting Access to Provider Accounts

When you grant a team or user access to a provider account, they automatically gain access to all models associated with that account. This simplifies permission management when working with multiple models from the same provider.

You can grant access to users and teams via the edit form as shown in the following demo:

Using Personal Access Tokens (PATs)

To access models through the API, users need to generate a Personal Access Token from the Access page. These tokens authenticate API requests and enforce the user’s access permissions.

Generating Personal Access Tokens

When you provide access to a user, all their Personal Access Tokens (PATs) automatically inherit access to the provider account and its models. This ensures consistent access across all of a user’s applications and integrations.

Access Management for Virtual Accounts

Why Use Virtual Accounts

Virtual accounts provide a more secure and maintainable approach for applications that need to access LLMs through the gateway:

  • Persistence: Virtual accounts remain valid even if employees leave the company
  • Separation of concerns: Application access is not tied to individual users
  • Auditability: Easier to track which applications are using which models

Configuring Virtual Account Access

Similar to user access, virtual accounts can be granted either manager or user access to provider accounts. This gives the virtual account access to all models within that provider account.

You can grant access to virtual accounts via the virtual account form as shown in the following demo:

Best Practices for Virtual Account Access

  • Create separate virtual accounts for different applications or services
  • Grant only the necessary level of access (prefer user access over manager access)