[ OSS GOVERNANCE ]
Bifrost OSS includes comprehensive governance features for access control, cost management, and routing - all free and open source.
Primary governance entity providing authentication, access control, budgets, and rate limits per consumer. Support for multiple header formats (OpenAI, Anthropic, Gemini-compatible).
Weighted load balancing across providers with automatic failover. Model and provider restrictions per virtual key with API key-level binding for environment separation.
Independent cost tracking at Customer → Team → Virtual Key → Provider levels. Costs calculated from the model catalog and deducted across all applicable tiers automatically.
Token and request-based throttling at provider and virtual key levels. Flexible reset durations from 1 minute to 1 month with automatic enforcement.
Allow-list controls for Model Context Protocol tools per virtual key. Fine-grained permissions with wildcard support and automatic header generation.
Enforce custom HTTP headers on every request for tenant isolation, audit trails, and routing metadata. Case-insensitive validation with 400 rejection.
[ VIRTUAL KEYS ]
Virtual keys authenticate requests and enforce access control, budgets, and rate limits per consumer.
Restrict which AI models users can access
Limit access to specific AI providers
Independent cost tracking per virtual key
Token and request-based throttling
Bind to specific provider keys
Instantly enable or disable access
x-bf-vk | sk-bf-* | Native Bifrost
Authorization | Bearer | OpenAI-compatible
x-api-key | sk-ant-* | Anthropic-compatible
x-goog-api-key | AI* | Gemini-compatible
[ INTELLIGENT ROUTING ]
Distribute traffic across providers with configurable weights and automatic fallback chains.
Automatically optimizes traffic distribution across providers and keys based on real-time performance metrics.
Create fallback chains ordered by weight when primary providers fail or hit rate limits
Whitelist specific provider-model combinations with empty array defaulting to catalog detection
Restrict VKs to specific provider API keys for environment separation (dev/test/prod)
[ HIERARCHICAL BUDGETS ]
Independent cost tracking at Customer, Team, Virtual Key, and Provider levels with automatic deduction across all tiers.
Top-level organization with independent budget
Department-level budget within customer
Individual access token budget
Per-provider spending limits
All Applicable Budgets Must Pass
When a transaction occurs, the same cost deducts from every relevant level simultaneously. A single exhausted budget at any tier blocks the entire request.
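The all-tiers rule described above, sketched in Go as an added example (not Bifrost's own code). The `Budget` and `Ledger` types, the split into a pre-request check and a post-response deduction, and the sample figures are assumptions; the 402 status is the one this page gives for an exceeded budget.

```go
package main

import (
	"fmt"
	"sync"
)

// Budget is a hypothetical spending tier; names and fields are illustrative.
type Budget struct {
	Tier         string
	Limit, Spent float64
}

// Ledger holds every budget that applies to one virtual key's requests.
type Ledger struct {
	mu    sync.Mutex
	tiers []*Budget
}

// Allow returns 200 when no tier is exhausted, else 402 and the blocking tier.
func (l *Ledger) Allow() (int, string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	for _, b := range l.tiers {
		if b.Spent >= b.Limit {
			return 402, b.Tier
		}
	}
	return 200, ""
}

// Record deducts the same cost from every tier under one lock (no partial charge).
func (l *Ledger) Record(cost float64) {
	l.mu.Lock()
	defer l.mu.Unlock()
	for _, b := range l.tiers {
		b.Spent += cost
	}
}

func main() {
	// Constructed sample: the team tier has 0.50 left, the others have plenty.
	l := &Ledger{tiers: []*Budget{{"customer", 1000, 120}, {"team", 50, 49.5},
		{"virtual_key", 20, 1}, {"provider", 500, 80}}}
	fmt.Println(l.Allow()) // no tier exhausted yet
	l.Record(0.5)          // charged to all four tiers at once
	fmt.Println(l.Allow()) // the exhausted team tier blocks the request
}
```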
[ ENTERPRISE GOVERNANCE ]
Plug into your existing identity provider. Every user, role, and action is tracked end-to-end for full regulatory visibility.
Fine-grained permissions with custom roles across Bifrost resources. Pre-configured Admin, Developer, and Viewer roles plus unlimited custom roles.
OpenID Connect with Okta and Microsoft Entra. Automatic role assignment from IdP groups with highest-privilege logic for multi-group users.
Automatic team creation from identity provider groups. Hierarchical structure from customer through team to individual user levels.
Individual authentication and budget allocation. Personal access tracking with per-user budget enforcement.
Access, usage, data, and compliance-focused reporting. Audit trails and report generation for security posture and regulatory health.
SOC 2 Type II, GDPR, ISO 27001, and HIPAA compliance. Automated controls with risk assessment and regulatory reporting.
[ ROLE-BASED ACCESS CONTROL ]
Start with Admin, Developer, and Viewer. Create custom roles as your team structure evolves.
Users receive only the permissions they need for their job function, reducing security vulnerabilities and preventing accidental misconfigurations.
Assign roles once instead of configuring individual permissions. New team members inherit appropriate access automatically through role assignment.
Demonstrate to auditors exactly who has what access. Audit logs track permission changes over time for compliance frameworks like SOC 2 Type II and GDPR.
Create tailored roles for QA teams, security auditors, or compliance officers. Custom roles adapt to your organizational structure.
Full control over all Bifrost resources and configurations
Platform engineers, security admins
Manage technical resources without administrative privileges
Engineering teams, DevOps
Read-only access for monitoring and compliance
Finance, compliance, executives
[ CONFIGURATION ]
Visual dashboard for configuring virtual keys, budgets, routing, and RBAC
Programmatic management via endpoints at /api/governance/*
Declarative file-based configuration for GitOps workflows
Interactive terminal setup for managing governance settings from your workflow
[ USE CASES ]
Isolate tenants with virtual keys, enforce per-tenant budgets, and track usage with required headers. Automatic cost allocation across customers.
Department-level budgets with team-specific provider access. SSO integration syncs teams from Okta/Entra with automatic role assignment.
Hierarchical budgets prevent runaway spending. Weighted routing sends 80% of traffic to cost-effective providers with automatic failover to premium options.
MCP tool filtering restricts which tools agents can access. Virtual key permissions ensure agents only call approved models and providers.
Required headers enforce audit trails. RBAC controls who can configure guardrails. Comprehensive logs support SOC 2 Type II, HIPAA, GDPR requirements.
Bind virtual keys to dev/staging/prod API keys. Developers use test keys with lower budgets while production gets dedicated high-limit keys.
[ BIFROST FEATURES ]
Everything you need to run AI in production, from free open source to enterprise-grade features.
01 Governance
SAML support for SSO, plus role-based access control and policy enforcement for team collaboration.
02 Adaptive Load Balancing
Automatically optimizes traffic distribution across provider keys and models based on real-time performance metrics.
03 Cluster Mode
High availability deployment with automatic failover and load balancing. Peer-to-peer clustering where every instance is equal.
04 Alerts
Real-time notifications for budget limits, failures, and performance issues on Email, Slack, PagerDuty, Teams, Webhook and more.
05 Log Exports
Export and analyze request logs, traces, and telemetry data from Bifrost with enterprise-grade data export capabilities for compliance, monitoring, and analytics.
06 Audit Logs
Comprehensive logging and audit trails for compliance and debugging.
07 Vault Support
Secure API key management with HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and Azure Key Vault integration.
08 VPC Deployment
Deploy Bifrost within your private cloud infrastructure with VPC isolation, custom networking, and enhanced security controls.
09 Guardrails
Automatically detect and block unsafe model outputs with real-time policy enforcement and content moderation across all agents.
[ SHIP RELIABLE AI ]
Change just one line of code. Works with OpenAI, Anthropic, Vercel AI SDK, LangChain, and more.
[ FREQUENTLY ASKED QUESTIONS ]
OSS includes virtual keys, budgets, rate limits, routing, MCP tool filtering, and required headers - sufficient for most production workloads. Enterprise adds RBAC with SSO (Okta/Entra), user-level governance, team synchronization, comprehensive audit logs, and compliance frameworks (SOC 2 Type II, HIPAA, GDPR, ISO 27001).
Budgets cascade from Customer → Team → Virtual Key → Provider. All applicable budgets must pass for a request to proceed. When a transaction occurs, the same cost deducts from every relevant level simultaneously. A single exhausted budget at any tier blocks the entire request.
Yes. Virtual keys support API key restrictions, allowing you to bind VKs to specific provider API keys. Create separate VKs for dev (using test keys with low budgets) and production (using dedicated high-limit keys) for complete environment separation.
Configure weights per provider (e.g., 80% Azure, 20% OpenAI). Bifrost normalizes the weights so they sum to 1.0 and distributes traffic proportionally. When a provider fails or hits rate limits, Bifrost creates fallback chains ordered by weight for automatic failover.
Requests return specific HTTP status codes: 402 for budget exceeded, 429 for rate limits exceeded. Virtual keys remain functional for other operations but block LLM requests until budgets reset (based on configured duration) or rate limit windows expire.
When a user belongs to multiple Okta/Entra groups mapped to different Bifrost roles, the system automatically assigns the highest privilege role. For example, if a user is in both viewer and admin groups, they receive admin permissions.