Bifrost Governance | Virtual Keys, Budgets & Enterprise RBAC
Comprehensive governance for LLM access with virtual keys, budgets, rate limits, routing, MCP tool filtering, and enterprise RBAC with SSO integration.
OSS Governance Features
- OSS: Virtual keys. Primary governance entity providing authentication, access control, budgets, and rate limits per consumer. Support for multiple header formats (OpenAI, Anthropic, Gemini-compatible).
- OSS: Intelligent routing. Weighted load balancing across providers with automatic failover. Model and provider restrictions per virtual key with API key-level binding for environment separation.
- OSS: Hierarchical budgets. Independent cost tracking at Business Units → Team → Virtual Key → Provider levels. Costs calculated from the model catalog and deducted across all applicable tiers automatically.
- OSS: Rate limits. Token and request-based throttling at provider and virtual key levels. Flexible reset durations from 1 minute to 1 month with automatic enforcement.
- OSS: MCP tool filtering. Allow-list controls for Model Context Protocol tools per virtual key. Fine-grained permissions with wildcard support and automatic header generation.
- OSS: Required headers. Enforce custom HTTP headers on every request for tenant isolation, audit trails, and routing metadata. Header names are validated case-insensitively, and a request missing a required header is rejected with HTTP 400.
Enterprise Governance Features
- Enterprise: Role-based access control. Fine-grained permissions with custom roles across Bifrost resources. Pre-configured Admin, Developer, and Viewer roles plus custom roles.
- Enterprise: SSO integration. OpenID Connect with Okta, Zitadel, Keycloak, and Microsoft Entra. Automatic role assignment from IdP groups with highest-privilege logic for multi-group users.
- Enterprise: Team synchronization. Automatic team creation from identity provider groups. Hierarchical structure from Business Units through team to individual user levels.
- Enterprise: User-level governance. Individual authentication and budget allocation. Personal access tracking with per-user budget enforcement.
- Enterprise: Comprehensive audit logs. Access, usage, data, and compliance-focused reporting. Audit trails and report generation for security posture and regulatory health.
- Enterprise: Compliance frameworks. SOC 2 Type II, GDPR, ISO 27001, and HIPAA compliance. Automated controls with risk assessment and regulatory reporting.
Virtual Key Capabilities
- Model filtering. Restrict which AI models users can access
- Provider control. Limit access to specific AI providers
- Budget management. Independent cost tracking per virtual key
- Rate limiting. Token and request-based throttling
- API key restrictions. Bind to specific provider keys
- Status control. Instantly enable or disable access
| Header | Format | Provider |
|---|---|---|
| x-bf-vk | sk-bf-* | Native Bifrost |
| Authorization | Bearer | OpenAI-compatible |
| x-api-key | sk-ant-* | Anthropic-compatible |
| x-goog-api-key | AI* | Gemini-compatible |
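The table above lists the header formats a virtual key can arrive in, and the OSS feature list says required headers are validated case-insensitively with a 400 rejection. The following is an added illustrative example of that admission logic, not Bifrost's own code: the header names and key prefixes come from the table, while the value patterns, the `Resolution` type, the `admit` function and the 401 status for a request carrying no key at all are assumptions.

```python
"""Virtual key resolution and required-header enforcement (illustrative, not Bifrost's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One entry per header format in the table. Header names are compared
# case-insensitively; the value regexes are illustrative assumptions.
HEADER_FORMATS = [
    ("x-bf-vk", re.compile(r"^(sk-bf-[A-Za-z0-9_-]+)$"), "native"),
    ("authorization", re.compile(r"^Bearer\s+(\S+)$"), "openai-compatible"),
    ("x-api-key", re.compile(r"^(sk-ant-\S+)$"), "anthropic-compatible"),
    ("x-goog-api-key", re.compile(r"^(AI\S+)$"), "gemini-compatible"),
]


@dataclass
class Resolution:
    status: int                        # HTTP status the gateway would answer with
    virtual_key: Optional[str] = None
    header_style: Optional[str] = None
    error: Optional[str] = None


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case header names so every lookup is case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def resolve_virtual_key(headers: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (virtual key, header style) for the first format that matches."""
    lowered = normalize(headers)
    for name, pattern, style in HEADER_FORMATS:
        value = lowered.get(name)
        if value is None:
            continue
        match = pattern.match(value.strip())
        if match:
            return match.group(1), style
    return None, None


def missing_required_headers(headers: Dict[str, str], required: List[str]) -> List[str]:
    """Required headers match case-insensitively; a blank value counts as missing."""
    lowered = normalize(headers)
    return [name for name in required if not lowered.get(name.lower(), "").strip()]


def admit(headers: Dict[str, str], required: List[str]) -> Resolution:
    """Gate one request: 400 for missing required headers (as the page states),
    then virtual key extraction. The 401 for an absent key is an assumption."""
    missing = missing_required_headers(headers, required)
    if missing:
        return Resolution(400, error="missing required headers: " + ", ".join(missing))
    virtual_key, style = resolve_virtual_key(headers)
    if virtual_key is None:
        return Resolution(401, error="no virtual key found in request headers")
    return Resolution(200, virtual_key=virtual_key, header_style=style)


if __name__ == "__main__":
    # Constructed sample request: OpenAI-compatible bearer header plus a tenant header.
    sample = {"Authorization": "Bearer sk-bf-demo123", "X-Tenant-Id": "acme"}
    print(admit(sample, required=["x-tenant-id"]))
```

Required headers are checked before the key is resolved, so a tenant that forgets its routing header gets the 400 regardless of which key format it uses; the formats are tried in table order, so a request carrying both `x-bf-vk` and `Authorization` resolves through the native header.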
Routing Features
- Adaptive load balancing. Automatically optimizes traffic distribution across providers and keys based on real-time performance metrics.
- Automatic failover. Create fallback chains ordered by weight when primary providers fail or hit rate limits.
- Provider restrictions. Whitelist specific provider-model combinations; an empty array defaults to catalog-based detection.
- API key binding. Restrict VKs to specific provider API keys for environment separation (dev/test/prod).
Governance Deep Dive
Virtual keys, hierarchical budgets, weighted routing with automatic failover, and how production teams enforce per-consumer controls without slowing developers.
Hierarchical Budgets
Independent cost tracking at Customer, Team, Virtual Key, and Provider levels with automatic deduction across all tiers.
- Level 1: Customer. Top-level organization with independent budget
- Level 2: Team. Department-level budget within customer
- Level 3: Virtual Key. Individual access token budget
- Level 4: Provider Config. Per-provider spending limits
Role-Based Access Control Benefits
- Principle of least privilege. Users receive only the permissions they need for their job function, reducing security vulnerabilities and preventing accidental misconfigurations.
- Simplified user management. Assign roles once instead of configuring individual permissions. New team members inherit appropriate access automatically through role assignment.
- Audit-ready access tracking. Demonstrate to auditors exactly who has what access. Audit logs track permission changes over time for compliance frameworks like SOC 2 Type II and GDPR.
- Custom roles for specialized teams. Create tailored roles for QA teams, security auditors, or compliance officers. Custom roles adapt to your organizational structure.
Three Pre-Configured Roles
- Admin. Full control over all Bifrost resources and configurations. Use case: Platform engineers, security admins.
- Developer. Manage technical resources without administrative privileges. Use case: Engineering teams, DevOps.
- Viewer. Read-only access for monitoring and compliance. Use case: Finance, compliance, executives.
SSO Providers
- Okta. OIDC web application; Custom bifrostRole attribute; Group-to-role mappings; Authorization Code + Refresh Token
- Microsoft Entra. App registration in Azure Portal; Three-tier app roles (Admin/Developer/Viewer); Group claims for team sync; Client secret authentication
Use Cases
- Multi-tenant SaaS platforms. Isolate tenants with virtual keys, enforce per-tenant budgets, and track usage with required headers. Automatic cost allocation across customers.
- Enterprise team management. Department-level budgets with team-specific provider access. SSO integration syncs teams from Okta/Entra with automatic role assignment.
- Cost control & optimization. Hierarchical budgets prevent runaway spending. Weighted routing sends 80% of traffic to cost-effective providers with automatic failover to premium options.
- AI agent security. MCP tool filtering restricts which tools agents can access. Virtual key permissions ensure agents only call approved models and providers.
- Regulatory compliance. Required headers enforce audit trails. RBAC controls who can configure guardrails. Comprehensive logs support SOC 2 Type II, HIPAA, GDPR requirements.
- Environment separation. Bind virtual keys to dev/staging/prod API keys. Developers use test keys with lower budgets while production gets dedicated high-limit keys.
Configuration Methods
- Web UI. Visual dashboard for configuring virtual keys, budgets, routing, and RBAC
- REST API. Programmatic management via endpoints at /api/governance/*
- config.json. Declarative file-based configuration for GitOps workflows
- Bifrost CLI. Interactive terminal setup for managing governance settings from your workflow
Open Source & Enterprise
OSS Features
1. Model Catalog. Access 8+ providers and 1000+ AI models through a unified interface. Also supports custom deployed models.
2. Budgeting. Set spending limits and track costs across teams, projects, and models.
3. Provider Fallback. Automatic failover between providers ensures 99.99% uptime for your applications.
4. MCP Gateway. Centralize all MCP tool connections, governance, security, and auth. Your AI can safely use MCP tools with centralized policy enforcement.
5. Virtual Key Management. Create different virtual keys for different use cases with independent budgets and access control.
6. Unified Interface. One consistent API for all providers. Switch models without changing code.
7. Drop-in Replacement. Replace your existing SDK with just one line change. Compatible with OpenAI, Anthropic, LiteLLM, Google GenAI, LangChain, and more.
8. Built-in Observability. Out-of-the-box OpenTelemetry support. Built-in dashboard for quick visibility without complex setup.
9. Community Support. Active Discord community with responsive support and regular updates.
Enterprise Features
1. Governance. SAML support for SSO and role-based access control with policy enforcement for team collaboration.
2. Adaptive Load Balancing. Automatically optimizes traffic distribution across provider keys and models based on real-time performance metrics.
3. Cluster Mode. High availability deployment with automatic failover and load balancing. Peer-to-peer clustering where every instance is equal.
4. Alerts. Real-time notifications for budget limits, failures, and performance issues on Email, Slack, PagerDuty, Teams, Webhook, and more.
5. Log Exports. Export and analyze request logs, traces, and telemetry data from Bifrost with enterprise-grade data export for compliance, monitoring, and analytics.
6. Audit Logs. Comprehensive logging and audit trails for compliance and debugging.
7. Vault Support. Secure API key management with HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and Azure Key Vault integration.
8. VPC Deployment. Deploy Bifrost within your private cloud infrastructure with VPC isolation, custom networking, and enhanced security controls.
9. Guardrails. Automatically detect and block unsafe model outputs with real-time policy enforcement and content moderation across all agents.
FAQ
What is the difference between OSS and Enterprise governance?
OSS includes virtual keys, budgets, rate limits, routing, MCP tool filtering, and required headers, which is sufficient for most production workloads. Enterprise adds RBAC with SSO (Okta/Entra), user-level governance, team synchronization, comprehensive audit logs, and compliance frameworks (SOC 2 Type II, HIPAA, GDPR, ISO 27001).
How do hierarchical budgets work?
Budgets cascade from Customer to Team to Virtual Key to Provider. All applicable budgets must pass for a request to proceed. When a transaction occurs, the same cost deducts from every relevant level simultaneously. A single exhausted budget at any tier blocks the entire request.
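The cascade described here and in the Hierarchical Budgets section (all tiers must pass, one exhausted tier blocks the request, the same cost is deducted from every tier) can be modelled in a few dozen lines. The following is an added illustrative model of that behaviour together with the 402 and 429 responses from the later FAQ; it is not Bifrost's implementation. The tier names, catalog prices, window lengths, the `authorize` function and the choice to check the rate limit before the budgets are all assumptions.

```python
"""Cascading budget and rate-limit check for one request (illustrative, not Bifrost's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model catalog: USD per million prompt / completion tokens.
MODEL_CATALOG = {
    "example-model": {"input": 2.0, "output": 8.0},
}


def estimate_cost(model: str, prompt_tokens: int, completion_tokens: int) -> float:
    """Cost of one call from catalog prices (the page says costs come from the model catalog)."""
    if model not in MODEL_CATALOG:
        raise ValueError(f"model not in catalog: {model}")
    price = MODEL_CATALOG[model]
    return (prompt_tokens * price["input"] + completion_tokens * price["output"]) / 1_000_000


@dataclass
class Budget:
    name: str             # tier label, e.g. "customer:acme" (constructed)
    limit: float          # allowed spend per window
    reset_seconds: int    # window length; the page allows 1 minute to 1 month
    spent: float = 0.0
    window_start: float = 0.0

    def refresh(self, now: float) -> None:
        """Start a fresh window once the reset duration has elapsed."""
        if now - self.window_start >= self.reset_seconds:
            self.spent = 0.0
            self.window_start = now

    def can_afford(self, cost: float) -> bool:
        return self.spent + cost <= self.limit


@dataclass
class RateLimit:
    max_requests: int
    reset_seconds: int
    count: int = 0
    window_start: float = 0.0

    def refresh(self, now: float) -> None:
        if now - self.window_start >= self.reset_seconds:
            self.count = 0
            self.window_start = now


def demo_chain() -> List[Budget]:
    """Constructed Customer -> Team -> Virtual Key -> Provider chain."""
    return [
        Budget("customer:acme", limit=100.0, reset_seconds=30 * 24 * 3600),
        Budget("team:platform", limit=20.0, reset_seconds=7 * 24 * 3600),
        Budget("vk:sk-bf-demo", limit=5.0, reset_seconds=24 * 3600),
        Budget("provider:example", limit=50.0, reset_seconds=24 * 3600),
    ]


def authorize(chain: List[Budget], rate_limit: Optional[RateLimit],
              cost: float, now: float) -> Tuple[int, str]:
    """Return (HTTP status, reason): 429 when the rate limit is exhausted, 402 when
    any tier cannot absorb the cost, otherwise 200 after deducting from every tier."""
    if rate_limit is not None:                      # order of checks is an assumption
        rate_limit.refresh(now)
        if rate_limit.count >= rate_limit.max_requests:
            return 429, "rate limit exceeded"
    for budget in chain:
        budget.refresh(now)
    # Every tier must pass; the first exhausted one blocks the whole request.
    for budget in chain:
        if not budget.can_afford(cost):
            return 402, f"budget exceeded at {budget.name}"
    # All tiers passed: the same cost is deducted from each of them at once.
    for budget in chain:
        budget.spent += cost
    if rate_limit is not None:
        rate_limit.count += 1
    return 200, "ok"


if __name__ == "__main__":
    chain = demo_chain()
    limit = RateLimit(max_requests=10, reset_seconds=60)
    cost = estimate_cost("example-model", 1_000_000, 0)
    for tick in range(4):                           # third call trips the virtual key budget
        print(authorize(chain, limit, cost, now=float(tick)))
```

A blocked request deducts nothing, so a tenant that hits its virtual key limit leaves the customer and team totals untouched; once the virtual key's window resets, spending resumes against the still-accumulating upper tiers.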
Can I enforce different provider access for dev vs. production?
Yes. Virtual keys support API key restrictions, allowing you to bind VKs to specific provider API keys. Create separate VKs for dev (using test keys with low budgets) and production (using dedicated high-limit keys) for complete environment separation.
How does weighted routing work with automatic failover?
Configure weights per provider (e.g., 80% Azure, 20% OpenAI). Bifrost normalizes weights to sum to 1.0 and distributes traffic proportionally. When a provider fails or hits rate limits, Bifrost creates fallback chains ordered by weight for automatic failover.
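The following is an added illustrative example of the routing rule this answer describes (normalize weights, pick proportionally, fall back in descending-weight order); it is not Bifrost's routing code. The provider names, the `draw` value standing in for a random number, and the `send` callback that reports a provider failure are assumptions.

```python
"""Weighted provider routing with weight-ordered fallback (illustrative, not Bifrost's code)."""
from typing import Callable, Dict, Iterable, List, Tuple


def normalize_weights(weights: Dict[str, float]) -> Dict[str, float]:
    """Scale weights so they sum to 1.0 (e.g. 80/20 -> 0.8/0.2)."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return {name: weight / total for name, weight in weights.items()}


def pick_provider(weights: Dict[str, float], draw: float) -> str:
    """Proportional selection: `draw` is a number in [0, 1) from the caller's RNG."""
    cumulative = 0.0
    names = list(weights)
    for name in names:
        cumulative += weights[name]
        if draw < cumulative:
            return name
    return names[-1]  # guard against floating-point drift at the top end


def fallback_chain(weights: Dict[str, float], primary: str) -> List[str]:
    """Primary first, then the remaining providers ordered by descending weight."""
    others = sorted((n for n in weights if n != primary), key=lambda n: weights[n], reverse=True)
    return [primary] + others


def route(weights: Dict[str, float], draw: float,
          send: Callable[[str], bool]) -> Tuple[str, List[str]]:
    """Try the weighted pick, then each fallback in order; `send(provider)`
    returns True on success and False on failure or rate limit (assumed interface)."""
    normalized = normalize_weights(weights)
    attempted: List[str] = []
    for provider in fallback_chain(normalized, pick_provider(normalized, draw)):
        attempted.append(provider)
        if send(provider):
            return provider, attempted
    raise RuntimeError("all providers failed: " + " -> ".join(attempted))


def distribution(weights: Dict[str, float], draws: Iterable[float]) -> Dict[str, int]:
    """Count how often each provider is chosen across a sequence of draws."""
    normalized = normalize_weights(weights)
    counts = {name: 0 for name in normalized}
    for draw in draws:
        counts[pick_provider(normalized, draw)] += 1
    return counts


if __name__ == "__main__":
    # Constructed 80/20 split with Azure unavailable: traffic lands on OpenAI via the chain.
    healthy = {"azure": False, "openai": True}
    print(route({"azure": 80, "openai": 20}, draw=0.3, send=lambda p: healthy[p]))
    print(distribution({"azure": 80, "openai": 20}, (i / 1000 for i in range(1000))))
```

With an evenly spaced set of 1000 draws the split lands on exactly 800/200, which is a cheap way to unit-test a weight table before shipping it; with Azure down, every draw that would have picked it walks the chain and lands on the next-heaviest provider.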
What happens when a virtual key exceeds its budget or rate limit?
Requests return specific HTTP status codes: 402 for budget exceeded, 429 for rate limits exceeded. Virtual keys remain functional for other operations but block LLM requests until budgets reset (based on configured duration) or rate limit windows expire.
How does SSO integration handle users in multiple groups?
When a user belongs to multiple Okta/Entra groups mapped to different Bifrost roles, the system automatically assigns the highest privilege role. For example, if a user is in both viewer and admin groups, they receive admin permissions.
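The highest-privilege rule above, together with the team synchronization from IdP groups mentioned in the Enterprise feature list, as an added illustrative example that is not Bifrost's SSO code. The group names, the group-to-role mapping table, the decision to return no role for a user with no mapped group, and the `bifrost-team-` naming prefix used to derive teams are assumptions.

```python
"""Group-to-role resolution with highest-privilege wins (illustrative, not Bifrost's code)."""
from typing import Dict, List, Optional

# The three pre-configured roles from this page, ranked by privilege.
ROLE_RANK = {"viewer": 1, "developer": 2, "admin": 3}


def resolve_role(groups: List[str], group_to_role: Dict[str, str]) -> Optional[str]:
    """Return the highest-privilege role among the user's mapped groups.
    Unmapped groups are ignored; a user with no mapped group gets None (assumed deny)."""
    best: Optional[str] = None
    for group in groups:
        role = group_to_role.get(group)
        if role is None:
            continue
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role in mapping: {role}")
        if best is None or ROLE_RANK[role] > ROLE_RANK[best]:
            best = role
    return best


def teams_from_groups(groups: List[str], prefix: str = "bifrost-team-") -> List[str]:
    """Derive team memberships from IdP groups that carry an assumed naming prefix."""
    return sorted(g[len(prefix):] for g in groups if g.startswith(prefix) and len(g) > len(prefix))


if __name__ == "__main__":
    # Constructed mapping and a user who sits in both a viewer and an admin group.
    mapping = {"bifrost-viewers": "viewer", "bifrost-devs": "developer", "bifrost-admins": "admin"}
    user_groups = ["bifrost-viewers", "bifrost-admins", "bifrost-team-platform"]
    print(resolve_role(user_groups, mapping), teams_from_groups(user_groups))
```

Because membership in any admin-mapped group wins regardless of how many lower-privilege groups the user also holds, the IdP group that maps to Admin deserves the same change-control as the gateway's own admin credentials.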