Secure Your Gateway
Authentication integration with the Helicone platform
To deploy a secure AI Gateway, you have two options:
- Secure Network Deployment - Deploy in a secure network (VPN, private cloud) where network-level access control provides security
- Public Network with Authentication - Deploy on a public network and use Helicone authentication to secure your gateway
If you’re deploying in a secure network with proper access controls, you can skip the rest of this guide. Authentication is only required for public deployments or when you need user-level access control.
The AI Gateway integrates with Helicone to provide secure authentication for your AI requests. When enabled, the gateway requires valid Helicone API keys for all requests, ensuring only authorized users can access your provider API keys.
Quick Start
Set your Helicone API key
Add your Helicone API key as an environment variable:
Enable Helicone authentication
Create or update your ai-gateway-config.yaml:
Start the gateway
Test with authentication
Now you must include your Helicone API key in the request.
✅ Your request is authenticated and routed to the provider!
Security Warning: Without authentication enabled or limited network access, anyone with access to your AI Gateway can use your provider API keys. Enable Helicone authentication to secure your deployment.
Authentication Usage
When authentication is enabled (authentication: true), include your Helicone API key with every request:
The gateway validates keys in real-time through a persistent WebSocket connection to Helicone’s control plane. Keys are cached locally for resilience during network issues.
For complete configuration options, see the Configuration Reference.
Use Cases
Use case: Production deployment requiring authentication.
Environment variables:
Result: All requests require valid Helicone API keys for access.
Use case: Production deployment requiring authentication.
Environment variables:
Result: All requests require valid Helicone API keys for access.
Use case: Using a self-hosted Helicone instance with custom endpoints.
Environment variables:
Use case: Deployment within a secure network (VPN, private cloud) where network-level access control provides security.
Result: No authentication required. Network security controls access.
How Authentication Works
When enabled, the AI Gateway connects to Helicone’s control plane for real-time authentication validation.
WebSocket Connection
Gateway establishes persistent connection to Helicone control plane with automatic reconnection and exponential backoff
API Key Sync
Authorized API keys and user data are cached locally for fast validation and resilience during network issues
Request Validation
Incoming requests are validated against cached keys with graceful degradation - cached keys continue working during temporary connectivity issues
Access Control
Only requests with valid Helicone API keys are allowed through to your provider APIs
Security
Access Control: Requests without valid Helicone API keys are rejected with 401 Unauthorized. Your provider API keys (OpenAI, Anthropic, etc.) remain secure in the gateway environment and are never transmitted to Helicone.
Secure Communication: All data transmission to Helicone uses TLS encryption for secure key validation.
Coming Soon
The following authentication integrations are planned for future releases:
| Provider | Description | Version |
|---|---|---|
| AWS Secrets Manager | Secure API key storage and rotation with AWS IAM integration | v1 |
| Azure Key Vault | Microsoft Azure’s cloud key management service | v1 |
| Google Secret Manager | Google Cloud’s secure secret storage solution | v1 |
| Kubernetes Secrets | Native Kubernetes secret integration for containerized deployments | v1 |