Overview
The AI Firewall is a gateway at guardrails.vulnetix.com. You point an LLM client
at it instead of at the provider, and every call your organisation makes runs
through the same policy.
What happens to a request
In order. Any step can end the request, and each one has its own error code so you can tell them apart — see the error reference.
- Provider resolution. The first path segment names the provider
(
/openai/...,/anthropic/...). An unknown one is a404; one your organisation has denied is a403. - Surface check. The provider must serve the API you just called. Asking
Anthropic for
/v1/chat/completionsis a404that tells you to use/v1/messages— see Base URLs & request surfaces. - Authentication. The credential you send is your organisation’s Vulnetix API key, not a provider key. This never fails open: if the backend is unreachable the request is refused, not waved through.
- Provider policy. Your organisation’s allow/deny list for that vendor.
- Model policy. Deny lists always block. If you have any allow entry for a provider, that provider flips into allowlist mode and everything else is refused.
- Guardrails. Your content rules run in priority order, lowest first — block, redact, or flag. A block short-circuits.
- Key injection. Your provider key is decrypted from the vault, injected into the upstream request, and the call is forwarded. Your Vulnetix credential is stripped and never reaches the provider.
- Response relay. Streamed or not, the provider’s response is relayed back untouched.
What it never does
- It never logs your prompts or completions. Not by default, not when logging is switched on, not ever. See Zero data retention.
- It never inspects responses. Guardrails run on what you send, not on what comes back. This is a real limitation and we do not paper over it — see Guardrail limitations.
- It never marks up your tokens. You keep your own billing relationship with every provider. That is also why it can be free.
- It never pools your keys. Your provider key is encrypted under an encryption context bound to your organisation and that provider. The ciphertext decrypts nowhere else.
What it does not have
No rate limits, no budgets, no spend caps, no cost tracking, no automatic failover between providers, and no retries. If you need those today, the firewall is not where you will find them. Limitations & roadmap is the honest list.
Next
Read your two keys — it is the single most common thing to get wrong — then run the quickstart.