Overview

The AI Firewall is a gateway at guardrails.vulnetix.com. You point an LLM client at it instead of at the provider, and every call your organisation makes runs through the same policy.

What happens to a request

In order. Any step can end the request, and each one has its own error code so you can tell them apart — see the error reference.

  1. Provider resolution. The first path segment names the provider (/openai/..., /anthropic/...). An unknown one is a 404; one your organisation has denied is a 403.
  2. Surface check. The provider must serve the API you just called. Asking Anthropic for /v1/chat/completions is a 404 that tells you to use /v1/messages — see Base URLs & request surfaces.
  3. Authentication. The credential you send is your organisation’s Vulnetix API key, not a provider key. This never fails open: if the backend is unreachable the request is refused, not waved through.
  4. Provider policy. Your organisation’s allow/deny list for that vendor.
  5. Model policy. Deny lists always block. If you have any allow entry for a provider, that provider flips into allowlist mode and everything else is refused.
  6. Guardrails. Your content rules run in priority order, lowest first — block, redact, or flag. A block short-circuits.
  7. Key injection. Your provider key is decrypted from the vault, injected into the upstream request, and the call is forwarded. Your Vulnetix credential is stripped and never reaches the provider.
  8. Response relay. Streamed or not, the provider’s response is relayed back untouched.

What it never does

  • It never logs your prompts or completions. Not by default, not when logging is switched on, not ever. See Zero data retention.
  • It never inspects responses. Guardrails run on what you send, not on what comes back. This is a real limitation and we do not paper over it — see Guardrail limitations.
  • It never marks up your tokens. You keep your own billing relationship with every provider. That is also why it can be free.
  • It never pools your keys. Your provider key is encrypted under an encryption context bound to your organisation and that provider. The ciphertext decrypts nowhere else.

What it does not have

No rate limits, no budgets, no spend caps, no cost tracking, no automatic failover between providers, and no retries. If you need those today, the firewall is not where you will find them. Limitations & roadmap is the honest list.

Next

Read your two keys — it is the single most common thing to get wrong — then run the quickstart.