Quickstart
You need two things from the AI Firewall dashboard: your organisation UUID and your Vulnetix API key. Both are on the page after you sign in.
1. Install and log in
brew install vulnetix/tap/vulnetix # or see the install page for other platforms
vulnetix auth login
vulnetix auth login authenticates you so you can manage policy. It is not the
credential your apps will send — see your two keys.
2. Store a provider key in the vault
export OPENAI_API_KEY=sk-proj-...
vulnetix ai-firewall key set openai --from-env OPENAI_API_KEY
The key is encrypted with AWS KMS on the way in and cannot be read back. Your applications will never carry it again.
--from-env or --stdin over --key. A literal key on the command line
lands in your shell history.3. Wire a client
vulnetix ai-firewall install claude-code
That writes the base URL and key reference into ~/.claude/settings.json. Swap
claude-code for codex, continue, aider, or shell — or omit the name to
wire every client the CLI detects on your machine. See
coding agents.
4. Verify
vulnetix ai-firewall status
You are looking for your provider showing a stored key, your client showing as
wired, and no error-level checks. See status & checks.
1. Store a provider key
Go to the dashboard, open the BYOK tab, and paste your provider key. It is encrypted on save and cannot be viewed again — only replaced or removed.
2. Point a client at the gateway
Only two settings change. Nothing else about your code does.
import os
from openai import OpenAI
client = OpenAI(
base_url=f"https://guardrails.vulnetix.com/openai/{os.environ['VULNETIX_ORG_UUID']}/v1",
api_key=os.environ["VULNETIX_API_KEY"],
)
resp = client.chat.completions.create(
model="gpt-4o-mini",
messages=[{"role": "user", "content": "Say hello"}],
)
print(resp.choices[0].message.content)
Note the api_key is your Vulnetix key, not your OpenAI key. The OpenAI key
is in the vault; the gateway injects it for you.
3. Check it is actually going through the firewall
Trip a guardrail on purpose. Add a rule that blocks anything containing hunter2:
vulnetix ai-firewall policy guardrail canary \
--rule-type blocked_pattern --action block --pattern 'hunter2' --priority 1 --enable
Then send it. You should get a 403, not a completion:
{
"error": {
"message": "request blocked by AI firewall policy: content matched pattern for policy \"canary\"",
"type": "policy_violation",
"code": "request_blocked",
"blocked_by": "canary"
}
}
If you get a completion instead, your client is not going through the gateway.
What to read next
- Your two keys — if you hit a
401, the answer is here. - Base URLs & request surfaces — required reading before you configure anything by hand.
- Guardrails — the firewall does nothing useful until you write a policy.