Stop free scraping • Control LLM costs • Monetize AI agent traffic
Default Protection (cryptographic capability verification) is always-on for non-PUBLIC routes. Then choose: Observe, Control, or Charge.
Fully managed control plane + per-tenant gateway configs + enterprise-safe separation by default
Protection is the starting state. Economics are configurable.
Drop-in: one DNS change, or use *.satgate.cloud instantly.
Free tier includes unlimited observation • No credit card required
Protection is the foundation. Choose your economic policy per route.
Always-on for non-PUBLIC routes
Every protected route requires valid credentials (Macaroons). Capabilities, caveats, delegation, and revocation—built into the protocol, not bolted on.
verify → allow → meter/log
Perfect for audit logs and FinOps visibility.
verify → enforce budget → allow
Enforce strict budgets and spending caps.
verify → payment proof → allow
Monetize via L402 or Fiat billing.
PUBLIC is the explicit opt-out for probes (/healthz), docs, and webhooks. Everything else is protected by default.
Separate trust boundaries, auditable config lifecycle, and per-tenant isolation built in.
The "Badge Office." Sits offline from your traffic. Translates platform identities (Kubernetes tokens, AWS roles, OIDC logins) into standardized SatGate Macaroons. This happens once—when the agent starts up.
The "Bouncer." Sits in the traffic path. Checks what you hold (the Macaroon), not who you are. Because Macaroons are self-contained and cryptographically signed, the Gateway enforces policy without calling home—no egress, no latency.
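How a gateway can check a Macaroon-style token without calling back to the issuer, shown as an added example (not SatGate's own code or token format): each caveat is chained into the signature with HMAC, so a holder can narrow a token for delegation but cannot remove a restriction. The caveat names `path_prefix` and `expires`, the root key and the token identifier are assumptions made up for this example.

```python
import hashlib
import hmac

def mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    # Issuer: the signature starts as HMAC(root_key, identifier).
    return {"id": identifier, "caveats": [], "sig": mac(root_key, identifier)}

def attenuate(token: dict, caveat: str) -> dict:
    # Holder: chain the caveat onto the current signature. No root key is
    # needed, so a parent can hand a narrower child token to another agent.
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": mac(token["sig"], caveat)}

def caveat_holds(caveat: str, request: dict) -> bool:
    key, _, value = caveat.partition("=")
    if key == "path_prefix":          # hypothetical caveat name
        return request["path"].startswith(value)
    if key == "expires":              # hypothetical caveat name, Unix seconds
        return value.isdigit() and request["now"] < int(value)
    return False                      # unknown caveat: fail closed

def verify(root_key: bytes, token: dict, request: dict) -> bool:
    # Gateway: recompute the HMAC chain locally, then evaluate every caveat.
    sig = mac(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = mac(sig, caveat)
    if not hmac.compare_digest(sig, token["sig"]):
        return False                  # caveat removed, reordered or edited
    return all(caveat_holds(c, request) for c in token["caveats"])

# Constructed sample data, not real SatGate tokens or keys.
ROOT_KEY = b"constructed-demo-root-key"
PARENT = attenuate(mint(ROOT_KEY, "agent-fleet-1"), "expires=2000000000")
CHILD = attenuate(PARENT, "path_prefix=/v1/reports/")
STRIPPED = dict(CHILD, caveats=CHILD["caveats"][:1])  # child sig, caveat dropped

if __name__ == "__main__":
    req = {"path": "/v1/reports/q3", "now": 1_700_000_000}
    print(verify(ROOT_KEY, CHILD, req))
    print(verify(ROOT_KEY, CHILD, dict(req, path="/v1/admin")))
    print(verify(ROOT_KEY, STRIPPED, dict(req, path="/v1/admin")))
```

The child token works only under `/v1/reports/`, and dropping its caveat while keeping its signature fails the chain check, which is why the verifier needs nothing but the root key.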
Private API for /cloud/* + admin. Never exposed to public internet.
Mint: identity → policy → capability token (with caveats + delegation)
Public gateway endpoint. Only proxies tenant traffic. No admin access, no config mutations.
Request Flow (Data Plane)
Request → Verify capability → Apply policy → Upstream
Default Protection happens at the data plane; control plane defines policy + collects telemetry
{tenant}.satgate.cloud → resolved config → fail-closed
Four steps to protect your API. No code changes required.
Define routes with economic policies. PUBLIC for probes/docs, protected for everything else. SatGate Mint (optional): agents badge-in via K8s/AWS/OIDC to get tokens automatically—no API keys.
routes:
  - path: /healthz
    policy: public   # explicit opt-out
  - path: /docs/*
    policy: public
  - path: /v1/*
    policy: observe  # meter only
  - path: /premium/*
    policy: charge   # L402
Apply when ready. Version history + audit log. Rollback if needed.
v3 (applied) ← current
v2 (available)
v1 (available)
Audit: who, when, diff
Use *.satgate.cloud or your custom domain. Traffic flows through SatGate.
# Your domain
api.yoursite.com CNAME → satgate.cloud
# Or use ours
yourapp.satgate.cloud
Real-time: verified vs challenged. Enable Charge policy when ready for revenue.
Verified: 1,203 requests
Challenged: 12,847 (402s)
Metered: $847 usage → Enable Charge policy?
SatGate Mint issues tokens at startup. Gateway verifies them on every request—no identity lookups on the hot path.
Manual token issuance also available via Dashboard or API. Mint is optional for automated agent provisioning.
When you choose the Charge policy, pick your settlement mechanism. Same gateway, same protection, different payment rails.
Track usage per tenant/team/project. No end-user payment—meter (Observe) or enforce budgets (Control) internally.
Standard billing workflows via card or invoice. Same gateway enforcement, enterprise procurement-friendly.
Sub-second settlement, no chargebacks, per-request pricing. Perfect for developer APIs, AI agents, and micropayments.
Start with Observe or Control, enable Charge when ready—per route, per tenant.
Pick the model that fits your ops, security, and data residency requirements.
Fully managed gateway + fully-managed control plane
Point DNS to SatGate. We run everything. Zero ops—live in minutes.
For internal traffic, deploy gateway in your VPC (Hybrid).
Fully-managed control plane + gateway in your VPC
Policies + dashboard in SatGate Cloud; data plane runs in your network. Payloads never leave your VPC.
Enterprise default—security + convenience.
You run both planes
Full control. Deploy control plane + gateway in your own infra. Air-gapped, on-prem, or private cloud.
For regulated industries (finance, gov, healthcare).
Fully-managed control plane + multi-tenant management.
Looking to self-host? Community OSS includes Default Protection + Charge (L402) — free forever.
SaaS (fully managed gateway + control plane)
SaaS or Hybrid • Fully-managed control plane + choice of gateway
+$9 per additional 100k Control/Charge requests
Self-Host or Hybrid • You run both planes, or we manage the control plane
Fully-managed control plane (SatGate Cloud) includes: dashboard, config versioning (save/apply/rollback), tenant isolation, audit logs, billing/metering, FleetOps diagnostics.
Charge policy fee: 2% of revenue processed • Instant payouts +1% • Weekly payouts free
Only applies when SatGate is the settlement processor (hosted billing). Self-settle = $0 fee.
Two free offerings: Community OSS (self-host) includes Default Protection + Charge (L402). Cloud Free (hosted control plane) includes Default Protection + Observe. Upgrade to Cloud Pro for Control + Charge (Fiat402 + L402) + multi-tenant + dashboard.
1 Observe ingest (unlimited): Stream as much traffic as you want through Observe policy. We meter and log everything in real-time. Fair-use rate limits apply to protect infrastructure. Retention is 3 days (Cloud Free) or 90 days (Cloud Pro).
2 Control/Charge requests: Billable requests are those that pass through Control (budget enforcement) or Charge (payment) policies. Observe-only traffic is unmetered. Blocked/challenged (401/402/403/429) traffic doesn't count toward quota.
No credit card required. Stop bots in minutes.
Not sure? Most sites have gateable endpoints even if the UI is HTML. Contact us and we'll help you identify them.
Yes, for all non-PUBLIC routes. Every protected route requires valid cryptographic credentials (Macaroons). PUBLIC is the explicit opt-out—use it for health probes, docs, and webhooks.
Three ways: (1) Dashboard/API for manual issuance, (2) SatGate Mint for auto-provisioning via workload identity (K8s ServiceAccount, AWS IAM, OIDC)—agents badge-in and get tokens automatically, or (3) Delegation—parent tokens can mint restricted child tokens for agent swarms.
Default Protection is the baseline verification (valid credential required). Observe is your economic policy choice—it meters and logs all traffic for FinOps visibility without blocking. Control enforces budgets; Charge requires payment.
No! Most users start with Observe (meter everything) or Control (enforce budgets) internally. Enable Charge with L402 or Fiat402 when you're ready to monetize externally.
SatGate Cloud adds the control plane: multi-tenant dashboard, config versioning with save/apply workflow, audit logs, per-tenant limits, billing integration, and enterprise deployment modes. The gateway is the data plane that enforces your policies.
Request data flows through the gateway (data plane) which you can self-host. Config and metadata live in the control plane—SaaS-hosted by default, or self-hosted/on-prem for enterprise.
When you choose the Charge policy, pick your settlement: L402 uses Lightning Network for instant micropayments; Fiat402 uses Stripe for card/invoice billing. Observe and Control policies use internal metering without end-user payment.
When you enable Charge with L402, your users pay via Lightning—a fast Bitcoin payment layer. They scan a QR code or use a browser wallet like Alby. Payment typically confirms in under a second. You receive payouts to your Lightning wallet.
Only for L402 settlement (to receive payouts). For Observe, Control, or Fiat402 policies, no wallet is needed. When you're ready, we'll guide you through setup—it takes about 2 minutes.
Only if you enable Charge with L402 settlement. Popular wallets include Alby (browser extension—great for developers), Phoenix, and Wallet of Satoshi. Setup takes 2 minutes. Many AI/crypto users already have wallets.
Lightning payments either succeed or fail immediately—no pending state. If payment fails, the customer simply retries. No partial charges, no cleanup needed.
Effectively no. Lightning supports payments as small as 1 satoshi (≈$0.001). This enables true micropayments that aren't possible with credit cards.
Yes. SSRF-safe upstream validation, config audit logging, per-tenant isolation, HttpOnly session cookies, and multiple deployment modes (SaaS, self-hosted, hybrid, air-gapped).
Everything you need to integrate SatGate into your applications.
Get your first API call flowing in under 5 minutes. Start with Observe mode — free and unlimited.
Create your account and add your upstream API. The onboarding wizard guides you through it.
Define which paths to protect. Start with Observe — it meters all traffic for free:
routes:
  - path: /api/*
    policy: observe  # Meter & log all traffic (free)
  - path: /premium/*
    policy: control  # Enforce budgets
  - path: /healthz
    policy: public   # No auth required
Go to Dashboard → Tokens → Create Token. You'll get a capability token:
sg_cap_v1_abc123xyz789...
Use your token in the Authorization header:
$ curl -H "Authorization: Bearer sg_cap_v1_abc123..." \
    https://your-project.satgate.cloud/api/data
{"data": "Your API response here!"}
View real-time usage analytics, per-route metrics, and audit logs. Upgrade to Control (budgets) or Charge (monetization) when ready.
Use capability tokens for Observe/Control policies. SDKs handle token management automatically.
from satgate import SatGateClient

# Initialize with your capability token
client = SatGateClient(
    gateway_url="https://your-project.satgate.cloud",
    token="sg_cap_v1_abc123..."  # From Dashboard → Tokens
)

# All requests are automatically authenticated
response = client.get("/api/data")
print(response.json())

# Works with any HTTP method
client.post("/api/submit", json={"key": "value"})
pip install satgate
import { SatGateClient } from '@satgate/sdk';

// Initialize with your capability token
const client = new SatGateClient({
  gatewayUrl: 'https://your-project.satgate.cloud',
  token: 'sg_cap_v1_abc123...' // From Dashboard → Tokens
});

// All requests are automatically authenticated
const response = await client.get('/api/data');
console.log(response.data);

// Works with any HTTP method
await client.post('/api/submit', { key: 'value' });
npm install @satgate/sdk
# Observe/Control mode — use capability token
curl -H "Authorization: Bearer sg_cap_v1_abc123..." \
    https://your-project.satgate.cloud/api/data

# Charge mode (L402) — for monetized routes
# 1. Get invoice from 402 response
# 2. Pay Lightning invoice
# 3. Use L402 token with preimage
curl -H "Authorization: L402 MACAROON:PREIMAGE" \
    https://your-project.satgate.cloud/premium/data
Common responses and what they mean for each policy mode.
Request verified and proxied to upstream. For Observe, usage is metered. For Control, budget is decremented. For Charge, payment was verified.
No valid capability token provided. Go to Dashboard → Tokens → Create a new token. Make sure to include Authorization: Bearer sg_cap_... header.
Route uses Charge policy. For L402: pay the Lightning invoice in the response, then retry with the L402 token. For Fiat402: complete the payment challenge.
Route uses Control policy and budget limit reached. Top up the budget in Dashboard, or wait for the budget period to reset.
Token doesn't have permission for this route. Check token scopes/caveats, or create a new token with appropriate permissions.
Gateway couldn't reach your upstream. Check: upstream URL is correct, upstream is running, no firewall blocking the connection.
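The payment-proof step behind the Charge mode (L402) flow above, as an added example that is not SatGate's own code: the gateway accepts `Authorization: L402 MACAROON:PREIMAGE` only when the preimage hashes to the payment hash of the invoice it issued. The function names, the hex encoding of the preimage and the way the payment hash reaches the check are assumptions; verifying the macaroon itself is a separate step not repeated here.

```python
import hashlib
import hmac

def check_l402(authorization, payment_hash: bytes) -> str:
    """Decide one request to a Charge route: 'challenge', 'reject' or 'allow'.

    payment_hash is the SHA-256 hash from the invoice the gateway issued. It is
    passed in directly here; macaroon signature checks are a separate step.
    """
    scheme, _, credentials = (authorization or "").partition(" ")
    if scheme != "L402":
        return "challenge"            # no L402 credentials: answer 402 + invoice
    macaroon, sep, preimage_hex = credentials.strip().partition(":")
    if not sep or not macaroon:
        return "reject"               # not a MACAROON:PREIMAGE pair
    try:
        preimage = bytes.fromhex(preimage_hex)
    except ValueError:
        return "reject"               # preimage is not hex (assumed encoding)
    if len(preimage) != 32:
        return "reject"               # Lightning preimages are 32 bytes
    # The payer only learns the preimage when the invoice settles, so a
    # preimage that hashes to the invoice's payment hash proves payment.
    digest = hashlib.sha256(preimage).digest()
    return "allow" if hmac.compare_digest(digest, payment_hash) else "reject"

def demo_flow() -> list:
    # Constructed stand-ins: a real preimage comes from the Lightning node.
    preimage = hashlib.sha256(b"constructed-demo-preimage").digest()
    payment_hash = hashlib.sha256(preimage).digest()
    mac = "TUFDQVJPT04tUExBQ0VIT0xERVI"  # placeholder macaroon, never parsed
    return [
        check_l402(None, payment_hash),                             # first request
        check_l402(f"L402 {mac}:{'00' * 32}", payment_hash),        # unpaid guess
        check_l402(f"L402 {mac}:{preimage.hex()[:-2]}", payment_hash),  # truncated
        check_l402(f"L402 {mac}:{preimage.hex()}", payment_hash),   # after payment
    ]

if __name__ == "__main__":
    print(demo_flow())
```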