Docs/HTTP API Routes

HTTP API Routes

Protect any REST or GraphQL API with SatGate's economic firewall — authentication, budget enforcement, and cost tracking for every request.

What are HTTP routes?

An HTTP route maps an incoming request path to an upstream API. SatGate acts as a reverse proxy — agents send requests to SatGate, which validates their token, tracks spend against their budget, and forwards the request to your upstream API.

This works for any HTTP API: OpenAI, Anthropic, internal microservices, third-party SaaS, or custom backends. If it speaks HTTP, SatGate can protect it.

HTTP Routes vs MCP Upstreams

HTTP Routes
  • Traditional REST/GraphQL APIs
  • Cost tracked per request
  • You define routes explicitly (path → upstream)
  • API keys and headers forwarded to upstream
  • Works with any HTTP service
MCP Upstreams
  • AI tool servers (MCP protocol)
  • Cost tracked per tool call
  • Tools discovered automatically from upstream
  • Supports SSE, Streamable HTTP, and stdio transports
  • Works with Cursor, Claude, and MCP-compatible agents

Both use the same economic controls: macaroon tokens, budgets, enforcement modes, and delegation.

Adding a route

Navigate to Routes & Config in the dashboard. Click Add Route to create a new HTTP route.

Required fields

Path

The URL path agents will call through SatGate. Example: /openai/

Upstream URL

The base URL of the API you're protecting. Example: https://api.openai.com. Must be the base URL only — SatGate appends the request path.

Optional fields

API Key

If the upstream requires an API key, add it here. Keys are encrypted at rest (AES-256-GCM) and never visible to agents, other users, or SatGate staff. Only your gateway decrypts the key at runtime to inject it into the Authorization header on upstream requests. Your agents only need their SatGate capability token.

Custom Headers

Additional headers to forward to the upstream (e.g., X-Custom-Header: value).

Strip Prefix

Remove the route path prefix before forwarding. If your route is /openai/ and strip prefix is enabled, a request to /openai/v1/chat/completions forwards as /v1/chat/completions.

Economic policy

Each route can have an economic policy that controls how agents are charged:

Observe (Shadow)

All traffic passes. Spend is logged but not enforced. Start here.

Control (Enforce)

Budget enforcement active. Requests that would exceed an agent's budget are denied with HTTP 402 before reaching the upstream.

Charge (L402)

Per-request micropayments via Lightning Network. Full economic gating.

Example: Protecting OpenAI

A common use case is proxying OpenAI's API through SatGate so agents get budget-controlled access without seeing your OpenAI API key:

yaml
# Route configuration
path: /openai/
upstream: https://api.openai.com
stripPrefix: true   # /openai/v1/chat/completions → /v1/chat/completions
apiKey: sk-proj-...  # Your OpenAI key (stored encrypted)

# Economic policy
policy:
  kind: control
  pay:
    mode: fiat402
    enforceBudget: true
    costCredits: 10  # 10 credits per request (50 budget = 5 calls)

With this config, an agent calling /openai/v1/chat/completions through SatGate:

  1. Presents its SatGate capability token (macaroon)
  2. SatGate validates the token and checks the budget
  3. If budget allows, forwards the request to https://api.openai.com/v1/chat/completions with your API key
  4. Deducts 10 credits from the agent's budget
  5. Returns the OpenAI response to the agent

Example: Internal microservice

yaml
# Route configuration
path: /api/internal/users/*
upstream: https://users-service.internal:8080
stripPrefix: true

# Economic policy  
policy:
  kind: observe  # Shadow mode — log everything, block nothing

Key differences from direct API access

FeatureDirect API AccessThrough SatGate
API keysShared with every agentStored in SatGate, never exposed
Budget controlNonePer-agent, per-route budgets
Audit trailDIY loggingAutomatic — every request logged
RevocationRotate API key (breaks all agents)Revoke one agent's token instantly
DelegationNot possibleAgents create scoped sub-agent tokens

Tips

  • Upstream URL must be base URL onlyhttps://api.openai.com, not https://api.openai.com/v1/chat. SatGate appends the request path.
  • Start with Observe mode — see real traffic patterns before enabling enforcement. The Shadow Report shows you exactly what would be blocked.
  • Use strip prefix for clean routing — keeps your upstream URLs simple and lets you namespace routes by team or project.
  • One API key per route — different routes can use different upstream keys. This is how you segment access to shared APIs.

Next steps

Configure Routes →Enforcement Modes →Per-Agent Budgets →MCP Upstreams →