
YAML Configuration Reference

Complete reference for the gateway.yaml configuration file.

Start the gateway with: satgate --config gateway.yaml. All other fields have sensible defaults; only routes and upstreams are required.

Top-Level Structure

# Minimal skeleton showing the top-level sections of gateway.yaml.
version: 1
server:
  listen: ":8080"
admin:
  # Placeholder; replace with a long random value before deployment.
  # NOTE(review): presumably this key authorizes admin API calls, so keep the
  # file out of version control and readable only by the gateway's user.
  rootKey: "your-admin-key"
  # NOTE(review): ":9090" has no host part and presumably binds every
  # interface; confirm, and keep the admin port off client-facing networks.
  separateListener: ":9090"   # Optional: run admin API on separate port
  rateLimitPerMinute: 60
lightning:
  enabled: false              # Enable for L402 Charge mode
# Named backends; a route selects one by its key (here "my-api").
upstreams:
  my-api:
    url: "https://api.example.com"
routes:
  - path: /api/v1
    upstream: my-api
    policy:
      # NOTE(review): "public" presumably requires no token; confirm before
      # using it on a route whose upstream carries credentials.
      kind: capability        # public | capability | l402

Server Configuration

# Listener settings for the gateway's client-facing HTTP server.
server:
  listen: ":8080"             # Address to bind
  # NOTE(review): with both TLS fields empty the listener presumably serves
  # plain HTTP; confirm, and terminate TLS here or at a fronting proxy so
  # tokens are not sent in cleartext.
  tlsCert: ""                 # TLS certificate path (optional)
  # The private key file should be readable only by the gateway's user.
  tlsKey: ""                  # TLS key path (optional)
  readTimeout: "30s"          # HTTP read timeout
  writeTimeout: "30s"         # HTTP write timeout

Upstream Configuration

# Backends the gateway forwards to; each key is the name routes refer to.
upstreams:
  openai:
    url: "https://api.openai.com"
    headers:                   # Headers added to upstream requests
      # The provider API key is stored here in cleartext and attached by the
      # gateway, so clients never hold it; anyone who can read this file can.
      Authorization: "Bearer sk-..."
    timeout: "30s"             # Request timeout
    # NOTE(review): confirm whether retries also apply to non-idempotent
    # methods such as POST, where a replay can repeat a side effect.
    retries: 2                 # Retry count on failure
  internal-api:
    # Plain HTTP is used here for a loopback address; use https:// for any
    # upstream reached over a network.
    url: "http://localhost:3000"
    stripPrefix: true          # Remove matched route prefix

Route Configuration

# Routes map a path prefix to an upstream and attach an access policy.
routes:
  - path: /v1/chat            # URL path prefix to match
    upstream: openai           # Target upstream name
    # NOTE(review): when omitted, presumably every method is allowed; confirm,
    # and list only the methods the upstream endpoint needs.
    methods: ["POST"]          # Allowed HTTP methods (optional)
    policy:
      kind: capability         # public | capability | l402
      pay:
        mode: "fiat402"        # fiat402 | l402
        # NOTE(review): confirm what happens when this is false; presumably
        # requests are still metered but never refused for lack of credit.
        enforceBudget: true    # Enforce credit budget limits
        costCredits: 10        # Credits charged per request
    rateLimit:
      requestsPerMinute: 100   # Per-token rate limit

Mint (Trust Broker) Configuration

# Token-minting service: issues macaroons to callers authenticated by an IdP.
mint:
  enabled: true
  # Placeholder; use a long random value. Whoever holds this key can mint
  # tokens, so store and rotate it like any signing key.
  # NOTE(review): confirm whether it must differ from admin.rootKey.
  rootKey: "mint-root-key"     # Root key for minting macaroons
  defaultTtl: "1h"             # Default token TTL
  # A shorter maximum narrows the window in which a leaked token is usable.
  maxTtl: "24h"                # Maximum allowed TTL
  policyDirectory: "./policies"  # Load policies from YAML files
  identityProviders:
    - type: oidc
      name: "my-idp"
      enabled: true
      # NOTE(review): presumably matched against the token's iss claim.
      issuer: "https://idp.example.com"
      # NOTE(review): presumably the expected aud claim; confirm that tokens
      # issued for other audiences are rejected.
      audience: "satgate"
      # Keep this on HTTPS and on the issuer's own host; the keys fetched
      # here decide which identity tokens are accepted.
      jwksUri: "https://idp.example.com/.well-known/jwks.json"

Cloud Platform (Enterprise)

# Enterprise cloud platform settings. Every value below except enabled and
# baseUrl is a credential: restrict read access to this file and keep it out
# of version control.
cloud:
  enabled: true
  # The connection string normally embeds the database user and password.
  databaseUrl: "postgres://..."  # Postgres connection string
  # Use a long random value; changing it presumably invalidates existing
  # sessions (confirm).
  sessionSecret: "..."           # Session encryption key
  baseUrl: "https://cloud.satgate.io"
  stripe:
    # The sk_live_ prefix marks a live-mode Stripe secret key.
    secretKey: "sk_live_..."
    # Stripe webhook signing secret (whsec_ prefix).
    # NOTE(review): presumably used to verify webhook signatures; confirm.
    webhookSecret: "whsec_..."

Redis (High Availability)

# Redis connection used for high-availability deployments.
# NOTE(review): the page does not say what state is kept in Redis; confirm
# before exposing the instance beyond the gateway hosts.
redis:
  url: "redis://localhost:6379"  # Redis connection URL
  prefix: "satgate:"            # Key prefix for namespacing
  # false suits the loopback URL above; enable TLS when Redis is reached
  # over a network.
  tls: false                    # Enable TLS

Notifications

# Alert delivery channels; each list entry configures one destination.
notifications:
  channels:
    - type: slack
      # An incoming-webhook URL is itself the credential: anyone who has it
      # can post to the channel.
      webhookUrl: "https://hooks.slack.com/..."
    - type: discord
      # Same as above: the webhook URL acts as a secret.
      webhookUrl: "https://discord.com/api/webhooks/..."
    - type: email
      smtp:
        host: "smtp.gmail.com"
        # 587 is the mail submission port, normally used with STARTTLS.
        # NOTE(review): confirm the gateway requires STARTTLS before it
        # sends the password.
        port: 587
        username: "alerts@example.com"
        # Stored in cleartext; use a dedicated, limited-scope mail credential.
        password: "..."

MCP Proxy

# MCP proxy routes are configured alongside regular routes.
# The gateway detects MCP JSON-RPC traffic automatically.
routes:
  - path: /mcp
    # Must name an entry under upstreams; "mcp-server" is not defined in this
    # snippet.
    upstream: mcp-server
    policy:
      kind: capability
      pay:
        mode: "fiat402"
        enforceBudget: true
    mcp:
      # Keys are MCP tool names, values are credits charged per call.
      # NOTE(review): any tool not listed falls back to the "*" price, so a
      # newly added upstream tool is callable at the default cost; confirm
      # whether tools can be denied outright.
      costProfile:             # Per-tool cost overrides
        "search_database": 20  # 20 credits per call
        "send_email": 50       # 50 credits per call
        # Keep the quotes: a bare * starts a YAML alias.
        "*": 10                # Default: 10 credits