BLACKSHIELD

Public Guide

Set Up AI Gateway for Your Team

Connect one approved provider key, create a client for your IDE or automation, test the gateway, and apply a simple policy pack your team can understand. Audience: Tenant admins, security leads, and workspace owners. Typical setup time: 15-20 minutes.

Before You Begin

  • Choose the first provider, IDE, or automation flow you want to pilot through AI Gateway.
  • Confirm which MCP tools users are allowed to see and which provider slugs are approved.
  • Collect the callback URL or client setup details your IDE or agent expects before you create the client.

Guide walkthrough

Step 1

Connect one provider first

Start with a single provider your team already trusts so the rollout is easy to validate.

  • Add one AI Provider Connection for the provider your pilot team is allowed to use.
  • Use a dedicated provider key for BlackShield instead of a personal key shared between people.
  • Name the connection clearly so users know when they should pick it.

Step 2

Create a client for the tool your team uses

Give each IDE, MCP client, or service principal its own AI Gateway client so access is easy to rotate or disable.

  • Create a public client for sign-in flows or a confidential client for headless automation.
  • Add the callback URL your IDE or agent requires before you hand the client to end users.
  • Limit each client to the provider connections and MCP tools that team actually needs.

Step 3

Test the gateway before broad rollout

Run one low-risk test first so you can confirm auth, policy behavior, and activity logging.

  • Set the MCP endpoint to `/api/v1/mcp` and the inference endpoint to `/api/v1/ai-gateway/openai/v1/chat/completions`.
  • Sign in with the new client or exchange client credentials for a short-lived token.
  • Run `tools/list` or a simple read-only prompt, then confirm the event appears in AI Gateway activity.

Step 4

Apply a simple starting policy

Keep the first policy pack easy to explain. Start with allowlists and visibility controls before you add stricter blocking.

  • Use `approved_providers` to allow only provider slugs such as `openai` or `anthropic`.
  • Use `hidden_tools` to remove MCP tools teams should not even see in their client.
  • Use `blocked_destinations` for hosts you do not want prompts sent to, and lower `per_minute_request_limit` for a smaller pilot.
  • Stay in advisory until the pilot team sees the warnings you expect, then move to enforce.
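
A local dry run of the four settings above against constructed pilot traffic, added here as an example and not BlackShield's own code or policy format. The dict layout, the `mode` field, the reason strings, the request shape, and the subdomain matching rule are assumptions; the output shows which requests would only warn in advisory and be denied in enforce.

```python
from urllib.parse import urlparse

# Constructed draft policy. The four setting names come from this guide; the
# dict layout, the "mode" field and all sample values are assumptions.
POLICY = {
    "mode": "advisory",  # switch to "enforce" after the pilot
    "approved_providers": ["openai", "anthropic"],
    "hidden_tools": ["shell_exec"],
    "blocked_destinations": ["paste.example.net"],
    "per_minute_request_limit": 2,
}
# Constructed pilot traffic: minute bucket, provider slug, optional destination.
PILOT = [
    {"minute": 0, "provider": "openai"},
    {"minute": 0, "provider": "mistral"},
    {"minute": 0, "provider": "anthropic", "destination": "https://api.paste.example.net/u"},
    {"minute": 1, "provider": "openai", "destination": "https://notpaste.example.net/"},
]

def visible_tools(policy, tools):
    """Tools a client would still list once hidden_tools is applied."""
    return [t for t in tools if t not in set(policy["hidden_tools"])]

def host_blocked(policy, url):
    """Match the exact host or a subdomain of it, never a bare suffix (assumed semantics)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    blocked = [b.lower() for b in policy["blocked_destinations"]]
    return any(host == b or host.endswith("." + b) for b in blocked)

def evaluate(policy, requests):
    """Return a (decision, reasons) pair per request: allow, warn or deny."""
    per_minute, results = {}, []
    for req in requests:
        reasons = []
        if req["provider"] not in policy["approved_providers"]:
            reasons.append("provider_not_approved")
        if "destination" in req and host_blocked(policy, req["destination"]):
            reasons.append("blocked_destination")
        per_minute[req["minute"]] = per_minute.get(req["minute"], 0) + 1
        if per_minute[req["minute"]] > policy["per_minute_request_limit"]:
            reasons.append("rate_limit")
        # Advisory only reports a violation; enforce turns the same finding into a deny.
        hit = "deny" if policy["mode"] == "enforce" else "warn"
        results.append((hit if reasons else "allow", reasons))
    return results

if __name__ == "__main__":
    for mode in ("advisory", "enforce"):
        print(mode, evaluate({**POLICY, "mode": mode}, PILOT))
```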

What success looks like

  • The pilot client can authenticate and only sees the providers and tools you intended to allow.
  • Gateway activity shows a successful test request and any warnings or denies you expected from policy.