Scopegate
🤖

Secure OpenRouter Access for AI Agents

OpenRouter provides a unified API to dozens of LLM providers — OpenAI, Anthropic, Google, Meta, and more. When your AI agents call other models through OpenRouter, costs can spiral fast and API keys can leak. ScopeGate wraps OpenRouter access with budget limits and model restrictions so your agents stay within bounds.

The Problem

An agent with unrestricted OpenRouter access can call any model at any price point — including expensive models like GPT-5 or Claude Opus at scale — and rack up hundreds of dollars in minutes. It can also expose your OpenRouter API key to downstream systems, access usage data from other projects, or bypass rate limits by spawning parallel requests.

Granular Permissions

Specific model access

Restrict the agent to a whitelist of approved models, blocking access to all others.

Example

Agent can call GPT-5-mini and Claude Haiku but cannot use GPT-5, Claude Opus, or any other premium model.

Budget caps

Set a maximum spend per hour, day, or month that the agent cannot exceed.

Example

Agent has a $10/day budget cap — once reached, all API calls are blocked until the next day.

No API key exposure

Proxy all requests through ScopeGate so the underlying OpenRouter API key is never visible to the agent.

Example

Agent sends requests to a ScopeGate MCP endpoint — the real OpenRouter key stays in ScopeGate's vault.

Request rate limiting

Cap the number of API calls the agent can make per minute to prevent runaway loops.

Example

Agent is limited to 30 requests per minute, preventing infinite retry loops from draining your budget.

Use Cases

  • Multi-model research agent that queries different LLMs for comparison within a fixed budget
  • Content generation pipeline that uses a specific cheap model for drafts and a better model for editing
  • Customer support agent that routes queries to approved models without exposing API credentials
  • Testing harness that evaluates prompt performance across models with strict per-run cost limits

How It Works

1

Connect via OAuth

Authorize ScopeGate to access the service on your behalf. We never store raw credentials — only scoped OAuth tokens.

2

Set granular permissions

Choose exactly which resources, actions, and data your AI agent can access. Lock down everything else.

3

Get your MCP endpoint

Receive a unique MCP endpoint URL. Plug it into any AI agent — it can only do what you allowed.

Related Integrations

🐙

GitHub

Control AI agent access to GitHub repos. Enforce read-only code access, block admin actions, and prevent secrets exposure.

💬

Slack

Restrict AI agent access to specific Slack channels. Enable read-only mode, block DM access, and rate-limit message posting.

📊

Google Sheets

Control AI agent access to Google Sheets. Enforce read-only mode, restrict to specific spreadsheets, and prevent formula or structure changes.

Secure your OpenRouter access

Set up granular permissions for your AI agents in minutes. Free tier includes 1 project, 5 endpoints, and 1,000 requests per month.

View on GitHub