—

⚡ How It Works

SkyeGateFS27 is a metered sovereign proxy. You own the private lane credentials, vendor posture, and clearance model. Clients get gate-issued keys that route through the parent gate so you can enforce auth, track vendors, meter usage, and keep the margin.

All keys, usage, billing, and audit data live in Neon Postgres (via @netlify/neon). No Redis. No external services unless you add Stripe.

1. Customers Tab

What it shows: All registered customers — email, plan, monthly cap, active status, key count, and whether they have a Netlify token set (for SkyeGate Push).

How to use:

• Click Refresh to reload the list
• Click any row to select that customer — their ID auto-fills into the Keys, Usage, Billing, Devices, and Exports tabs
• Use Set Netlify token to store an encrypted deploy token for the selected customer (used by SkyeGate Push)

2. Create Customer + Master Key

What it does: Creates a new customer record AND immediately issues them a master API key.

Steps:

1. Enter their email
2. Set the plan name (e.g. "starter", "pro", "enterprise") — this is just a label
3. Set the monthly cap in cents (2000 = $20/month spend limit)
4. Click Create + Issue Master Key
5. ⚠️ The raw key (kx_live_…) appears once. Copy it immediately and send to the client. You cannot retrieve it later — only the hash is stored.

3. Keys (Sub-keys / Rotate / Revoke)

What it does: Manage all keys for a customer. Create sub-keys with custom limits, rotate compromised keys, or revoke access instantly.

Key concepts:

• Sub-keys inherit the customer's cap but can have their own overrides (lower cap, different RPM, restricted providers/models)
• Rotate = creates a new key with the same settings, revokes the old one. Use when a key is compromised
• Revoke = immediate cutoff. The key stops working instantly
• Cap override: If set, this key has its own separate spend cap (in cents) independent of the customer cap
• Allowed providers/models: Restrict which AI providers or specific models this key can access
• Max devices: How many unique install_ids can use this key simultaneously

4. Usage

What it shows: Detailed usage breakdown for a customer in a specific month — total cap, extra credits, amount spent, total tokens, and every individual API call.

How to use:

1. Enter or select a Customer ID
2. Set the month (YYYY-MM format, defaults to current)
3. Click Load usage

The summary cards show Cap / Extra / Spent / Tokens. The table below shows every individual gateway call with provider, model, input/output tokens, and cost in cents.

5. Billing & Controls

Customer policy — change a customer's plan name, monthly cap, active status, device limits, provider/model allowlists. Click Save to apply.

Top-ups:

• Manual top-up: Adds extra_cents to the customer's balance for the current month (use when a client pays you directly)
• Stripe checkout: Creates a Stripe checkout session. Requires STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET env vars

Invoice snapshots: Load or create a JSON invoice record for the month. Useful for record-keeping.

6. Devices

What it shows: Every unique device (install_id) that has used a customer's keys. Shows first-seen, last-seen, user-agent, and revocation status.

If a customer sets require_install_id = true, every request must include an x-install-id header. Devices are auto-registered up to max_devices_per_key. You can revoke individual devices here.

7. Exports & Invoices

Download CSV exports of usage data:

• Events CSV — every individual API call with timestamps, tokens, cost
• Summary CSV — aggregated monthly summary
• Invoice CSV — formatted for billing/accounting

Filter by customer, month, and optionally a specific key.

8. SkyeGate Push (Deploy Proxy)

What it is: A deployment pipeline that lets clients push sites to Netlify through your gateway. Each deploy is tracked, metered, and invoiced.

Workflow:

1. Register a project — give it an ID, name, and the Netlify Site ID it deploys to
2. Client pushes files via the chunked upload pipeline
3. Track deploys in Deploy history and chunk uploads in Chunk jobs
4. Generate invoices per month with Generate Invoice

The client's Netlify token (set in Customers tab) is used for deploys. If not set, falls back to your NETLIFY_AUTH_TOKEN.

9. GitHub Push

What it is: Push code to GitHub repositories through the gateway. Clients store their GitHub PAT (encrypted), and the gateway handles ZIP-based pushes to any branch.

Steps:

1. Set PAT — save the client's GitHub personal access token (stored encrypted in DB)
2. Load Repos — see all repos the token has access to
3. Load Jobs — view recent ZIP push operations and their status

OAuth flow also available at /.netlify/functions/github-oauth-start.

10. Embeddings Lane (Semantic RAG)

What it is: A complete embeddings pipeline built into the gateway. Generate vector embeddings from any supported provider, store them in pgvector (Neon), and run semantic similarity search — all authenticated through the same kx_live_… key.

Why it matters: This is true semantic RAG. Your clients do not need separate vendor keys, a separate vector database, or a retrieval pipeline. Everything goes through one gateway with metered billing.

Workflow:

1. Choose a lane + model (kaixu-embed-standard recommended for cost/performance)
2. Paste or send text(s) → they get embedded and optionally stored in a collection
3. Use Semantic Search to query your stored vectors with natural language
4. Pipe search results into your chat completions for grounded, RAG-powered responses

Supported lanes:

• kAIxu Standard - kaixu-embed-standard (1536d), kaixu-embed-large (3072d), kaixu-embed-legacy (1536d)
• kAIxu Compact - kaixu-embed-compact (768d), kaixu-embed-compact-v2 (768d)
• kAIxu Performance - kaixu-embed-performance (1024d), kaixu-embed-lite (512d)

Collections: Each collection is a logical namespace. You can have "support-docs", "product-catalog", "knowledge-base", etc. Each tracks its model and dimensions so queries always use the right model.

11. Integration

Quick-reference for API endpoints and request/response formats. Share this with clients so they know how to call the gateway.

• Non-stream: POST /.netlify/functions/gateway-chat — returns full response
• Stream (SSE): POST /.netlify/functions/gateway-stream — returns Server-Sent Events

Both endpoints accept the same normalized request body with provider, model, messages, max_tokens, temperature. Auth via Authorization: Bearer kx_live_… header.

12. Monitor

What it does: Real-time and historical view of gateway events — errors, warnings, rate-limited requests, slow responses, and audit entries.

How to use:

• Start Live — polls for new events every few seconds
• Filter by level (error/warn/info), kind, function name, app name, or request ID
• Click a row to see the full JSON payload in a modal
• Prune — delete old events to keep the table clean

Tip: have your clients tag requests with x-kaixu-app: MyApp so you can filter by app.

🔑 Quick Reference

🚀 Typical Workflow (New Client)

1. Go to Create tab → enter email, set plan + cap → click Create
2. Copy the kx_live_… key and send it to the client securely
3. Client adds Authorization: Bearer kx_live_… to their API calls
4. Client hits /.netlify/functions/gateway-chat or gateway-stream
5. Monitor usage in the Usage tab
6. Adjust caps/limits in Billing & Controls as needed
7. If a key is compromised → Keys tab → Rotate
8. End of month → Exports tab → download invoice CSV

🤖 Self-Service Key Generator

Clients can request their own starter key at /request-key without needing you to be involved.

• They enter their email → get a kx_live_… key instantly
• Defaults: $20/month cap, 10 RPM, 3 max devices, starter plan
• Abuse guard: max 5 keys per email per hour
• If they already had a key, the old one is revoked and a new one issued
• You can customize defaults with DEFAULT_SELFSERVE_* env vars

The client still shows up in your Customers tab. You can upgrade their plan, change caps, or issue sub-keys anytime.