ARouter Guardrails let organization admins enforce policies that apply to all API keys and all requests within their organization. Guardrails operate at the gateway layer — before any request reaches an upstream provider.
What Guardrails Enforce
| Control | Description |
|---|---|
| Model allow-list | Restrict which models members can use |
| Provider allow-list | Restrict which providers requests can route to |
| Spending limits | Per-key and per-organization budget caps |
| Rate limits | Request rate limits per key or member |
| Data policies | ZDR enforcement, data collection restrictions |
Spending Limits
Set a hard credit limit on any API key. Requests that would exceed the limit are rejected with a 402 error.
Via Dashboard
Go to API Keys → Edit Key → set Credit Limit.
Via API
curl -X PATCH https://api.arouter.ai/api/v1/keys/{key_hash} \
  -H "Authorization: Bearer lr_admin_xxxx" \
  -H "Content-Type: application/json" \
  -d '{"limit_usd": 50.00}'
| Field | Type | Description |
|---|---|---|
| limit_usd | number | Maximum cumulative spend in USD. null = unlimited. |
When the limit is reached:
{
  "error": {
    "code": 402,
    "message": "Credit limit exceeded for this API key.",
    "metadata": {
      "limit_usd": 50.00,
      "used_usd": 50.01
    }
  }
}
Rate Limits
Restrict requests per minute or per day per API key.
Via API
curl -X PATCH https://api.arouter.ai/api/v1/keys/{key_hash} \
  -H "Authorization: Bearer lr_admin_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "rate_limit": {
      "requests_per_minute": 60,
      "requests_per_day": 1000
    }
  }'
| Field | Type | Description |
|---|---|---|
| requests_per_minute | integer | Max requests per minute. null = unlimited. |
| requests_per_day | integer | Max requests per day. null = unlimited. |
When the rate limit is exceeded, the API returns 429 Too Many Requests.
Model Allow-Lists
Restrict an API key to a specific set of models. Requests to other models are rejected.
Via Dashboard
Go to API Keys → Edit Key → Allowed Models.
Via API
curl -X PATCH https://api.arouter.ai/api/v1/keys/{key_hash} \
  -H "Authorization: Bearer lr_admin_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "allowed_models": [
      "openai/gpt-5.4",
      "anthropic/claude-sonnet-4.6",
      "google/gemini-2.5-flash"
    ]
  }'
A request to a model not in allowed_models returns:
{
  "error": {
    "code": 403,
    "message": "Model 'openai/o3' is not permitted for this API key."
  }
}
Provider Allow-Lists
Restrict which providers requests can route to. Combine with model allow-lists for fine-grained control.
curl -X PATCH https://api.arouter.ai/api/v1/keys/{key_hash} \
  -H "Authorization: Bearer lr_admin_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "allowed_providers": ["OpenAI", "Anthropic"]
  }'
Data Policy Enforcement
Enforce Zero Data Retention (ZDR) for all requests made with a key:
curl -X PATCH https://api.arouter.ai/api/v1/keys/{key_hash} \
  -H "Authorization: Bearer lr_admin_xxxx" \
  -H "Content-Type: application/json" \
  -d '{"enforce_zdr": true}'
With enforce_zdr: true, ARouter only routes to providers that have signed Zero Data Retention agreements. See ZDR for details.
Guardrail Hierarchy
Policies are applied in this order (most restrictive wins):
Organization defaults
└── API Key overrides
    └── Per-request provider object
Example: if your organization default allows only OpenAI and Anthropic, a key-level override cannot add Google. But a key can be more restrictive (e.g., OpenAI-only within that org policy).
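The "most restrictive wins" rule above, modelled locally as an added example (not ARouter's code) that an admin can use to review key settings before applying them. It assumes a missing allow-list means no restriction at that layer, that ZDR stays on once any layer enables it, and that the per-request layer can be expressed with the same field names; the sample layers are constructed.

```python
# Local model of "most restrictive wins"; not ARouter's implementation.
# Assumption: a missing or None allow-list means "no restriction at this layer".
LIST_FIELDS = ("allowed_providers", "allowed_models")

def _narrow(current, layer_value):
    """Intersect two allow-lists, treating None as unrestricted."""
    if layer_value is None:
        return current
    if current is None:
        return set(layer_value)
    return current & set(layer_value)

def effective_policy(*layers):
    """Fold layers in hierarchy order: org defaults, key overrides, request."""
    policy = {field: None for field in LIST_FIELDS}
    policy["enforce_zdr"] = False
    for layer in layers:
        for field in LIST_FIELDS:
            policy[field] = _narrow(policy[field], layer.get(field))
        # Assumption: a layer can switch ZDR on; a later layer cannot switch it off.
        policy["enforce_zdr"] = policy["enforce_zdr"] or bool(layer.get("enforce_zdr"))
    return policy

def widening_attempts(parent, child):
    """Entries a child layer lists that the parent does not allow (no effect)."""
    ignored = {}
    for field in LIST_FIELDS:
        if parent.get(field) is not None and child.get(field) is not None:
            extra = set(child[field]) - set(parent[field])
            if extra:
                ignored[field] = sorted(extra)
    return ignored

# Constructed sample layers, mirroring the OpenAI/Anthropic/Google example above.
ORG = {"allowed_providers": ["OpenAI", "Anthropic"], "enforce_zdr": True}
KEY = {"allowed_providers": ["OpenAI", "Google"],
       "allowed_models": ["openai/gpt-5.4"]}
REQUEST = {"allowed_providers": ["OpenAI", "Anthropic"]}  # hypothetical request-layer shape

if __name__ == "__main__":
    print(effective_policy(ORG, KEY, REQUEST))
    print(widening_attempts(ORG, KEY))
```

Running `widening_attempts` over planned key overrides shows which entries would have no effect because the organization default already excludes them.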
Viewing Policy Violations
All guardrail rejections are logged in the Activity page with:
- Timestamp
- API key used
- Rejection reason (rate_limit_exceeded, model_not_allowed, credit_limit_exceeded, provider_not_allowed)
- Request metadata (model, tokens if applicable)
Enterprise Controls
For enterprise organizations, additional controls are available:
- Organization-wide model allow-lists — Apply to all keys in the org automatically
- Member-level budget allocation — Assign individual spending budgets to team members
- Audit logs — Full request audit trail for compliance
Contact support@arouter.ai for enterprise Guardrails configuration.