Architecture
Use this page to understand how OngoingAI Gateway handles proxy traffic and trace persistence.
Use this concept when
- You are planning deployment architecture or rollout order.
- You need a shared model for platform, security, and application teams.
- You need to reason about proxy reliability when storage is degraded.
Request path
- A client sends traffic to a provider route such as `/openai/...` or `/anthropic/...`.
- Auth middleware validates gateway access when `auth.enabled=true`.
- Capture middleware records request and response metadata.
- Reverse proxy middleware forwards the request to the configured provider upstream.
- The gateway strips its own auth header before upstream forwarding.
- The provider response streams back through the gateway to the client.
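The request path above can be sketched as a chain of middleware steps. This is an illustrative sketch, not the gateway's actual API: names such as `GATEWAY_AUTH_HEADER`, `handle_request`, and `forward_upstream` are hypothetical, and the upstream call is stubbed.

```python
# Hypothetical sketch of the proxy request path. GATEWAY_AUTH_HEADER,
# handle_request, and forward_upstream are illustrative names, not the
# gateway's real identifiers.
GATEWAY_AUTH_HEADER = "x-gateway-key"

def forward_upstream(path: str, headers: dict) -> dict:
    # Stub standing in for the real provider call; the gateway's own
    # auth header must never reach the upstream provider.
    assert GATEWAY_AUTH_HEADER not in headers
    return {"status": 200}

def handle_request(headers: dict, path: str, auth_enabled: bool) -> dict:
    # Auth middleware: validate gateway access when auth.enabled=true.
    if auth_enabled and GATEWAY_AUTH_HEADER not in headers:
        return {"status": 401}

    # Capture middleware: record request metadata before forwarding.
    captured = {"path": path}

    # Strip the gateway's own auth header before upstream forwarding.
    upstream_headers = {
        k: v for k, v in headers.items() if k != GATEWAY_AUTH_HEADER
    }

    # Reverse proxy middleware: forward to the provider upstream.
    response = forward_upstream(path, upstream_headers)
    captured["status"] = response["status"]
    return response
```

Note that the upstream credentials in `headers` pass through untouched; only the gateway's own header is removed.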
Trace path
- Capture middleware builds a trace record from the proxied exchange.
- The trace writer enqueues trace records into a bounded async queue.
- The trace store persists records to `sqlite` or `postgres`.
- API routes read stored traces and aggregates for analytics responses.
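The bounded async queue in the trace path can be sketched as follows. This is a minimal sketch under assumed names (`TraceWriter`, `enqueue`): when the queue is full, the new trace is dropped rather than blocking the proxy path.

```python
import queue

# Illustrative sketch of the bounded trace queue; TraceWriter and its
# methods are hypothetical names, not the gateway's real API.
class TraceWriter:
    def __init__(self, capacity: int):
        self.q = queue.Queue(maxsize=capacity)
        self.dropped = 0

    def enqueue(self, trace: dict) -> bool:
        try:
            # put_nowait never blocks the request path.
            self.q.put_nowait(trace)
            return True
        except queue.Full:
            # Capacity reached: drop the trace, keep proxying.
            self.dropped += 1
            return False
```

A background writer would drain `self.q` and persist records to the configured store; the proxy path only ever pays the cost of the enqueue.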
Design properties
- Upstream provider credentials are pass-through and are not persisted as raw key material.
- Protected routes fail closed for auth and tenant-scope uncertainty.
- Trace persistence is asynchronous to avoid coupling proxy latency to storage.
- Streaming responses preserve provider ordering and chunk delivery semantics.
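The fail-closed property can be made concrete with a small decision function. This is a sketch under assumed semantics: a `None` auth result stands for an unreachable auth backend, and the specific status mapping is illustrative.

```python
from typing import Optional

# Hypothetical fail-closed authorization decision. When auth state or
# tenant scope cannot be determined, the route denies access rather
# than allowing it.
def authorize(token_valid: Optional[bool], tenant_known: bool) -> int:
    if token_valid is None:
        return 503  # auth backend unavailable: fail closed
    if not token_valid:
        return 401  # credentials rejected
    if not tenant_known:
        return 403  # tenant scope uncertain: fail closed
    return 200
```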
Failure boundaries
- If auth checks fail, protected routes return `401`, `403`, or `503`.
- If trace queue capacity is reached, traces can be dropped while proxy forwarding continues.
- If trace persistence fails, errors are logged and proxy forwarding continues.
- If config or storage initialization fails at startup, gateway startup exits.
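The persistence failure boundary can be sketched as a write wrapped in an error handler: the failure is logged and swallowed, so the proxy path is never affected. `persist_trace` and the store interface are hypothetical names for illustration.

```python
import logging

log = logging.getLogger("gateway.traces")

# Hypothetical persistence boundary: a failed trace write is logged
# and absorbed so proxy forwarding continues unaffected.
def persist_trace(store, trace: dict) -> bool:
    try:
        store.write(trace)
        return True
    except Exception:
        log.exception("trace persistence failed; proxy forwarding continues")
        return False
```

Startup is the one place this tolerance does not apply: if config or storage initialization fails before the gateway is serving, exiting is the safe behavior.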