Visibility & control
prxy.monster makes AI agent work visible and controllable. This page describes both halves.
Visibility — what every call exposes
Every routed call produces a receipt. Every receipt carries:
- Identity — tenant_id, project_id, agent_id, environment, api_key_id, user_id, iam_principal (Bedrock).
- Provider attribution — wire provider (anthropic / openai / google / aws_bedrock / openrouter / groq), upstream_provider when routed, model_id, region, aws_account_id.
- Outcome — receipt_type, status, http_status, error_class, error_code, error_message_hash.
- Tokens + cost — input_tokens, output_tokens, cache_read_tokens, cache_write_tokens, cost_estimated_usd with cost_estimate_confidence, pricing_table_id, pricing_version, pricing_effective_at.
- Pipeline metadata — routing_decision, policy_decision, cache_status, module_chain[], settlement_protocol.
- Hashes + payload capture mode — four canonical sha-256 hashes of client-request, provider-request, provider-response, client-response; payload_capture mode (hash_only / encrypted_at_rest / none).
- Visibility — private / public_demo / public_minimal / public_redacted / public_full.
- Signature — signing_algorithm, signing_key_id, signature (Ed25519 over JCS-canonical body).
The receipt is the call’s audit trail. The lair operator dashboard surfaces the same data through /dashboard/transactions, /dashboard/cost, /dashboard/agents, and /dashboard/projects (CSV export available).
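A receipt only works as an audit trail if its signature is checked before any field is trusted. The sketch below is an added example, not prxy's own code: it assumes the signed body is the receipt minus its signature field, that the signature is base64, and that signing_algorithm carries the literal string Ed25519. The key id, key pair and sample receipt are constructed.

```javascript
const crypto = require('node:crypto');

// Minimal JCS (RFC 8785) serializer for plain JSON values: keys sorted by UTF-16
// code units (the default sort), primitives emitted by JSON.stringify.
function jcs(value) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(jcs).join(',') + ']';
  return '{' + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + jcs(value[k])).join(',') + '}';
}

// ASSUMPTION: the signed body is the receipt without its `signature` field.
function signedBody(receipt) {
  const { signature, ...body } = receipt;
  return Buffer.from(jcs(body), 'utf8');
}

// trustedKeys maps signing_key_id -> public KeyObject pinned out of band, so a
// receipt cannot vouch for itself by naming its own key or algorithm.
function verifyReceipt(receipt, trustedKeys) {
  // ASSUMPTION: the algorithm is spelled 'Ed25519' and the signature is base64.
  if (receipt.signing_algorithm !== 'Ed25519') return 'unsupported_algorithm';
  const key = trustedKeys.get(receipt.signing_key_id);
  if (!key) return 'unknown_key';
  if (typeof receipt.signature !== 'string') return 'bad_signature';
  const sig = Buffer.from(receipt.signature, 'base64');
  return crypto.verify(null, signedBody(receipt), key, sig) ? 'ok' : 'bad_signature';
}

// Constructed sample: throwaway key pair, hypothetical key id, and a receipt
// using field names from the list above with made-up values.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const trustedKeys = new Map([['demo-key-1', publicKey]]);
const sample = {
  http_status: 429, error_code: 'project_budget_exceeded',
  policy_decision: 'blocked', module_chain: [], visibility: 'private',
  signing_algorithm: 'Ed25519', signing_key_id: 'demo-key-1',
};
sample.signature = crypto.sign(null, signedBody(sample), privateKey).toString('base64');

// The same receipt with one audited field rewritten after signing.
const tampered = { ...sample, policy_decision: 'transformed' };

console.log(verifyReceipt(sample, trustedKeys));   // signature matches
console.log(verifyReceipt(tampered, trustedKeys)); // signature no longer matches
```

Because the body is canonicalized before verification, key order and whitespace in the stored receipt do not matter, while any changed value does.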
Control — what you can enforce
prxy gives you four built-in control surfaces:
1. Per-project budgets
Configure monthly_budget_usd and enforcement_mode per project:
| Mode | Behavior |
|---|---|
| off (default) | Descriptive only. Dashboard shows MTD vs budget; gateway doesn’t gate calls. |
| warn | Continues serving; stamps x-prxy-budget-warning: true + budget headers; receipt records policy_decision: 'transformed'. |
| hard_fail | Returns 429 project_budget_exceeded once MTD ≥ budget. Pipeline emits a signed blocked receipt with policy_decision: 'blocked' for the audit trail. |
Configure via lair /dashboard/admin/projects or the admin endpoint.
2. Payload capture
payload_capture is a per-api_key setting:
| Mode | What’s stored | Cache eligible | Decryptable? |
|---|---|---|---|
| hash_only (default) | sha-256 of canonical request + response | yes | n/a — no plaintext |
| encrypted_at_rest (opt-in) | sealed envelope under customer X25519 pubkey | no (cache bypassed) | yes, with customer’s private key |
| none (compliance opt-out) | nothing beyond receipt hashes | no | n/a |
See Payload capture for the encryption envelope details.
3. Provider routing + BYOK
Provider keys resolve in this order:
- Header x-provider-key.
- User BYOK row in user_provider_keys (encrypted at rest).
- Env fallback (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, GROQ_API_KEY, OPENROUTER_API_KEY, AWS chain for Bedrock).
The router module can pick a model per request (cheapest-first, fallback chain, or q-learning). Fallback strategy is recorded on the receipt as routing_decision.
4. Module chain
You compose the pipeline per api_key via PRXY_PIPE. Order matters. Each module runs pre-call (request transformation, cache lookup, budget gate, MCP pruning) and/or post-call (cache write, pattern forging, token counting). Every module that ran ends up on the receipt’s module_chain.
Anonymous sandbox
The sandbox is a controlled visibility surface for evaluation. Sessions:
- Persist anon_key_hash + ip_hash + counters; the bare anon token is never stored at rest.
- Cap the number of calls per session (request_limit).
- Emit receipts with visibility: public_demo, environment: demo.
- Hide tenant / project / agent / IP / trace IDs on the public receipt page.
What you cannot control (today)
- The provider’s own internal logging — when a request leaves the gateway and reaches Anthropic / OpenAI / Bedrock, those providers may have their own retention.
- The HTTP transport between client and gateway — the gateway sees what arrives at the wire.
prxy controls everything from the wire to the receipt. Beyond the wire is the provider’s contract with you.