Security on a hosted AI gateway is a partnership. OrcaRouter enforces guarantees on the path it owns; you make the decisions that only you can make. This page is the honest map of that boundary — what the gateway handles, what you handle, and how to maximize the coverage you get.

1. The two-column split

The table below organizes responsibility by area. Every row on the left is a customer-observable guarantee — something you can verify by reading logs, compliance reports, or the console. Every row on the right is a decision only you can make, because it depends on your data, your infrastructure, and your policies.
| Area | OrcaRouter handles | You handle |
|---|---|---|
| Identity | Issues and validates API keys; enforces model, IP, and spend-cap scopes bound to each key; workspace RBAC (Read / Developer / Admin). | Creates keys with appropriate scopes; manages workspace membership and role assignments; rotates your own upstream or provider secrets on your cadence. |
| Content | Screens prompt and response text through Guardrails — blocks, masks, or flags PII, secrets, injection patterns, and unsafe output on every gateway-crossing request. | Authors and tunes guardrail policies (the gateway enforces what you configure, not a default opinion); classifies your own data sensitivity to choose which PII entities and patterns to cover. |
| Actions | Evaluates every tool call, MCP dispatch, and outbound destination that crosses the gateway against your Firewall policy — allow, deny, sanitize, hold for approval, or cap cost. | Configures the firewall policies; routes model-mediated tools and MCP servers through the gateway so the firewall can see them; reviews held approvals. |
| Network | Enforces egress rules on outbound destinations reported by tools through the gateway; blocks SSRF and data-exfiltration destinations when your policy says so. | Secures your own infrastructure and network perimeter outside the gateway path; handles tools that make their own network calls entirely in-process without reporting egress to the gateway. |
| Credentials | Stores connected-service credentials encrypted; masks them on read; never exposes plaintext in logs or the console. | Supplies the credentials and decides which integrations to connect; rotates them when upstream providers require. |
| Audit | Produces an audit trail of every policy match, firewall verdict, and approval decision, correlated to the agent run that caused it; compliance reports are Ed25519-signed and publicly verifiable. | Reviews the audit trail and acts on it; sets your own retention and review cadence. |
| Compliance | Region-stamped compliance evidence — signed reports are stored and served under your declared region (us / eu / uk / ap / cn / global); a 30-day deletion grace window followed by PII scrub. | Declares the compliance residency region; triggers deletions when required by your compliance obligations. |

2. The single most important boundary

The Firewall enforces on gateway-crossing calls only. A tool your agent executes entirely inside its own process — one that never calls https://api.orcarouter.ai and never reports an egress destination — is outside the gateway’s view. This is not a gap in enforcement; it is a precise statement about scope: the gateway is the audited path, not a kernel-level syscall interceptor.

The practical implication: route the calls that matter through the gateway. MCP dispatch via the Firewall MCP gateway and tool calls evaluated via the evaluate hook are both governed. A shell script your agent runs directly, without touching the gateway, is yours to secure at the infrastructure level.

3. How to maximize what the gateway can do for you

Four things shift the most coverage from the “yours” column to the “gateway handles” column:
  1. Route MCP servers and model-mediated tools through the gateway. Register your MCP servers under Firewall → MCP servers and point your agent at https://api.orcarouter.ai/api/v1/firewall/mcp. Every tools/call the model emits then crosses the gateway and is subject to your firewall policy. Tools your agent runs in-process that never cross the gateway remain outside enforcement — route them in or add your own controls.
  2. Give each agent a scoped key. Issue one API key per agent identity, bound to the models it legitimately uses, the IPs it runs from, a spend cap, and an explicit firewall policy. One key shared across several agents makes auditing ambiguous and least privilege impossible.
  3. Start from the Secure Agents baseline. Apply the balanced autonomy level first — it audits risky actions and flags PII in one step with one-click undo. Watch the Firewall events and Guardrails matches feed for a week to see what your agents actually do, then tighten toward the tight level for the surfaces that matter. See Securing AI agents.
  4. Declare your compliance residency region. Signed compliance reports are stamped and stored by region, and a report is only served under a matching declared region. Set it in compliance settings to match your obligations.
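The boundary in section 2 and the first two items above reduce to two questions you can answer from your own inventory: does each tool cross the gateway's MCP endpoint, and is each agent's key unique and fully scoped? The following script is an added example written for this page, not OrcaRouter code; the manifest schema (Agent, Tool, scope names) and the sample agents are constructed assumptions, while the gateway host and MCP path are the ones named on this page.

```python
"""
Inventory check for the gateway boundary: a tool is governed by the Firewall
only when the agent dispatches it through the Firewall MCP gateway, and a key
supports auditing only when it is unique to one agent and carries the four
scopes listed above. The manifest schema here is a constructed assumption
for illustration, not an OrcaRouter artifact.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

GATEWAY_HOST = "api.orcarouter.ai"            # gateway host named on the page
FIREWALL_MCP_PATH = "/api/v1/firewall/mcp"    # MCP gateway path named on the page
# Per-agent key scopes recommended above (models, IPs, spend cap, firewall policy).
REQUIRED_KEY_SCOPES = ("models", "ips", "spend_cap", "firewall_policy")


@dataclass
class Tool:
    name: str
    endpoint: Optional[str]   # URL the agent calls, or None for code run in-process


@dataclass
class Agent:
    name: str
    api_key_id: str
    key_scopes: Dict[str, object]
    tools: List[Tool] = field(default_factory=list)


def is_gateway_governed(tool: Tool) -> bool:
    """True only when the tool call crosses the gateway's MCP endpoint over TLS."""
    if not tool.endpoint:
        return False                           # in-process: outside the gateway's view
    url = urlparse(tool.endpoint)
    return (url.scheme == "https"
            and url.hostname == GATEWAY_HOST
            and url.path.startswith(FIREWALL_MCP_PATH))


def missing_key_scopes(agent: Agent) -> List[str]:
    """Scopes that are absent or empty on the agent's key."""
    return [s for s in REQUIRED_KEY_SCOPES if not agent.key_scopes.get(s)]


def audit(agents: List[Agent]) -> Dict[str, dict]:
    """Findings per agent: tools outside enforcement, weak key scopes, key sharing."""
    owners: Dict[str, List[str]] = {}
    for a in agents:
        owners.setdefault(a.api_key_id, []).append(a.name)
    findings = {}
    for a in agents:
        findings[a.name] = {
            "ungoverned_tools": [t.name for t in a.tools if not is_gateway_governed(t)],
            "missing_key_scopes": missing_key_scopes(a),
            "key_shared_with": [n for n in owners[a.api_key_id] if n != a.name],
        }
    return findings


# Constructed sample inventory: names, key ids and endpoints are illustrative only.
SAMPLE_AGENTS = [
    Agent("billing-bot", "key-A",
          {"models": ["example-model"], "ips": ["10.0.0.0/24"],
           "spend_cap": 50, "firewall_policy": "tight"},
          [Tool("crm-lookup", "https://api.orcarouter.ai/api/v1/firewall/mcp"),
           Tool("run-shell", None)]),                    # runs in-process: not governed
    Agent("support-bot", "key-B",
          {"models": ["example-model"], "ips": [],        # no IP restriction on the key
           "spend_cap": 20, "firewall_policy": "balanced"},
          [Tool("ticket-mcp", "https://api.orcarouter.ai/api/v1/firewall/mcp"),
           Tool("direct-mcp", "https://mcp.example.internal/tools")]),  # bypasses gateway
    Agent("summarizer", "key-B",                         # shares support-bot's key
          {"models": ["example-model"], "ips": ["10.0.1.0/24"],
           "spend_cap": 5, "firewall_policy": "balanced"},
          [Tool("doc-mcp", "https://api.orcarouter.ai/api/v1/firewall/mcp")]),
]

if __name__ == "__main__":
    for agent_name, report in audit(SAMPLE_AGENTS).items():
        print(agent_name, report)
```

Anything listed under `ungoverned_tools` is in the "you handle" column by construction: the gateway never sees it, so it needs your own infrastructure controls or a re-route through the Firewall MCP gateway. `key_shared_with` surfaces exactly the ambiguity item 2 warns about, since firewall verdicts and audit entries for a shared key cannot be attributed to one agent.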

4. Where to go next

How OrcaRouter inspects requests

The enforcement path in detail — what the gateway sees, when, and in what order.

Agent Firewall

The action-layer reference — policies, rules, verdicts, and the MCP gateway.

Guardrails

The content-layer reference — PII, secrets, injection, and external vendors.

The control stack

All four layers — keys, guardrails, firewall, and audit — as one diagram.

The gateway enforces what you configure on the path it owns. The decision about what to configure, what to route through, and how to classify your data is yours — and this page is the map for making those decisions clearly.