Security, taken seriously.
Your keys, your data, your perimeter. Every credential is encrypted at rest with an APP_KEY you control. Every admin action is audited. Every external URL is SSRF-validated.
What we ship by default
Self-hosting means you control the operational reality. Here's what the box ships with on day one.
Encrypted at rest
Provider API keys, OAuth tokens, MCP server tokens, webhook signing secrets — all encrypted with the Laravel APP_KEY you supply via env. Compromise the DB without the key and you have ciphertext.
SSRF guard everywhere
API Gateway proxy URLs, webhook delivery URLs, MCP Gateway upstreams, OAuth token endpoints — all validated against loopback, RFC1918, link-local, IPv6 unique-local, and cloud metadata at create AND request time.
Audit log
Every admin action and management-API call lands in audit_logs with actor, target, severity, IP, and metadata. Answering "what did we send last quarter" is a query against one table.
Reversible PII redaction
Tokenize emails / phones / IBANs / SSNs / IPs / custom regex before the LLM call. Restore on response. The LLM never sees the real value; your user does.
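An added example (not PromptGate's own code) of the tokenize-then-restore flow described above: the PII patterns, the placeholder format and the sample prompt are illustrative choices for this example, and the sample prompt is constructed rather than taken from real traffic.

```python
import re

# Illustrative patterns, ordered so that more specific shapes run before
# the broad phone pattern (which would otherwise swallow SSNs and IPs).
PII_PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("IBAN",  re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){3,7}(?:[ ]?[A-Z0-9]{1,4})?\b")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("IPV4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"\+?\d[\d\s().-]{8,}\d")),
]


class Redactor:
    """Replace PII with placeholders before the LLM call; put it back after."""

    def __init__(self, patterns=PII_PATTERNS):
        self.patterns = patterns

    def redact(self, text):
        mapping = {}    # placeholder -> original value (kept server-side only)
        reverse = {}    # original value -> placeholder, so repeats share one token
        counters = {}
        for label, regex in self.patterns:
            def replace(match, label=label):
                value = match.group(0)
                if value in reverse:
                    return reverse[value]
                counters[label] = counters.get(label, 0) + 1
                token = f"[{label}_{counters[label]}]"
                mapping[token] = value
                reverse[value] = token
                return token
            text = regex.sub(replace, text)
        return text, mapping

    def restore(self, text, mapping):
        """Substitute the real values back into the model's response."""
        for token, value in mapping.items():
            text = text.replace(token, value)
        return text


# Constructed sample prompt; none of these values are real.
SAMPLE_PROMPT = (
    "Contact jane.doe@example.com or +1 (555) 010-4242; SSN 123-45-6789, "
    "IBAN DE89 3704 0044 0532 0130 00, from 203.0.113.7."
)

if __name__ == "__main__":
    redactor = Redactor()
    outbound, table = redactor.redact(SAMPLE_PROMPT)
    print("to provider:", outbound)
    # Simulated model reply that reuses two placeholders.
    reply = "I will email [EMAIL_1] and call [PHONE_1]."
    print("to user:    ", redactor.restore(reply, table))
```

The mapping lives only for the duration of the request; if the model rewrites or truncates a placeholder, that value simply stays redacted in the response, which is the safe failure mode.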
Secret scanner
18 well-known credential patterns (AWS, GitHub, Slack, OpenAI, Stripe, JWT, private keys, …). In block mode the request is rejected with a 422 that does not echo the match, so secrets never re-leak via error logs.
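An added example (not PromptGate's own scanner) of a block-mode scanner that reports which pattern fired and where, but never the matched text. The pattern subset and the sample payload are constructed for this example; the AWS key in the sample is the publicly documented placeholder key, not a live credential.

```python
import hashlib
import re

# Illustrative subset of well-known credential shapes (not the product's list).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token":      re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token":       re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "openai_key":        re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "stripe_live_key":   re.compile(r"\bsk_live_[A-Za-z0-9]{16,}\b"),
    "jwt":               re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}


def scan(text):
    """Return findings that locate each hit without containing the secret."""
    findings = []
    for name, regex in SECRET_PATTERNS.items():
        for match in regex.finditer(text):
            secret = match.group(0)
            findings.append({
                "pattern": name,
                "line": text.count("\n", 0, match.start()) + 1,
                # Short hash lets operators correlate repeat leaks across
                # requests without logging the value itself.
                "fingerprint": hashlib.sha256(secret.encode()).hexdigest()[:12],
            })
    return findings


def enforce(text, mode="block"):
    """Block mode: a 422 that names the pattern classes only.
    Monitor mode: pass the request through and return the findings."""
    findings = scan(text)
    if findings and mode == "block":
        return {
            "status": 422,
            "error": "request body contains credential-like material",
            "patterns": sorted({f["pattern"] for f in findings}),
        }
    return {"status": 200, "findings": findings}


# Constructed sample request body. AKIAIOSFODNN7EXAMPLE is AWS's documented
# example key; the GitHub token is a made-up string of the right shape.
SAMPLE_BODY = (
    "aws_key = AKIAIOSFODNN7EXAMPLE\n"
    "token = ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
    "please summarise this config for me"
)

if __name__ == "__main__":
    print(enforce(SAMPLE_BODY))
    print(enforce("no secrets here", mode="block"))
```

Whatever the mode, the structured response is the only thing that reaches logs and the caller; the raw match is discarded once the fingerprint is computed.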
Kill-switches
Two admin-flippable toggles disable the management REST API and the MCP control plane respectively. Both default off in Community — admins consciously enable each surface.
BSL 1.1 — source-available
PromptGate is published under the Business Source License 1.1. You can:
- Run it for any commercial or non-commercial purpose on your own infrastructure
- Read the full source, build from it, and patch it for your needs
- Self-host indefinitely
What is prohibited is wrapping it as a competing managed-service offering. After 4 years the same code automatically converts to Apache 2.0.
Reproducible by inspection
The Community Edition has no telemetry, no analytics calls, no licence checks. The gateway makes outbound calls only to the provider URLs you configure.
- Public source on GitHub
- Public Docker image on Docker Hub — built from a tagged commit
- No closed binaries, no obfuscated bundles
- Audit any version; build your own image from source if you prefer
Layered controls
No single layer is the only thing standing between a compromised API token and an exfiltrated secret.
1. Request validation
Every request body is shape-validated. Malformed payloads get 422 before the gateway opens any connections downstream.
2. Authentication
Bearer-token auth with project-scoped permissions. Tokens are SHA-256 hashed at rest; the plaintext is shown exactly once at issuance. Per-token rate limits cap the blast radius of an abused token.
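An added example (not PromptGate's own token code) of the issuance and check flow above: only the SHA-256 digest is stored, the plaintext is returned once, and each token carries a project scope, a permission set and a sliding-window rate limit. The "pg_" prefix, the token length and the limit values are assumptions for this example.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Bearer tokens kept only as SHA-256 digests, with per-token rate limits."""

    def __init__(self, limit=100, window_seconds=60.0):
        self.rows = {}                  # digest -> record; plaintext is never stored
        self.limit = limit              # requests allowed per token per window
        self.window_seconds = window_seconds

    @staticmethod
    def _digest(presented):
        return hashlib.sha256(presented.encode()).hexdigest()

    def issue(self, project_id, permissions):
        # "pg_" prefix and 32 random bytes are assumptions for this example.
        plaintext = "pg_" + secrets.token_urlsafe(32)
        self.rows[self._digest(plaintext)] = {
            "project_id": project_id,
            "permissions": frozenset(permissions),
            "revoked": False,
            "hits": [],                 # request timestamps inside the window
        }
        return plaintext                # shown exactly once; the caller keeps it

    def revoke(self, presented):
        row = self.rows.get(self._digest(presented))
        if row is not None:
            row["revoked"] = True

    def authorize(self, presented, project_id, permission, now=None):
        """Return (allowed, reason). `now` is injectable for deterministic tests."""
        now = time.monotonic() if now is None else now
        row = self.rows.get(self._digest(presented))
        if row is None or row["revoked"]:
            return False, "invalid token"
        if row["project_id"] != project_id:
            return False, "token not scoped to this project"
        if permission not in row["permissions"]:
            return False, "permission denied"
        # Sliding window: keep only hits younger than the window, then count.
        row["hits"] = [t for t in row["hits"] if now - t < self.window_seconds]
        if len(row["hits"]) >= self.limit:
            return False, "rate limited"
        row["hits"].append(now)
        return True, "ok"


if __name__ == "__main__":
    store = TokenStore(limit=3, window_seconds=60)
    token = store.issue("proj-1", ["chat:write"])
    print("issued once:", token)
    for t in (0.0, 1.0, 2.0, 3.0):
        print(t, store.authorize(token, "proj-1", "chat:write", now=t))
```

Because the database holds digests of high-entropy random strings rather than user-chosen passwords, a plain SHA-256 (no salt, no slow KDF) is the appropriate choice here: it makes the lookup a single indexed read while a leaked table still gives nothing usable.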
3. Guardrails
PII filter, prompt-injection patterns, keyword blocklist, content length, reversible redaction, secret scanner — all configurable per project, all running on the inbound prompt before the provider sees a byte.
4. SSRF guard
Resolves every outbound URL and rejects non-public IPs (RFC1918 / link-local / cloud metadata) at create AND dispatch time. Re-checking at dispatch is what defends against DNS rebinding.
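An added example (not PromptGate's own guard) of the check described under "SSRF guard everywhere" and in this layer: the URL is parsed, its host resolved, and every answer tested against loopback, RFC1918, link-local (including the cloud metadata address), IPv6 loopback, unique-local and link-local. The same function is run when the URL is saved and again before each dispatch. The DNS table below is constructed so the example runs offline; the hostnames in it are not real records.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges the guard refuses to talk to: loopback, RFC1918, link-local
# (which contains the 169.254.169.254 cloud metadata endpoint), IPv6
# loopback, unique-local and link-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_public_ip(ip_str):
    """True only if the address lies outside every blocked range."""
    ip = ipaddress.ip_address(ip_str)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) as the IPv4 address it wraps,
    # otherwise the mapped form would slip past the IPv4 ranges.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_unspecified or ip.is_multicast:
        return False
    return not any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Return the vetted addresses for url, or raise ValueError.

    Run once when the URL is saved and again immediately before each
    dispatch: a hostname whose DNS answer changes to a private address
    between the two checks (DNS rebinding) is caught by the second run.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("only http/https upstreams are allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: nothing to resolve
    except ValueError:
        try:
            infos = resolver(host, port)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host}") from exc
        addrs = sorted({info[4][0] for info in infos})
    for addr in addrs:
        # Every answer must be public; a single private record rejects the URL.
        if not is_public_ip(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return addrs


# Constructed DNS answers for an offline demonstration (not real records).
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "metadata.example.internal": ["169.254.169.254"],
    "rebinder.example.net": ["198.51.100.7", "10.0.0.5"],
}


def fake_resolver(host, port):
    """Stand-in for socket.getaddrinfo with the same return shape."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no record for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
            for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for url in ("https://api.example.com/v1", "http://metadata.example.internal/latest",
                "http://rebinder.example.net/hook", "http://[::ffff:192.168.1.1]/"):
        try:
            print("allow ", url, validate_outbound_url(url, resolver=fake_resolver))
        except ValueError as err:
            print("reject", url, "->", err)
```

The dispatch-time check closes most of the rebinding window, but the HTTP client should then connect to the vetted address it was handed (and send the original hostname for TLS/SNI) rather than resolving the name a third time, and it should re-run the check on every redirect target.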
5. Anomaly detector
A MAD-based (median absolute deviation) detector over 5-minute buckets watches error rate, p95 latency, and spend per endpoint. A webhook fires on detection, so a runaway script or insider misuse is caught by its own traffic pattern.
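An added example (not PromptGate's own detector) of a median-absolute-deviation detector of the kind described: each 5-minute bucket value is scored against the recent buckets for the same endpoint and metric, and a callback standing in for the webhook fires when the score crosses a threshold. The window size, threshold, the 0.6745 scaling constant and the sample values are choices made for this example.

```python
import statistics
from collections import defaultdict, deque


def mad_score(history, current):
    """Robust z-score of `current` against `history`.

    The median absolute deviation replaces the standard deviation so one
    earlier spike cannot inflate the baseline and hide the next one. The
    0.6745 factor makes the score comparable to a normal z-score.
    """
    median = statistics.median(history)
    mad = statistics.median(abs(x - median) for x in history)
    if mad == 0:
        # Perfectly flat baseline (e.g. error rate stuck at 0): any
        # departure is treated as an anomaly.
        return 0.0 if current == median else float("inf")
    return 0.6745 * (current - median) / mad


class AnomalyDetector:
    """Per-endpoint, per-metric detector over 5-minute buckets.

    Feed it one aggregated value per bucket (error rate, p95 latency,
    spend). Only upward departures alert: lower errors, latency or spend
    are not incidents.
    """

    def __init__(self, on_alert=None, window=12, threshold=3.5, min_history=6):
        self.on_alert = on_alert or (lambda alert: None)   # stand-in for the webhook
        self.window = window                # 12 buckets x 5 min = 1 h of baseline
        self.threshold = threshold
        self.min_history = min_history      # buckets needed before scoring starts
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, endpoint, metric, value):
        """Score one bucket; return the alert dict if it fired, else None."""
        hist = self.history[(endpoint, metric)]
        alert = None
        if len(hist) >= self.min_history:
            score = mad_score(hist, value)
            if score > self.threshold:
                alert = {"endpoint": endpoint, "metric": metric, "value": value,
                         "baseline": statistics.median(hist), "score": score}
                self.on_alert(alert)
        if alert is None:
            # Anomalous buckets stay out of the baseline so a sustained burst
            # does not teach the detector that the burst is normal.
            hist.append(value)
        return alert


# Constructed per-bucket spend values (USD) for one endpoint: ten quiet
# buckets, one slightly higher, then a runaway script.
SAMPLE_SPEND = [1.0, 1.1, 0.9, 1.05, 0.95, 1.0, 1.1, 0.9, 1.0, 1.05, 1.02, 8.0]

if __name__ == "__main__":
    detector = AnomalyDetector(on_alert=lambda a: print("webhook:", a))
    for v in SAMPLE_SPEND:
        detector.observe("/v1/chat/completions", "spend_usd", v)
```

Keeping anomalous buckets out of the baseline is a deliberate trade-off: it keeps the alert firing for as long as the runaway traffic lasts, at the cost of needing a manual reset if the new level is a legitimate change in usage.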
6. Audit + retention
Every admin action and every management-API call records actor, target, IP, metadata. Daily prune respects edition retention (7d gateway logs, 30d audit, 14d webhook deliveries on Community).
Found a vulnerability?
Email us privately first. Don't open a public issue — coordinate disclosure so a fix lands before the world knows.
We aim to acknowledge within 2 business days and ship a fix on a coordinated timeline.