What Is an LLM Gateway and How Request Routing, Fallback, and Unified Auth Work Under the Hood

ELI5
An LLM gateway is middleware that sits between your application and multiple AI provider APIs. It handles routing, fallback, unified authentication, and cost tracking through a single interface — without your application knowing which model answered.
An LLM gateway sounds like a solution looking for a problem — middleware that distributed systems theory demands but production pressure rarely validates. That description survives exactly until a provider starts returning cascading errors and an application fails not because any model broke, but because the code had no concept of routing around the failure. The LLM Gateway pattern was designed for that failure mode specifically; the mechanism is more structurally elegant than most infrastructure solutions to a messy problem.
One API Surface, Multiple Providers Underneath
The simplest accurate description of an LLM gateway is a middleware process that presents a single, OpenAI-compatible API surface to your application while forwarding requests to whatever provider or model your routing policy designates. Your application sends one format; the gateway translates, routes, and streams back the response. What your application code doesn’t see — and by design shouldn’t need to see — is which provider actually answered, or how many retries it took to get there.
That single-surface property has consequences that go well beyond developer convenience. Provider-agnostic application code isn’t just cleaner; it’s structurally different. Swapping models, running cost experiments across providers, or migrating off a deprecated API becomes a configuration change in the gateway, not a code change across your services.
What is an LLM gateway?
An LLM gateway is middleware that centralizes request routing, authentication, Fallback Strategy, token tracking, and observability for LLM API traffic into a single control point — replacing the per-provider integration logic that teams otherwise scatter across application code (TrueFoundry Blog).
The architecture has three logical planes that are worth keeping distinct in your mental model:
Control plane: Where routing policies, model configurations, Virtual Keys, budget caps, and retry logic live. This is configuration, evaluated once; it doesn’t participate in the hot path of each request.
Data plane: The request path itself — receiving an API call from your application, applying the routing policy, forwarding to the target provider, and streaming the response back. The gateway participates in every request here. Overhead varies significantly by implementation: TrueFoundry Blog estimates a typical ~3–10ms per request; Portkey, a TypeScript-based gateway, reports under 1ms at a 122 KB binary footprint (Portkey’s GitHub); Bifrost, a Go-based implementation, measures 11 microseconds at 5,000 RPS (Maxim AI). Context and load conditions drive those differences.
Observability plane: Token counts, latency measurements, cost attribution, and request logs. Without this plane, LLM Cost Management in a multi-provider environment means reconstructing usage from four separate provider dashboards after the fact.
Virtual keys are central to the authentication model. Rather than distributing real provider API keys across teams and services, the gateway issues its own identifiers — virtual keys that proxy the real credentials stored encrypted in gateway configuration. Each virtual key carries independent budget caps, rate limits (RPM and TPM), model restrictions, and expiry dates, per LiteLLM Docs. The application authenticates to the gateway; the gateway authenticates to providers using credentials the application never sees.
Not credentials. Capabilities — scoped, auditable, and revocable without touching provider accounts.
How does an LLM gateway route requests and handle failover between AI providers?
The routing decision happens before any provider receives a request. When a call arrives, the gateway evaluates a routing policy — a configuration-defined set of rules that maps request characteristics to a target model or provider. Simple policies route all traffic to a primary model. More sophisticated ones split traffic by cost tier, user segment, latency budget, or the presence of specific metadata in the request.
Failover — what happens when the primary target fails — is where the separation of concerns produces the most visible return. The standard mechanism: a provider returns a 5xx status code or the connection times out, the gateway marks that provider unavailable, and re-routes the request to the next target in the configured fallback chain. That sequence happens inside the gateway; the application receives either a successful response or a final error once retries are exhausted. It never observes the intermediate failure, never holds state about which providers are currently healthy, and never implements retry logic (TrueFoundry Blog).
The exact flow:
- Provider fails via 5xx response or timeout
- Gateway marks provider as failed
- Request re-routes to next configured provider
- Retries continue up to the configured maximum
- On exhaustion: gateway returns error to application
The contrast with client-side retry logic is structural, not cosmetic. With client-side retries, fallback handling lives inside the application — interleaved with business logic, tested inconsistently across services, and difficult to modify without a code deployment. Externalizing it to the gateway makes fallback behavior a policy: expressed in configuration, applied uniformly, changed without touching application code.
Semantic Caching adds a second dimension to the routing decision. Requests whose embeddings fall within a configured similarity threshold of a cached request receive cached responses immediately — no provider call required. This layer reduces costs by 20–40% compared to direct API calls on workloads with recurring query patterns, per Kong’s blog, because many production queries are semantically equivalent even when phrased differently.
Tokens vs. HTTP: Where Standard API Gateways Hit Their Limits
Standard API Gateway tools — Kong, Nginx, AWS API Gateway — were built for HTTP workloads with well-defined payload structures and request-response cycles. LLM interactions break four assumptions those tools rely on. The gap isn’t about architectural sophistication; it’s about what these systems were designed to measure and what they treat as opaque data.
What is the difference between an LLM gateway and a standard API gateway?
Four specific capabilities distinguish an LLM gateway from a standard API gateway, per Kong’s blog:
Token counting. HTTP-based rate limiting operates on requests — one request, one unit. LLM cost management requires counting tokens, which vary per request by content, model, and tokenizer. A standard gateway sees a single HTTP response body; an LLM gateway parses the token usage fields the provider returns and attributes them per key, per model, per time window. This is the prerequisite for any cost governance that doesn’t rely entirely on reading provider invoices.
Streaming management. LLMs return responses as Server-Sent Events (SSE) streams — persistent connections that emit tokens incrementally over time. Standard API gateways handle request-response cycles; they either buffer the entire SSE response (eliminating the latency benefit of streaming) or pass it through as an opaque byte stream with no visibility into content. An LLM gateway understands the SSE protocol, applies token counting and content inspection mid-stream, and forwards events without introducing buffering delays.
Content-level security. A standard gateway inspects HTTP headers and payload size. An LLM gateway can inspect the semantic content of requests and responses — applying prompt injection detection, PII redaction, and content policy enforcement on the text itself. That requires understanding the message structure, not just the HTTP envelope.
Semantic caching. Standard cache keys are computed from request hashes — two requests asking “what’s the weather in Berlin?” and “current Berlin weather?” produce different hashes and hit the origin twice. Semantic caching uses embedding similarity to recognize these as equivalent and return a single cached result. Standard API gateways have no concept of this layer.
The practical consequence in 2026 is that enterprise teams adding LLM infrastructure are deploying LLM gateways alongside existing API gateways, not replacing them. Each handles what it was built to handle.
Among self-hosted options, as of mid-2026: LiteLLM (Python, 100+ LLMs, MIT license, v1.90.0 released June 26, 2026 with six new providers and OpenTelemetry v2 — LiteLLM Docs) and Portkey (TypeScript, 1,600+ LLMs across 45+ providers, Apache 2.0 since Gateway 2.0 — Portkey Blog) are the most widely deployed. Managed-only alternatives include Cloudflare AI Gateway (free tier included with Cloudflare accounts — Maxim AI) and OpenRouter (aggregated provider access with per-token transparent pricing).
LiteLLM’s wide adoption makes the security situation below worth stating plainly: a gateway that holds all your provider credentials is a high-value attack target.
Security & compatibility notes:
- LiteLLM Command Injection (CVE-2026-42271): CISA KEV-listed vulnerability enabling MCP injection, with active exploits in the wild. Fix: upgrade to v1.83.7+ and Starlette v1.0.1 (CSA Labs).
- LiteLLM SQL Injection (CVE-2026-42208): Pre-auth SQL injection in the proxy, exploited within 36 hours of public disclosure. Fix: v1.83.7+ (The Hacker News).
- LiteLLM Supply Chain (March 2026): Versions 1.82.7 and 1.82.8 contained malicious code exfiltrating cloud credentials, SSH keys, and Kubernetes secrets. Remove these versions immediately (LiteLLM Blog).
- LiteLLM Auth Bypass Chain (June 2026): CVE-2026-47101 (auth bypass) + CVE-2026-47102 (privilege escalation) + CVE-2026-40217 (sandbox escape). Chained, they allow low-privilege users to take over gateway servers. Fix: v1.90.0+ (The Hacker News).

What the Architecture Predicts
Understanding the gateway mechanism generates specific predictions about where it helps and where it introduces constraint.
If you have a single LLM provider and no multi-model routing requirement, a gateway adds infrastructure overhead without proportional return — the fallback chain has nowhere to fall to. If you have three or more providers in active use, the gateway becomes the only component with simultaneous visibility across all of them.
If your workloads involve repetitive queries — customer support at scale, document Q&A pipelines, code explanation tools — semantic caching can eliminate a substantial fraction of provider calls. If your queries are high-entropy and rarely repeat, the cache layer adds latency without reducing costs. The 20–40% reduction (Kong’s blog) is a property of query distribution, not a guarantee.
If your security model requires that application services never hold real provider credentials, virtual keys make that constraint enforceable by construction. Revoking a service’s access means deleting its virtual key in the gateway — not hunting through environment variables scattered across a fleet of services.
Rule of thumb: Add an LLM gateway when you have multiple active providers, meaningful cost exposure from token volume, or an organizational need to separate credential management from application code. A single provider with low query volume doesn’t generate enough routing complexity to justify the operational dependency.
When it breaks: The gateway is a critical path dependency — if it fails, all LLM traffic fails with it. High-availability deployments require the same operational discipline as any other critical infrastructure: redundant instances, circuit breakers on the gateway itself, and monitoring that doesn’t rely solely on the models it serves. The 2026 LiteLLM vulnerability chain demonstrates a second failure mode specific to gateways: because they aggregate provider credentials, a compromised gateway can expose every provider account simultaneously. Hardened configuration, not tutorial defaults, is the baseline.
The Data Says
The LLM gateway separates provider complexity from application logic at the network layer — routing decisions, fallback chains, and credential management become policy in the gateway rather than logic in the application. Semantic caching reduces provider spend 20–40% on workloads with repetitive query patterns. The open-source space is operationally mature in 2026 but under active exploitation: self-hosted gateways that aggregate provider credentials require security-hardened deployments and current versions.
AI-assisted content, human-reviewed. Images AI-generated. Editorial Standards · Our Editors