Security
How FinOps AI Gateway protects credentials, enforces access control, and isolates tenant data.
FinOps AI Gateway runs as a managed Monetize360 service. Security is built into the platform — tenant isolation, encrypted credentials, and token-based access for applications.
Tenant isolation
Each Monetize360 tenant has its own database. FinOps configuration, virtual keys, budgets, routing rules, and inference logs are stored only in your tenant — never shared across customers.
Application authentication
Applications never receive upstream provider API keys. Instead:
- An administrator creates a virtual key in Finops Config.
- Monetize360 issues a signed JWT for that key.
- Applications send the JWT in the
Authorization: Bearerheader (or supported alternative headers). - The gateway validates the token, resolves the tenant, and enforces governance before calling any provider.
See Connect Your Apps for integration details.
Provider credentials
Provider API keys are stored encrypted in your tenant and used only by the gateway service. Rotate keys in Model Provider → Keys without redeploying applications.
Governance enforcement
Every request is checked against active policy before reaching an upstream model:
Blocked requests return clear errors — test enforcement safely in the Simulator.
Audit and telemetry
Inference activity is logged to your tenant for Telemetry Data and dashboard reporting. Use export and history features for compliance review.
Access control
Access to Finops Config itself is controlled by Monetize360 role-based permissions. Only authorized administrators can create virtual keys, view provider credentials, or change routing policy.
Contact your Monetize360 administrator for SSO, role assignments, and data residency questions specific to your deployment.