Skip to content

Glossary

API key — a cloak_… token issued from the portal. Identifies a tenant and a capability scope.

Arbitrage — the gateway’s strategy of routing each request to the cheapest healthy provider that can serve the requested model class.

BYOK — Bring Your Own Keys. The tenant connects their own provider account; CloakAPI stores the upstream key encrypted and decrypts it in-memory only for the duration of a single request.

Capability — a fine-grained model allowlist scope (e.g. gpt-4o, claude-sonnet-4-6). API keys are issued with one or more capabilities.

Chain hashsha256(canonical_json(previous_envelope)). Anchors each receipt to the previous one for the same tenant.

Detector — a tokeniser plug-in that recognises a specific PII pattern (email, phone, IBAN, …). The set of active detectors is part of the receipt — auditors can see which detectors fired.

JTI — JWT ID. Unique receipt identifier (random hex in v2 envelopes, UUID v7 in client-signed v3 envelopes).

JWKS — JSON Web Key Set. Public list of CloakAPI signing keys; served at https://api.cloakapi.io/api/.well-known/cloakapi-receipt-pubkeys.jwks.

KID — Key ID. Identifies which signing key sealed a receipt; matches a kid in the JWKS.

OpenReceipt — the open protocol for signed AI gateway receipts. Spec at signedreceipts.org. CloakAPI is the reference implementation.

Org / sub-org — top-level tenant; partner mode allows nested sub-organisations with their own quotas, rate limits, and balances.

Provider — an upstream LLM service (OpenAI, Anthropic, Google Gemini, xAI Grok, DeepSeek, self-hosted local via Ollama / LocalAI, or any provider you connect with your own key — BYOK — such as OpenRouter, Perplexity, or Mistral). The gateway routes requests across providers according to the routing table.

Receipt — a signed receipt envelope sealed onto every gateway response (and, on the client-side ways, client-signed before egress). Verifiable months later — gateway-signed receipts against the public JWKS; client-signed v3 receipts fully offline via the embedded attester key.

Tokenisation — substitution of customer-PII strings with opaque tokens (<EMAIL_482>) before requests leave the tenant’s perimeter. The mapping table lives in the tenant’s local store; CloakAPI never sees it.