Settings
The Settings page consolidates system-wide configuration into a single form. Changes take effect only after you click Save Settings.
Custom Labels
Rename the hierarchy labels shown throughout the admin UI. By default the two middle tiers are called Organizations and Departments; use this card to relabel them to match your terminology (e.g. “Teams” / “Projects”).
Rate Limiting
Global rate limits protect the gateway and upstream providers from excessive traffic. Three limits can be configured (set a value to 0 for unlimited):
| Setting | Description |
|---|---|
| Requests per Minute | Maximum requests per minute (maxRequestsPerMinute). |
| Requests per Day | Maximum requests per day (maxRequestsPerDay). |
| Tokens per Day | Maximum total tokens processed per day (maxTokensPerDay). |
These are system-wide defaults. Per-API-key rate limits (configured on the API Keys page) override these for their respective scopes.
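The precedence rule and the meaning of 0 can be sketched as follows. This is a minimal illustration, not the gateway's implementation: the function names are hypothetical, and it assumes an unset per-key limit is represented as `None` and that 0 also means unlimited when it appears as a per-key value.

```python
from typing import Optional

UNLIMITED = 0  # per the text above, a value of 0 means "no limit"


def effective_limit(global_limit: int, key_limit: Optional[int] = None) -> int:
    """Return the per-key limit when one is set, otherwise the global default.

    Assumption: an unset per-key limit is represented as None.
    """
    return global_limit if key_limit is None else key_limit


def is_allowed(current_count: int, limit: int) -> bool:
    """True if one more request fits under the limit; 0 is treated as unlimited."""
    return limit == UNLIMITED or current_count < limit
```

For example, with a global limit of 60 requests per minute and a key-level limit of 10, `effective_limit(60, 10)` yields 10, so the key is throttled after its tenth request in the window.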
Caching
The gateway includes a semantic cache that stores and reuses responses for similar prompts, reducing latency and cost.
| Setting | Description |
|---|---|
| Enabled | Toggle semantic caching on or off (cachingEnabled). |
| TTL (seconds) | How long cached responses remain valid (cacheTTLSeconds). |
The cache similarity threshold is a deployment-time setting (CACHE_SIMILARITY_THRESHOLD, default 0.96), not a field on this page — see Environment Variables.
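To show how the TTL and the similarity threshold interact, here is a rough sketch of a semantic cache lookup. The source does not say which similarity metric the gateway uses; cosine similarity over prompt embeddings is assumed here, and `CacheEntry`, `cosine_similarity`, and `lookup` are hypothetical names for illustration only.

```python
import math
import time
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class CacheEntry:
    embedding: Sequence[float]  # embedding of the cached prompt (assumed representation)
    response: str
    stored_at: float            # seconds since the epoch


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def lookup(query_embedding: Sequence[float],
           entries: Sequence[CacheEntry],
           ttl_seconds: float,
           threshold: float = 0.96,   # mirrors the documented default
           now: Optional[float] = None) -> Optional[str]:
    """Return the most similar unexpired response at or above the threshold."""
    now = time.time() if now is None else now
    best, best_score = None, threshold
    for entry in entries:
        if now - entry.stored_at > ttl_seconds:
            continue  # older than the TTL: treated as invalid
        score = cosine_similarity(query_embedding, entry.embedding)
        if score >= best_score:
            best, best_score = entry, score
    return best.response if best else None
```

Under these assumptions, a higher threshold trades hit rate for precision: fewer prompts are considered "similar enough", so fewer responses are reused.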
Default Routing Strategy
Select the system-wide default routing strategy. This applies to any request that does not match a specific routing config on the Routing page. All ten strategies are available:
- Priority
- Round Robin
- Weighted
- Least Latency
- Least Cost
- Free Tier First
- Task Optimized
- Cost Optimized
- Failover
- Random
See the Routing Configuration page for detailed descriptions of each strategy.
Allowed Providers
Select which provider slugs are available for use in the gateway. Unchecked providers are excluded from routing. The selectable list:
openai, anthropic, google-gemini, azure-openai, mistral, cohere, groq, together-ai, perplexity, deepseek, fireworks, replicate, ai21, huggingface, xai, cerebras, sambanova, stability, assemblyai, elevenlabs, comfyui, ollama, vllm, lmstudio, localai, llamacpp, whisper-local
Leave all checked to allow any of these provider types.
Allowed Models
Restrict which model IDs can be used through the gateway. Enter one model ID per line (e.g. gpt-4o, claude-sonnet-4-6). Leave the field empty to allow all models.
This acts as an allowlist — only models listed here will be routable. Combined with per-provider model registrations, this gives you two layers of control over which models are accessible.
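The two layers of control might be modeled like this. It is a sketch under assumptions: the helper names are hypothetical, and the set of registered models stands in for whatever the per-provider model registrations actually contain.

```python
from typing import Set


def parse_allowed_models(field_text: str) -> Set[str]:
    """Parse the one-ID-per-line field; blank lines and surrounding spaces are ignored."""
    return {line.strip() for line in field_text.splitlines() if line.strip()}


def is_model_routable(model_id: str, allowed: Set[str], registered: Set[str]) -> bool:
    """A model must pass the global allowlist AND be registered on a provider.

    An empty allowlist means "allow all models", as described above.
    """
    passes_allowlist = not allowed or model_id in allowed
    return passes_allowlist and model_id in registered
```

With the field set to `gpt-4o` and `claude-sonnet-4-6`, a request for any other model ID would be rejected by the first check even if a provider has that model registered.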
SSO Configuration
Single Sign-On can be enabled and configured directly from the Settings page. Toggle Enable Single Sign-On and select a provider type — SAML 2.0 or OpenID Connect (OIDC).
OIDC (OpenID Connect)
| Field | Description |
|---|---|
| Issuer URL | The OIDC issuer base URL, from which the discovery document is resolved (e.g. https://accounts.google.com). |
| Client ID | OAuth client identifier. |
| Client Secret | OAuth client secret (leave blank to keep the current value). |
| Scopes | Space-separated OIDC scopes (default: openid email profile). |
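For reference, OpenID Connect Discovery places the provider metadata at a well-known path under the issuer. The sketch below shows how that URL and the scope list could be derived from the form fields; the function names are hypothetical and this is not necessarily how the gateway resolves them internally.

```python
from typing import List


def discovery_url(issuer: str) -> str:
    """Build the OIDC discovery document URL for a given issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def parse_scopes(scopes: str = "openid email profile") -> List[str]:
    """Split the space-separated Scopes field into individual scope names."""
    return scopes.split()
```

Fetching the discovery URL for your issuer in a browser is a quick way to confirm the Issuer URL value before saving.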
SAML 2.0
| Field | Description |
|---|---|
| IdP SSO URL | The identity provider’s single sign-on entry point. |
| IdP Entity ID | The issuer identifier from your identity provider. |
| IdP Signing Certificate | The X.509 certificate in PEM format used to verify SAML assertions. |
SIEM Integration
Export audit logs to an external Security Information and Event Management system. Select a SIEM type and configure the connection:
| SIEM Type | Value | Endpoint Example |
|---|---|---|
| Splunk HEC | splunk | https://splunk:8088/services/collector |
| Elasticsearch / ELK | elk | https://elasticsearch:9200 |
| Webhook | webhook | https://webhook.example.com/audit |
Additional fields:
- Auth Token — Authentication credential for the SIEM endpoint.
- Batch Size — Number of events per batch (1 to 1,000; default: 100).
Use the Test Connection button to verify connectivity before saving. The test result displays inline as success or failure.
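The effect of Batch Size can be illustrated with a small sketch that groups audit events before export. The names are hypothetical, and clamping out-of-range values into the documented 1 to 1,000 range is an assumption; the gateway may instead reject such values.

```python
from typing import Any, Iterator, List, Sequence

MIN_BATCH, MAX_BATCH, DEFAULT_BATCH = 1, 1000, 100  # range and default from the text above


def clamp_batch_size(value: int) -> int:
    """Force a batch size into the documented range (assumed behavior)."""
    return max(MIN_BATCH, min(MAX_BATCH, value))


def batches(events: Sequence[Any], batch_size: int = DEFAULT_BATCH) -> Iterator[List[Any]]:
    """Yield consecutive groups of at most batch_size events."""
    size = clamp_batch_size(batch_size)
    for start in range(0, len(events), size):
        yield list(events[start:start + size])
```

With the default of 100, a backlog of 250 events would be exported as three batches of 100, 100, and 50 events.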
Danger Zone (Super-Admin)
Super-admins see a Danger Zone card that resets system data. The reset preserves only your own user account, tenants, and roles; an optional toggle also preserves provider configurations. To confirm, you must type RESET ALL DATA, after which the page calls POST /api/super-admin/system/reset. This action cannot be undone.
Saving Changes
All settings on this page are saved atomically via PUT /api/admin/settings. The Save Settings button is disabled while a save is in progress to prevent duplicate submissions.
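If you want to script the same save, the request might look roughly like the sketch below. Only the endpoint, the HTTP method, and the field names come from this page; the flat JSON body shape, the bearer-token header, the base URL, and the example values are assumptions. The code builds the request without sending it.

```python
import json
import urllib.request


def build_save_request(base_url: str, token: str, settings: dict) -> urllib.request.Request:
    """Build (but do not send) a PUT request to the settings endpoint."""
    return urllib.request.Request(
        url=base_url.rstrip("/") + "/api/admin/settings",
        data=json.dumps(settings).encode("utf-8"),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",  # assumed auth scheme
        },
    )


# Field names are taken from the tables above; values are examples only.
settings = {
    "maxRequestsPerMinute": 600,
    "maxRequestsPerDay": 0,   # 0 = unlimited
    "maxTokensPerDay": 0,     # 0 = unlimited
    "cachingEnabled": True,
    "cacheTTLSeconds": 3600,
}
request = build_save_request("https://gateway.example.com", "example-token", settings)
```

Because the save is atomic, a script should send the complete settings object in one call rather than issuing separate requests per section.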