Open Source

The AI Gateway
your team needs

Ziri is a self-hosted proxy that sits between your apps and AI providers. Govern access, control costs, and enforce policies — without changing a line of application code.

$ docker run -p 8080:8080 zstrike/ziri

Getting Started → View on GitHub

Your Apps

Frontend

Backend API

AI Agent

Ziri Gateway

✓ Authenticate

✓ Rate limit

✓ Evaluate policy

✓ Track cost

AI Providers

OpenAI

Anthropic

+ more

Your team is spending thousands on AI APIs. But who's using what?

When developers use LLM APIs directly, anyone with a key can use any model, costs spiral unpredictably, there's no audit trail, and you can't enforce rules. Ziri fixes this by acting as a smart gateway every request must pass through.

Everything you need to govern AI

Centralized control over every AI API request, without changing how your applications are built.

Policy-based access control

Define who can use what, when. Cedar policies give you granular, declarative control over every AI request.

permit(principal, action == Action::"chat", resource == Model::"gpt-4o") when { context.hour >= 9 && context.hour <= 17 };

API key management

Per-user keys with automatic rotation. No more sharing raw provider keys across your team.

Per-user rate limiting

Sliding window throttling per user. Prevent runaway scripts from burning through your budget.

Cost tracking

Daily and monthly spend summaries per user and team. Set spend caps before budgets run out.

Audit logs

Full record of every authorization decision. Know who accessed which model, when, and why.

Web-based Admin UI

Manage keys, policies, users, and view usage from a browser. Bundled with the gateway — no separate install, no extra infrastructure.

Role-based access

Admin, Viewer, User Admin, Policy Admin. The right level of access for every team member.

How it works

Every AI request flows through five stages. Your apps don't change — they just point to Ziri instead of OpenAI or Anthropic directly.

Validate Key

Identify the user

Rate Limit

Check request quota

Policy Check

Evaluate Cedar rules

Forward

Send to provider

Track & Log

Record cost & decision

Deploy in minutes with Docker

Ziri ships as a single Docker image. Run it anywhere — your cloud, your datacenter, your laptop. The Admin UI is bundled, no separate setup required.

Single Docker image, self-hosted and fully under your control
Admin UI bundled — manage everything from a browser
OpenAI-compatible API — just change the base URL

View documentation →

$ docker run -p 8080:8080 zstrike/ziri

✓ Gateway listening on :8080

✓ Admin UI ready at :8080/admin

✓ 3 Cedar policies loaded

Incoming request from user-alice

Model: gpt-4o

✓ API key validated

✓ Rate limit: 47/100 remaining

✓ Policy: PERMIT

✓ Cost tracked: $0.03

→ Forwarded to OpenAI (124ms)

// Only allow GPT-4 during business hours

permit(

principal,

action == Action::"chat",

resource == Model::"gpt-4o"

) when {

context.hour >= 9 &&

context.hour <= 17

};

// Cap daily spend per user

forbid(

principal,

action,

resource

) when {

principal.dailySpend > 50.00

};

Declarative Cedar policies

Define access rules in Cedar — the same policy language used by AWS. Readable, testable, and version-controlled alongside your code.

Restrict models by user, team, or time of day
Set per-user daily and monthly spend caps
Block specific actions while allowing others
Version control policies alongside your code

Policy reference →

First-class SDK for Node.js

The @ziri/sdk npm package gives you programmatic control over keys, policies, usage, and more.

Manage API keys programmatically
Query usage and cost data
CRUD operations on Cedar policies
Full TypeScript support

SDK documentation →

import { Ziri } from '@ziri/sdk';

const ziri = new Ziri({

baseUrl: 'http://localhost:8080',

adminKey: process.env.ZIRI_ADMIN_KEY

});

// Create an API key for a user

const key = await ziri.keys.create({

userId: 'alice',

rateLimit: 100,

dailySpendCap: 50.00

});

// Check usage for a user

const usage = await ziri.usage.get({