ODOCK.AI
Management

Management

Virtual API keys, smart routing, budgets, quotas, reservations, and usage records.

Management

Management is the runtime control layer for Odock. It answers five practical questions for every gateway call:

  • Who is calling?
  • Which models or MCP servers can the caller use?
  • Should the request go directly to the requested model or be routed to another candidate?
  • Is there enough budget or quota capacity for the request?
  • How can the organisation monitor what happened after the call?

This section is written for organisation users who manage applications, teams, and API keys. If you need to connect providers or create model records first, start with Models & MCP. If you need request safety, content filtering, or plugin behavior, see Guardrails, Security Engine, and Plugins.

What Management Controls

Management sits between your application and the upstream model or MCP server.

The virtual API key is the runtime identity. The gateway uses it to find the organisation, optional team, optional user, explicit model/MCP grants, key-level policies, routing rules, and cost controls.

The Runtime Principal

Every request is evaluated with a principal. A principal is the identity chain attached to the API key:

API key typePrincipal chainTypical use
ORGANISATIONOrganisation -> API keyShared backend service, central integration, CI job.
TEAMOrganisation -> Team -> API keyTeam-owned product, workflow, or deployment.
USEROrganisation -> User -> API keyPersonal automation, testing, notebook, or developer workflow.

The key type does not automatically grant model or MCP access. A team-scoped key still needs explicit model access. A user-scoped key still needs explicit MCP access. Scope affects attribution and the budgets, quotas, and policies that are checked.

How Scope Is Inherited

Management rules are additive. The gateway checks every active rule that matches the request's principal. A request must satisfy all of them.

For budgets and quotas, "most specific" does not mean "only the most specific rule wins." It means more specific owners can add tighter limits, but broader organisation or team limits still protect the shared pool. For example, a team key can be stopped by the organisation monthly budget, the team weekly token quota, or the key's own daily cost budget.

Runtime Lifecycle

At a high level, a gateway request moves through these phases:

  1. The application sends a request with an Odock virtual API key.
  2. The gateway authenticates the key and checks expiry/revocation.
  3. The gateway resolves organisation, team, user, and API-key context.
  4. IP and rate-limit policies are evaluated.
  5. The request body is decoded and the requested model or MCP server is resolved.
  6. The gateway checks that the key has explicit access to the model or MCP server.
  7. Smart routing may choose a candidate model or fallback chain.
  8. Budget and quota capacity is reserved before the upstream call.
  9. Guardrails, SafetySec modules, and plugins run at their configured phases.
  10. The gateway calls the upstream provider or MCP server.
  11. Actual tokens, bytes, latency, status, routing attempts, and cost are recorded.
  12. Budget and quota reservations are settled or released.

For endpoint request formats, see Native Models call and Unified Multi Model Endpoint Call.

What To Configure First

Use this order for a practical production setup:

  1. Confirm the provider, model, and MCP resources exist in Models & MCP.
  2. Create a virtual API key for the application or workflow.
  3. Grant model access and MCP access to the key.
  4. Add IP and rate-limit policies if the key is used from predictable infrastructure.
  5. Add budgets to protect spend.
  6. Add quotas to protect request volume, token volume, errors, cost, or latency.
  7. Enable organisation routing and configure API-key routing when you need failover or model distribution.
  8. Test with the AI Playground or a direct API call.
  9. Monitor Usage Records, budget windows, quota windows, and routing attempts.

UI Map

In the organisation workspace, the management pages are available from the sidebar:

PageUse it for
API KeysCreate keys, reveal once, rotate, revoke, grant model/MCP access, edit policies, configure routing, review usage, attach budgets and quotas.
BudgetsCreate cost ceilings by organisation, team, user, or API key and monitor spending windows.
QuotasCreate numeric limits by metric and monitor quota windows.
Usage RecordsAudit individual requests, including status, latency, provider, model, token usage, cost, and routing details.
SettingsEnable or disable smart routing for the organisation and manage organisation-level policies.

Monitoring Loop

Management is not only setup. It is a feedback loop.

Review usage records after each rollout. They show whether requests used the expected key, model, provider, route, and cost profile. Budget and quota pages then show how that request-level activity accumulates inside the active time windows.

Pages In This Section

  • Virtual API Keys: runtime credentials, scope, access grants, policies, rotation, and monitoring.
  • Routing: organisation routing switch, API-key routing policies, model-type routing, native endpoint fallback, and multi-model routing.
  • Budgets: spend ceilings, owner inheritance, reservation and settlement, schedule windows, and monitoring.
  • Quotas: request/token/error/cost/latency limits, reservation and settlement, metric windows, and monitoring.

Endpoints

Understand how applications call configured models and MCP servers through the Odock gateway.

Virtual API Keys

Runtime credentials for applications that call Odock.

On this page

ManagementWhat Management ControlsThe Runtime PrincipalHow Scope Is InheritedRuntime LifecycleWhat To Configure FirstUI MapMonitoring LoopPages In This Section