
Frequently asked questions

What is an Agentic Control Plane?

An Agentic Control Plane is the trust, identity, and governance layer between LLM runtimes (ChatGPT, Claude, custom agents) and your backend services. It ensures every AI-initiated action is identified (bound to a real user), authorized (checked against policies), and auditable (logged with identity and context).

What problem does it solve?

AI apps have three parties — the user, the LLM, and your backend — but no shared identity layer. The user authenticates with the LLM, then the LLM calls your backend with a shared API key. Your backend can’t tell who the request is for, what they’re allowed to do, or who to hold accountable. This is the Three-Party Problem.

How is this different from an API gateway?

Traditional API gateways (Kong, Apigee, AWS API Gateway) handle HTTP traffic management — routing, TLS, basic rate limiting. They don’t understand the three-party problem. They can’t bind LLM-forwarded requests to the originating user, enforce per-user policies on tool calls, or produce identity-attributed audit trails for AI actions. An ACP handles the AI-specific governance layer.

How is this different from an LLM gateway?

LLM gateways (Portkey, LiteLLM, OpenRouter) focus on model routing — choosing the cheapest or fastest provider, handling fallbacks, caching responses. They sit between your app and the LLM. An ACP sits between the LLM and your backend. Different layer, different problem.

Do I need to replace my existing infrastructure?

No. An ACP complements your existing API gateway, LLM gateway, and agent framework. It adds the governance layer that none of them provide. You can adopt it incrementally — start with identity verification and add policy enforcement, rate limiting, and audit logging over time.

What is GatewayStack?

GatewayStack is the open-source reference implementation of the Agentic Control Plane pattern. It’s built as six composable npm modules for Node.js/Express, each handling one governance concern: identity, content safety, policy, rate limits, routing, and audit.

Can I use just one module?

Yes. Each module works standalone. Most teams start with identifiabl (identity verification) and add layers as their governance requirements grow.

What identity providers are supported?

Any OIDC-compliant provider issuing RS256 access tokens: Auth0, Okta, Entra ID (Azure AD), Keycloak, Google, and others. The identifiabl module verifies tokens against the provider’s JWKS endpoint.

Does it work with MCP and OpenAI Apps SDK?

Yes. GatewayStack has native support for both the Model Context Protocol (MCP) and OpenAI’s Apps SDK (ChatGPT Actions). The reference implementation includes MCP server and ChatGPT Action connectors.

Is it production-ready?

The open-source modules are published on npm and tested (135 tests across 17 files). For teams that need managed infrastructure, Agentic Control Plane Cloud provides a multi-tenant gateway with dashboard, integrations, and audit UI.

What’s the license?

MIT. All six modules and the monorepo are MIT licensed. Use them freely in commercial and open-source projects.

How long does implementation take?

The identity module (identifiabl) can be added to an existing Express app in under 10 minutes. Full pipeline integration with all six modules typically takes 1-2 days for a single app, mostly spent configuring your identity provider and defining scope allowlists. If you’re deploying the reference gateway, it runs on Cloud Run in under 5 minutes.

What’s the latency overhead?

The identity verification and policy enforcement pipeline adds 2-5ms per request in typical deployments. The heaviest operation is the JWKS fetch on cold start, which is cached after first use. PII detection adds ~1ms for regex-based scanning. Rate limit checks are in-memory and sub-millisecond.

Does this work with Python, Go, or only Node.js?

The GatewayStack modules are Node.js / TypeScript. However, the gateway runs as a standalone service — your backend can be written in any language. It receives the verified user identity via the x-user-uid HTTP header (and optionally the full token claims). If you need a non-Node control plane, the -core packages export pure functions you can use as reference implementations.

Can I deploy on-prem?

Yes. GatewayStack is open source and runs anywhere Node.js runs — Cloud Run, ECS, Kubernetes, bare metal, or your local machine. There are no external dependencies beyond your OIDC identity provider. For teams that need a managed option, Agentic Control Plane Cloud provides a hosted multi-tenant gateway.

What identity providers are supported beyond Auth0?

Any OAuth 2.0 / OIDC-compliant provider that issues RS256 JWTs. This includes Auth0, Okta, Azure AD (Entra ID), AWS Cognito, Firebase Auth, Keycloak, and Google. The identifiabl module discovers JWKS endpoints automatically via the standard .well-known/openid-configuration URL.