WebLLM

Gateway System

An open protocol for proxying LLM requests—self-host or use WebLLM's hosted gateway

Open Gateway Protocol

The gateway protocol is open and anyone can run a gateway. WebLLM Gateway is our hosted implementation, but you can self-host for full control over your data and infrastructure.

Gateways are optional—most users connect directly to providers via the browser extension or their own API keys. Gateways are useful when you want to provide AI access to website visitors without requiring them to configure anything.

Architecture Overview
[Figure: architecture diagram with three nodes (Developer, Gateway Server, User's Browser) and three flows labelled Secret Key, Access Token, and Request + Token]

1. Dev configures gateway with secret key + API keys
2. Dev generates access token locked to origin domain
3. User app sends requests with token for inference

Token-Origin Binding

Each access token is cryptographically bound to specific origins. When a request arrives:

1. Gateway extracts token: wlm-abc123.eyJ...
2. Verifies JWT signature with secret key
3. Checks Origin header against token's domains[]
4. Validates quota not exceeded
5. Proxies request to provider (OpenAI, Anthropic, etc.)

Allowed

Token domains: ["myapp.com", "*.myapp.com"]

Requests from myapp.com or staging.myapp.com

Rejected

Origin: evil-site.com

Token stolen and used from different domain
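
The signature, expiry and origin checks listed above can be sketched as follows. This is an added example, not WebLLM's gateway code. It assumes an HS256-signed compact JWT, takes the JWT part of the token as input (handling of the wlm-abc123. prefix is omitted), treats "*.myapp.com" as not matching the apex domain, and leaves out the stateful quota step. The function names and sample values are hypothetical.

```javascript
// Added example, not WebLLM's gateway code. Assumes HS256 and a compact JWT.
const nodeCrypto = require('node:crypto');
const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (secret, msg) => nodeCrypto.createHmac('sha256', secret).update(msg).digest();

// Builds constructed sample tokens for the checks below (hypothetical helper).
function signToken(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(hmac(secret, `${head}.${body}`))}`;
}

// Step 3: compare the Origin header's hostname with the token's domains[].
function originAllowed(originHeader, domains) {
  if (domains.length === 0) return true; // page: empty list allows all origins
  let host;
  try { host = new URL(originHeader).hostname.toLowerCase(); } catch { return false; }
  return domains.some((entry) => {
    const d = entry.toLowerCase();
    if (!d.startsWith('*.')) return host === d; // exact match
    const suffix = d.slice(1); // ".myapp.com": the dot stops "evilmyapp.com"
    return host.length > suffix.length && host.endsWith(suffix);
  });
}

// Steps 2 and 3 plus expiry. nowMs is injectable so the result is reproducible.
function verifyRequest(jwt, originHeader, secret, nowMs = Date.now()) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  // HS256 is always recomputed here, so the token's own alg header is never trusted.
  const expected = hmac(secret, `${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  let claims;
  try { claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8')); } catch { claims = null; }
  if (claims === null || typeof claims !== 'object') return { ok: false, reason: 'malformed' };
  if (typeof claims.exp === 'number' && nowMs >= claims.exp) {
    return { ok: false, reason: 'expired' }; // page: exp is a Unix timestamp in ms
  }
  if (!Array.isArray(claims.domains) || !originAllowed(originHeader, claims.domains)) {
    return { ok: false, reason: 'origin not allowed' };
  }
  return { ok: true, claims };
}
```

A missing or "null" Origin header fails URL parsing and is rejected whenever domains[] is non-empty.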

Security Parameters

Quota Limits

Parameter      Options                          Description
quota.type     requests | tokens                Count API requests or LLM tokens consumed
quota.limit    number                           Maximum allowed per period (e.g., 1000)
quota.period   hour | day | month | lifetime    When quota resets

Domain Restrictions

Parameter   Example           Description
domains     ["myapp.com"]     Exact domain match
domains     ["*.myapp.com"]   Wildcard: any subdomain
domains     [] (empty)        Allow all origins (not recommended)

Token Expiration

Parameter   Type                  Description
exp         Unix timestamp (ms)   Token expires after this time
expiresIn   milliseconds          Convenience: expires N ms from creation

Usage Example

Self-Hosted Gateway

Run your own gateway server for full control over data and infrastructure.

1. Clone the repository

git clone https://github.com/webllm-org/webllm

2. Configure your server

Set up API keys and gateway settings in your environment

3. Deploy and register

Add your gateway URL to the available gateway services

Self-hosted benefits:

  • Full data sovereignty - requests never leave your infrastructure
  • Custom rate limiting and logging
  • Integration with internal auth systems
  • No dependency on external gateway services
