The admin API runs on a separate API Gateway REST API with a Cognito authorizer, decoupled from the inference path (ALB). This two-plane architecture (see ADR-014 ) ensures admin endpoints get consistent auth enforcement without duplicating JWT validation in each Lambda handler.
Enable it with:
Plane Transport Auth Traffic Pattern Inference ALB with validate_token ALB-native JWT validation High-volume, latency-sensitive Admin API Gateway REST API Cognito Authorizer (COGNITO_USER_POOLS) Low-volume, correctness-sensitive
The ALB continues handling /v1/chat/completions and /v1/messages. All admin endpoints listed below are served by API Gateway.
All admin endpoints require a JWT with the admin scope. Obtain one via:
curl -X POST " ${ COGNITO_TOKEN_ENDPOINT } " \
-H " Content-Type: application/x-www-form-urlencoded " \
-d " grant_type=client_credentials&client_id=${ CLIENT_ID }&client_secret=${ CLIENT_SECRET }&scope=https://gateway.internal/admin "
Method Path Description GET/teamsList registered teams POST/teamsRegister a new team GET/teams/{id}Get team details PUT/teams/{id}Update team configuration DELETE/teams/{id}Deregister a team
Method Path Description GET/budgetsList all budgets POST/budgetsCreate a budget GET/budgets/{id}Get budget and current usage PUT/budgets/{id}Update a budget DELETE/budgets/{id}Delete a budget
Method Path Description GET/pricingList all pricing entries (DynamoDB overrides + static defaults) GET/pricing/{provider}/{model}Get pricing for a specific model PUT/pricing/{provider}/{model}Create or update a pricing override DELETE/pricing/{provider}/{model}Remove override, revert to static default
Method Path Description GET/routingList routing configurations POST/routingCreate a routing rule GET/routing/{id}Get routing rule details PUT/routing/{id}Update a routing rule DELETE/routing/{id}Delete a routing rule
Method Path Description GET/usage/{team}Current period usage, budget utilization, per-model breakdown GET/usage/{team}/historyMonthly usage history
Each admin endpoint is backed by a dedicated Lambda function:
Path Lambda Purpose /teamsteam_registrationSelf-service onboarding /budgetsbudget_adminBudget CRUD /routingrouting_configRouting rule management — renders the agentgateway backend config /pricingpricing_adminDynamic pricing overrides /usageusage_apiReal-time usage self-service
Each path prefix has a {proxy+} child resource for sub-paths, with ANY methods and AWS_PROXY Lambda integrations.