Skip to content

Admin API

The admin API runs on a separate API Gateway REST API with a Cognito authorizer, decoupled from the inference path (ALB). This two-plane architecture (see ADR-014) ensures admin endpoints get consistent auth enforcement without duplicating JWT validation in each Lambda handler.

Enable it with:

enable_admin_api = true

PlaneTransportAuthTraffic Pattern
InferenceALB with validate_tokenALB-native JWT validationHigh-volume, latency-sensitive
AdminAPI Gateway REST APICognito Authorizer (COGNITO_USER_POOLS)Low-volume, correctness-sensitive

The ALB continues handling /v1/chat/completions and /v1/messages. All admin endpoints listed below are served by API Gateway.


All admin endpoints require a JWT with the admin scope. Obtain one via:

Terminal window
curl -X POST "${COGNITO_TOKEN_ENDPOINT}" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&scope=https://gateway.internal/admin"

MethodPathDescription
GET/teamsList registered teams
POST/teamsRegister a new team
GET/teams/{id}Get team details
PUT/teams/{id}Update team configuration
DELETE/teams/{id}Deregister a team
MethodPathDescription
GET/budgetsList all budgets
POST/budgetsCreate a budget
GET/budgets/{id}Get budget and current usage
PUT/budgets/{id}Update a budget
DELETE/budgets/{id}Delete a budget
MethodPathDescription
GET/pricingList all pricing entries (DynamoDB overrides + static defaults)
GET/pricing/{provider}/{model}Get pricing for a specific model
PUT/pricing/{provider}/{model}Create or update a pricing override
DELETE/pricing/{provider}/{model}Remove override, revert to static default
MethodPathDescription
GET/routingList routing configurations
POST/routingCreate a routing rule
GET/routing/{id}Get routing rule details
PUT/routing/{id}Update a routing rule
DELETE/routing/{id}Delete a routing rule
MethodPathDescription
GET/usage/{team}Current period usage, budget utilization, per-model breakdown
GET/usage/{team}/historyMonthly usage history

Each admin endpoint is backed by a dedicated Lambda function:

PathLambdaPurpose
/teamsteam_registrationSelf-service onboarding
/budgetsbudget_adminBudget CRUD
/routingrouting_configRouting rule management — renders the agentgateway backend config
/pricingpricing_adminDynamic pricing overrides
/usageusage_apiReal-time usage self-service

Each path prefix has a {proxy+} child resource for sub-paths, with ANY methods and AWS_PROXY Lambda integrations.