The AI Gateway is a core service that owns the Designer AI chat surface. It streams AI assistant responses to the browser over Server-Sent Events (SSE) and routes chat requests to the config-time agents.
Dependencies
Before setting up the AI Gateway, ensure you have the following dependencies in place:- MongoDB for storing conversation context
- Keycloak (or compatible OAuth2 provider) for authentication and authorization
- SpiceDB for fine-grained, workspace-level authorization on AI interactions
- AI Platform β the config-time agents the gateway routes chat requests to
Infrastructure prerequisites
Configuration
Authorization configuration
The AI Gateway validates incoming tokens with the JWT public key mechanism and authenticates to other FlowX services with a dedicated service account (themainIdentity client registration) in the service-accounts realm:
AI Platform routing
The AI Gateway forwards chat requests to the config-time agents and the planner. In Kubernetes these default to the in-cluster service names β override them only for custom networking or mixed deployments.MongoDB configuration
CAS lib configuration (SpiceDB)
Logging configuration
Secrets management
Ingress and CORS
The AI Gateway is exposed on the admin host because the Designer connects to it directly from the browser. Because it streams chat responses over SSE, the ingress must allow long-lived connections β the FlowX deploy chart raises the default proxy read/send timeouts for this service so streams are not cut mid-flight.CORS configuration
Allowed methods, allowed headers, and credential handling are baked into the serviceβs
application.yaml with safe defaults. For the complete route reference and Gateway API HTTPRoute configuration, see the ingress configuration guide.
Deployment
Helm values example
The AI Gateway requires ingress to be enabled because the Designer connects to it from the browser to open AI chat streams.
Verify your setup
The AI Gateway pod is running and healthy:
kubectl get pods -l app=ai-gatewayThe health endpoint returns HTTP 200:
curl http://ai-gateway:8080/actuator/healthSpiceDB connection is established β check pod logs for successful CAS client initialization
AI chat opens in the Designer and streams a response without the connection dropping
Troubleshooting
AI chat stream drops mid-response
AI chat stream drops mid-response
Solutions:
- Confirm the ingress proxy read/send timeouts are raised for the AI Gateway route (SSE needs long-lived connections)
- Check that no intermediate proxy buffers or closes the SSE stream
- Review pod logs for upstream errors from the config-time agents
AI chat returns a CORS error in the browser
AI chat returns a CORS error in the browser
Solutions:
- Add the Designer origin to
APPLICATION_CORS_ALLOWORIGIN - Verify the request reaches the AI Gateway on the admin host
SpiceDB connection failures
SpiceDB connection failures
Solutions:
- Verify SpiceDB is running and reachable at the configured host and port
- Check that the SpiceDB token is correct
- Ensure network policies allow gRPC traffic to SpiceDB on port
50051
Related resources
AI Platform setup
Config-time agents and AI infrastructure
SpiceDB Configuration
Fine-grained authorization setup
IAM Configuration
Identity and access management setup
Ingress configuration
Routing and CORS reference

