Skip to main content
The AI Gateway is a core service that owns the Designer AI chat surface. It streams AI assistant responses to the browser over Server-Sent Events (SSE) and routes chat requests to the config-time agents.

Dependencies

Before setting up the AI Gateway, ensure you have the following dependencies in place:
  • MongoDB for storing conversation context
  • Keycloak (or compatible OAuth2 provider) for authentication and authorization
  • SpiceDB for fine-grained, workspace-level authorization on AI interactions
  • AI Platform β€” the config-time agents the gateway routes chat requests to

Infrastructure prerequisites


Configuration

Authorization configuration

The AI Gateway validates incoming tokens with the JWT public key mechanism and authenticates to other FlowX services with a dedicated service account (the mainIdentity client registration) in the service-accounts realm:
Upgrading from 5.1.x? Remove the legacy opaque-token env vars: SECURITY_OAUTH2_REALM, SECURITY_OAUTH2_CLIENT_CLIENTID, SECURITY_OAUTH2_CLIENT_CLIENTSECRET, and SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_*. These belong to the removed introspection model and prevent the service from starting on 5.9.x. See the authentication and IAM migration guide for the full list.

AI Platform routing

The AI Gateway forwards chat requests to the config-time agents and the planner. In Kubernetes these default to the in-cluster service names β€” override them only for custom networking or mixed deployments.
Starting with 5.9.2, AI Platform services are deployed under their plain names β€” the ai-platform- prefix is dropped. The defaults below reflect the new names. If you upgrade the core services and the AI Platform chart separately, or you overrode these variables with the old prefixed names, align them β€” mixed naming breaks AI features. See the 5.9.2 deployment guidelines.

MongoDB configuration


CAS lib configuration (SpiceDB)


Logging configuration


Secrets management


Ingress and CORS

The AI Gateway is exposed on the admin host because the Designer connects to it directly from the browser. Because it streams chat responses over SSE, the ingress must allow long-lived connections β€” the FlowX deploy chart raises the default proxy read/send timeouts for this service so streams are not cut mid-flight.

CORS configuration

Allowed methods, allowed headers, and credential handling are baked into the service’s application.yaml with safe defaults. For the complete route reference and Gateway API HTTPRoute configuration, see the ingress configuration guide.

Deployment

Helm values example

The AI Gateway requires ingress to be enabled because the Designer connects to it from the browser to open AI chat streams.

Verify your setup

The AI Gateway pod is running and healthy: kubectl get pods -l app=ai-gateway
The health endpoint returns HTTP 200: curl http://ai-gateway:8080/actuator/health
SpiceDB connection is established β€” check pod logs for successful CAS client initialization
AI chat opens in the Designer and streams a response without the connection dropping

Troubleshooting

Solutions:
  1. Confirm the ingress proxy read/send timeouts are raised for the AI Gateway route (SSE needs long-lived connections)
  2. Check that no intermediate proxy buffers or closes the SSE stream
  3. Review pod logs for upstream errors from the config-time agents
Solutions:
  1. Add the Designer origin to APPLICATION_CORS_ALLOWORIGIN
  2. Verify the request reaches the AI Gateway on the admin host
Solutions:
  1. Verify SpiceDB is running and reachable at the configured host and port
  2. Check that the SpiceDB token is correct
  3. Ensure network policies allow gRPC traffic to SpiceDB on port 50051

AI Platform setup

Config-time agents and AI infrastructure

SpiceDB Configuration

Fine-grained authorization setup

IAM Configuration

Identity and access management setup

Ingress configuration

Routing and CORS reference
Last modified on July 9, 2026