Configuration reference
Each app you create has its own configuration, edited from Dashboard → Apps → (your app). The guided setup walks you through the required steps; this page is the reference for what every setting does.
Auth provider
How the proxy verifies the end user behind each request. Pick one per app:
- Firebase: verifies the Firebase ID token in the Authorization header against your Firebase project ID. The project number is additionally used for App Check.
- Supabase: verifies the Supabase access token against your project URL and publishable (anon) key. Both are safe to ship in your app.
App Check
Optional Firebase App Check verification that blocks requests not coming from your genuine app. It needs only the Firebase project number (no app IDs) and supports enforce (block) or audit (observe) mode. Full details in the App Check guide.
User tiering
Choose how an app's users are tiered. This is asked right after auth:
- Basic: no RevenueCat. Every user shares one policy and the proxy simply keeps your provider key off the device. The policy Category stays on Free.
- RevenueCat entitlements: the proxy maps each user to a category (free, trial, paid, expired, blocked) from their RevenueCat subscription, so you can grant different models and budgets per tier. Requires a RevenueCat V1 secret key (legacy REST key, sk_…) and a user-ID mapping (Firebase UID, Supabase user ID, or RevenueCat app user ID). Public SDK keys and v2 keys without REST access are rejected.
Policies
A policy decides what a category of users may do. Policies are keyed by (category, provider, model, endpoint type):
- Allowed models: the canonical provider/model identities this tier may call.
- Endpoint type: chat completions, responses, embeddings, image generation, or audio transcription.
- Budgets & limits: per-user cost-per-day / cost-per-month and request-per-day / request-per-month ceilings, plus an optional max tokens per request. Free (zero-cost) models are exempt from the cost-estimate gate.
- Limit behavior: when a limit is hit, either block the request or fallback to a cheaper model you nominate.
- Enabled: a policy must be enabled to count toward go-live and to take effect.
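As an added illustration (not the proxy's own code), the policy semantics above can be modelled as a lookup on the four-part key followed by the limit checks. Denying a request when no enabled policy matches, the field names, and the placeholder provider and model names are assumptions; monthly ceilings and max tokens per request are left out to keep the example short.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    enabled: bool
    cost_per_day: float            # per-user cost ceiling (USD)
    requests_per_day: int          # per-user request ceiling
    limit_behavior: str = "block"  # "block" or "fallback"
    fallback_model: Optional[str] = None  # cheaper model nominated for fallback

@dataclass
class Usage:
    cost_today: float = 0.0
    requests_today: int = 0

def decide(policies, usage, category, provider, model, endpoint, est_cost):
    """Return (action, model, reason); action is allow, fallback or block."""
    policy = policies.get((category, provider, model, endpoint))
    # Assumption: no matching policy, or a disabled one, means deny.
    if policy is None or not policy.enabled:
        return ("block", None, "no enabled policy")
    over_requests = usage.requests_today + 1 > policy.requests_per_day
    # Free (zero-cost) models skip the cost-estimate gate.
    over_cost = est_cost > 0 and usage.cost_today + est_cost > policy.cost_per_day
    if not (over_requests or over_cost):
        return ("allow", model, "within limits")
    reason = "request limit" if over_requests else "cost limit"
    if policy.limit_behavior == "fallback" and policy.fallback_model:
        return ("fallback", policy.fallback_model, reason)
    return ("block", None, reason)

# Constructed sample policies; provider and model names are placeholders.
POLICIES = {
    ("free", "example", "large", "chat"): Policy(True, 0.10, 20, "fallback", "small"),
    ("free", "example", "small", "chat"): Policy(True, 0.00, 50),
    ("paid", "example", "large", "chat"): Policy(True, 5.00, 500),
    ("trial", "example", "large", "chat"): Policy(False, 1.00, 100),
}

if __name__ == "__main__":
    u = Usage(cost_today=0.09, requests_today=3)
    print(decide(POLICIES, u, "free", "example", "large", "chat", 0.02))
    print(decide(POLICIES, u, "free", "example", "small", "chat", 0.0))
    print(decide(POLICIES, u, "trial", "example", "large", "chat", 0.02))
    print(decide(POLICIES, u, "expired", "example", "large", "chat", 0.02))
```

The disabled trial policy and the unmapped expired category both end in a block, which is the behavior to check for before go-live if a tier is meant to have access.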
Data logging
Off by default. Opt in to encrypted request and/or response payload logging for short retention windows when you need to debug or audit traffic. Token counts, cost, latency, and status are always recorded for usage analytics; this setting controls only the raw payloads.
PostHog analytics
Optional. Send server-side $ai_generation events to your PostHog project for model, token, cost, latency, user, and app analytics. No client SDK required.
Provider keys
Your upstream model keys (OpenAI, Anthropic, etc.), encrypted at rest. They are account-level and shared across all your apps, managed once under Dashboard → Provider Keys. On Pro and Max you can add per-app overrides when a specific app needs its own key.