Team-wide provider allowlist on AI Gateway
TL;DR · AI 摘要
Vercel 的 AI Gateway 新增团队级提供商白名单功能,确保流量仅路由至批准的 AI 服务提供商。
核心要点
- AI Gateway 的白名单功能在网关级别强制执行,防止开发者使用未批准的提供商。
- 白名单默认禁用新提供商,避免因集成新供应商导致批准列表无声扩展。
- 支持多种 API 格式,包括 AI SDK、OpenAI Chat Completions API 和 Anthropic Messages API。
结构提纲
按章节快速跳转。
AI Gateway 新增功能,确保流量仅路由至批准的提供商。
开发者无法绕过白名单限制,确保集中控制和可审计性。
白名单启用后,新提供商默认禁用,避免无声扩展。
白名单功能兼容多种 API 格式,包括 AI SDK 和 OpenAI API。
- ·配置方法
通过 AI Gateway 设置页面启用白名单功能并管理提供商列表。
思维导图
用一张图看清主题之间的关系。
查看大纲文本(无障碍 / 无 JS 友好)
- 团队级提供商白名单
金句 / Highlights
值得收藏与分享的关键句。
开发者无法绕过白名单限制,确保集中控制和可审计性。
白名单启用后,新提供商默认禁用,避免无声扩展。
支持多种 API 格式,包括 AI SDK、OpenAI Chat Completions API 和 Anthropic Messages API。
2 min read
May 28, 2026
AI Gateway now supports a team-wide provider allowlist. Teams can restrict which providers can serve requests, so traffic only routes to approved providers. The allowlist applies to every request through AI Gateway, including Bring Your Own Key (BYOK) traffic.
Regulated teams typically vet AI providers across multiple dimensions with security and legal sign-off, ending up with a vendor set that reflects the specific requirements of their org. The allowlist turns that approved-vendor list into a routing guarantee:
- Enforcement happens at the gateway level, not at the request level. A developer on the team cannot route traffic to a provider the org hasn't approved.
- This restriction also applies to coding agents. Even if an agent omits or modifies request-level provider filters, AI Gateway still blocks unapproved providers.
- Only team owners can modify the provider allowlist, keeping control centralized and auditable.
- New providers are disabled by default once the allowlist is on, so the approved set doesn't silently expand when AI Gateway integrates a new vendor.
[Link to heading](https://vercel.com/changelog/team-wide-provider-allowlist-on-ai-gateway#how-to-configure)How to configure
Toggle on Provider Allowlist in the AI Gateway **Settings** tab. All current providers are allowed by default, so existing traffic is unaffected. Disable any providers your team shouldn't use.
The allowlist filters by provider, not by model. AI Gateway falls back to other allowed providers for the same model if the initial provider fails. The allowlist also functions as an and with other restrictions applied to the team, like Zero Data Retention (ZDR) or request-level filtering.
For example, if a team has disabled DeepSeek in their allowlist and a request pins routing to only the DeepSeek provider:
import { streamText } from 'ai';const result = streamText({ model: 'deepseek/deepseek-v4-pro', prompt, providerOptions: { gateway: { only: ['deepseek'], }, },});
Removes all routing options except for the DeepSeek provider
Since DeepSeek is not in the allowlist, AI Gateway rejects the request.
{ "error": { "type": "no_providers_available", "message": "Your team has restricted access to this provider. Contact the owner of the account for more details. Providers considered: deepseek" }}
Error when accessing provider that is not in the allowlist
Provider Allowlist works across every API format supported by AI Gateway, including AI SDK, OpenAI Chat Completions API, and Anthropic Messages API.
Read the provider allowlist documentation for more information. For other account-level security and compliance functionality, check the Zero Data Retention and Disallow Prompt Training documentation.