Keyless,
Identity-Aware Access
to Any AI.
NetBird replaces long-lived AI API keys with network-layer access tied to your identity provider, so teams reach any LLM provider or gateway with full auditability, cost control, and policy enforcement.
Tunnel-only access.
NetBird wraps your AI gateway in a private WireGuard network with no public ingress — reachable only through policy-gated encrypted tunnels tied to your OIDC IdP (Okta, Entra, Google). Drop a user from the group or disable their policy, and access drops within seconds.
Learn moreNo shared API keys.
Every request carries the real caller's identity — email or agent name plus IdP group memberships — stamped by NetBird as headers for LiteLLM, Cloudflare, or any gateway. Audit logs name real people, costs attribute to the right team, and per-group limits enforce themselves, all driven by your IdP instead of a static API key.
Spend caps, rate limits, full audit.
No gateway, or want spend controls inside NetBird itself? Attach token and dollar caps to any policy, per group or individual. Every request hits the access log with identity, model, tokens, cost, latency, and status — attribute spend, catch runaway agents, and stream it all to your SIEM.
Universal access plane.
The same overlay that fronts your AI gateway fronts everything else too — databases, internal servers, staging, any private resource. Agents and users connect directly over encrypted peer-to-peer WireGuard tunnels: one identity-aware network across cloud, on-prem, and hybrid, governed by your policies.
Learn more