Drop-in OpenAI redirect
Govern every OpenAI call without changing application code.
The single highest-leverage integration in Trinitite. You change one environment variable. Every call your application makes to OpenAI now routes through a Guardian, returns governed output (with already-applied JSON Patches if it was corrected), and writes a Glass Box Ledger receipt.
Prerequisites
- A Trinitite API key (
tk_test_…ortk_live_…). - A vaulted provider credential — see Provider Credentials. The Guardian uses your vaulted OpenAI key to make the upstream call; your application never holds the upstream secret.
export TRINITITE_API_KEY="tk_test_••••••"
export TRINITITE_PROVIDER_CRED="cred_openai_prod"
The change
- OPENAI_BASE_URL=https://api.openai.com/v1
+ OPENAI_BASE_URL=https://api.trinitite.ai/v1/proxy
- OPENAI_API_KEY=sk-••••••
+ OPENAI_API_KEY=$TRINITITE_API_KEY
That's it. Restart your application; every call now goes through the Guardian.
Optional headers
| Header | Purpose |
|---|---|
X-Trinitite-Credential-Id | Pin a specific vaulted provider credential (default: tenant default). |
X-Trinitite-Guardian | Pin a specific Guardian (default: tenant default for the route). |
X-Trinitite-NHI | Attribute the call to a specific Non-Human Identity (recommended). |
X-Trinitite-Idempotency-Key | Make retries safe (deduplicate within 24h). |
curl https://api.trinitite.ai/v1/proxy/chat/completions \
-H "Authorization: Bearer $TRINITITE_API_KEY" \
-H "X-Trinitite-Credential-Id: $TRINITITE_PROVIDER_CRED" \
-H "X-Trinitite-Guardian: pii-redactor" \
-H "X-Trinitite-NHI: nhi_billing_assistant" \
-H "Content-Type: application/json" \
-d '{
"model": "gpt-4o",
"messages": [
{"role": "user", "content": "Summarize the pinned customer record."}
]
}'
What you get back
For most calls, exactly the OpenAI response shape you'd expect. For a corrected call, the Guardian transparently applies its patches before the response leaves the proxy. For a blocked call, you get a 403 with a structured Trinitite error envelope.
// blocked example
{
"error": {
"code": "guardian_blocked",
"guardian": "pii-redactor",
"reason": "Output contained an unredactable secret pattern.",
"ledger_id": "lg_01HZ2N6T...",
"documentation_url": "https://trinitite.ai/docs/faq#errors"
}
}
Verify the receipt
curl "$TRINITITE_BASE/v1/logs/lg_01HZ2N6T..." \
-H "Authorization: Bearer $TRINITITE_API_KEY"
Returns the full Glass Box Ledger receipt — input hash, policy hash, outcome, corrections (if any), governance hash, and the Merkle proof anchor.
What's next
→ Cookbook: Govern an MCP tool call — the next layer of governance for agentic apps.
→ Migration: from OpenAI Moderation API — side-by-side cutover.
→ Trust Center — how vaulted credentials are stored.