Skip to main content
This guide will help you implement enterprise-grade security, observability, and governance for OpenWebUI using Portkey. While OpenWebUI supports various provider plugins, Portkey provides a unified interface for all your LLM providers, offering comprehensive features for model management, cost tracking, observability, and metadata logging. For IT administrators deploying centralized instances of OpenWebUI, Portkey enables essential enterprise features including usage tracking, access controls, and budget management. Let’s walk through implementing these features step by step.

Understanding the Implementation

When implementing Portkey with OpenWebUI in your organization, we’ll follow these key steps:
  1. Basic OpenWebUI integration with Portkey
  2. Setting up organizational governance using Virtual Keys and Configs
  3. Managing user access and permissions
If you’re an individual user just looking to use Portkey with OpenWebUI, you only need to complete Steps 1 and 2 to get started.

Official Portkey Manifold Pipe

We now ship an officially supported OpenWebUI pipe that encapsulates Portkey best practices out of the box. Copy it directly from the expandable snippet below or grab the raw file with one click.
portkey_manifold_pipe.py

1. Install the Portkey Manifold Pipe

Set up the official pipe once and OpenWebUI will immediately surface Portkey as a selectable provider.
  1. Download portkey_manifold_pipe.py or copy it from the accordion above.
  2. Drop the file into your OpenWebUI pipes/ directory (for Docker installs this is typically /app/backend/data/pipes/).
  3. Restart OpenWebUI so the new pipe is registered.
  4. In the OpenWebUI interface, open the Pipe dropdown and choose PORTKEY.

2. Configure Your Pipe Valves

Open the Valves panel for the PORTKEY pipe to align it with your Portkey workspace.

Portkey API Key

  • PORTKEY_API_KEY (required): Generate an API key from the Portkey dashboard and paste it here. The pipe uses it as a Bearer token for every request.
  • PORTKEY_API_BASE_URL (optional): Leave the default https://api.portkey.ai/v1 unless you are routing through a self-hosted or region-specific Portkey deployment.

Model Discovery & Curation

  • AUTO_DISCOVER_MODELS: When enabled, the pipe calls GET {BASE_URL}/models and auto-populates the OpenWebUI dropdown with every model your workspace can access.
  • PORTKEY_MODELS: Provide a comma-separated list such as @openai/gpt-4o-mini, @anthropic/claude-3-5-sonnet to spotlight specific models or supplement the auto-discovered list.

Metadata & Compliance Controls

  • FORWARD_USER_INFO_HEADERS: Forward the standard X-OpenWebUI-User-* headers to Portkey for downstream audit trails.
  • SEND_METADATA_HEADER: Keep this enabled to emit structured x-portkey-metadata headers containing name, id, email, role, and chat_id whenever OpenWebUI shares that context.

Streaming & Networking

  • STREAM_FORMAT: Choose how you want streamed responses returned to OpenWebUI. auto intelligently normalizes SSE payloads, jsonl emits plain JSON per line, and sse forwards raw data: lines unchanged.
  • REQUEST_TIMEOUT_SECS, RETRIES_NON_STREAM, RETRY_BACKOFF_FACTOR: Increase these for long-running, non-streaming requests or stricter resiliency policies. Retries only apply to non-streamed calls.

Bring Your Portkey Governance

  • Virtual Keys: Create dedicated keys in the Virtual Keys dashboard to enforce budget limits, rate limits, and provider-level segmentation. Pair each department or environment with its own key.
  • Configs (optional): Reference reusable configs that bundle advanced routing, fallbacks, and retry logic. Here is a simple template that adds five retry attempts on server errors:
Store configs in Portkey’s Config Library and reference them inside valve metadata or the request payload to unlock advanced orchestration. Explore more patterns in the Configs documentation.

3. How the Pipe Works

  • Model IDs: OpenWebUI prefixes model IDs with the pipe filename. The pipe automatically cleans this up before sending requests to Portkey.
  • Routing: Every chat request is proxied to POST {PORTKEY_API_BASE_URL}/chat/completions with streaming enabled by default. Add "stream": false to fall back to buffered responses (the pipe will honour retry policies for non-streaming calls).
  • User Context: When enabled, OpenWebUI user attributes flow through as headers and structured metadata so you can filter logs, attribute spend, and enforce policy in Portkey.
  • Resilience: Non-stream requests reuse a retry-enabled session with exponential backoff for status codes such as 429, 500, or 503.

Example Workflow

  1. Paste your Portkey API key into the valve panel and toggle any metadata headers you need.
  2. Let the pipe auto-discover models or manually curate the dropdown with PORTKEY_MODELS.
  3. Select a model, start chatting, and monitor the live traffic inside Portkey’s dashboards.
For deeper usage patterns—including multi-tenant governance—continue with the sections below.

4. Set Up Enterprise Governance for OpenWebUI

Why Enterprise Governance? If you are using OpenWeb UI inside your orgnaization, you need to consider several governance aspects:
  • Cost Management: Controlling and tracking AI spending across teams
  • Access Control: Managing which teams can use specific models
  • Usage Analytics: Understanding how AI is being used across the organization
  • Security & Compliance: Maintaining enterprise security standards
  • Reliability: Ensuring consistent service across all users
Portkey adds a comprehensive governance layer to address these enterprise needs. Let’s implement these controls step by step. Enterprise Implementation Guide

Step 1: Implement Budget Controls & Rate Limits

Virtual Keys enable granular control over LLM access at the team/department level. This helps you:
  • Set up budget limits
  • Prevent unexpected usage spikes using Rate limits
  • Track departmental spending

Setting Up Department-Specific Controls:

  1. Navigate to Virtual Keys in Portkey dashboard
  2. Create new Virtual Key for each department with budget limits and rate limits
  3. Configure department-specific limits

Step 2: Define Model Access Rules

As your AI usage scales, controlling which teams can access specific models becomes crucial. Portkey Configs provide this control layer with features like:

Access Control Features:

  • Model Restrictions: Limit access to specific models
  • Data Protection: Implement guardrails for sensitive data
  • Reliability Controls: Add fallbacks and retry logic

Example Configuration:

Here’s a basic configuration to route requests to OpenAI, specifically using GPT-4o:
Create your config on the Configs page in your Portkey dashboard. You’ll need the config ID for connecting to OpenWeb UI’s setup.
Configs can be updated anytime to adjust controls without affecting running applications.

Step 3: Implement Access Controls

Create User-specific API keys that automatically:
  • Track usage per user/team with the help of virtual keys
  • Apply appropriate configs to route requests
  • Collect relevant metadata to filter logs
  • Enforce access permissions
Create API keys through:Example using Python SDK:
For detailed key management instructions, see our API Keys documentation.

Step 4: Deploy & Monitor

After distributing API keys to your team members, your enterprise-ready OpenWeb UI setup is ready to go. Each team member can now use their designated API keys with appropriate access levels and budget controls. Apply your governance setup using the integration steps from earlier sections Monitor usage in Portkey dashboard:
  • Cost tracking by department
  • Model usage patterns
  • Request volumes
  • Error rates

Enterprise Features Now Available

OpenWeb UI now has:
  • Departmental budget controls
  • Model access governance
  • Usage tracking & attribution
  • Security guardrails
  • Reliability features

Portkey Features

Now that you have enterprise-grade Zed setup, let’s explore the comprehensive features Portkey provides to ensure secure, efficient, and cost-effective AI operations.

1. Comprehensive Metrics

Using Portkey you can track 40+ key metrics including cost, token usage, response time, and performance across all your LLM providers in real time. You can also filter these metrics based on custom metadata that you can set in your configs. Learn more about metadata here.

2. Advanced Logs

Portkey’s logging dashboard provides detailed logs for every request made to your LLMs. These logs include:
  • Complete request and response tracking
  • Metadata tags for filtering
  • Cost attribution and much more…

3. Unified Access to 1600+ LLMs

You can easily switch between 1600+ LLMs. Call various LLMs such as Anthropic, Gemini, Mistral, Azure OpenAI, Google Vertex AI, AWS Bedrock, and many more by simply changing the virtual key in your default config object.

4. Advanced Metadata Tracking

Using Portkey, you can add custom metadata to your LLM requests for detailed tracking and analytics. Use metadata tags to filter logs, track usage, and attribute costs across departments and teams.

Custom Metata

5. Enterprise Access Management

Budget Controls

Set and manage spending limits across teams and departments. Control costs with granular budget limits and usage tracking.

Single Sign-On (SSO)

Enterprise-grade SSO integration with support for SAML 2.0, Okta, Azure AD, and custom providers for secure authentication.

Organization Management

Hierarchical organization structure with workspaces, teams, and role-based access control for enterprise-scale deployments.

Access Rules & Audit Logs

Comprehensive access control rules and detailed audit logging for security compliance and usage tracking.

6. Reliability Features

Fallbacks

Automatically switch to backup targets if the primary target fails.

Conditional Routing

Route requests to different targets based on specified conditions.

Load Balancing

Distribute requests across multiple targets based on defined weights.

Caching

Enable caching of responses to improve performance and reduce costs.

Smart Retries

Automatic retry handling with exponential backoff for failed requests

Budget Limits

Set and manage budget limits across teams and departments. Control costs with granular budget limits and usage tracking.

7. Advanced Guardrails

Protect your Project’s data and enhance reliability with real-time checks on LLM inputs and outputs. Leverage guardrails to:
  • Prevent sensitive data leaks
  • Enforce compliance with organizational policies
  • PII detection and masking
  • Content filtering
  • Custom security rules
  • Data compliance checks

Guardrails

Implement real-time protection for your LLM interactions with automatic detection and filtering of sensitive content, PII, and custom security rules. Enable comprehensive data protection while maintaining compliance with organizational policies.

FAQs

You can update your Virtual Key limits at any time from the Portkey dashboard:1. Go to Virtual Keys section2. Click on the Virtual Key you want to modify3. Update the budget or rate limits4. Save your changes
Yes! You can create multiple Virtual Keys (one for each provider) and attach them to a single config. This config can then be connected to your API key, allowing you to use multiple providers through a single API key.
Portkey provides several ways to track team costs:
  • Create separate Virtual Keys for each team
  • Use metadata tags in your configs
  • Set up team-specific API keys
  • Monitor usage in the analytics dashboard
When a team reaches their budget limit:
  1. Further requests will be blocked
  2. Team admins receive notifications
  3. Usage statistics remain available in dashboard
  4. Limits can be adjusted if needed

Next Steps

Join our Community
For enterprise support and custom features, contact our enterprise team.
Last modified on April 8, 2026