Keyless, Identity-Aware Access to Any AI

NetBird replaces long-lived AI API keys with network-layer access tied to groups in your identity provider. Verified identity flows into LiteLLM, Cloudflare, and other gateways for audit, cost attribution, and policy enforcement.

Source: Hacker News AI · Author: braginini

Agent Network

Reachability

Tunnel-only access.

NetBird wraps your AI gateway in a private WireGuard network with no public ingress — reachable only through policy-gated encrypted tunnels tied to your OIDC IdP (Okta, Entra, Google). Drop a user from the group or disable their policy, and access drops within seconds.

[Diagram: Engineering (384 Users), Marketing (66 Users), Agents (192 Agents) → NetBird Proxy (https://ai.netbird) → LiteLLM (AI Gateway)]

Identity

No shared API keys.

Every request carries the real caller's identity — email or agent name plus IdP group memberships — stamped by NetBird as headers for LiteLLM, Cloudflare, or any gateway. Audit logs name real people, costs attribute to the right team, and per-group limits enforce themselves, all driven by your IdP instead of a static API key.

Claude Code configuration (~/.zshrc), diff:

−export ANTHROPIC_API_KEY="sk-ant-9xK4mP2nQ7rZ..."

−export ANTHROPIC_BASE_URL="https://api.anthropic.com"

+export ANTHROPIC_BASE_URL="https://ai.netbird"
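
Review bot: the removed ANTHROPIC_API_KEY export (first line of the hunk) only takes the key out of ~/.zshrc; the key itself stays valid at the provider and stays set in any shell that already sourced the file. Pair this change with revoking that key and running unset ANTHROPIC_API_KEY in open sessions (or starting new ones), so that the stale credential cannot still be used directly against https://api.anthropic.com, outside the https://ai.netbird path.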

No API key in the config. Identity is stamped by the NetBird proxy and forwarded to the gateway as headers or metadata.

Governance

Spend caps, rate limits, full audit.

No gateway, or want spend controls inside NetBird itself? Attach token and dollar caps to any policy, per group or individual. Every request hits the access log with identity, model, tokens, cost, latency, and status — attribute spend, catch runaway agents, and stream it all to your SIEM.

Engineering → Claude Code · Policy

Token Limit: Group: 100k · Individual: 10k · resets every 1d

Budget Limit: Group: $10000 · Individual: $500 · resets every 30d

Access Log

Time · User / Agent · Model · Tokens · Cost · Status

14:32:08 · [email protected] (User) · gpt-5.5 · 1,240 · $0.0124 · 200

14:32:01 · data-extractor (Agent) · claude-opus-4.7 · 8,512 · $0.0851 · 200

14:31:54 · [email protected] (User) · gpt-5.5 · 2,104 · $0.0421 · 200

14:31:47 · crm-sync (Agent) · gpt-5.5 · — · — · 429 (Budget exceeded)

Beyond AI

Universal access plane.

The same overlay that fronts your AI gateway fronts everything else too — databases, internal servers, staging, any private resource. Agents and users connect directly over encrypted peer-to-peer WireGuard tunnels: one identity-aware network across cloud, on-prem, and hybrid, governed by your policies.

[Diagram: Engineering (384 Users), Agents (192 Agents), Marketing (66 Users) connected to Database (Postgres) and CRM (Internal)]

Set up your Agent Network in under 10 minutes.