Skip to documentation

Gateway contract · 0.1.0-draft

Tensor Cortex Gateway API reference

An OpenAI-compatible request surface for policy-governed chat, documented independently from where—or whether—a public service is available.

Access: approved deployment only

Source reviewed:

Availability boundary

This page documents the reviewed Gateway interface for deployment-scoped pilots and private-alpha environments. It does not announce a public production endpoint, self-service API keys, or general availability. Do not send requests to api.tensor.cx or any example hostname unless an approved deployment explicitly provides that base URL.

Base URL and authentication

Every request uses the installation-specific HTTPS base URL and a scoped, revocable Tensor Cortex service-account key. The key resolves one application and its allowed logical profiles before the Gateway reads product data or calls a provider.

TC_API_BASE_URL=https://ai.company.example
TC_API_KEY=<deployment-issued-scoped-key>

Example-domain rule: ai.company.example is reserved for documentation. It is not a Tensor Cortex service and will not execute the request.

Endpoints

Gateway API endpoints and their contracts
Method Path Contract
GET /v1/models Lists only logical profiles authorized for the authenticated caller.
POST /v1/chat/completions Executes non-streaming JSON or SSE streaming chat through one authorized logical profile.

Chat-completions request

The model field is a logical Tensor Cortex profile such as automatic, private, or coding. It is not a physical provider model ID. Physical provider, deployment, and credential selection remain behind the policy and routing boundary.

curl "$TC_API_BASE_URL/v1/chat/completions" \
  -H "Authorization: Bearer $TC_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "automatic",
    "messages": [
      {"role": "user", "content": "Summarize this incident."}
    ],
    "stream": false
  }'

Request fields

Chat-completions request fields and constraints
Field Required Boundary
model Yes Authorized logical profile; 1–64 lowercase letters, numbers, dots, underscores, or hyphens.
messages Yes At least one system, developer, user, assistant, or tool message within deployment limits.
stream No Defaults to false; true returns SSE when policy permits streaming.
stream_options.include_usage No Requests an optional final usage chunk for a stream.
tools and tool_choice No Supports function-tool definitions and normalized tool-call messages within the published adapter contract.
n No Only 1 is accepted; the current contract returns one canonical choice.
store No When present, must be false; a caller cannot enable provider-side storage.

Unknown fields and unsupported values fail before provider execution. A caller may provide trusted metadata headers only when its key has the corresponding scope; caller-supplied application, data-class, request-group, or end-user values never grant authorization or weaken policy.

Response contract

A successful non-streaming response uses the OpenAI-compatible chat-completion envelope. The returned model remains the logical profile; the physical provider and deployment are not exposed on this surface.

{
  "id": "chatcmpl_tc_example",
  "object": "chat.completion",
  "created": 1784246400,
  "model": "automatic",
  "choices": [
    {
      "index": 0,
      "message": {"role": "assistant", "content": "..."},
      "finish_reason": "stop"
    }
  ]
}

Response metadata

Gateway response metadata headers
Header Meaning
X-TC-Request-ID Safe request identifier for support and audit correlation.
X-TC-Profile Logical profile used for the request.
X-TC-Route-Class Simplified security boundary such as private, approved_cloud, or restricted.
X-TC-Fallback Whether a compliant fallback was selected before client-visible streaming began.
RateLimit-* The most restrictive applicable request limit, remaining count, and reset interval.

Safe error behavior

Gateway HTTP error statuses and meanings
Status Meaning
400Invalid request shape or parameter.
401Missing, invalid, expired, or revoked service-account key.
403Policy denied the request or no compliant deployment is allowed.
404The logical profile is unknown, disabled, or not visible to the caller.
413Request body, context, or configured input limit exceeded.
422Capability or token requirements cannot be satisfied.
429An applicable user, team, application, or service-account limit was exceeded.
503No valid publication, compliant deployment, or required fail-closed dependency is available.
504No compliant provider completed within the allowed timeout budget.

Error bodies use an OpenAI-compatible error envelope and carry the same request ID. Safe messages exclude prompt content, provider response bodies, credentials, candidate names, and physical model identity.

Compatibility limits

  • The committed contract covers GET /v1/models and POST /v1/chat/completions; it is not a claim of full OpenAI API endpoint or extension parity.
  • Text chat, streaming, function tools, tool calls, normalized finish reasons, and optional streaming usage are in scope. Provider-specific extensions and uncommon multimodal parts require explicit compatibility evidence.
  • Fallback is permitted only inside the same policy-approved candidate set and never after the first client-visible streaming event.
  • When effective policy requires durable audit before delivery or encrypted content capture, streaming fails before provider execution and the client must retry with stream=false. The safe error code is streaming_requires_durable_audit.
  • Gateway responses are not cached. A repeated request performs a new policy, route, and provider execution.

Privacy and execution boundary

Gateway prompts and responses are not durably stored by default and are not response-cached. Metadata-only audit records identity and resource references, profile and policy versions, data class, route and fallback decisions, token counts, latency, health, and estimated cost—not prompt or response bodies.

An approved deployment controls provider credentials and egress. Prompt content is sent only after authentication, classification, policy enforcement, and route approval. Provider terms, retention, training, region, and subprocessor status remain deployment-specific facts; a provider brand alone does not establish them.

Need an installation-specific base URL?

Discuss the exact deployment, identity, provider, and compatibility boundary in a reviewed pilot.

Request a pilot