NetBird Agent Network - Keyless, Identity-Aware Access for AI Gateways
Agent Network<br>Keyless,<br>Identity-Aware Access<br>to Any AI.<br>NetBird replaces long-lived AI API keys with network-layer access tied to groups in your identity provider. Verified identity flows into LiteLLM, Cloudflare, and other gateways for audit, cost attribution, and policy enforcement.<br>Deploy NetBirdRequest a demo
Engineering<br>384 Users
Policy
LiteLLM<br>AI Gateway
Scroll
Reachability<br>Tunnel-only access.<br>NetBird wraps your AI gateway in a private WireGuard network with no public ingress — reachable only through policy-gated encrypted tunnels tied to your OIDC IdP (Okta, Entra, Google). Drop a user from the group or disable their policy, and access drops within seconds.
Revoke Access<br>Revoke Access
Engineering<br>384 Users
Marketing<br>66 Users
Agents<br>192 Agents
NetBird Proxy<br>https://ai.netbird
LiteLLM<br>AI Gateway
Identity<br>No shared API keys.<br>Every request carries the real caller's identity — email or agent name plus IdP group memberships — stamped by NetBird as headers for LiteLLM, Cloudflare, or any gateway. Audit logs name real people, costs attribute to the right team, and per-group limits enforce themselves, all driven by your IdP instead of a static API key.
~/.zshrc<br>diff<br># Claude Code configuration<br>−export ANTHROPIC_API_KEY="sk-ant-9xK4mP2nQ7rZ..."<br>−export ANTHROPIC_BASE_URL="https://api.anthropic.com"<br>+export ANTHROPIC_BASE_URL="https://ai.netbird"
No API key in the config. Identity is stamped by the NetBird proxy and forwarded to the gateway as headers or metadata.
Governance<br>Spend caps, rate limits, full audit.<br>No gateway, or want spend controls inside NetBird itself? Attach token and dollar caps to any policy, per group or individual. Every request hits the access log with identity, model, tokens, cost, latency, and status — attribute spend, catch runaway agents, and stream it all to your SIEM.
Engineering → Claude Code· Policy
Token Limit<br>Group: 100k · Individual: 10k · resets every 1d
Budget Limit<br>Group: $10000 · Individual: $500 · resets every 30d
Access LogStatus<br>Time<br>User / Agent<br>Model<br>Tokens<br>Cost<br>Status
14:32:08<br>sarah.chen@acme.io<br>User
gpt-5.5<br>1,240<br>$0.0124<br>200
sarah.chen@acme.io<br>User · 14:32:08
200
gpt-5.5<br>1,240 · $0.0124
14:32:01<br>data-extractor<br>Agent
claude-opus-4.7<br>8,512<br>$0.0851<br>200
data-extractor<br>Agent · 14:32:01
200
claude-opus-4.7<br>8,512 · $0.0851
14:31:54<br>marcus.lee@acme.io<br>User
gpt-5.5<br>2,104<br>$0.0421<br>200
marcus.lee@acme.io<br>User · 14:31:54
200
gpt-5.5<br>2,104 · $0.0421
14:31:47<br>crm-sync<br>Agent
gpt-5.5<br>429<br>↳ Budget exceeded
crm-sync<br>Agent · 14:31:47
429
gpt-5.5<br>— · —
↳ Budget exceeded
Beyond AI<br>Universal access plane.<br>The same overlay that fronts your AI gateway fronts everything else too — databases, internal servers, staging, any private resource. Agents and users connect directly over encrypted peer-to-peer WireGuard tunnels: one identity-aware network across cloud, on-prem, and hybrid, governed by your policies.
Engineering<br>384 Users
Agents<br>192 Agents
Marketing<br>66 Users
Database<br>Postgres
CRM<br>Internal
Engineering<br>384 Users
Agents<br>192 Agents
Marketing<br>66 Users
Database<br>Postgres
CRM<br>Internal
Set up your Agent Network in under 10 minutes.<br>Get Started Free