Frequently asked questions

RenLayer is an enterprise governance platform for AI agents. It runs as a transparent proxy between your agents and LLM providers, giving security, platform, and finance teams real-time visibility, policy enforcement, data leak prevention, and cost optimization — without changing your application code.

RenLayer is built for enterprises, SMBs, and startups running AI agents in production. Typical users are security engineers, platform and DevOps teams, ML/LLM leads, and finance teams that need to audit, control, and budget agent usage across OpenAI, Anthropic, Google, AWS Bedrock, Azure, and other LLM providers.

Observability tools passively record what your agents do. RenLayer is an inline governance layer: it blocks policy violations, redacts PII, enforces cost caps, and optimizes prompts in real time during the request — not just reports on them afterward. You get observability and enforcement in a single layer.

No. RenLayer does not replace your agent framework. It works alongside LangChain, LlamaIndex, CrewAI, Mastra, the Vercel AI SDK, the OpenAI Agents SDK, and any custom implementation. RenLayer sits between your agents and the LLM API to govern what they send and receive.

Yes. RenLayer ships with a built-in Data Loss Prevention engine that scans every request using 16+ detectors — credit cards, SSNs, email addresses, phone numbers, Stripe keys, AWS access and secret keys, GCP service accounts, GitHub and Slack tokens, private RSA/EC keys, and high-entropy strings — and blocks or redacts sensitive data before it reaches the LLM provider. Custom regex detectors are supported.

Yes. RenLayer inspects agent inputs and outputs in real time, detecting injection patterns, jailbreak attempts, and tool-call anomalies. Suspicious requests are blocked before they reach your models or downstream business services.

It depends on the deployment tier you choose. In fully managed SaaS, request bodies transit the proxy but full payloads are not persisted — only a 512-byte preview and cryptographic hashes. In Hybrid mode, full bodies stay on your infrastructure and only metadata (token counts, costs, policy matches, severity levels) crosses the network to RenLayer over mTLS. In fully on-premises deployments, nothing leaves your VPC.

RenLayer uses a bring-your-own-keys model. Your LLM provider API keys transit through the proxy to the provider (in SaaS mode) or stay entirely on your infrastructure (in Hybrid and on-prem modes). RenLayer API keys are stored as SHA-256 hashes — never plaintext — and support agent scoping, expiry, and revocation.

Point your LLM client at the RenLayer proxy URL and add three headers: X-Target-URL for the upstream provider, X-Agent-ID, and X-Session-ID. There is no SDK to install and no client code to rewrite. Most teams are integrated end-to-end in under 24 hours with guidance from our engineering team.

RenLayer supports OpenAI, Azure OpenAI, Anthropic, Google Vertex AI and Gemini, AWS Bedrock, Cohere, Mistral, and HuggingFace. Because the proxy forwards requests at the HTTP layer rather than wrapping an SDK, new providers can be added without changes on the client side.

Yes. RenLayer is framework-agnostic. Any agent framework that lets you configure the base URL of the LLM API — LangChain, LlamaIndex, CrewAI, Mastra, the Vercel AI SDK, the OpenAI Agents SDK, or a custom client — can route through RenLayer with a base URL change.

Less than 10 milliseconds per request in production deployments. The proxy performs enrichment, logging, and optimization asynchronously after the response is streamed, so clients never wait on governance logic.

Yes. RenLayer offers three deployment models: fully managed SaaS, Hybrid (proxy on your infrastructure, control plane hosted by RenLayer), and fully on-premises (proxy, API, console, and database in your VPC) for air-gapped environments. Signed Docker images, a Helm chart, and Terraform modules for AWS, GCP, and Azure are provided.

RenLayer is fail-open by design. If the proxy is disabled or removed, your agents keep working — they simply stop being governed until it is re-enabled. This lets platform teams roll out RenLayer with zero production risk.

RenLayer applies automatic, lossless request compression — JSON minification, whitespace normalization, and empty-field removal — plus prompt cache optimization. For Anthropic it inserts ephemeral cache_control markers on long system messages; for OpenAI and Azure it reorders messages to maximize prefix cache hits. Each request logs original bytes, optimized bytes, and the savings percentage so you can measure impact per agent and per model.

No. All optimizations are lossless. Compression removes formatting characters and empty fields without altering semantic content, and prompt cache markers only change how the provider caches the request. You can disable any optimization per agent or per request if you want to run A/B comparisons.

Yes. Policies can block, alert, or throttle based on estimated request cost, provider, model, agent ID, or response size. You can set daily and monthly caps to prevent runaway spend from misconfigured agents, and allocate budget per team or per environment.

RenLayer is built to help your AI agents comply with GDPR, CCPA, and the EU AI Act. Built-in features include structured audit trails for every request, data residency in Europe, mTLS 1.3 with per-tenant ECDSA certificates rotated every 90 days, configurable retention, and DLP detectors that block or redact personal and sensitive data before it reaches the LLM provider.

Every request produces a structured JSON log with 60+ fields: execution ID, agent ID, provider, model, input and output token counts, estimated cost, latency breakdown, policy matches, PII findings with severity, anomaly scores, and session context. Logs can be exported to PostgreSQL, OpenTelemetry (Datadog, Grafana, Jaeger, Splunk, New Relic, AWS X-Ray), Prometheus, or via webhooks to SIEM systems.

Log retention is configurable per deployment. In Hybrid and on-premises setups you can match retention to your internal policies. In managed SaaS, retention is set per plan and discussed during onboarding with our team.

Yes. All control-plane traffic uses mTLS 1.3 with mutual authentication using per-tenant ECDSA P-256 certificates rotated every 90 days. Data at rest is encrypted in managed storage, and certificates on disk are stored with 0600 permissions.

Yes. A self-hosted Community edition is free to run. The Scan tier (fully managed SaaS) is free for small volumes. Paid plans start with Team and scale to Enterprise with annual agreements and on-prem options.

RenLayer is priced primarily by governed requests, not by seat. Team plans bundle a monthly request volume with overage pricing; Enterprise plans are annual contracts with usage-based billing, dedicated support, and optional on-premises deployment.

Apply to the RenLayer Design Partner Program. Design partners get free deployment in Shadow Mode (log-only, zero production impact), integration in under 24 hours, direct access to our founders, and early access to every feature we ship.