Reverse-proxy API gateway designed specifically for SaaS application endpoints that incur usage-based LLM costs.

segfaultscribe/dripline

Dripline: Reverse-Proxy Usage Enforcement for SaaS Applications

Dripline is an opinionated reverse-proxy gateway built for SaaS products whose endpoints incur usage-based costs, such as an LLM endpoint. It enforces per-user hard limits before upstream execution, preventing surprise bills and abuse.

It is not a generic API gateway; it is a cost-control layer.

Problem

Endpoints that host services like LLMs can be usage-priced and unpredictable in cost. A single abusive user or integration bug can generate unexpected costs. Traditional gateways optimize for throughput and latency, not deterministic cost enforcement.

Dripline checks each user's configured daily quota before a cost-incurring endpoint is executed, so that no user exceeds it.

Architecture

Dripline runs as a reverse proxy with strict separation between:

Data Plane

  • Authenticates API keys
  • Resolves end-user identity
  • Detects metered endpoints
  • Enforces daily usage limits
  • Proxies requests upstream
  • Records usage analytics

Control Plane

  • Create and revoke end users
  • Issue API keys
  • Inspect per-user usage
  • View system-wide usage summary

Request Lifecycle

  • Request enters the gateway
  • API key resolves to an internal end-user identity
  • Metered endpoint detection
  • Atomic usage check + increment (daily window)
  • If allowed: request is proxied upstream
  • If limit exceeded: 429 is returned before the upstream call

Enforcement happens before LLM execution.

Core Capabilities (MVP)

  • Per-end-user usage attribution
  • Deterministic daily hard limits (UTC window)
  • Atomic DB-backed enforcement
  • Reverse proxy with timeout handling
  • Upstream error attribution
  • Restart-safe persistence
  • Admin control plane

Usage is currently request-based (1 request = 1 unit). Token-based metering is planned.

Key Design Decisions

Reverse Proxy Enforcement

Limits are enforced pre-execution to guarantee cost control.

Fail-Closed Model

If enforcement cannot complete, the request is blocked.

Synchronous Limit Check

Correctness is prioritized over availability.

Internal Identity Model

All enforcement uses internal UUIDs. External IDs are mapped but never trusted for enforcement.

Fixed Daily Windows (MVP)

Chosen for predictability and operational simplicity.
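
The enforcement step from the request lifecycle, combined with the fail-closed and fixed-UTC-window decisions above, as an added example that is not Dripline's own code. `UsageStore`, `MemoryStore`, `utcWindow` and `enforce` are hypothetical names, the in-memory map stands in for the database, and the 503 status for a blocked request is an assumption.

```typescript
// Added example, not Dripline's code; every name here is hypothetical.
type Decision = { status: 200 | 429 | 503; upstreamCalled: boolean };

interface UsageStore {
  // Atomically: grant one unit only if the counter is below `limit`.
  // Returns true when granted; may throw if the store is unavailable.
  tryConsume(userId: string, window: string, limit: number): boolean;
}

// In-memory stand-in for the database (assumption). The check and the
// increment run as one uninterrupted step, so two requests can never both
// take the last unit; a DB-backed store needs the same guarantee.
class MemoryStore implements UsageStore {
  private counts = new Map<string, number>();
  tryConsume(userId: string, window: string, limit: number): boolean {
    const key = `${userId}:${window}`;
    const used = this.counts.get(key) ?? 0;
    if (used >= limit) return false;
    this.counts.set(key, used + 1);
    return true;
  }
}

// Fixed daily window keyed by the UTC calendar date, e.g. "2024-05-01".
function utcWindow(now: Date): string {
  return now.toISOString().slice(0, 10);
}

// `userId` is the internal UUID resolved from the API key, never a
// caller-supplied external ID.
function enforce(store: UsageStore, userId: string, limit: number,
                 now: Date, upstream: () => void): Decision {
  let granted = false; // default deny
  try {
    granted = store.tryConsume(userId, utcWindow(now), limit);
  } catch {
    // Fail closed: enforcement could not complete, so block the request.
    // The 503 status is an assumption; the README only says "blocked".
    return { status: 503, upstreamCalled: false };
  }
  if (!granted) return { status: 429, upstreamCalled: false };
  upstream(); // reached only after the unit has been counted
  return { status: 200, upstreamCalled: true };
}
```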

What This Is Not

  • a generic API manager
  • an enterprise plugin gateway
  • a billing engine
  • a token-parsing middleware (yet)

Tech Stack

Bun · TypeScript · Elysia · SQLite (Postgres-ready)

Development Status

Core enforcement and proxy layer operational.
