The LLM Gateway provides several layers of authentication to ensure that only authorized users and AI agents can access your commerce capabilities.

Gateway Authentication

This controls who can call the gateway’s tools. It is primarily used when you are hosting your own gateway instance.

API Keys

You can configure a list of valid API keys. The gateway will look for these in the Authorization header.
// The accepted keys are read from the environment rather than hard-coded in source;
// any request whose Authorization header does not carry one of them is rejected.
const gateway = new LLMGateway({
  auth: {
    apiKeys: [process.env.INTERNAL_API_KEY]
  }
});

JWT (JSON Web Tokens)

For web-based integrations, you can use JWTs to authenticate users who are already logged into your storefront.

User Authentication

When an LLM calls a tool like create_order, you often need to know the identity of the end-user.
  1. Anonymous: Most shopping starts anonymously with just a sessionId.
  2. Linked: You can link a sessionId to a specific userId in your system after the user logs in via a secure link.

Merchant Authentication (Multi-vendor)

In a marketplace or hub environment, each merchant might have their own credentials. The gateway handles this via “Backend Credentials” stored securely in your database or managed by the Better Data Cloud.

Signal Tags

For the highest level of security in conversational commerce, the Better Data platform supports Signal Tags. These are authenticated physical or digital tags that provide a “hardware-backed” proof of proximity or ownership, often used for reordering or premium support.

Security Best Practices

  • Rotate Keys: Regularly rotate your gateway API keys.
  • HTTPS Only: Never run the gateway over unencrypted HTTP.
  • Limit Scopes: Only give your AI agents access to the tools they absolutely need; for example, an “Information Agent” likely doesn’t need the delete_order capability.