Infrastructure

Trust-Weighted API Gateway

Dynamic rate limiting and access control that adapts based on agent trust scores. Higher trust equals higher limits. Zero trust equals zero access.

Rate Limit Strategies

Fixed Window

Classic fixed-window rate limiting with trust multiplier.

Sliding Window

Smooth sliding window for consistent rate enforcement.

Token Bucket

Token bucket algorithm allowing controlled bursting.

Trust Weighted

Rate limits dynamically adjusted based on DRD trust score.

Creating Routes

gateway.ts

import { DRD } from '@drd/sdk';

const drd = new DRD({ apiKey: process.env.DRD_API_KEY });

await drd.gateway.createRoute({
  path: '/api/data/query',
  method: 'POST',
  targetService: 'https://data-service.internal',
  rateLimitStrategy: 'trust_weighted',
  trustScoreThreshold: 60,
  config: {
    baseRateLimit: 100,
    trustMultiplier: 2.0,
    burstAllowance: 20,
  },
});

Trust Score Impact

The trust-weighted strategy dynamically adjusts rate limits based on the requesting agent's current DRD trust score.

trust-formula.txt

effective_limit = base_limit * (trust_score / 100) * trust_multiplier

Examples:
  Agent with score 90: 100 * 0.9 * 2.0 = 180 req/min
  Agent with score 50: 100 * 0.5 * 2.0 = 100 req/min
  Agent with score 20: 100 * 0.2 * 2.0 =  40 req/min
  Agent below threshold (60): BLOCKED

Trust Tiers

The gateway maps DRD Trust Scores to four tiers, each with different rate limits, concurrency caps, and endpoint access levels.

Government

Score 90-100

Rate Limit:10,000 req/min

Concurrency:500

Burst:2,000

Priority:Highest - dedicated queue

Access:All endpoints including admin APIs

Gold

Score 75-89

Rate Limit:5,000 req/min

Concurrency:200

Burst:1,000

Priority:High - priority queue

Access:All standard endpoints + federation APIs

Silver

Score 50-74

Rate Limit:1,000 req/min

Concurrency:50

Burst:200

Priority:Normal - shared queue

Access:Standard endpoints only

Bronze

Score 0-49

Rate Limit:100 req/min

Concurrency:10

Burst:20

Priority:Low - throttled queue

Access:Read-only endpoints, no write operations

Dynamic Tier Assignment

Tier assignment updates in real time as trust scores change. If an agent's score drops below a tier boundary mid-request, existing connections are honored but new requests use the lower tier limits.

Gateway Rules

Define custom gateway rules to override default tier behavior for specific endpoints, agent types, or conditions.

drd-gateway.yaml

# drd-gateway.yaml
rules:
  # Allow higher limits for content protection endpoints
  - match:
      path: "/v1/content/protect/*"
      tier: ["gold", "government"]
    action:
      rateLimit: 15000  # Override to 15k req/min
      priority: "highest"

  # Restrict write operations for at-risk agents
  - match:
      method: ["POST", "PUT", "DELETE"]
      trustScore:
        lt: 50
    action:
      deny: true
      message: "Write operations require trust score >= 50"

  # Geo-fencing: block non-EU traffic for GDPR endpoints
  - match:
      path: "/v1/compliance/gdpr/*"
      geo:
        notIn: ["EU"]
    action:
      deny: true
      message: "GDPR endpoints restricted to EU regions"

  # Circuit breaker: rate limit agents with high error rates
  - match:
      errorRate:
        gt: 0.10  # >10% error rate
        window: "5m"
    action:
      rateLimit: 10  # Drastically reduce limit
      alert: true

Rule Evaluation Order

Rules are evaluated top-to-bottom. The first matching rule wins. Place more specific rules before general rules. Deny rules take precedence over allow rules at the same specificity level.

Rate Limit Headers

Every gateway response includes standard rate limit headers so agents can self-throttle.

Header	Description
X-RateLimit-Limit	Maximum requests per minute for current tier
X-RateLimit-Remaining	Requests remaining in current window
X-RateLimit-Reset	Unix timestamp when the window resets
X-DRD-Trust-Tier	Current trust tier (bronze/silver/gold/government)
X-DRD-Trust-Score	Agent's current DRD Trust Score (0-100)
Retry-After	Seconds to wait before retrying (only on 429)

REST API

GET /v1/gateway/config

curl "https://api.drd.io/v1/gateway/config" \
  -H "Authorization: Bearer drd_ws_sk_live_Abc123..."

# Response
{
  "ok": true,
  "data": {
    "tiers": {
      "government": { "minScore": 90, "rateLimit": 10000, "concurrency": 500 },
      "gold": { "minScore": 75, "rateLimit": 5000, "concurrency": 200 },
      "silver": { "minScore": 50, "rateLimit": 1000, "concurrency": 50 },
      "bronze": { "minScore": 0, "rateLimit": 100, "concurrency": 10 }
    },
    "rulesCount": 4,
    "updatedAt": "2026-02-14T12:00:00Z"
  }
}

GET /v1/gateway/stats

curl "https://api.drd.io/v1/gateway/stats?window=1h" \
  -H "Authorization: Bearer drd_ws_sk_live_Abc123..."

# Response
{
  "ok": true,
  "data": {
    "window": "1h",
    "totalRequests": 145230,
    "byTier": {
      "government": { "requests": 52000, "avgLatencyMs": 12, "errorRate": 0.001 },
      "gold": { "requests": 48000, "avgLatencyMs": 18, "errorRate": 0.003 },
      "silver": { "requests": 38000, "avgLatencyMs": 25, "errorRate": 0.008 },
      "bronze": { "requests": 7230, "avgLatencyMs": 45, "errorRate": 0.015 }
    },
    "rateLimited": 342,
    "denied": 18,
    "circuitBroken": 2
  }
}

SDK Example

gateway-sdk.ts

import { DRDClient } from "@drd-io/sdk";

const drd = new DRDClient({
  apiKey: process.env.DRD_API_KEY!,
  workspace: process.env.DRD_WORKSPACE!,
});

// Get current gateway configuration
const config = await drd.gateway.getConfig();
console.log("Tiers:", JSON.stringify(config.tiers, null, 2));

// Update tier thresholds
await drd.gateway.updateTier("gold", {
  minScore: 80,
  rateLimit: 6000,
  concurrency: 250,
});

// Add a custom gateway rule
await drd.gateway.rules.create({
  match: {
    path: "/v1/content/protect/*",
    tier: ["gold", "government"],
  },
  action: {
    rateLimit: 15000,
    priority: "highest",
  },
});

// Get real-time gateway statistics
const stats = await drd.gateway.stats({ window: "1h" });
console.log(`Total requests: ${stats.totalRequests}`);
console.log(`Rate limited: ${stats.rateLimited}`);

Next Steps

Monitoring

Monitor gateway traffic

Learn more →

DRD Score

Understand trust scoring

Learn more →

Agent Sandbox

Isolate gateway access

Learn more →

Webhooks

Subscribe to gateway events for real-time updates

Learn more →

Infrastructure

Trust-Weighted API Gateway

Dynamic rate limiting and access control that adapts based on agent trust scores. Higher trust equals higher limits. Zero trust equals zero access.

Rate Limit Strategies

Fixed Window

Classic fixed-window rate limiting with trust multiplier.

Sliding Window

Smooth sliding window for consistent rate enforcement.

Token Bucket

Token bucket algorithm allowing controlled bursting.

Trust Weighted

Rate limits dynamically adjusted based on DRD trust score.

Creating Routes

gateway.ts

import { DRD } from '@drd/sdk';

const drd = new DRD({ apiKey: process.env.DRD_API_KEY });

await drd.gateway.createRoute({
  path: '/api/data/query',
  method: 'POST',
  targetService: 'https://data-service.internal',
  rateLimitStrategy: 'trust_weighted',
  trustScoreThreshold: 60,
  config: {
    baseRateLimit: 100,
    trustMultiplier: 2.0,
    burstAllowance: 20,
  },
});

Trust Score Impact

The trust-weighted strategy dynamically adjusts rate limits based on the requesting agent's current DRD trust score.

trust-formula.txt

effective_limit = base_limit * (trust_score / 100) * trust_multiplier

Examples:
  Agent with score 90: 100 * 0.9 * 2.0 = 180 req/min
  Agent with score 50: 100 * 0.5 * 2.0 = 100 req/min
  Agent with score 20: 100 * 0.2 * 2.0 =  40 req/min
  Agent below threshold (60): BLOCKED

Trust Tiers

The gateway maps DRD Trust Scores to four tiers, each with different rate limits, concurrency caps, and endpoint access levels.

Government

Score 90-100

Rate Limit:10,000 req/min

Concurrency:500

Burst:2,000

Priority:Highest - dedicated queue

Access:All endpoints including admin APIs

Gold

Score 75-89

Rate Limit:5,000 req/min

Concurrency:200

Burst:1,000

Priority:High - priority queue

Access:All standard endpoints + federation APIs

Silver

Score 50-74

Rate Limit:1,000 req/min

Concurrency:50

Burst:200

Priority:Normal - shared queue

Access:Standard endpoints only

Bronze

Score 0-49

Rate Limit:100 req/min

Concurrency:10

Burst:20

Priority:Low - throttled queue

Access:Read-only endpoints, no write operations

Dynamic Tier Assignment

Tier assignment updates in real time as trust scores change. If an agent's score drops below a tier boundary mid-request, existing connections are honored but new requests use the lower tier limits.

Gateway Rules

Define custom gateway rules to override default tier behavior for specific endpoints, agent types, or conditions.

drd-gateway.yaml

# drd-gateway.yaml
rules:
  # Allow higher limits for content protection endpoints
  - match:
      path: "/v1/content/protect/*"
      tier: ["gold", "government"]
    action:
      rateLimit: 15000  # Override to 15k req/min
      priority: "highest"

  # Restrict write operations for at-risk agents
  - match:
      method: ["POST", "PUT", "DELETE"]
      trustScore:
        lt: 50
    action:
      deny: true
      message: "Write operations require trust score >= 50"

  # Geo-fencing: block non-EU traffic for GDPR endpoints
  - match:
      path: "/v1/compliance/gdpr/*"
      geo:
        notIn: ["EU"]
    action:
      deny: true
      message: "GDPR endpoints restricted to EU regions"

  # Circuit breaker: rate limit agents with high error rates
  - match:
      errorRate:
        gt: 0.10  # >10% error rate
        window: "5m"
    action:
      rateLimit: 10  # Drastically reduce limit
      alert: true

Rule Evaluation Order

Rules are evaluated top-to-bottom. The first matching rule wins. Place more specific rules before general rules. Deny rules take precedence over allow rules at the same specificity level.

Rate Limit Headers

Every gateway response includes standard rate limit headers so agents can self-throttle.

Header	Description
X-RateLimit-Limit	Maximum requests per minute for current tier
X-RateLimit-Remaining	Requests remaining in current window
X-RateLimit-Reset	Unix timestamp when the window resets
X-DRD-Trust-Tier	Current trust tier (bronze/silver/gold/government)
X-DRD-Trust-Score	Agent's current DRD Trust Score (0-100)
Retry-After	Seconds to wait before retrying (only on 429)

REST API

GET /v1/gateway/config

curl "https://api.drd.io/v1/gateway/config" \
  -H "Authorization: Bearer drd_ws_sk_live_Abc123..."

# Response
{
  "ok": true,
  "data": {
    "tiers": {
      "government": { "minScore": 90, "rateLimit": 10000, "concurrency": 500 },
      "gold": { "minScore": 75, "rateLimit": 5000, "concurrency": 200 },
      "silver": { "minScore": 50, "rateLimit": 1000, "concurrency": 50 },
      "bronze": { "minScore": 0, "rateLimit": 100, "concurrency": 10 }
    },
    "rulesCount": 4,
    "updatedAt": "2026-02-14T12:00:00Z"
  }
}

GET /v1/gateway/stats

curl "https://api.drd.io/v1/gateway/stats?window=1h" \
  -H "Authorization: Bearer drd_ws_sk_live_Abc123..."

# Response
{
  "ok": true,
  "data": {
    "window": "1h",
    "totalRequests": 145230,
    "byTier": {
      "government": { "requests": 52000, "avgLatencyMs": 12, "errorRate": 0.001 },
      "gold": { "requests": 48000, "avgLatencyMs": 18, "errorRate": 0.003 },
      "silver": { "requests": 38000, "avgLatencyMs": 25, "errorRate": 0.008 },
      "bronze": { "requests": 7230, "avgLatencyMs": 45, "errorRate": 0.015 }
    },
    "rateLimited": 342,
    "denied": 18,
    "circuitBroken": 2
  }
}

SDK Example

gateway-sdk.ts

import { DRDClient } from "@drd-io/sdk";

const drd = new DRDClient({
  apiKey: process.env.DRD_API_KEY!,
  workspace: process.env.DRD_WORKSPACE!,
});

// Get current gateway configuration
const config = await drd.gateway.getConfig();
console.log("Tiers:", JSON.stringify(config.tiers, null, 2));

// Update tier thresholds
await drd.gateway.updateTier("gold", {
  minScore: 80,
  rateLimit: 6000,
  concurrency: 250,
});

// Add a custom gateway rule
await drd.gateway.rules.create({
  match: {
    path: "/v1/content/protect/*",
    tier: ["gold", "government"],
  },
  action: {
    rateLimit: 15000,
    priority: "highest",
  },
});

// Get real-time gateway statistics
const stats = await drd.gateway.stats({ window: "1h" });
console.log(`Total requests: ${stats.totalRequests}`);
console.log(`Rate limited: ${stats.rateLimited}`);

Next Steps

Monitoring

Monitor gateway traffic

Learn more →

DRD Score

Understand trust scoring

Learn more →

Agent Sandbox

Isolate gateway access

Learn more →

Webhooks

Subscribe to gateway events for real-time updates

Learn more →