governance block lets you seed all governance resources directly in config.json. On startup, Bifrost loads these into the configuration store. This is the recommended approach for GitOps workflows where governance state is managed as code.
In default split mode, file-backed governance resources seed or update the DB by hash while unrelated DB-only resources are preserved. With
source_of_truth: "config.json", only governance sub-sections that are explicitly present in the file are authoritative. Omit a sub-section to leave DB-managed rows alone; set it to an empty array only when you intend to remove stored rows for that sub-section. See Source of Truth & Reconciliation.Governance enforcement is always active in OSS - you do not need a plugin entry to enable it. To require a virtual key on every inference request, set
client.enforce_auth_on_inference: true. This is the global default, but a more specific inference-auth flag such as governance.auth_config.disable_auth_on_inference overrides it; if no specific override is set, client.enforce_auth_on_inference applies.Admin Authentication
Protect the Bifrost dashboard and management API with username/password auth:Virtual Keys
Virtual keys are issued to clients and act as scoped API tokens. Each key specifies which providers, models, and API keys the bearer is allowed to use.Virtual Key Fields
Provider Config Fields
Budgets
Budgets cap cumulative spend (in USD) for a virtual key or provider config over a rolling window:Rate Limits
Rate limits cap requests or tokens over a rolling window:
Attach a rate limit to a virtual key via
virtual_keys[].rate_limit_id, or to a provider config via virtual_keys[].provider_configs[].rate_limit_id.
Model Limits
governance.model_configs applies budgets and rate limits keyed on a model name, an optional provider, and a scope. This is the same data the Budget & Limits → Model Limits UI manages.

