LLM Providers

TapPass is a proxy in front of any LLM provider. Your agent talks to TapPass; TapPass talks to the provider after running the governance pipeline.

Shipped providers

Provider	Base URL (client-side)	Server-side env	EU residency
OpenAI	`https://tappass.example.com/v1`	`OPENAI_API_KEY`	On request
Anthropic	`https://tappass.example.com`	`ANTHROPIC_API_KEY`	On request
Azure OpenAI	`https://tappass.example.com/v1`	Azure endpoint + key	Native EU
Google Gemini	`https://tappass.example.com/v1`	`GOOGLE_API_KEY`	Native EU
AWS Bedrock	`https://tappass.example.com/v1`	AWS creds	Native EU
Ollama	`https://tappass.example.com/v1`	Local (no key)	Self-hosted
vLLM	`https://tappass.example.com/v1`	Self-hosted	Self-hosted
LM Studio	`https://tappass.example.com/v1`	Local (no key)	Self-hosted

How it works

Your client sends a request to TapPass with your tp_ key.
TapPass runs the full pipeline: authz, detection, policy, trust scoring, audit.
TapPass calls the configured provider with its sk_ key from the encrypted vault.
The response flows back through the pipeline (output detections, audit finalisation).

Your agent never sees the provider key. Rotation, budget caps, and model restrictions happen server-side in one place.

Request routing

Select a provider at call time by prefixing the model name:

agent.chat("Hello", model="openai/gpt-4o-mini")
agent.chat("Hello", model="anthropic/claude-3-5-sonnet-20241022")
agent.chat("Hello", model="azure/gpt-4o")
agent.chat("Hello", model="google/gemini-1.5-pro")
agent.chat("Hello", model="bedrock/anthropic.claude-3-sonnet")

Or let server-side routing policy decide (Rego routing.rego).

EU data residency

Set TAPPASS_EU_DATA_RESIDENCY=true on the server to restrict routing to EU-hosted providers (Azure West Europe, Gemini EU, Bedrock Ireland, etc.). Non-compliant models are blocked at the routing step.