GhostLLM

GhostLLM is an OpenAI-compatible API gateway that gives applications secure, programmatic access to AI models. It is primarily designed for machine-to-machine use — applications, scripts, and AI agents that need to call an LLM via API. GhostLLM acts as a drop-in replacement for the OpenAI API, so existing code requires minimal changes to route through it.

All requests pass through Dymium's security pipeline before reaching the AI provider. Security policies are configured per application (API key), so different applications can have different models, PII rules, prompt guardrails, and agent capabilities.

API Keys tab

The API Keys tab lists all GhostLLM applications. Each row shows:

Creating and configuring an API key

Click Create New API Key to open the configuration panel. The same panel is used for editing existing keys.

Application Name

A unique name for this GhostLLM application. This name becomes part of the runtime URL path:

https://{tenant}.llm.dymium.ai/{app_name}/v1/chat/completions

Authentication Type

• Static API Key — a secret key is generated and used as a Bearer token. The preferred URL format is /{app_name}/v1/..., but static-key apps also accept the legacy /v1/... path (where the app is inferred from the key).
• OIDC (Bearer Token) — clients present a JWT from a trusted identity provider. One or more OIDC Issuer URLs must be configured. The URL path must include the app name: /{app_name}/v1/....

For OIDC applications, you can add multiple issuer URLs and optionally click Use Portal Login Issuer to use the same issuer as portal logins.

Model Selection

Select which AI models this application can access. Only checked models will be available to clients — requests for a disabled model are rejected. Available models come from the providers configured at the tenant level (OpenAI, Anthropic, Google Gemini, Dymium Private Model, and Bring Your Own Model endpoints).

Agent Access

Enable the AI Agent to allow this application to query Ghost Databases in natural language. When enabled, you must assign at least one group to control which Ghost Databases the agent can access.

Additional agent capabilities can be toggled:

• Allow Web Search — the agent can search the web for current information
• Allow Image Generation — the agent can generate images (requires an OpenAI or Gemini API key configured at the tenant level)

Client Tools

When enabled, clients can pass MCP tool definitions in the tools parameter of API requests. This allows AI agents using GhostLLM to invoke external tools during their reasoning.

PII Detection

When enabled, personally identifiable information in prompts is automatically detected and substituted with synthetic placeholders before being sent to the AI provider. The AI processes the sanitized prompt, and original values are restored in the response returned to the caller.

System Prompt and Prompt Blocking

• System Prompt — an optional prompt prepended to every request, providing the LLM with organization-specific context or instructions.
• Prompt Blocking Guardrails — when enabled, an internal AI classifier evaluates each user prompt and rejects it if it matches a configured blocked category (e.g., medical advice, legal advice, harmful content). A Classifier Model can be selected from available providers.

Test tab

The Test tab is a built-in playground for verifying GhostLLM is working correctly.

1. Select an Auth Type (Static API Key or OIDC) and enter the key or token.
2. Optionally enter the GhostLLM App name (required for OIDC; optional for static key).
3. Choose an Endpoint: Chat Completions, Responses, or Models.
4. Select a Model. For models that support it, a Reasoning dropdown appears where you can select an effort level.
5. Type a prompt and click Send Test.

The response appears on the left. A ready-to-use curl command is generated on the right, which you can copy and use directly.

API endpoints

GhostLLM provides the following OpenAI-compatible endpoints:

All endpoints accept the standard Authorization: Bearer <token> header.