Docs · Concepts

The mental model.

RelayOne is four loosely-coupled layers operating on every AI request: gateway, policy, evidence, fleet. Once you can name the layer, you can find the dashboard, the API endpoint, and the part of the docs you want.

Gateway

The gateway is the network choke point. Every AI request from your organization passes through it. You can run it as the managed SaaS endpoint at gateway.relayone.ai, in your cloud account (BYOC), or on-prem. The gateway terminates the inbound connection, evaluates policy, optionally rewrites the payload, dispatches to the upstream model, and returns the response. It is the only RelayOne component on the request hot path.

A single deployment may run many gateways across regions and tenants. The collection is the fleet.

Policy

Policy is a function evaluated at multiple phases of the request lifecycle: ingress, identity, sovereignty, payload-scan, dispatch, response, evidence-emit. A policy is authored in the visual editor or in the YAML / CEL-compatible policy language; both compile to the same evaluation tree. Policies can:

  • Permit, reroute, rewrite, or block the request
  • Inject a credential or strip a header
  • Enforce a spend cap or rate limit
  • Require human-in-the-loop approval before dispatch

Policies are versioned. Atomic deployments propagate to the fleet within seconds. Every decision is recorded as a signed receipt and surfaced in the inspector.

Evidence

Every gateway transaction emits a chain of signed receipts: the policy decision, the dispatch event, the response metadata, the commerce receipt (if TrueCom is wired). Receipts are signed with per-node Ed25519 keys whose public roster is pinned in the bundle. An evidence bundle is a structured archive of receipts plus the chain-of-custody manifest, assembled on demand. Bundles are verifiable offline; an auditor does not need to call RelayOne to confirm authenticity.

Fleet

The fleet is the set of gateways under your control plane. Operationally you treat it as one object: deploy a policy and it propagates atomically; rotate a credential and it updates everywhere; query a tenant and you see its slice of the global picture. The fleet control plane handles deployment status, version drift detection, credential rotation, and tenant health.

Where the boundary is

RelayOne does not own your AI provider accounts; you connect your own OpenAI / Anthropic / Bedrock / vLLM credentials. RelayOne does not store your prompt content unless you explicitly opt in for debug. RelayOne is not in the data plane of your application beyond the gateway hop.

Adjacent products

  • RelayGate — the per-request programmable middleware (ContextWorkers). Strips PII inline, injects credentials, executes inline R1 agents. Talks to RelayOne for policy decisions.
  • R1 — the agent framework that runs as the internal target when a request must stay inside.
  • TrueCom — the commerce + receipts substrate. Co-signs RelayOne receipts when agent transactions occur.
  • Veritize — output verification, drift, and hallucination detection. Optionally attached to evidence.

None of these are required to run RelayOne. They make it more useful when present.