Admin guide
Portal walkthrough for tenant administrators: users, keys, billing, audit, and guardrails.
Last updated 17 May 2026
This guide walks tenant administrators through the operator portal. You will learn how to manage users, configure virtual keys, review billing, inspect audit logs, set up guardrails, and configure single sign-on.
Accessing the portal
Navigate to https://portal.operayde.com and sign in with your corporate
identity provider. You must be a member of the tenant-admin group in your
IdP to access administration features.
User management
Viewing users
Open Settings > Users to see everyone who has signed in to your tenant. Each row shows:
- Display name and email (from your IdP)
- Role (tenant-admin or tenant-user)
- Last active timestamp
- Number of API requests in the current billing period
Role assignment
Roles are derived from your IdP group membership. To change a user's role, update their group assignment in your identity provider. The change takes effect on their next sign-in.
| IdP group | Operayde role | Capabilities |
|---|---|---|
| tenant-admin | Admin | Full portal access, key management, audit export, config changes |
| tenant-user | User | Workspace access, API usage via assigned virtual keys |
Removing users
Operayde does not maintain a local user database. To revoke access, remove the user from the relevant IdP groups. Any virtual keys they created remain active until explicitly revoked.
Virtual key configuration
Virtual keys control API access to the gateway. Each key has a label, allowed models, rate limits, and an optional expiry.
Creating a key
- Navigate to Keys > Create key.
- Fill in the form:
  - Label — a human-readable name (e.g. "research-team-prod").
  - Allowed models — select which models this key can access.
  - RPM limit — maximum requests per minute.
  - TPD limit — maximum tokens per day.
  - Residency — regions this key is allowed to operate in.
  - Expiry — optional expiration date.
- Click Create. The key secret is displayed once. Copy it and store it securely; it cannot be retrieved later.
Revoking a key
Open Keys, find the key, and click Revoke. Revocation is immediate.
Any in-flight requests using the key will receive a 401 response.
Key best practices
- Create separate keys per team or application.
- Set the tightest RPM and TPD limits that your workload allows.
- Restrict each key to only the models it needs.
- Set expiry dates for contractor or temporary keys.
- Rotate keys quarterly.
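Because virtual keys stay active after their creator is removed from the IdP groups (see Removing users) and should be rotated quarterly, a periodic inventory check is worth running. The following is an added example, not Operayde code: the key inventory, its field names, the member list and the 90-day reading of "quarterly" are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Constructed inventory; field names are assumptions, not the portal's schema.
KEYS = [
    {"label": "research-team-prod", "created_by": "ana@example.com",
     "created": date(2026, 4, 1), "revoked": False},
    {"label": "contractor-eval", "created_by": "Sam@example.com",
     "created": date(2026, 3, 10), "revoked": False},
    {"label": "batch-ingest", "created_by": "lee@example.com",
     "created": date(2025, 11, 2), "revoked": False},
    {"label": "old-poc", "created_by": "sam@example.com",
     "created": date(2025, 6, 1), "revoked": True},
]
# Emails currently in the tenant-admin or tenant-user IdP groups (constructed).
ACTIVE_MEMBERS = {"ana@example.com", "lee@example.com"}
ROTATION_PERIOD = timedelta(days=90)  # "quarterly" read as 90 days (assumption)


def audit_keys(keys, active_members, today):
    """Map each live key's label to its findings; clean keys are omitted."""
    members = {m.lower() for m in active_members}
    report = {}
    for key in keys:
        if key["revoked"]:
            continue  # already revoked, nothing left to act on
        findings = []
        # IdP emails are compared case-insensitively.
        if key["created_by"].lower() not in members:
            findings.append("creator-not-in-idp-groups")
        if today - key["created"] > ROTATION_PERIOD:
            findings.append("rotation-overdue")
        if findings:
            report[key["label"]] = findings
    return report


if __name__ == "__main__":
    report = audit_keys(KEYS, ACTIVE_MEMBERS, date(2026, 5, 17))
    for label, findings in report.items():
        print(label, findings)
```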
Billing
Viewing invoices
Open Billing > Invoices to see your billing history. Each invoice shows:
- Billing period
- Total amount in your billing currency
- Line items: token usage, appliance-days, premium models
- Payment status
Usage dashboard
The Billing > Usage page shows real-time consumption:
- Requests per day/week/month
- Token consumption by model
- Active keys and their individual usage
- Appliance utilisation metrics
Updating billing details
Contact your Operayde account manager to update billing currency, payment method, or billing cycle. Tenant admins can update the billing email address under Settings > Billing.
Audit logs
Querying events
Open Audit to search the event log. Available filters:
- Date range — start and end timestamps.
- Actor — filter by user email or service account.
- Action — filter by action type (e.g. gateway.chat, config.update-tenant).
- Decision — filter by OPA policy decision (allow or deny).
Each event shows:
- Timestamp
- Actor
- Action
- Resource
- OPA decision and policy version
- Request metadata (model, token count, latency)
Exporting audit data
Click Export to download events as CSV or JSON. Exports respect the current filter selection. Large exports are generated asynchronously and delivered via download link.
Chain verification
Operayde maintains a Merkle chain over all audit events. The chain head hash is displayed at the top of the audit page. Click Verify chain to run an integrity check that confirms no events have been tampered with or deleted.
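How a chained audit log makes edits and deletions detectable, as an added example that is not Operayde's implementation: this guide does not document the chain format, so the linear SHA-256 construction, the all-zero genesis value, the record layout and the sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed chain start; the real format is not documented here

# Constructed events using the fields the audit page lists (names are assumed).
SAMPLE_EVENTS = [
    {"timestamp": "2026-05-17T09:00:00Z", "actor": "ana@example.com",
     "action": "gateway.chat", "resource": "model-a", "decision": "allow"},
    {"timestamp": "2026-05-17T09:01:00Z", "actor": "svc-bot@example.com",
     "action": "config.update-tenant", "resource": "tenant", "decision": "deny"},
    {"timestamp": "2026-05-17T09:02:00Z", "actor": "lee@example.com",
     "action": "gateway.chat", "resource": "model-b", "decision": "allow"},
]


def link_hash(prev_hash, event):
    """SHA-256 over the previous link hash plus the canonically encoded event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + body).hexdigest()


def build_chain(events):
    """Return (records, head); each record carries its own link hash."""
    records, prev = [], GENESIS
    for event in events:
        prev = link_hash(prev, event)
        records.append({"event": event, "hash": prev})
    return records, prev


def verify_chain(records, trusted_head):
    """Return (ok, index): index is the first inconsistent record, or None."""
    prev = GENESIS
    for i, rec in enumerate(records):
        prev = link_hash(prev, rec["event"])
        if prev != rec["hash"]:
            return False, i  # edited event, or a record removed before this one
    if prev != trusted_head:
        # Internally consistent but not ending at the recorded head:
        # this is how truncation of the newest events shows up.
        return False, len(records)
    return True, None


if __name__ == "__main__":
    records, head = build_chain(SAMPLE_EVENTS)
    print(verify_chain(records, head))
```

The head hash used for comparison should be recorded somewhere other than the log store itself; a head read from the same place as the records only proves internal consistency.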
Guardrails
Guardrails are OPA policies that control what the gateway allows. Your tenant's guardrails are configured via policy flags.
PII redaction
By default, Operayde redacts common PII patterns (email addresses, phone numbers, credit card numbers, IBANs) before forwarding requests to cloud providers. Configure redaction under Settings > Guardrails > Redaction:
- Enable/disable redaction — turn redaction on or off.
- Disable specific patterns — e.g. disable email redaction for a customer-service use case.
- Add medical patterns — enable MRN and ICD-10 redaction for healthcare tenants.
Data residency
Under Settings > Guardrails > Residency, view and request changes to your allowed regions. Residency restrictions are enforced at the gateway: requests cannot be routed to regions outside your allowed set.
Model restrictions
Under Settings > Guardrails > Models, configure which models are available to your tenant. This is separate from per-key model restrictions; tenant-level restrictions apply to all keys.
Knowledge sources
If your plan includes RAG (retrieval-augmented generation), manage your knowledge bases under Knowledge:
- Upload documents — PDF, DOCX, TXT, or HTML files.
- Configure chunking — set chunk size and overlap for your use case.
- Monitor indexing — track embedding progress and index size.
- Test retrieval — run test queries to verify relevance.
Knowledge sources are stored and indexed entirely on your appliance. No document content leaves your network.
SSO configuration
Initial setup
SSO is configured during the deployment process. Your Operayde deployment engineer sets up the OIDC client in your IdP and configures the callback URL.
Changing identity providers
To switch IdPs (e.g. from Azure AD to Okta):
- Open a support ticket from Settings > Support.
- Provide the new IdP's OIDC discovery URL and client credentials.
- The Operayde team configures the new connector and tests it.
- The switchover happens during a maintenance window with zero downtime for end users.
Group mapping
Map your IdP groups to Operayde roles under Settings > SSO > Group mapping:
{
"idp_group_admin": "tenant-admin",
"idp_group_users": "tenant-user",
"idp_group_bots": "tenant-service"
}
Changes to group mapping take effect on the next user sign-in.
Troubleshooting SSO
| Symptom | Cause | Fix |
|---|---|---|
| Redirect loop after login | Callback URL mismatch | Verify the redirect URI in your IdP matches https://appliance.<domain>/auth/callback |
| User sees "no groups" error | Group claim not configured | Ensure your IdP returns a groups claim in the ID token |
| Admin features missing | User not in admin group | Add the user to your tenant-admin IdP group |