Focused Tool · Apache 2.0 · Single Binary

Auth for internal tools in 60 seconds.

Reverse proxy that adds API key auth, session login, rate limiting, and access logs to any service — without touching a line of application code. Set two environment variables. Done.

Install Gate Free Pro — $2.99/mo Docs GitHub
Quickstart

Running in under 60 seconds.

Install
curl -fsSL https://stockyard.dev/gate/install.sh | sh
Run (point at your app)
GATE_UPSTREAM=http://localhost:3000 GATE_ADMIN_KEY=secret gate

  Proxy:     http://localhost:8780 → http://localhost:3000
  Admin API: http://localhost:8780/gate/api
Issue an API key
curl -s -X POST http://localhost:8780/gate/api/keys \
  -H 'Authorization: Bearer secret' \
  -d '{"name":"alice"}'
# Returns sk-gate-... (shown once, save it)

# All requests to :8780 now require the key
curl -H 'Authorization: Bearer sk-gate-...' http://localhost:8780/your/path
See it
Gate startup output showing proxy configuration and key issuance
Gate dashboard showing API keys, users, and access log

Gate proxies every request through an auth check. No key, no access. The dashboard shows live access logs, key management, and user accounts.

Use cases

Three things developers use this for.

Lock down internal dashboards
Grafana, Metabase, or a custom admin panel — put Gate in front and no one gets in without a key or session. No code changes to the underlying app.
Rate limit a shared internal API
Multiple services hit one internal API. Gate enforces per-key limits and logs every request so you know who calls what and how often.
Add auth to a legacy service
Old service with no auth, can't be modified. Wrap it with Gate. Instant API key auth, access logs, and revocable keys without touching the service.
Why this exists

The moment you store users in someone else's cloud, you have accepted their terms, their pricing changes, and their uptime. Gate puts that decision back in your hands.

How it works

Deploy Gate as a systemd service, a Docker container, or a bare process. It reads PORT and DATA_DIR. The /api/health endpoint returns status for monitoring.

In practice

A consultant keeps Gate running on a home server. Client users stay on local disk, simplifying privacy in every contract.

Pricing

Free to run. Pro when you need more.

Free
$0
forever, self-hosted
Best for: solo devs protecting one service
  • 1 upstream
  • 5 users / API keys
  • API key auth (Bearer token)
  • Basic session auth (cookie)
  • Fixed rate limiting
  • Access logs
  • Basic admin API
  • Embedded SQLite storage
Get started →
Pro
$2.99
per month
Best for: teams with multiple internal services
  • Unlimited upstreams
  • Unlimited users and API keys
  • Per-route rate limits
  • CORS controls
  • Login endpoint (username + password → session)
  • Session duration controls
  • IP allow / deny lists
  • Log filtering and export
  • Multiple admin keys
  • Route-based protection rules
Scope

When Gate is the right tool.

Gate is for auth on internal services where you don't want to stand up Keycloak or write middleware. Free covers 1 upstream and 5 users — enough to protect a single internal tool. Pro ($2.99/mo) unlocks unlimited upstreams, users, per-route rate limits, IP lists, and log export.

Self-hosted auth proxy guide  ·  Gate vs Authelia  ·  Protect internal tools

The broader picture

When you need the full LLM control plane.

Stockyard Platform
Gate is a standalone auth proxy from the Stockyard family. Stockyard's full platform includes built-in authentication, team management, request tracing across 16 providers, cost control, and 25+ more tools in one binary.
Learn about Stockyard →
After you upgrade

How Pro gets activated.

When your payment goes through, you'll receive an email at the address you used at checkout. The email contains your license key — a string that starts with stockyard_.

Set it as an environment variable before starting Gate:

GATE_LICENSE_KEY=stockyard_your_key_here gate

  License:   Pro (your-email@example.com)
  Dashboard: http://localhost:8780/ui

That's it. Pro features unlock immediately on startup — no restart required after the first run, no account to log into, no phone-home check. The key is verified locally.

Didn't get the email?
Check your spam folder first. If it's not there after 5 minutes, email hello@stockyard.dev with your payment confirmation and we'll send the key manually.
FAQ
Does Gate work with browser apps?
Yes. Set GATE_CORS_ORIGINS for CORS headers. The POST /gate/login endpoint sets an HTTP-only cookie for browser clients. Pro adds session duration controls.
Can I run it behind a load balancer?
Yes. Gate is stateless except for the SQLite DB. Run one instance behind a reverse proxy or load balancer. For HA, point multiple instances at the same DATA_DIR on shared storage.
What happens at the user limit on Free?
The admin API returns an error when you try to create a sixth user. Existing users and keys keep working. Upgrade to Pro to remove the limit.
Does the upstream know Gate is in the path?
No. Gate proxies requests as-is. The upstream sees the original request headers (with auth headers stripped). It has no awareness of Gate.
What's the license?
Apache 2.0. Free to use, modify, and deploy.
Get started

Add auth to any internal tool in 60 seconds.

Single binary. No code changes required. Free to start.

Install Gate Free Upgrade to Pro

Part of Stockyard Complete — all 150 tools for $29/mo

Related
Comparisons
Gate vs Authelia · Gate vs OAuth2 Proxy · Gate vs Authentik · Gate vs Traefik Forward Auth
Related tools
Mirage · Barrage · Strongbox · Relay · Scout · Tally
Guide
Self-Hosted Auth Proxy