Build Your Own AI API Gateway: Authentication, Rate Limiting, and Billing Full-Stack Solution

Case Study: How a Singapore SaaS Team Cut AI Costs by 84%

A Series-A SaaS startup in Singapore building an AI-powered customer support platform was hemorrhaging money. Their engineering team had built a robust application, but every AI API call—thousands per minute during peak hours—was routing through a major US provider at $0.03 per 1K tokens. By month six, their AI inference bill hit $4,200 monthly, and latency was averaging 420ms during business hours. Their CTO described it as "watching money burn while users complained about slow responses."

After evaluating six alternatives, they migrated to HolySheep AI and deployed a custom API gateway they built in-house. Thirty days post-migration, the numbers told a dramatically different story: latency dropped to 180ms (57% improvement), and their monthly bill plummeted to $680. That's an 84% cost reduction.

This tutorial walks you through building that exact gateway from scratch—complete authentication, token-based rate limiting, usage-based billing, and seamless HolySheep integration.

Why Build Your Own AI Gateway?

Before diving into code, let's clarify the business logic. A self-hosted AI API gateway gives you:

• Centralized authentication — Manage API keys for all your LLM providers in one place
• Cost visibility — Track per-user, per-endpoint, per-model spending in real-time
• Rate limiting without provider constraints — Set your own rules regardless of upstream limits
• Multi-provider failover — Route traffic to backup providers when primary is degraded
• Data residency control — Keep sensitive requests within your infrastructure

Architecture Overview

Our gateway consists of four core components:

+------------------+     +-------------------+     +------------------+
|  Client App      | --> |  Your Gateway     | --> |  HolySheep AI    |
|  (anywhere)      |     |  (auth + limits)  |     |  api.holysheep   |
+------------------+     +-------------------+     +------------------+
        |                        |
        v                        v
+------------------+     +-------------------+
|  Redis           |     |  Billing DB       |
|  (rate limit)    |     |  (usage tracking) |
+------------------+     +-------------------+

Prerequisites

• Node.js 18+ or Python 3.10+
• Redis 6+ (for distributed rate limiting)
• PostgreSQL 14+ (for billing and user management)
• A HolySheep AI API key (free credits on signup)

Step 1: Project Setup and Dependencies

# Initialize Node.js project
mkdir ai-gateway && cd ai-gateway
npm init -y

Install production dependencies
npm install express ioredis pg jsonwebtoken
npm install bcryptjs uuid dotenv cors helmet

Install development dependencies
npm install -D nodemon jest

Create your .env file:

# .env
PORT=3000
HOLYSHEEP_API_KEY=YOUR_HOLYSHEEP_API_KEY
HOLYSHEEP_BASE_URL=https://api.holysheep.ai/v1
REDIS_URL=redis://localhost:6379
DATABASE_URL=postgres://user:pass@localhost:5432/ai_gateway
JWT_SECRET=your-super-secret-jwt-key-min-32-chars
RATE_LIMIT_REQUESTS=100
RATE_LIMIT_WINDOW_MS=60000

Step 2: Database Schema for User Management and Billing

-- migrations/001_initial_schema.sql

-- Users table with API key storage
CREATE TABLE users (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    email VARCHAR(255) UNIQUE NOT NULL,
    password_hash VARCHAR(255) NOT NULL,
    api_key VARCHAR(64) UNIQUE NOT NULL,
    is_active BOOLEAN DEFAULT true,
    created_at TIMESTAMP DEFAULT NOW(),
    updated_at TIMESTAMP DEFAULT NOW()
);

-- API key authentication table
CREATE TABLE api_keys (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id UUID REFERENCES users(id) ON DELETE CASCADE,
    key_prefix VARCHAR(8) NOT NULL, -- First 8 chars for identification
    key_hash VARCHAR(255) NOT NULL, -- Full hash for verification
    name VARCHAR(100),
    is_active BOOLEAN DEFAULT true,
    last_used_at TIMESTAMP,
    created_at TIMESTAMP DEFAULT NOW()
);

-- Usage tracking for billing
CREATE TABLE usage_logs (
    id BIGSERIAL PRIMARY KEY,
    user_id UUID REFERENCES users(id),
    api_key_id UUID REFERENCES api_keys(id),
    model VARCHAR(50) NOT NULL,
    input_tokens INTEGER NOT NULL,
    output_tokens INTEGER NOT NULL,
    cost_usd DECIMAL(10, 6) NOT NULL,
    latency_ms INTEGER NOT NULL,
    endpoint VARCHAR(50) NOT NULL,
    created_at TIMESTAMP DEFAULT NOW()
);

-- Rate limit configuration per tier
CREATE TABLE rate_limit_tiers (
    id SERIAL PRIMARY KEY,
    tier_name VARCHAR(50) NOT NULL,
    requests_per_minute INTEGER NOT NULL,
    requests_per_day INTEGER NOT NULL,
    monthly_token_limit BIGINT,
    price_usd_monthly DECIMAL(10, 2) NOT NULL
);

-- User tier assignments
CREATE TABLE user_tiers (
    user_id UUID REFERENCES users(id) ON DELETE CASCADE,
    tier_id INTEGER REFERENCES rate_limit_tiers(id),
    expires_at TIMESTAMP,
    PRIMARY KEY (user_id)
);

-- Insert default tiers
INSERT INTO rate_limit_tiers (tier_name, requests_per_minute, requests_per_day, monthly_token_limit, price_usd_monthly)
VALUES 
    ('free', 10, 500, 100000, 0),
    ('starter', 60, 10000, 5000000, 29),
    ('pro', 300, 100000, 50000000, 99),
    ('enterprise', 1000, 1000000, NULL, 299);

Step 3: Core Gateway Server Implementation

// src/server.js
require('dotenv').config();
const express = require('express');
const cors = require('cors');
const helmet = require('helmet');
const { rateLimit } = require('express-rate-limit');
const { authenticateApiKey } = require('./middleware/auth');
const { trackUsage } = require('./middleware/usage');
const chatRouter = require('./routes/chat');
const embeddingsRouter = require('./routes/embeddings');
const billingRouter = require('./routes/billing');

const app = express();

// Security middleware
app.use(helmet());
app.use(cors({ origin: true, credentials: true }));
app.use(express.json({ limit: '10mb' }));

// Global rate limiting (before auth)
const globalLimiter = rateLimit({
    windowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS),
    max: parseInt(process.env.RATE_LIMIT_REQUESTS),
    standardHeaders: true,
    legacyHeaders: false,
    message: { error: 'Too many requests, please try again later.' }
});
app.use('/api/', globalLimiter);

// Health check (no auth required)
app.get('/health', (req, res) => {
    res.json({ status: 'healthy', timestamp: new Date().toISOString() });
});

// Routes with authentication
app.use('/v1/chat/completions', authenticateApiKey, trackUsage, chatRouter);
app.use('/v1/embeddings', authenticateApiKey, trackUsage, embeddingsRouter);
app.use('/v1/billing', authenticateApiKey, billingRouter);

// Error handling middleware
app.use((err, req, res, next) => {
    console.error([ERROR] ${err.message}, { stack: err.stack });
    const statusCode =
Related Resources
📚 AI API Tutorials
💰 View Pricing
📖 Developer Docs
🚀 Sign Up Free
Related Articles
Claude Projects vs GPTs: The Definitive Migration Playbook f
Triton Inference Server Enterprise Deployment: Multi-Model M
Migration Playbook: Downloading Incremental L2 Order Book Da