← Back to Compare
KnoxCall
KnoxCall
VS
Portkey
Portkey

KnoxCall vs Portkey

Portkey is one of the best production LLM gateways going — 1,600+ models behind one API, reliability routing, deep observability, guardrails, and virtual keys. But those virtual keys sit in Portkey’s encrypted vault, and Portkey is the process that holds and uses the real provider key to reach the model. KnoxCall attacks a different layer: the provider key is injected at the egress wire so it never enters your workload, and KnoxCall custodially rotates the underlying vendor child key — not just a store entry. Where Portkey wins on model coverage and observability, we say so.

KnoxCall Advantages

  • Provider key never enters your workload on the egress hot path — injected at the wire, no value-GET path back to it
  • Custodially rotates the underlying vendor child key (mints / verifies / deletes it), not just a virtual-key store entry
  • DPoP-bound short-lived tokens + RFC 8693 workload identity federation (OIDC token exchange)
  • Tokenization vaults: format-preserving tokens for PAN / SSN / email + one-shot Ephemeral Proxy
  • Encryption-as-a-Service: encrypt / decrypt / rewrap + JWT/RSA/ECDSA/Ed25519 signing with alg-confusion defence + BYOK
  • AI Gateway: capability keys, streaming PII redaction, prompt firewall + canary leak, per-agent budgets
  • Secrets, API proxy, crypto, tokenization and AI egress on one managed bill — minutes to set up

Portkey Advantages (honest)

  • Enormous model coverage — a unified API to 1,600+ language, vision, audio and image models
  • Best-in-class LLM observability: logs, traces, feedback, cost attribution per model / key / metadata
  • Mature reliability routing: load-balancing, automatic fallbacks, retries, timeouts, semantic caching
  • 60+ built-in AI guardrails plus custom guardrail hooks on the Enterprise tier
  • Real compliance certifications on Enterprise: SOC 2 Type 2, GDPR, HIPAA with custom BAAs, VPC hosting
  • Open-source, self-hostable gateway core with a large community

Feature Comparison

Credential Exposure (the core difference)

Scope: third-party outbound bearer keys (OpenAI, Anthropic, Stripe, Twilio). Portkey’s job is to hold and use the provider key to reach the model, and it does that well — but that means the live key sits in Portkey’s store and its serving process.

FeatureKnoxCallPortkey
Provider key never enters the process that reaches the model
Egress wire injection: KnoxCall attaches the real key at the outbound hop, your workload never holds it
Injected at egress; no value-GET path
Virtual key maps to the real key stored in Portkey’s vault; Portkey’s process uses it to call the model
Rotates the underlying VENDOR key, not just a store entry
Custodial rotation mints / verifies / deletes the provider’s own child key on a lease schedule
Rotates the real vendor key itself
~ Virtual keys ease rotation, but you still rotate at the provider yourself; the stored key is what you set
Guards / redacts request & response CONTENT
Filter, fix or block prompts and completions in flight
Streaming PII redaction + prompt firewall (Pro+)
60+ guardrails, its flagship strength
DPoP-bound short-lived token in the workload (not a long-lived key)
What the process actually holds, sender-constrained and revocable
Scoped, DPoP-bindable KnoxCall token
~ Workload holds a Portkey API key / virtual key; not DPoP sender-bound
Workload identity federation (OIDC token exchange, RFC 8693)
Swap a workload’s OIDC identity for a short-lived sender-constrained token
API-key / virtual-key auth, no OIDC exchange

AI Gateway Capabilities

FeatureKnoxCallPortkey
Unified API to many LLM providers
One endpoint in front of multiple model vendors
AI Gateway across major providers
1,600+ models — far broader coverage
Reliability routing (load-balance / failover / retries / semantic cache)
Keep requests flowing when a provider degrades
~ Basic failover; routing is not our headline
Mature: load-balancing, fallbacks, semantic cache
Streaming PII redaction on prompts & completions
Hold-back FSM redaction as tokens stream
FF3-1 + hold-back FSM (Pro+)
PII guardrails available
Prompt firewall + canary leak detection
Injection defence plus seeded canary tokens to catch exfiltration
Prompt firewall + canary (Pro+)
~ Prompt-injection guardrails; canary-leak not a stated feature
Per-agent budgets
Spend ceilings scoped to an agent / key
~ Recorded & surfaced, not hard-enforced yet
Budget & rate limits on virtual keys (granular on Enterprise)

Observability & Cost

FeatureKnoxCallPortkey
LLM logs, traces & per-request cost attribution
Deep visibility into every model call
Advanced Analytics (Pro+)
Best-in-class; the reason many teams pick Portkey
Real-time request analytics & geo
Metrics dashboards and world-map request view
Analytics + geo built in
LLM-focused observability
Alerting (Email + SMS + Slack)
Notify on anomalies and thresholds
Pro+ tiers
Alerts on Production tier
Log retention
How long request logs are kept
7–custom 7-day on Free, longer on paid tiers
3–30d 3d Dev, 30d Production, custom Enterprise

Secrets, Crypto & Data Protection (beyond the LLM gateway)

FeatureKnoxCallPortkey
General API proxying & secrets management
Not just LLMs — Stripe, Twilio, internal APIs
LLM gateway scope
Format-preserving tokenization (PAN / SSN / email)
Shape-mimicking tokens so downstream systems stay untouched
Tokenization vaults (Pro+)
Encryption-as-a-Service + JWT/RSA/ECDSA/Ed25519 signing
Encrypt / decrypt / rewrap with alg-confusion defence + BYOK
Crypto service (Pro+), BYOK on Enterprise
One-shot Ephemeral Proxy
Single-use outbound request without persisting the credential

Operations, Compliance & Setup

FeatureKnoxCallPortkey
Managed SaaS, one bill
No infrastructure to run
Hosted, plus self-host option
Self-hosted / open-source gateway core
Run the gateway yourself
KnoxCall is proprietary SaaS, not open source
Open-source gateway, large community
Formal compliance certifications
SOC 2, HIPAA, GDPR posture
~ SOC 2 aligned, Type II in progress; BAA available
SOC 2 Type 2, GDPR, HIPAA + BAAs on Enterprise
Setup time
Sign-up to production
Minutes
Minutes Also fast to integrate

In Depth

Portkey and KnoxCall look adjacent because both put a gateway in front of your LLM calls, but they are solving different problems. Portkey is a control panel for production AI: it unifies 1,600+ models behind one API, routes for reliability, and gives you observability and cost attribution that are genuinely best-in-class. If your pain is “we have twelve model providers and no single view of spend, latency, or failures,” Portkey is a superb answer. KnoxCall’s pain is narrower and deeper: where does the real provider key live, and can anything in my workload read it?

Portkey’s virtual keys are a real improvement over pasting raw provider keys everywhere — they store the provider key in an encrypted vault and hand your app a virtual reference plus budget and rate controls. But the model still has to be called with the real key, and the process that makes that call is Portkey’s. Portkey guards and redacts the content flowing through; the provider secret itself continues to live in Portkey’s store and serving process. KnoxCall moves the credential boundary instead of the content boundary: the provider key is injected at the egress wire and there is no value-GET path back to it, and custodial rotation mints, verifies and deletes the provider’s own child key on a lease schedule — so the underlying vendor secret rotates, not just a store entry.

When to choose Portkey

Be honest with yourself about the job. If your primary need is breadth of model coverage, world-class LLM observability, and mature reliability routing, Portkey is likely the better fit today, and we’ll say so plainly:

  • You call across many providers and want one API to 1,600+ models — KnoxCall’s AI Gateway covers the major ones, not that catalogue.
  • You live in the observability: per-request logs, traces, feedback, and cost attribution sliced by model, key, and metadata. This is Portkey’s flagship strength and the reason many teams adopt it.
  • You need load-balancing, automatic fallbacks, retries, and semantic caching as a first-class routing layer. KnoxCall does basic failover; routing is not our headline.
  • You need formal compliance certifications now — Portkey’s Enterprise tier carries SOC 2 Type 2, GDPR, and HIPAA with custom BAAs and VPC hosting. KnoxCall is SOC 2 aligned with Type II in progress and a BAA available; we are not yet certified.
  • You want to self-host an open-source gateway. Portkey’s core is open source; KnoxCall is proprietary managed SaaS.

Ownership note for procurement: Portkey was acquired by Palo Alto Networks, with the deal closed on 29 May 2026 (Palo Alto Networks press release). That may be a plus if you already standardize on Palo Alto, or a factor to weigh if you prefer an independent vendor. We make no claim about end-of-life or roadmap changes.

The honest residual on our own claim

Egress wire injection is not zero-residual, and we scope it tightly. The claim is specific: on the egress hot path, the real provider key never enters your workload — KnoxCall attaches it at the outbound hop and there is no endpoint that returns the value to your process. That genuinely removes the case where an RCE, a poisoned dependency, or a prompt-injected agent running printenv walks off with a long-lived vendor key.

What still lives in your workload is a KnoxCall token. It is short-lived, scoped to specific routes, audited on every call, DPoP-bindable, and revocable on demand — but until it is revoked it can route requests through the proxy. So this is a trust dependency and an extra network hop, the same tradeoff you accept with any federation or token-exchange layer, not a magic eliminator of compromise. The advantage is the difference between what leaks: a static vendor key valid for years versus a scoped, revocable proxy token. And note the boundary of the claim — it covers third-party outbound bearer keys, not your application’s own in-process encryption keys.

Two more honest limits worth stating: per-agent budgets on KnoxCall today are recorded and surfaced, not hard-enforced, and our KnoxCall SDKs are the six in our monorepo — not yet published to pip or npm. Migration of secrets into KnoxCall is import-only.

The clean way to think about it: many teams will run Portkey and KnoxCall. Keep Portkey for model breadth, routing, and observability; put KnoxCall on the credential boundary so the provider key never renders into the process at all and the underlying vendor key rotates itself. They are complementary far more than they are substitutes.

Pricing Comparison

KnoxCall

Free Forever$0
  • 1 Route
  • 100 API calls/month
  • 1 Secret · 1 Vault (1k tokens)
  • 2 Crypto Keys (AES)
  • 1 Inbound Webhook
  • Basic Analytics · 7-day retention
Starter$19/mo
  • 2 Routes
  • 10K API calls/month
  • 5 Vaults (50K tokens)
  • Ephemeral Proxy (100K ops/mo)
  • Basic Analytics (no Alerts / FPE / crypto / PII-redaction — Pro+)
Pro$99/mo
  • 25 Routes · 1M API calls/month
  • Email Alerts
  • 25 Vaults (1M tokens) · Format-Preserving Tokens
  • Streaming PII Redaction (FF3-1 + hold-back FSM)
  • Prompt Firewall + Canary Leak · 100K AI calls/mo
  • OIDC workload federation · Advanced Analytics
EnterpriseCustom
  • Unlimited Routes · Unlimited API calls
  • Unlimited Team
  • Unlimited Vaults / tokens / Crypto Keys
  • BYOK via tenant master key
  • Dedicated Fixed Outbound IP
  • Priority Support

Portkey

Open Source$0
  • Self-hosted gateway core
  • Routing, fallbacks, load-balancing, guardrails
  • Basic dashboard · community support
  • You run & operate the infrastructure
Developer$0
  • 10,000 recorded logs/month
  • 3-day log retention · 30-day metrics
  • Observability, universal API, key management
  • 3 prompt templates · community support
Production$49/mo
  • 100,000 recorded logs/month
  • +$9 per additional 100K requests
  • 30-day logs · 90-day metrics
  • RBAC, alerts, semantic caching, guardrails
EnterpriseContact Sales
  • 10M+ recorded logs/month · custom retention
  • SSO, custom guardrail hooks, granular budgets
  • SOC 2 Type 2, GDPR, HIPAA + custom BAAs
  • Private Cloud / VPC hosting · data isolation

Portkey pricing is log-volume based, not per-seat: Developer (free, 10K logs, 3-day retention), Production ($49/mo, 100K logs + $9/100K extra, 30-day retention), and custom Enterprise. Source: portkey.ai/pricing (verified July 2026). Portkey was acquired by Palo Alto Networks, deal closed 29 May 2026.

Frequently asked questions

Is KnoxCall a replacement for Portkey?

In most cases, no. Portkey is a production LLM gateway focused on model coverage, reliability routing, and observability, while KnoxCall works the credential boundary so the real provider key never enters your workload and the underlying vendor child key is rotated custodially. The two are complementary far more than they are substitutes, and many teams will run both.

Can I run KnoxCall alongside Portkey?

Yes. Keep Portkey for model breadth, routing, guardrails, and cost attribution, and put KnoxCall on the credential boundary so the provider key is injected at the egress wire instead of living in your process. Note that migration of secrets into KnoxCall is import-only.

When is Portkey the better choice?

Portkey is likely the better fit if you need one API to 1,600+ models, best-in-class LLM observability with per-request cost attribution, or mature reliability routing with load-balancing, automatic fallbacks, retries, and semantic caching. It also wins if you need formal compliance certifications now, since its Enterprise tier carries SOC 2 Type 2, GDPR, and HIPAA with custom BAAs and VPC hosting, or if you want to self-host an open-source gateway. KnoxCall is SOC 2 aligned with Type II in progress, and it is proprietary managed SaaS rather than open source.

How does KnoxCall's pricing model differ from Portkey's?

KnoxCall is tiered managed SaaS: a Free Forever plan, Starter at $19/mo, Pro at $99/mo, and a custom Enterprise tier. Portkey's pricing is log-volume based rather than per-seat: a free Developer tier with 10,000 recorded logs per month, Production at $49/mo for 100,000 logs plus $9 per additional 100K requests, and a custom Enterprise tier. Portkey also offers a free open-source gateway core that you self-host and operate yourself, which KnoxCall does not.

Keep Portkey’s observability. Take the provider key out of the process.

Run KnoxCall on the credential boundary so the real vendor key never enters your workload and rotates itself — while Portkey keeps doing routing, guardrails, and cost attribution. Complementary, not rip-and-replace.