
Configuring Google Gemini CLI with AI Gateway

You can proxy Google Gemini API calls through the AI Gateway of WSO2 API Manager, so that tools such as Gemini CLI reach Google Gemini services through the Gateway.

By routing requests through the AI Gateway instead of invoking Google Gemini directly, you can apply security, traffic control, and governance policies such as guardrails, rate limiting, and monitoring. The Gateway acts as an intermediary, forwarding requests from Google Gemini CLI to Google Gemini while enforcing these controls.

This section provides step-by-step instructions for proxying Google Gemini API calls through WSO2 API Manager.


Prerequisites

Before continuing with the setup, make sure you have the following:


Step 1: Deploy the Google AI API in WSO2 API Manager

  1. Log in to the Publisher Portal.
    Navigate to the WSO2 API Manager Publisher portal:
    https://<APIM-HOST>:<APIM-PORT>/publisher

  2. Create a New AI API.
    Create a new AI API by selecting Gemini as the AI service provider.
    Configure the remaining settings as required.

  3. Configure the Endpoint.

    1. Navigate to Develop → API Configurations → Endpoints.
    2. Create a new endpoint or edit the existing production endpoint.
    3. Ensure the following configurations are set:
      • Endpoint URL: https://generativelanguage.googleapis.com
      • API Key: <GEMINI API KEY>
  4. Configure the x-goog-api-key Header.
    Gemini CLI sends the API key using the x-goog-api-key header. Instead of introducing a custom ApiKey header expected by APIM, configure the gateway to accept this existing header:

    1. Navigate to Develop → API Configurations → Runtime.
    2. Under Application Level Security, set the ApiKey Header to:

      x-goog-api-key
      
  5. Deploy and publish the Google AI API.


Step 2: Obtain an API Key from WSO2 API Manager

  1. Log in to the Developer Portal.
    Navigate to the WSO2 API Manager Developer portal:
    https://<APIM-HOST>:<APIM-PORT>/devportal

  2. Select the Google AI API you just published.

  3. Subscribe to the API using an application of your choice.

  4. Generate an API Key for the application and make sure to save it for later use.


Step 3: Configure Gemini CLI to Use the AI Gateway

Gemini CLI relies entirely on environment variables for configuration.

  1. Open a new terminal session.

  2. Set Environment Variables.
    Run the following commands, replacing placeholders with your values:

    export GOOGLE_GEMINI_BASE_URL="<GEMINI AI API EXPOSED URL>"
    export GEMINI_API_KEY="<WSO2 API KEY>"
    

    Note

    These environment variables must be set in the same session where the Gemini CLI is executed. Alternatively, they can be configured as permanent environment variables.

Configure SSL Certificate Trust

When using a local AI Gateway over HTTPS, Gemini CLI must be able to trust the certificate presented by the Gateway.

Note

If the WSO2 API Manager AI Gateway uses a valid CA-signed certificate, no additional certificate configuration is required.

If the Gateway uses a self-signed certificate, Gemini CLI may fail to connect due to certificate verification errors. In such cases, add the Gateway certificate to the certificate trust store used by Gemini CLI before running the client.

For more information, see the official Gemini CLI documentation.

Note

This is commonly required when testing with a locally running WSO2 API Manager Gateway.

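To bypass SSL certificate validation during local testing only, run the following. This setting turns off certificate verification for every TLS connection the CLI makes, so unset it once the Gateway certificate is trusted: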

export NODE_TLS_REJECT_UNAUTHORIZED=0
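
A preflight check for the terminal session configured above, as an added example that is not part of the WSO2 or Gemini CLI documentation. It assumes Gemini CLI, as a Node.js program, honours Node's `NODE_EXTRA_CA_CERTS` variable (a PEM file of additional trusted certificates); the function name `gemini_gateway_preflight` is hypothetical.

```shell
#!/bin/sh
# Added example: checks the environment Gemini CLI will inherit.
# Prints one line per finding; returns 0 when the session is ready, 1 otherwise.
gemini_gateway_preflight() {
    _rc=0

    # The WSO2 API key is sent in the x-goog-api-key header, so the
    # gateway URL must be HTTPS.
    case "${GOOGLE_GEMINI_BASE_URL:-}" in
        https://*) ;;
        "") echo "FAIL: GOOGLE_GEMINI_BASE_URL is not set"; _rc=1 ;;
        *)  echo "FAIL: GOOGLE_GEMINI_BASE_URL is not an https:// URL"; _rc=1 ;;
    esac

    if [ -z "${GEMINI_API_KEY:-}" ]; then
        echo "FAIL: GEMINI_API_KEY is not set"; _rc=1
    fi

    # A value of 0 disables certificate verification for every TLS
    # connection made by the Node.js process.
    if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-}" = "0" ]; then
        echo "FAIL: NODE_TLS_REJECT_UNAUTHORIZED=0 is set; unset it"; _rc=1
    fi

    # Node.js only warns when this file is missing or malformed and then
    # continues without it, so check it before starting the CLI.
    if [ -n "${NODE_EXTRA_CA_CERTS:-}" ]; then
        if [ ! -r "$NODE_EXTRA_CA_CERTS" ]; then
            echo "FAIL: NODE_EXTRA_CA_CERTS file is not readable"; _rc=1
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$NODE_EXTRA_CA_CERTS"; then
            echo "FAIL: NODE_EXTRA_CA_CERTS holds no PEM certificate"; _rc=1
        elif grep -q -e 'PRIVATE KEY-----' "$NODE_EXTRA_CA_CERTS"; then
            echo "FAIL: NODE_EXTRA_CA_CERTS contains a private key"; _rc=1
        fi
    fi

    if [ "$_rc" -eq 0 ]; then
        echo "OK: session is ready for Gemini CLI"
    fi
    return "$_rc"
}

# Usage in the session from Step 3 (the certificate path is a placeholder):
#   export NODE_EXTRA_CA_CERTS="<PATH TO GATEWAY CERTIFICATE PEM>"
#   gemini_gateway_preflight && gemini
```
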

Step 4: Run the Gemini CLI Client

Execute the Gemini CLI.

gemini

Requests will now be routed through the WSO2 API Manager AI Gateway.

Use Case Examples

View API Analytics and Insights

By routing Gemini CLI requests through the WSO2 API Manager AI Gateway, you automatically gain access to built-in analytics and reporting capabilities.

WSO2 provides integrated analytics, powered by Moesif, and also supports integration with external tools such as the ELK stack (Elasticsearch, Logstash, Kibana) and Choreo Analytics.

For example, an admin could view token usage by user and application to identify overuse of AI agents.

[Screenshot: analytics token usage example]

For more information on Analytics, refer to the official WSO2 API Manager documentation.


Implement WSO2 AI Gateway Guardrails for Enhanced Control

WSO2 API Manager AI Gateway guardrails enable granular control over the data exchanged between Gemini CLI and the Google Gemini API.

By applying guardrails, you can enforce security and compliance policies.

For example, a PII Masking Regex Guardrail can be configured in the request flow to prevent Personally Identifiable Information (PII) from reaching the Google Gemini API. If a user submits a prompt containing PII, the guardrail evaluates the request against the defined patterns and redacts the matching values before the request reaches the Google Gemini API.

[Screenshot: Gemini CLI guardrail example]

For more information on AI Guardrails, refer to the official WSO2 API Manager documentation.


Rate limiting at AI Gateway

WSO2 API Manager AI Gateway supports request-based and token-based rate limiting for AI APIs. This allows you to control Gemini CLI usage when requests are routed through the Gateway.

For example, you can create an AI subscription policy with a limited request count or total token count, and apply it when subscribing to the Gemini API. Once Gemini CLI invokes the API through that subscription, the Gateway enforces the selected quota automatically. If the configured limit is exceeded, subsequent requests are throttled until the quota resets.

This helps control token consumption and avoid unexpected costs.

The following screenshot illustrates Gemini CLI operating under a minute-level token limit, where requests are delayed until the quota is refreshed.

[Screenshot: Gemini CLI rate limit example]

For more information on Rate Limiting, refer to the official WSO2 API Manager documentation.


Multi-Model Routing

WSO2 API Manager AI Gateway supports multi-model routing, allowing you to dynamically route requests to different AI models based on defined conditions or strategies.

This is useful when working with Gemini CLI in scenarios such as fallback handling, load balancing, or cost optimization. Instead of sending all requests to a single model, the Gateway can intelligently distribute or reroute requests across multiple endpoints.

For example, the following screenshot illustrates Gemini CLI being proxied through WSO2 API Manager AI Gateway, where the user explicitly requests the gemini-3.1-pro-preview model. Since this model has exceeded its usage limits, the request fails.

[Screenshot: Gemini CLI multi-model routing example 1]

With Multi-Model Routing configured using a Round Robin strategy across gemini-2.5-flash-lite and gemini-2.5-flash, the behavior changes. Even though Gemini CLI continues to request the gemini-3.1-pro-preview model, the AI Gateway dynamically routes the request to one of the available configured models. As a result, the request is successfully processed without requiring any changes on the client side.

[Screenshot: Gemini CLI multi-model routing example 2]

For more information on Multi-Model Routing, refer to the official WSO2 API Manager documentation.


Prompt Decorator

WSO2 API Manager AI Gateway supports Prompt Decorators, which allow you to modify or enrich prompts before they are sent to the backend AI provider. This is useful for enforcing consistent instructions, adding system-level context, or guiding model behavior without requiring changes in the client application.

As a simple example, you can configure a Prompt Decorator in the request flow to prepend a system instruction to all incoming prompts:

"You are operating behind an enterprise AI gateway. Follow these rules:\n1. Be concise and direct.\n2. Never output secrets, tokens, or credentials.\n3. When editing code, explain the change briefly.\n4. When unsure, state the assumption explicitly.\n5. At the end of every response, add the text: 'Routed through WSO2 AI Gateway'.\n\n"

Once configured, every request sent from Gemini CLI is automatically modified by the Gateway to include this instruction before being forwarded to the AI provider.


For more information on Prompt Management, refer to the official WSO2 API Manager documentation.