Browse docs
--- title: "Workflows" description: "How workflow matching works, including user_path-first precedence and provider-name scoping." icon: "workflow" ---
Overview
Workflows are immutable workflow-policy versions stored in the gateway and matched per request.
They currently control gateway-owned behavior such as:
- cache
- audit logging
- usage tracking
- guardrails
- translated-route fallback
- budgets (Enterprise-gated; see Budgets)
Each request matches exactly one active workflow.
Scope Fields
Workflow scope is defined by these fields:
scope_provider_namescope_modelscope_user_path
scope_provider_name is the configured provider instance name, not the provider type.
Examples:
- provider type:
openai - provider name:
openai_primary
If you have multiple configured providers of the same type, workflows can target them independently by provider name.
Matching Precedence
Workflow matching is user-path first.
For a request with user_path=/team/team1/user, the gateway checks path-scoped candidates from deepest to root first:
provider_name + model + /team/team1/userprovider_name + /team/team1/user/team/team1/userprovider_name + model + /team/team1provider_name + /team/team1/team/team1provider_name + model + /teamprovider_name + /team/teamprovider_name + model + /provider_name + //provider_name + modelprovider_nameglobal
In practice:
- a deeper
user_pathworkflow beats a broader provider-only or provider+model workflow - within the same path depth, provider+model is more specific than provider-only
- if no path-scoped workflow matches, the gateway falls back to provider+model, then provider, then global
Examples
Path Inheritance
If you have:
- workflow A:
scope_user_path=/team - workflow B:
scope_user_path=/team/team1
and the API key uses user_path=/team/team1/user, workflow B wins.
If workflow B does not exist, workflow A wins.
Provider-Name Scoping
If you have two OpenAI providers:
openai_primaryopenai_backup
you can create separate workflows for:
scope_provider_name=openai_primaryscope_provider_name=openai_backup
Even though both have provider type openai, they are different workflow scopes.
API Example
Use the dashboard at Workflows for manual policy changes. Use the admin API when your deployment system needs to create or deactivate workflow policies.
For endpoint reference see the Admin API section.
Create a workflow scoped to one configured provider name, one real model ID, and one user-path subtree:
curl -X POST http://your-aurora-host/admin/api/v1/workflows \
-H "Authorization: Bearer $AURORA_MASTER_KEY" \
-H "Content-Type: application/json" \
-d '{
"scope_provider_name": "openai_primary",
"scope_model": "<model id from /admin/api/v1/models>",
"scope_user_path": "/team/alpha",
"name": "team-alpha-openai-primary",
"description": "Disable cache for this user path on the primary OpenAI provider",
"workflow_payload": {
"schema_version": 1,
"features": {
"cache": false,
"budget": true,
"audit": true,
"usage": true,
"guardrails": false,
"fallback": true
},
"guardrails": []
}
}'Notes
scope_modelrequiresscope_provider_namescope_user_pathis normalized to canonical slash form- managed API keys can override the request
X-aurora-User-Path; workflow matching uses the effective request user path - budget enforcement runs only in Enterprise profiles with the global budget feature enabled and the matched workflow's
budgetfeature set totrue; see Enterprise Overview