comparison
AgentKit Cloud vs AIProxy
AIProxy protects your provider key behind a proxy. AgentKit Cloud does that and runs the rest of the production layer: end-user identity, a hard per-user spend cap so one user cannot run up your bill, the agent loop, and tiers bound to RevenueCat that route free and paying users to different models.
AIProxy is a proxy that keeps AI provider keys out of mobile apps using split-key plus DeviceCheck.
| AgentKit Cloud | AIProxy | |
|---|---|---|
| Model providers | Anthropic, OpenAI, Gemini, and Apple on-device | Forwards to the providers you call |
| Provider keys off the device | Encrypted server-side; the app ships a publishable key | Keeps keys off the device |
| End-user identity verified per request | A JWT from your trusted issuer, checked every request | Device checks, not an end-user JWT |
| Hard spend cap per user | A hard ceiling per user and per project. Hit it, requests stop. | Per-device rate limits, not per user |
| Subscription-tier model routing | Bind tiers to RevenueCat entitlements | Not provided |
| Change models without an app update | Name a tier; remap it server-side | Server model overrides, no tier system |
| On-device option | Apple Foundation Models on-device, cloud when needed | Cloud only |
| In-app agent loop with tools, guards, undo | Runs in your app with guards, undo, and run limits | Swift clients, no agent loop |
| Device attestation | Optional App Attest binds requests to real devices | DeviceCheck, not App Attest |
| Backend to build and maintain | None. AgentKit Cloud is the backend. | Proxy only; build the rest yourself |
Beyond key protection
Keeping the key off the device is the start. AgentKit also verifies the end user and caps spend per user.
Tiers and entitlements
Map tiers to models and bind them to RevenueCat entitlements, so free and paying users route differently.
An agent SDK, not just clients
Tools, guards, undo, and run limits run in your app, beyond forwarding a request to a provider.