Smartflow 1.6 released — Any-to-any provider routing, Trace UI, Prometheus /metrics, OIDC SSO dashboard config, 2 bug fixes. Read release notes →
Smartflow Enterprise · Dashboard Walkthroughs

Your Complete Dashboard User Guide

Step-by-step walkthroughs with visual mockups for every key task in the Smartflow Enterprise Dashboard.

SSO Setup User Management Policies Compliance Cache Trace Logs Troubleshooting
1 Overview 2 SSO Setup 3 Users 4 Policies 5 Compliance 6 Cache 7 Trace Logs
1

Dashboard Overview

The main dashboard gives you a live view of your AI gateway — traffic volume, cache performance, active models, and system health — all in one place.

https://your-domain/dashboard/
Smartflow
Dashboard Traces Cache Policies Users
Total Requests
1,247
↑ all time
Cache Hit Rate
68%
↑ 12% this week
Policy Blocks
43
guardrails active
Avg Latency
312ms
1,840ms saved / req

Recent Activity

last 50 requests
gpt-4o — 284ms  CACHED
user: alice@corp.com · 142 tokens
claude-3-5-sonnet — 1.2s  POLICY CHECKED
user: bob@corp.com · 510 tokens
gpt-4o-mini — blocked  BLOCKED
Policy: PII_DETECTION — SSN pattern found
gpt-4o — 198ms  LIVE
user: carol@corp.com · 88 tokens
Access the dashboard at https://your-domain/dashboard/ — replace with your configured Caddy domain.
i
Total Requests

All-time cumulative count — includes archived logs. Never decreases even as old logs rotate out of Redis.

i
Cache Hit Rate

Percentage of requests served from the 4-phase semantic cache. Higher is better — reduces cost and latency.

i
Policy Blocks

Requests stopped by guardrail policies — PII detection, jailbreak attempts, off-topic queries, etc.

2

SSO & Identity Setup

Connect Smartflow to your identity provider so users authenticate with their corporate credentials. Supports Entra ID (Azure AD), LDAP/Active Directory, and trusted proxy headers.

Before you start: Have your Entra ID Tenant ID, Client ID, and Client Secret ready. For LDAP, you need your LDAP server URL and a service account DN and password.
https://your-domain/dashboard/sso_config.html
SSO Not Configured — Users are authenticating with local passwords only.
Entra ID / Azure AD LDAP / Active Directory Proxy Headers Test Connection

Microsoft Entra ID (Azure AD)

Tenant ID
Client ID (App Registration)
Client Secret
Mode
1

Navigate to SSO Configuration

From the dashboard top nav, click Users → SSO Config, or go directly to /dashboard/sso_config.html. You'll see a status banner showing whether SSO is currently configured.

2

Select your identity provider tab

Choose Entra ID / Azure AD for Microsoft environments, LDAP for on-premise Active Directory, or Proxy Headers if your load balancer/IdP injects a user identity header (e.g. X-User-Email, X-Auth-User).

3

For Entra ID: enter Tenant ID, Client ID, and Client Secret

In Azure Portal → App registrations → your app → Overview: copy the Application (client) ID and Directory (tenant) ID. Under Certificates & secrets, create a new Client Secret and paste it here. The secret is stored encrypted — it is not shown after save.

4

For LDAP: provide server URL and bind credentials

Enter your LDAP URL (e.g. ldap://dc01.corp.com:389 or ldaps://dc01.corp.com:636), the Base DN for user search (e.g. DC=corp,DC=com), and a read-only service account Bind DN and password. Smartflow uses this account only to validate user lookups.

5

Click "Test Connection" before saving

The test attempts a lightweight bind or token validation to confirm credentials are correct. A green success banner means the IdP is reachable and credentials are valid. Fix any errors before enabling.

6

Save & Enable SSO

Click Save & Enable SSO. The status banner at the top of the page turns green. From this point, every API request that arrives with a valid SSO token or identity header will have the authenticated user's identity (user_id, email, groups) attached to their trace log entry — enabling per-user auditing and policy targeting.

Passthrough vs Enforce: Use Passthrough during rollout — requests without SSO still go through, but SSO identities are captured when present. Switch to Enforce once all clients are updated to send tokens, to require authentication for every request.
Proxy Header mode: Only use this if your IdP or load balancer injects the header before requests reach Smartflow, and that path is not accessible to untrusted clients. Otherwise users could spoof their identity.
3

Adding & Managing Users

Create virtual API keys and user accounts, assign roles, and control which users can access the Smartflow proxy and management dashboard.

https://your-domain/dashboard/admin_users.html

Users & API Keys

User / KeyRoleStatusLast Seen
alice@corp.com
sk-sf-a1b2c3…		 admin active 2m ago
bob@corp.com
sk-sf-d4e5f6…		 user active 1hr ago
ci-pipeline
sk-sf-g7h8i9…		 service active 5min ago
dave@corp.com
sk-sf-j1k2l3…		 user suspended 3d ago

Add New User

Email / Identifier
Role
Rate Limit (req/min)
1

Open Admin Users

Navigate to /dashboard/admin_users.html or click Admin → Users from the top nav. You must be logged in as an admin role to access this page.

2

Click "+ Add User" and fill in the form

Enter the user's email or identifier. Choose a role: admin (full dashboard access), user (proxy access only), service (for CI/CD or applications — no dashboard login), or readonly (can view traces and stats but not change settings).

3

Set a rate limit

The rate limit controls how many requests per minute this user's API key can send through the proxy. Default is 60/min. For service accounts running batch jobs, set this higher (e.g. 500). For end users on shared plans, keep it lower.

4

Copy the generated API key immediately

After clicking Create & Generate Key, the virtual key (format: sk-sf-xxxxxx…) is shown once. Copy it now and share it securely with the user. You cannot retrieve it again — only regenerate it.

5

Users send this key as their OpenAI API key

Users replace OPENAI_API_KEY in their application with the Smartflow virtual key, and replace the API base URL with your Smartflow proxy URL. No other code changes are needed — Smartflow is a drop-in.

Key Vault: For bulk key management, advanced expiry, and department-level grouping, visit /dashboard/key_vault.html. This page lets you issue keys in bulk, set expiry dates, and tag keys to specific policy groups.
4

Creating & Managing Policies

Policies (guardrails) define rules for what the AI proxy will allow, flag, or block. You can create topic restrictions, PII detection rules, jailbreak filters, and output moderation policies.

https://your-domain/dashboard/policy_perfect_manager.html
Active Policies
PII_DETECTION
Blocks SSN, credit card, passport numbers
block
TOPIC_RESTRICTION
Only allow questions about HR, benefits, company policy
flag
JAILBREAK_GUARD
Detects prompt injection and system override attempts
block
OUTPUT_FILTER
Redact PII from model responses
allow+redact

New Policy

Policy Name
Action
Description
Applies To
1

Open Policy Manager

Navigate to /dashboard/policy_perfect_manager.html. The left panel shows all existing policies with their current enabled/disabled toggle. Green toggle = active, grey = disabled.

2

Click "+ New Policy" and choose an action

Actions determine what happens when the policy triggers: block — reject the request with an explanation; flag — allow but log for review; allow+log — pass through silently; allow+redact — pass but strip matched patterns from the response.

3

Write your policy rule

In the Policy Editor, define what triggers the policy. You can use keyword lists, regex patterns, semantic similarity topics (e.g. "questions about competitors"), or combine multiple conditions with AND/OR logic. For PII detection, pre-built patterns like SSN, CREDIT_CARD, PASSPORT are available as one-click presets.

4

Set who it applies to

Policies can target all users, a specific role (e.g. user but not admin), a named group (synced from your SSO groups), or specific API keys. Leave as "All users" for organisation-wide policies.

5

Save and use the toggle to enable/disable

Click Save Policy. The policy is immediately active if the toggle is on. You can quickly disable any policy without deleting it using the toggle — useful for testing or temporarily suspending a rule.

Policy Perfect Library: The Policy Library tab contains pre-built policy templates for common use cases — HIPAA/PHI protection, FERPA student data, financial data (SOX), legal privilege, and more. Import a template and customise rather than starting from scratch.
Test before enforcing: Use the Compliance Test page (Section 5) to verify a policy catches what you expect before deploying it to production. A poorly-tuned policy can block legitimate requests.
5

Testing Compliance

The Compliance Test tool lets you send a sample prompt through the policy engine without making a real AI call — see exactly which policies fire, what action would be taken, and why.

https://your-domain/dashboard/intelligent_compliance.html

Compliance Test Sandbox

Test Prompt
Simulated User Role
Apply Policy Group
BLOCKED — 1 policy triggered
PII_DETECTION — SSN pattern matched: 123-45-6789
Action: block · Confidence: 98% · Rule: REGEX: \b\d{3}-\d{2}-\d{4}\b

Passing example

"What is our company's parental leave policy?"
ALLOWED — no policies triggered
All 3 active policies checked. No matches. Request would proceed to AI provider.
1

Open the Compliance Test page

Go to /dashboard/intelligent_compliance.html or /dashboard/compliance.html. The Intelligent Compliance page offers a richer test environment with policy reasoning; the basic Compliance page is faster for quick checks.

2

Type or paste a test prompt

Enter the exact text a user would send. For testing PII policies, include realistic fake data (made-up SSNs like 123-45-6789, fake card numbers, etc.). For topic restriction testing, try prompts that are clearly off-topic.

3

Select the simulated user role

If your policies apply differently by role (e.g. admins bypass topic restrictions), select the role to simulate. This ensures you're testing the exact policy stack that a real user in that role would experience.

4

Click "Run Compliance Check" and read the result

A green ALLOWED result means no policies triggered and the request would proceed. A red BLOCKED result shows exactly which policy triggered, what pattern matched, the confidence score, and the action taken.

5

Tune if you get unexpected results

If a prompt you expect to pass is blocked, click the policy name in the result to jump directly to that policy's editor. Adjust the sensitivity threshold, exclusion list, or rule conditions, then retest. Iterate until the policy behaves correctly.

Bulk testing: Use the API endpoint POST /api/compliance/test to run hundreds of test prompts programmatically as part of a CI pipeline — ensuring policy regressions are caught before deployment.
6

Monitoring the Cache

Smartflow's 4-phase semantic cache stores AI responses and serves identical or semantically similar queries instantly — reducing cost and latency. The Cache Stats page shows you exactly what's hitting and missing.

https://your-domain/dashboard/cache_stats.html
Hit Rate
68%
345 hits / 507 total
Cached Entries
1,842
in Redis L1
Tokens Saved
2.1M
≈ $42 saved
Avg Latency Saved
1,840ms
per cache hit

Cache Layers

L1 Exact Match42% of hits
L2 Semantic (BERT KNN)31% of hits
L3 Model Compression18% of hits
L4 Predictive Pre-cache9% of hits

Actions

Similarity Threshold
1

Open Cache Stats

Navigate to /dashboard/cache_stats.html. Stats refresh automatically every 30 seconds. The four headline cards show your overall hit rate, total entries, cumulative token savings, and average latency reduction per hit.

2

Understand the 4 cache layers

L1 Exact: Byte-identical query → instant hit. L2 Semantic: BERT embedding KNN finds similar-meaning queries above your similarity threshold. L3 Compression: Semantically compressed version of a past response. L4 Predictive: Pre-cached answers for anticipated follow-up questions.

3

Adjust the similarity threshold

The default is 0.88. Higher values (closer to 1.0) = more conservative matching, fewer false hits. Lower values = more aggressive matching, higher hit rate but risk of serving slightly off-target cached answers. For factual/technical queries, keep at 0.88–0.92. For creative tasks, lower to 0.80.

4

Flush the cache when needed

Use Flush All Cache after a major knowledge base update so stale answers aren't served. Flush by Model is useful when you upgrade to a new model version — clear only that model's cached responses. Flush by User clears a specific user's cached context if they report stale answers.

MCP Cache: If you use MCP tool servers, there is a separate MCP tool call cache visible at /dashboard/mcp_manager.html → Cache tab. This caches MCP tool results independently of AI responses.
7

Trace Logs & Troubleshooting

Every request that passes through the Smartflow proxy generates a trace log entry. This is your primary tool for debugging issues, auditing user activity, and investigating policy decisions.

https://your-domain/dashboard/traces.html
TimeUserModelStatusTokensLatencyPolicy
14:32:01 alice@corp gpt-4o BLOCKED 12ms PII_DETECTION
14:31:44 bob@corp claude-3-5-sonnet CACHED 342 8ms
14:31:22 carol@corp gpt-4o LIVE 1,204 2,140ms
14:30:58 dave@corp gpt-4o-mini FLAGGED 88 310ms TOPIC_RESTRICTION
Request Detail — alice@corp · 14:32:01
Request IDreq_a1b2c3d4e5f6
User Identityalice@corp.com (SSO: Entra ID)
Model Requestedgpt-4o
Final StatusBLOCKED
Policy TriggeredPII_DETECTION — SSN pattern (confidence: 98%)
Stage Reachedpre-flight policy check (never sent to AI)
Total Latency12ms (blocked before AI call)
IP Address10.0.1.42 (internal)
1

Open the Traces page

Navigate to /dashboard/traces.html. Requests appear in reverse chronological order. Each row shows the time, authenticated user, model, outcome status, token count, latency, and any triggered policy name.

2

Understand the status indicators

CACHED Served from cache — no AI call made, very fast.
LIVE Sent to AI provider — normal request.
BLOCKED Rejected by policy — never reached the AI.
FLAGGED Allowed through but logged for review.
ERROR Proxy error or upstream provider error.

3

Click any row to see the full detail panel

The detail panel shows the exact user identity (including SSO source), the request ID (use this for support tickets), which policy triggered and at what confidence, the processing stage where the request was stopped, and full latency breakdown across each stage.

4

Key things to look for when troubleshooting

User reports "request blocked": Filter by their email, find the blocked request, check which policy triggered and the matched content.

High latency complaints: Filter for LIVE requests, sort by latency descending — look for outliers over 5s. Check whether they're hitting a slow model or a routing misconfiguration.

Cache not working: Filter for requests from the affected user — if all show LIVE with no CACHED results, check the similarity threshold and ensure the cache is enabled for their policy group.

Wrong user identity shown: The SSO source is shown in the detail. If it shows "unknown" or missing, SSO is not configured or the client isn't sending the identity header.

5

Use search and filters to narrow results

The search bar accepts a user email, model name, request ID, or partial text. The status dropdown filters to a specific outcome. The time range selector defaults to last 24 hours — extend to "All time" to search historical logs (sourced from both Redis and MongoDB archive).

Common Issues & Fixes

Request blocked unexpectedly

  1. Find the trace in Traces page
  2. Note the policy name that triggered
  3. Go to Policy Manager → find that policy
  4. Check the confidence threshold — lower it if too aggressive
  5. Add the specific phrase to the policy's allowlist
  6. Retest with Compliance Tester

Cache not hitting despite identical questions

  1. Open Cache Stats → check Similarity Threshold
  2. Lower threshold from 0.88 to 0.82 and test
  3. Check if the user's policy group has cache disabled
  4. Verify Redis is healthy (green on Cache Stats page)
  5. Check REDIS_URL env var is set correctly in the proxy container

User shows as "unknown" in traces

  1. Open SSO Config → check if SSO is enabled (green banner)
  2. Confirm client is sending the Authorization: Bearer <token> header
  3. For proxy header mode: confirm header name matches config exactly
  4. Check proxy container logs for "SSO validation" errors
  5. Re-test SSO connection from SSO Config page

Dashboard shows 0 for Total Requests

  1. Hard-refresh the browser (Ctrl/Cmd + Shift + R)
  2. Open browser console → check for failed /api/vas/logs call
  3. Confirm REDIS_URL and MONGODB_URL env vars are set
  4. SSH to server → check docker logs smartflow-api-server
  5. Verify vas:total_all_time key exists in Redis
Server-side log check: When the dashboard doesn't show what you expect, always check the live container logs for the relevant service. Key commands:
# Check proxy logs (policy decisions, routing, cache hits) docker logs smartflow-proxy --tail 100 -f # Check api-server logs (VAS logs, dashboard API calls) docker logs smartflow-api-server --tail 100 -f # Check compliance engine logs docker logs smartflow-compliance --tail 100 -f # Check Redis directly — count VAS log index entries docker exec smartflow-redis redis-cli -a "$REDIS_PASSWORD" SCARD vas_log_indices # Check the all-time request counter docker exec smartflow-redis redis-cli -a "$REDIS_PASSWORD" GET vas:total_all_time # Verify health endpoint (confirms service is running) curl -s http://localhost:7778/api/health | python3 -m json.tool