Should I choose LiteLLM or OpenRouter for a production agent stack?

I'd choose LiteLLM when workloads are heavy on one or two providers and the team can operate a Python service. I'd choose OpenRouter when the team needs broad multi-provider access behind one key, no proxy to operate, and can accept the gateway as a sub-processor.

Does either tool keep prompt data on my own infrastructure?

No. LiteLLM still sends prompts to the chosen model provider, and OpenRouter sends them through its edge plus the underlying provider. If data truly cannot leave the building, the answer is self-hosted inference on vLLM or TGI with open-weight models, not a gateway.

Do multiple OpenRouter or LiteLLM keys multiply my upstream Anthropic rate limit?

No. Anthropic enforces rate limits at the organization level, so all keys under the same org share the same pool. A gateway can only route traffic to a different model or provider pool, not expand an org-scoped Anthropic limit.

Is LiteLLM actually free once deployed in production?

The package is free, but the real cost stack includes compute for the proxy, Postgres for keys and budgets, optional Redis for rate-limit coordination, observability infra, and engineer time for on-call rotation and version upgrades. None of that is captured in the zero-dollar PyPI install.

Can I rely on OpenRouter's automatic failover for production agents?

Only if the application can tolerate the fallback target being a different model or provider with different tool-call schemas, streaming behavior, and error taxonomies. Mid-stream failures, partial completions, and in-flight tool calls remain painful, and tool-call replay against a fallback assumes equivalence the vendor does not promise.

How should I pin a LiteLLM version for production?

Pin the PyPI stable version explicitly (for example litellm==1.83.13) and source the version number from PyPI's unsuffixed entry. The GitHub /releases/latest URL currently resolves to a -nightly tag, so PyPI is the stable source of truth, not the GitHub releases page.

When does adding a gateway layer hurt rather than help an Anthropic-only stack?

When the gateway-layer controls (centralized auth across providers, cross-team budget enforcement, unified logging, policy enforcement at the proxy) are not independently required. In that case the gateway just adds latency, a failure mode, and a sub-processor, and the Anthropic SDK with prompt caching and Workspaces is the better default.

LiteLLM vs OpenRouter: Which Wins for Production AI Agents (2026)

The actual choice in front of me in Q1 2026: my agent stack was hardcoded to Anthropic, I needed multi-provider fallback for a customer demo on a two-day deadline, and Sonnet rate-limit pressure during business hours had already burned one staging run. LiteLLM (self-hosted Python proxy) or OpenRouter (hosted gateway). I ended up running both, LiteLLM in the primary stack, OpenRouter as the disaster-recovery path. This is what each one is genuinely good at, where each one bit me, and the case where I would pick a third option entirely.

TL;DR verdict

I choose OpenRouter when the stack needs one API key, no proxy to operate, broad multi-provider model access (confirm the live catalog count at openrouter.ai/models before quoting a number), and the team can accept the gateway as a sub-processor for prompt data. "No proxy to operate" is the right framing, not "no infra": the operator still owns client integration, key custody, network egress, retry and timeout policy, observability ingestion, and the security review covering OpenRouter plus the underlying model provider. I choose LiteLLM when prompts must flow only between the operator's VPC and the chosen model provider, the team can operate a Python service, and fine-grained per-key budgeting matters. The biggest hidden tradeoff: both still send prompts to the underlying model provider. Neither makes data "stay on your infrastructure" in any meaningful sense.

Operational comparison: data path, cost, governance, failover, observability, lock-in

Dimension	LiteLLM	OpenRouter
Deployment	Self-hosted (PyPI `litellm==1.83.13`, released April 24, 2026, verified)	Hosted SaaS, no install
Where prompts flow	From the operator, through the LiteLLM proxy, to the model provider. In any real deployment, also through whatever the proxy is wired to: proxy access logs, the budget/keys Postgres, Redis if rate-limit coordination is on, callbacks (Langfuse, OTel exporters, Helicone), backups, and the cloud account hosting the proxy	From the operator, through the OpenRouter edge, to the underlying provider
Sub-processors	The model provider, plus every system the proxy is wired to (cloud host, log store, Postgres, Redis, observability backend, backup target)	OpenRouter, plus the underlying model provider
Auth model	One unified API exposed by the proxy; the operator holds every provider key	Single OpenRouter key fans out to all providers
Model coverage	Whatever providers the operator wires up	Multi-provider catalog. I verify live counts against openrouter.ai/models before quoting a number
Pricing	Free OSS; the operator pays infra plus provider passthrough	Provider price shown by OpenRouter; the public page does not state one fixed surcharge, so I measure the invoice spread against my own provider invoices
Per-key budgets	Yes, native via the LiteLLM proxy's budget store (Postgres-backed). Caveats: budget state lives in Postgres, so multi-replica proxies need a shared DB or budgets diverge; if Redis is enabled it becomes a hot-path dependency too; budget checks are synchronous on the request path. Pin behavior against the current LiteLLM proxy budget docs	Yes, on Enterprise: "Set per-key credit limits with automatic daily, weekly, or monthly resets. Track usage in real-time and prevent unexpected spending." (verified)
ZDR (zero data retention)	Inherited from the chosen provider's settings, with the caveat that proxy logs, budget records, and callback exporters can still retain prompt or metadata unless each is configured for zero retention too	Single-click ZDR routing; "Route requests exclusively to providers with zero data retention policies" (verified)
Compliance posture	Inherited from the model provider for the model call itself, but the operator owns the controls on every other surface the proxy touches	"GDPR compatible, SOC-2 compliant" plus EU region locking (verified)
SLA	End-to-end availability is the proxy's own uptime, the upstream provider's availability, and the proxy's hard dependencies (Postgres, Redis, observability exporter) multiplied together	"OpenRouter is committed to being accretive to your uptime", no explicit % stated (verified)
Lock-in surfaces	API surface (LiteLLM-flavoured OpenAI-compatible request shape), `config.yaml` schema, budget DB schema in Postgres, callback wiring	OpenRouter-specific model slugs (e.g. `anthropic/claude-sonnet-4.6`), `HTTP-Referer` and `X-OpenRouter-Title` attribution headers, Enterprise observability and budget wiring
Failover	Whatever the operator builds into the proxy	"Edge deployed, with automatic failover for best-in-class uptime. With 50+ cloud providers at your back." (verified)
Observability	Operator-owned. The setup exercised in the companion repo is local Postgres logging plus a Langfuse callback	Unified reporting, "View and export all API requests across all users." (verified), plus trace broadcasting: "Broadcast traces to Langfuse, Datadog, Braintrust, and more. Monitor token usage, costs, and latency across all your AI requests." (verified)

Pricing reality

OpenRouter charges the underlying model price, plus whatever spread shows up between provider wholesale and the operator invoice. For Claude Sonnet 4.6 today, that's $3/M input tokens and $15/M output tokens (verified 2026-04-25), identical headline numbers to Claude Sonnet 4.5, also $3/M input tokens and $15/M output tokens (verified). Both expose a 1,000,000-token context window through OpenRouter. No public fixed surcharge was verified on a pricing page, so this page treats the invoice spread as a measured variable. If the spread matters to unit economics, measure it against actual invoices before committing.

LiteLLM is free as an open-source Python package. The real cost stack:

Compute to run the proxy. Sizing depends on sustained RPS, concurrent streaming connections, retry and fallback amplification, async logging throughput, Postgres and Redis round-trip latency for per-key budget checks, and the CPU cost of JSON parsing plus token accounting on every request. I size from a measured load test, then add headroom for failover scenarios where one upstream provider goes slow and connection counts spike.
Postgres for keys/budgets, plus Redis if rate-limit coordination is enabled.
LiteLLM OSS does not add a per-token gateway markup; effective cost still includes provider billing, retries and fallbacks, infra, storage, and egress. Hosted LiteLLM Cloud offerings have their own pricing.
Engineer time to operate it.

The arithmetic where OpenRouter wins is small-volume, multi-model workloads where standing up a proxy is more expensive than whatever spread shows up on invoices. The arithmetic where LiteLLM wins is high-volume single- or dual-provider stacks: any per-token gateway margin that gets bypassed becomes (margin_per_token × monthly_tokens) of cost retained. The calculation needs the measured spread and monthly token volume, run against the verified $3/M input tokens and $15/M output tokens Sonnet 4.6 prices.

Hidden cost on OpenRouter: most enterprise governance features (org SSO, programmatic API key management, ZDR routing, SOC-2 controls, EU region locking, trace broadcasting) sit behind the Enterprise tier. Named integration partners include Datadog, Langfuse, Weave, and S3 (verified), but the page lists the controls without publishing a price. If those controls are required, the evaluation becomes a sales-led enterprise evaluation rather than self-serve signup.

Hidden cost on LiteLLM: nothing about the package, but operators are now running a piece of infrastructure that sits in the critical path of every model call. PagerDuty rotation, on-call response, version upgrades. The PyPI versioning convention is worth knowing: pre-release tags like 1.83.13.dev1 carry the pre-release label, while the unsuffixed version is stable (verified). I pin exact production versions and avoid latest. The GitHub /releases/latest URL currently resolves to a -nightly tag (v1.83.13-nightly as of 2026-04-25, verified), so I treat PyPI as the stable source of truth.

Where OpenRouter wins

Broad model access behind one key. OpenRouter exposes a multi-provider catalog through a single key and a single slug format. In my stack, wiring the provider matrix directly was multi-day work because auth, streaming, and tool-call normalization all had to be tested per provider. With OpenRouter, the first integration against a new model collapses to a slug/config change. Production promotion is a separate gate. Before any new model goes live in an agent loop, I still validate tool-call argument shape and parallel-tool behavior, streaming delta format and stop-reason semantics, error taxonomy and retryability classification, p50/p95 latency under the agent's actual prompt distribution, rate-limit headers and backoff behavior, and the billing line items on a real invoice. OpenRouter shortens the wiring; it does not shorten the per-model validation matrix.
Managed failover, with caveats. OpenRouter advertises "automatic failover for best-in-class uptime" across "50+ cloud providers" (verified). Useful, but read the failure semantics carefully. Failover only helps if the application can tolerate the fallback target being a different model or provider, with different tool-call schemas, different streaming behavior, and different rate-limit and error taxonomies. Mid-stream failures, partial completions, and in-flight tool calls are the painful cases: any retry has to be idempotent at the agent layer, and tool-call replay against a fallback model assumes equivalence the vendor does not promise.
Compliance signing without operating the gateway. SOC-2, GDPR compatibility, EU region locking, and a DPA are on offer (verified), which moves some control evidence from "build it yourself" to vendor diligence. The remaining security-review work does not disappear: sub-processor enumeration, DPA and SOC-2 report review, ZDR routing verification, data-residency terms, retention and logging posture across providers, incident-notification commitments, and the SLA gap (no published uptime percentage) all still land on the security team.
Low-volume small-team workloads. One operator, no SRE rotation, prompt volume that does not justify a proxy: the spread against measured provider invoices is cheaper than the engineering and on-call time to operate LiteLLM.
Multi-provider model evaluation. Switching slugs gives a cleaner first-pass comparison because the request shape, auth, and slug format are uniform: anthropic/claude-sonnet-4.6 and anthropic/claude-sonnet-4.5 (verified, verified). A first pass is not a billing comparison. Production cost comparisons require identical prompts replayed to each candidate, captured usage including cached-token treatment and output length normalization, retry and fallback events accounted for separately, and reconciliation of OpenRouter line items against the provider's own invoice. The slug switch removes the integration friction; the reconciliation work remains.

Where LiteLLM wins

One or two providers at scale. LiteLLM OSS adds no per-token gateway margin, but total cost still includes infra, retries and fallbacks, storage, and operations. The proxy has a fixed baseline cost plus workload-scaled capacity cost: streaming connection count, Postgres and Redis round-trips, callback exporter throughput, and JSON parsing all scale with request volume and concurrency. At heavy single- or dual-provider volume the bypassed margin compounds linearly while the workload-scaled portion of the proxy footprint grows sub-linearly with batching and connection reuse, which is where the math starts to favour self-hosting. Anchor any sizing decision to a measured load test.
No third-party gateway transit. With LiteLLM in the operator's VPC, OpenRouter drops out of the sub-processor list as a gateway hop. The list does not collapse to one entry: the model provider remains a sub-processor, and the proxy itself drags in everything it is wired to (cloud account, proxy access logs, Postgres, Redis, callback exporters, backups). Each of those processes prompt content or prompt metadata and belongs in the DPA. The win over OpenRouter is removing the gateway as a counterparty, not removing sub-processors as a category.
Custom routing control. The LiteLLM proxy router exposes retry, fallback, and load-balancing as declarative config, but the keys live in two different namespaces and that distinction matters when writing config.yaml. Routing and request-level retry knobs sit under router_settings: routing_strategy, num_retries, and timeout. Provider cooldown behaviour sits under litellm_settings: allowed_fails and cooldown_time. Per-model fallbacks lists are configured alongside the model definitions. For anything beyond the declarative surface, the CustomRouter Python extension point lets operators subclass and inject their own selection logic. See the LiteLLM proxy reliability docs at https://docs.litellm.ai/docs/proxy/reliability and the companion repo at https://github.com/MPIsaac-Per/agentinfra-examples for a working config.yaml plus a custom router stub.
Owned observability, with the operational weight that comes with ownership. LiteLLM wires directly to Langfuse, OTel, or operator-managed Postgres logging tables with no reliance on a gateway's broadcast partners. The flip side is that every reliability, privacy, and cost property of that pipeline is now operator-owned: callback or exporter outages have to fail without taking the request path with them, queue backpressure needs a bounded buffer and a drop policy, payload redaction has to happen before data leaves the proxy, sampling rates and retention windows need explicit configuration, and the sink itself becomes another piece of infra on the on-call rotation.
Gateway-layer vendor-risk reduction, framed as exit optionality not cost certainty. OSS code in the operator's repo, in operator infra, on the operator's dependency lockfile. If the upstream project stalls, forking is possible, and that preserves an escape hatch a hosted gateway does not. The honest framing: forking transfers maintenance and security ownership to the operator (CVE patching, keeping pace with provider API drift, running CI and releases, owning incident response), and that ongoing maintenance bill has to be compared against the one-time cost of migrating off a hosted gateway. With OSS the operator gets to make the call; with a hosted gateway that has been sunset, the migration is the only option and the timeline belongs to the vendor.

Where neither wins, pick something else

For Anthropic-only shops running Claude Code or production agents through Anthropic's API directly. Adding a gateway layer adds latency, a failure mode, and a sub-processor for negligible benefit. Use the Anthropic SDK directly when the stack is single-provider, with prompt caching wired in and validated against the agent's actual prompt distribution, and Workspaces configured for per-team budgeting. Anthropic enforces rate limits at the organization level, and "Rate limits are applied separately for each model" (verified). Workspaces partition spend and rate governance below the org ceiling, they do not add capacity. Per the same docs, "Organization-wide limits always apply, even if Workspace limits add up to more" (verified). If the hope was that a gateway would unlock more upstream throughput, that is a different problem and neither Workspaces nor a gateway solves it.
For true on-prem inference. Both LiteLLM and OpenRouter still call out to a hosted model provider in the common case. For data-can-never-leave-the-building requirements, the answer is vLLM or TGI on operator-owned GPUs with an open-weight model.
For BYOK to OpenAI plus Anthropic as the only requirement. Portkey and Helicone are worth evaluating as alternatives. I evaluate them only when BYOK observability is the primary requirement; I do not treat either as the default replacement without scoring observability depth, pricing model, supported providers, self-host option, data-retention posture, and exit cost against LiteLLM and OpenRouter on the same axes.

Operational gotchas

1. "Multiple API keys" does not multiply the Anthropic rate limit. A common mistake when operators use OpenRouter or LiteLLM for fan-out: they assume creating N keys gives N× the upstream provider's rate limit. It does not. For Anthropic specifically, "Limits are set at the organization level" and "The API enforces service-configured limits at the organization level, but you may also set user-configurable limits for your organization's workspaces" (verified). All keys under the same org share the same pool. A gateway cannot increase an organization-scoped Anthropic rate-limit pool; it can only route traffic to a different model or provider pool. If the bottleneck is a provider rate limit, the gateway does not fix it. Multi-provider routing does.

2. The OpenRouter app-attribution headers are a quiet lock-in vector when they leak past the adapter. OpenRouter requires HTTP-Referer for app attribution: per the docs, it is required, and without it no app page is created and usage does not appear in rankings. For localhost development, "Apps using localhost URLs must also include X-OpenRouter-Title to be tracked." X-Title "is still supported for backwards compatibility." None of these headers exist in the underlying provider APIs. Kept encapsulated in a single client wrapper, swapping providers is a one-file change. The lock-in bites when those header names spread past the abstraction into route handlers, agent code, or per-feature instrumentation. Centralize the OpenRouter-specific bits in one adapter from day one.

3. LiteLLM's GitHub /releases/latest resolves to a nightly, not a stable release. I got bitten by this once. To pick a version for a Dockerfile, I opened https://github.com/BerriAI/litellm/releases/latest, copied the tag it resolved to (v1.83.13-nightly), and tried to pin that string in the image. That is not a valid PyPI version. The production rule I use now: pin the PyPI stable version explicitly (litellm==1.83.13, released April 24, 2026, verified), source the version number from PyPI (the unsuffixed entry), and use https://github.com/BerriAI/litellm/releases/tag/{version} for change-review reading rather than /releases/latest. As of 2026-04-25 the /latest URL still resolves to v1.83.13-nightly (verified).

4. "Data doesn't leave your infrastructure" is wrong for both. This claim gets repeated about LiteLLM and it is not true. With LiteLLM, prompts leave the operator's VPC and go to the chosen model provider, and that provider is a sub-processor under any privacy framework. With OpenRouter, prompts traverse OpenRouter's edge plus the model provider, so that is two sub-processors. ZDR is a real and useful feature ("Your prompts are never logged or used for training", verified), but it is a retention guarantee, not a residency one. Any DPA needs to enumerate sub-processors honestly.

5. OpenRouter has no published uptime SLA percentage. The Enterprise page commits only that "OpenRouter is committed to being accretive to your uptime" (verified). No 99.9% figure appears on the public page. Operators that need a contractual uptime number have to take that to a sales conversation.

Decision tree

Heavy monthly token volume against one or two providers, with measured invoice spread that exceeds the fully loaded proxy cost? Choose LiteLLM. The inputs needed: the spread measured against actual provider invoices for the model mix in use (anchored to the verified $3/M input tokens and $15/M output tokens Sonnet 4.6 prices, verified), the fully loaded cost of operating the proxy, and the monthly token volume the spread is being applied to. If (measured_spread × monthly_tokens) > fully_loaded_proxy_cost, LiteLLM pays for itself. Otherwise it does not.
Zero ops capacity and a need for broad multi-provider model access behind one key by tomorrow? Use OpenRouter for the demo path, then re-evaluate before production promotion.
Does the security review require enumerating every sub-processor that touches a prompt? LiteLLM can shorten the gateway path, but the sub-processor list still includes the model provider and any cloud, database, logging, backup, or observability systems that process prompt data. OpenRouter adds itself plus the model provider, plus any observability partners wired into trace broadcasting.
Need SOC-2 plus GDPR plus EU region locking on the gateway layer without building it? OpenRouter Enterprise (verified). Get the price quote first.
Anthropic-only stack? Default to the Anthropic SDK directly with prompt caching and Workspaces. Anthropic enforces limits at the organization level (verified), so workspace sub-limits give per-team budgeting below the org ceiling. The gateway adds a hop, so keep it only if the gateway-layer controls (centralized auth across providers, cross-team budget enforcement, unified logging, policy enforcement at the proxy) are independently required.

My honest call

If forced to pick today for a generic production agent stack, I'd choose LiteLLM, but only because my workloads are heavy on one or two providers and I have someone who can operate a Python service. I won't put a token-per-month threshold on where the call flips. I don't have a published OpenRouter surcharge to anchor the math, and the real break-even depends on three operator-specific numbers: the spread measured against actual provider invoices, the fully-loaded cost of running the proxy, and the engineer-hours otherwise spent wiring providers directly. The shape of the tradeoff: as monthly spend on one or two providers grows, the bypassed gateway margin compounds linearly while proxy infra cost stays roughly flat, so at some volume the proxy pays for itself. Below that volume, the markup is the cheapest engineer-hour available, and OpenRouter wins on time-to-first-call.

The case where I'd reverse the call regardless of volume: a small team launching fast, needing breadth of model choice, and willing to accept OpenRouter as a sub-processor. The markup buys days of integration work and a managed failover story operators would otherwise build themselves.

The wrong reason to pick either: "I want my data to stay on my infrastructure." Neither tool delivers that. That requirement points to self-hosted inference on vLLM or TGI, and it is a separate evaluation entirely: model quality against an open-weight checkpoint, GPU capacity planning and reservation costs, the serving stack, license review on the chosen weights, and a 24/7 operations posture for the inference tier. Score that as its own decision against its own criteria.