Skip to content

Add configurable upstream auth header handling#2

Open
jeeftor wants to merge 1 commit into
yatesdr:masterfrom
jeeftor:feature/configurable-upstream-auth
Open

Add configurable upstream auth header handling#2
jeeftor wants to merge 1 commit into
yatesdr:masterfrom
jeeftor:feature/configurable-upstream-auth

Conversation

@jeeftor

@jeeftor jeeftor commented Apr 24, 2026
edited
Loading

Copy link
Copy Markdown

Summary

This adds per-model upstream auth configuration so backends can receive a configured api_key either as:

  • Authorization: Bearer <api_key>
  • or <custom-header>: <api_key>

The default behavior remains unchanged for existing configs:

  • OpenAI-compatible backends default to Authorization: Bearer
  • Anthropic backends default to x-api-key with a raw key value

Config examples

Default bearer auth:

models:
  - name: gpt-4.1
    backend: https://api.openai.com/v1
    api_key: sk-your-key

Explicit bearer auth:

models:
  - name: openai-compatible
    backend: https://example.com/v1
    api_key: your-key
    auth_header_name: Authorization
    auth_scheme: bearer

Raw custom-header auth:

models:
  - name: custom-gateway
    backend: https://example.com/openai/v1
    api_key: your-key
    auth_header_name: x-provider-api-key
    auth_scheme: raw

Changes

  • add auth_header_name and auth_scheme model config fields
  • support auth_scheme values bearer and raw
  • centralize upstream auth header application
  • apply the same auth behavior across:
    • proxy forwarding
    • translated Responses requests
    • Messages requests
    • streaming paths
    • compact requests
    • count_tokens
    • health checks
    • context-window detection
    • internal vision subrequests
  • persist and round-trip the new fields in config save/admin paths
  • document the new config in config.yaml.example and docs/config-reference.md
  • add tests for default and custom auth behavior

Why

Some OpenAI-compatible backends expect API keys in a non-default header instead of Authorization: Bearer .... This change makes that configurable without duplicating secrets into arbitrary extra headers.

Backward compatibility

Existing configs continue to work unchanged.

Testing

  • go test ./internal/config ./internal/handler
  • focused go test ./internal/pipeline -run 'TestDescribeImage|TestProcessImage|TestDescribeImage_FallsBackToReasoningContent'

The broader internal/pipeline package still has unrelated environment-dependent PDF test failures.

Closes #1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

LiteLLM Proxy support

1 participant

@jeeftor