feat: add allow-byok option for ai-gateway (#24274)

## Summary
Adds `--ai-gateway-allow-byok` deployment option to control whether
users can use Bring Your Own Key (BYOK) mode with AI Gateway.
When disabled (`--ai-gateway-allow-byok=false`), BYOK requests are
rejected with a 403 and a message directing the admin to enable the
flag. Centralized key authentication works regardless of this setting.
Defaults to `true` (BYOK allowed).

---------

Co-authored-by: Danny Kopping <danny@coder.com>
Yevhenii Shcherbina
2026-04-15 14:16:49 -04:00
committed by GitHub
parent dd7397b42e
commit dd73ea54bd
13 changed files with 164 additions and 0 deletions
+1
@@ -179,6 +179,7 @@ curl -X GET http://coder-server:8080/api/v2/deployment/config \
"upstream_proxy_ca": "string"
},
"bridge": {
"allow_byok": true,
"anthropic": {
"base_url": "string",
"key": "string"
+5
@@ -431,6 +431,7 @@
```json
{
"allow_byok": true,
"anthropic": {
"base_url": "string",
"key": "string"
@@ -476,6 +477,7 @@
| Name | Type | Required | Restrictions | Description |
|-------------------------------------|-----------------------------------------------------------------------------|----------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `allow_byok` | boolean | false | | |
| `anthropic` | [codersdk.AIBridgeAnthropicConfig](#codersdkaibridgeanthropicconfig) | false | | Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead. |
| `bedrock` | [codersdk.AIBridgeBedrockConfig](#codersdkaibridgebedrockconfig) | false | | Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead. |
| `circuit_breaker_enabled` | boolean | false | | Circuit breaker protects against cascading failures from upstream AI provider rate limits (429, 503, 529 overloaded). |
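Review bot: the new `allow_byok` row in this schema table has an empty Description cell, while the adjacent `circuit_breaker_enabled` row carries one and the CLI reference hunk in this same commit already has suitable wording ("Allow users to provide their own LLM API keys or subscriptions. When disabled, only centralized key authentication is permitted."). If this table is generated from the codersdk struct, add that text as a doc comment on the corresponding field so the API reference and the CLI reference describe the option consistently; admins reading the deployment config API should not have to cross-reference the CLI docs to learn that `false` rejects BYOK requests.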
@@ -1245,6 +1247,7 @@
"upstream_proxy_ca": "string"
},
"bridge": {
"allow_byok": true,
"anthropic": {
"base_url": "string",
"key": "string"
@@ -3279,6 +3282,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
"upstream_proxy_ca": "string"
},
"bridge": {
"allow_byok": true,
"anthropic": {
"base_url": "string",
"key": "string"
@@ -3868,6 +3872,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
"upstream_proxy_ca": "string"
},
"bridge": {
"allow_byok": true,
"anthropic": {
"base_url": "string",
"key": "string"
+11
@@ -1879,6 +1879,17 @@ Emit structured logs for AI Bridge interception records. Use this for exporting
Once enabled, extra headers will be added to upstream requests to identify the user (actor) making requests to AI Bridge. This is only needed if you are using a proxy between AI Bridge and an upstream AI provider. This will send X-Ai-Bridge-Actor-Id (the ID of the user making the request) and X-Ai-Bridge-Actor-Metadata-Username (their username).
### --aibridge-allow-byok
| | |
|-------------|-----------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AIBRIDGE_ALLOW_BYOK</code> |
| YAML | <code>aibridge.allow_byok</code> |
| Default | <code>true</code> |
Allow users to provide their own LLM API keys or subscriptions. When disabled, only centralized key authentication is permitted.
### --aibridge-circuit-breaker-enabled
| | |
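Review bot: the flag documented here is `--aibridge-allow-byok` with environment variable `$CODER_AIBRIDGE_ALLOW_BYOK` and YAML key `aibridge.allow_byok`, but the commit summary refers to it as `--ai-gateway-allow-byok`; align the summary with the documented name so operators searching release notes find the right flag. The description would also benefit from two points already stated in the summary: that the default of `true` leaves BYOK enabled on existing deployments, so an admin who wants centralized key authentication only must set `CODER_AIBRIDGE_ALLOW_BYOK=false` explicitly, and that BYOK requests made while it is disabled are rejected with a 403 and a message pointing the admin at this flag.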