feat: add allow-byok option for ai-gateway (#24274)

## Summary
Adds `--ai-gateway-allow-byok` deployment option to control whether
users can use Bring Your Own Key (BYOK) mode with AI Gateway.
When disabled (`--ai-gateway-allow-byok=false`), BYOK requests are
rejected with a 403 and a message directing the admin to enable the
flag. Centralized key authentication works regardless of this setting.
Defaults to `true` (BYOK allowed).

---------

Co-authored-by: Danny Kopping <danny@coder.com>
Yevhenii Shcherbina
2026-04-15 14:16:49 -04:00
committed by GitHub
parent dd7397b42e
commit dd73ea54bd
13 changed files with 164 additions and 0 deletions
+1
@@ -179,6 +179,7 @@ curl -X GET http://coder-server:8080/api/v2/deployment/config \
"upstream_proxy_ca": "string"
},
"bridge": {
"allow_byok": true,
"anthropic": {
"base_url": "string",
"key": "string"
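Review bot: the new `"allow_byok": true` key under `"bridge"` does not share a name with the `--ai-gateway-allow-byok` flag from the commit message, so an admin who gets the 403 and then checks `/api/v2/deployment/config` has to know that `bridge` and AI Gateway refer to the same component. Suggest naming the flag in the field's description so the two can be matched from the API docs alone.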
+5
@@ -431,6 +431,7 @@
```json
{
"allow_byok": true,
"anthropic": {
"base_url": "string",
"key": "string"
@@ -476,6 +477,7 @@
| Name | Type | Required | Restrictions | Description |
|-------------------------------------|-----------------------------------------------------------------------------|----------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `allow_byok` | boolean | false | | |
| `anthropic` | [codersdk.AIBridgeAnthropicConfig](#codersdkaibridgeanthropicconfig) | false | | Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead. |
| `bedrock` | [codersdk.AIBridgeBedrockConfig](#codersdkaibridgebedrockconfig) | false | | Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead. |
| `circuit_breaker_enabled` | boolean | false | | Circuit breaker protects against cascading failures from upstream AI provider rate limits (429, 503, 529 overloaded). |
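Review bot: the `allow_byok` row has an empty Description cell, while the rows below it each carry one. This setting decides whether user-supplied provider keys are accepted, so the description should state the behaviour given in the commit message: when false, BYOK requests are rejected with a 403, centralized key authentication is unaffected, and the default is `true`. If this table is generated, the fix belongs in the doc comment on the source field rather than in this file.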
@@ -1245,6 +1247,7 @@
"upstream_proxy_ca": "string"
},
"bridge": {
"allow_byok": true,
"anthropic": {
"base_url": "string",
"key": "string"
@@ -3279,6 +3282,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
"upstream_proxy_ca": "string"
},
"bridge": {
"allow_byok": true,
"anthropic": {
"base_url": "string",
"key": "string"
@@ -3868,6 +3872,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
"upstream_proxy_ca": "string"
},
"bridge": {
"allow_byok": true,
"anthropic": {
"base_url": "string",
"key": "string"