Add PASSTHROUGH_API_KEY option to forward incoming API keys

Author: jovermier

.env.example

@@ -29,6 +29,12 @@ OPENAI_BASE_URL="https://api.openai.com/v1"
 # BIG_MODEL="gemini-2.5-pro"
 # SMALL_MODEL="gemini-2.5-flash"
 
+# Optional: Pass through incoming API keys
+# When enabled, extracts API key from x-api-key or Authorization Bearer headers
+# and forwards it to upstream services instead of using static API keys above
+# Useful for multi-tenant environments with per-user quota tracking
+# PASSTHROUGH_API_KEY="false"
+
 # Example "just an Anthropic proxy" mode:
 # PREFERRED_PROVIDER="anthropic"
 # (BIG_MODEL and SMALL_MODEL are ignored in this mode)

README.md

@@ -45,6 +45,7 @@ A proxy server that lets you use Anthropic clients with Gemini, OpenAI, or Anthr
    *   `USE_VERTEX_AUTH` (Optional): Set to `true` to use Application Default Credentials (ADC) will be used (no static API key required). Note: when USE_VERTEX_AUTH=true, you must configure `VERTEX_PROJECT` and `VERTEX_LOCATION`.
    *   `VERTEX_PROJECT` (Optional): Your Google Cloud Project ID (Required if `PREFERRED_PROVIDER=google` and `USE_VERTEX_AUTH=true`).
    *   `VERTEX_LOCATION` (Optional): The Google Cloud region for Vertex AI (e.g., `us-central1`) (Required if `PREFERRED_PROVIDER=google` and `USE_VERTEX_AUTH=true`).
+   *   `PASSTHROUGH_API_KEY` (Optional): Set to `true` to extract API keys from incoming request headers (`x-api-key` or `Authorization Bearer`) and forward them to upstream services instead of using static API keys. Useful for multi-tenant environments with per-user quota tracking.
    *   `PREFERRED_PROVIDER` (Optional): Set to `openai` (default), `google`, or `anthropic`. This determines the primary backend for mapping `haiku`/`sonnet`.
    *   `BIG_MODEL` (Optional): The model to map `sonnet` requests to. Defaults to `gpt-4.1` (if `PREFERRED_PROVIDER=openai`) or `gemini-2.5-pro-preview-03-25`. Ignored when `PREFERRED_PROVIDER=anthropic`.
    *   `SMALL_MODEL` (Optional): The model to map `haiku` requests to. Defaults to `gpt-4.1-mini` (if `PREFERRED_PROVIDER=openai`) or `gemini-2.0-flash`. Ignored when `PREFERRED_PROVIDER=anthropic`.

server.py

@@ -92,6 +92,11 @@ def format(self, record):
 # Get OpenAI base URL from environment (if set)
 OPENAI_BASE_URL = os.environ.get("OPENAI_BASE_URL")
 
+# Option to pass through the incoming API key from request header to upstream
+# When enabled, the x-api-key or Authorization Bearer header from the incoming request is used instead of OPENAI_API_KEY
+# This enables per-user quota tracking when routing through a gateway
+PASSTHROUGH_API_KEY = os.environ.get("PASSTHROUGH_API_KEY", "False").lower() == "true"
+
 # Get preferred provider (default to openai)
 PREFERRED_PROVIDER = os.environ.get("PREFERRED_PROVIDER", "openai").lower()
 
@@ -1122,27 +1127,50 @@ async def create_message(
         # Convert Anthropic request to LiteLLM format
         litellm_request = convert_anthropic_to_litellm(request)
 
+        # Extract incoming API key from request header for passthrough mode
+        incoming_api_key = None
+        if PASSTHROUGH_API_KEY:
+            # Try x-api-key header first (Anthropic style), then Authorization Bearer
+            incoming_api_key = raw_request.headers.get("x-api-key")
+            if not incoming_api_key:
+                auth_header = raw_request.headers.get("authorization", "")
+                if auth_header.lower().startswith("bearer "):
+                    incoming_api_key = auth_header[7:]
+
+            # Basic validation - check if key is not empty and has reasonable length
+            if incoming_api_key and len(incoming_api_key.strip()) >= 10:
+                logger.debug("Passthrough mode: using API key from request header")
+            else:
+                incoming_api_key = None
+                logger.warning("Passthrough mode enabled but no API key found in request headers (expected x-api-key or Authorization Bearer)")
+
+        # Determine whether to use passthrough for logging consistency
+        use_passthrough = PASSTHROUGH_API_KEY and incoming_api_key
+
         # Determine which API key to use based on the model
         if request.model.startswith("openai/"):
-            litellm_request["api_key"] = OPENAI_API_KEY
+            # Use passthrough key if enabled, otherwise fall back to env var
+            litellm_request["api_key"] = incoming_api_key if use_passthrough else OPENAI_API_KEY
             # Use custom OpenAI base URL if configured
             if OPENAI_BASE_URL:
                 litellm_request["api_base"] = OPENAI_BASE_URL
-                logger.debug(f"Using OpenAI API key and custom base URL {OPENAI_BASE_URL} for model: {request.model}")
+                logger.debug(f"Using {'passthrough' if use_passthrough else 'OpenAI'} API key and custom base URL {OPENAI_BASE_URL} for model: {request.model}")
             else:
-                logger.debug(f"Using OpenAI API key for model: {request.model}")
+                logger.debug(f"Using {'passthrough' if use_passthrough else 'OpenAI'} API key for model: {request.model}")
         elif request.model.startswith("gemini/"):
             if USE_VERTEX_AUTH:
                 litellm_request["vertex_project"] = VERTEX_PROJECT
                 litellm_request["vertex_location"] = VERTEX_LOCATION
                 litellm_request["custom_llm_provider"] = "vertex_ai"
                 logger.debug(f"Using Gemini ADC with project={VERTEX_PROJECT}, location={VERTEX_LOCATION} and model: {request.model}")
             else:
-                litellm_request["api_key"] = GEMINI_API_KEY
-                logger.debug(f"Using Gemini API key for model: {request.model}")
+                # Use passthrough key if enabled, otherwise fall back to env var
+                litellm_request["api_key"] = incoming_api_key if use_passthrough else GEMINI_API_KEY
+                logger.debug(f"Using {'passthrough' if use_passthrough else 'Gemini'} API key for model: {request.model}")
         else:
-            litellm_request["api_key"] = ANTHROPIC_API_KEY
-            logger.debug(f"Using Anthropic API key for model: {request.model}")
+            # Use passthrough key if enabled, otherwise fall back to env var
+            litellm_request["api_key"] = incoming_api_key if use_passthrough else ANTHROPIC_API_KEY
+            logger.debug(f"Using {'passthrough' if use_passthrough else 'Anthropic'} API key for model: {request.model}")
 
         # For OpenAI models - modify request format to work with limitations
         if "openai" in litellm_request["model"] and "messages" in litellm_request: