
Bitropy patches on v1.82.3-stable: passthrough credential priority + header security#2

Open
pkieszcz wants to merge 2 commits into v1.82.3-stable-base from bitropy/v1.82.3-stable-patched

Conversation

@pkieszcz

What this is

2 patches on top of upstream v1.82.3-stable that fix the Anthropic passthrough endpoint for Claude Code Max (OAuth) and BYOK scenarios.

This PR shows exactly what we changed — only 2 files, 2 commits.

Full documentation: PASSTHROUGH_PATCHES.md

Patches

1. Strip x-litellm-api-key from forwarded headers (security)

File: litellm/passthrough/utils.py (+1 line)

Without this, the x-litellm-api-key proxy auth header is forwarded to Anthropic, leaking credentials.

Upstream PR: BerriAI#20432 (open, unreviewed since Feb 2026)

2. Credential priority for Anthropic passthrough (critical)

File: litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py (+19/-6 lines)

The upstream code always sends x-api-key: "{}".format(anthropic_api_key) as a custom header, which:

  • Sends literal x-api-key: None when no server ANTHROPIC_API_KEY is set
  • Overwrites client-provided credentials (OAuth tokens, BYOK keys) even when server key IS set

New behavior (credential priority):

Client sends              Server has key   Result
OAuth token (Claude Max)  Any              Client pays (Max subscription)
Own x-api-key (BYOK)      Any              Client pays (own API key)
Nothing                   Yes              Company pays (server key)
Nothing                   No               No credentials (Anthropic rejects)

Background

Testing

Tested locally on v1.82.4 (main-stable) with header inspection (request catcher) and real Anthropic API:

  • ✅ Claude Code Max (OAuth) passthrough
  • ✅ BYOK (client x-api-key) passthrough
  • ✅ Mixed mode (server key fallback)
  • ✅ Auth: wrong/missing litellm key rejected
  • ✅ x-litellm-api-key stripped from upstream requests
  • ✅ Spend tracking for streaming passthrough (v1.82.x fix)

Deploy

Image: europe-central2-docker.pkg.dev/bitropy-management/images/litellm:v1.82.3-stable-patched

Claude Code config

{
  "env": {
    "ANTHROPIC_BASE_URL": "https://ai.demo.internal.bitropy.io/anthropic",
    "ANTHROPIC_CUSTOM_HEADERS": "x-litellm-api-key: sk-<your-virtual-key>"
  }
}

⚠️ Use ANTHROPIC_CUSTOM_HEADERS, NOT ANTHROPIC_API_KEY. See PASSTHROUGH_PATCHES.md for why.

🤖 Generated with Claude Code

klaudworks and others added 2 commits March 19, 2026 09:18
…ream providers

Prevent x-litellm-api-key (LiteLLM's virtual key) from being leaked
to upstream providers when _forward_headers=True is used in passthrough
endpoints.

Client-provided credentials now take precedence over server credentials
in the /anthropic/ passthrough endpoint. This enables mixed mode where:

1. Client sends x-api-key → forwarded as-is (user pays via own API key)
2. Client sends Authorization → forwarded as-is (user pays via OAuth/Max)
3. No client credentials + server ANTHROPIC_API_KEY → server key used
4. No client credentials + no server key → no credentials forwarded

Previously the server always sent x-api-key (even literal "None" when
unconfigured), overwriting any client-provided credentials and breaking
Claude Code Max (OAuth) and BYOK scenarios.

Supersedes the simpler one-liner from d742c76 on v1.81.12-stable-patched.
Based on the approach from PR BerriAI#20429 (closed) and reverted PR BerriAI#14821.
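Added example, not code from this PR or from LiteLLM: a small Python model of the header-handling rule the two patches and commit messages describe (the LiteLLM virtual key is never forwarded, client x-api-key or Authorization wins, the server key is only a fallback, and no literal x-api-key: None is ever emitted), placed next to a model of the pre-patch behaviour the description criticises. The function names, the PROXY_AUTH_HEADERS set and the sample header values are assumptions for illustration; it also assumes the proxy has already authenticated the caller against x-litellm-api-key before this step, which is why that header can be dropped here.

```python
"""Model of the Anthropic passthrough header rules from the Bitropy patches.

This is an added illustration, not LiteLLM's implementation. Names and
sample values are assumptions; only the behaviour comes from the PR text.
"""
from typing import Dict, Mapping, Optional, Tuple

# Proxy-side auth headers that must never reach the upstream provider.
# x-litellm-api-key is named in the PR. Authorization is deliberately NOT
# in this set: a client's OAuth bearer token (Claude Max) travels in it.
PROXY_AUTH_HEADERS = frozenset({"x-litellm-api-key"})  # assumed set

# Headers in which the client may carry its own upstream credential.
CLIENT_CREDENTIAL_HEADERS = ("x-api-key", "authorization")


def client_has_credentials(headers: Mapping[str, str]) -> bool:
    """True if the client sent a non-empty x-api-key or Authorization header.

    Header names are compared case-insensitively; an empty value does not
    count as a credential, so it falls through to the server key."""
    present = {name.lower() for name, value in headers.items() if value}
    return any(h in present for h in CLIENT_CREDENTIAL_HEADERS)


def legacy_upstream_headers(
    client_headers: Mapping[str, str], server_api_key: Optional[str]
) -> Dict[str, str]:
    """'Before' behaviour as the PR describes it (kept deliberately buggy).

    Every client header is forwarded, including the proxy's own
    x-litellm-api-key, and x-api-key is always set from the server key
    via "{}".format(...), so an unset key becomes the literal "None" and a
    client's BYOK x-api-key is overwritten."""
    forwarded = dict(client_headers)
    forwarded["x-api-key"] = "{}".format(server_api_key)
    return forwarded


def build_upstream_headers(
    client_headers: Mapping[str, str], server_api_key: Optional[str]
) -> Tuple[Dict[str, str], str]:
    """Patched behaviour: returns (headers to forward, credential source).

    credential source is one of "client", "server" or "none"."""
    forwarded: Dict[str, str] = {}
    for name, value in client_headers.items():
        # Patch 1: strip the LiteLLM virtual key before forwarding.
        if name.lower() in PROXY_AUTH_HEADERS:
            continue
        forwarded[name] = value

    # Patch 2: credential priority. Client credentials are forwarded as-is
    # and the server key is never injected on top of them.
    if client_has_credentials(client_headers):
        source = "client"
    elif server_api_key:
        forwarded["x-api-key"] = server_api_key
        source = "server"
    else:
        # No credentials at all: forward nothing rather than "None" and let
        # the upstream provider reject the request.
        source = "none"
    return forwarded, source


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic), one per row of the
    # PR's credential-priority table.
    samples = {
        "oauth": {"x-litellm-api-key": "sk-virtual-123",
                  "Authorization": "Bearer oauth-token"},
        "byok": {"x-litellm-api-key": "sk-virtual-123",
                 "x-api-key": "sk-ant-client"},
        "none": {"x-litellm-api-key": "sk-virtual-123"},
    }
    for label, headers in samples.items():
        for server_key in ("sk-ant-server", None):
            fwd, source = build_upstream_headers(headers, server_key)
            print(f"{label:5} server_key={'yes' if server_key else 'no':3} "
                  f"-> source={source:6} forwarded={fwd}")
    print("legacy, no server key:", legacy_upstream_headers(samples["none"], None))
```

The split between client_has_credentials and the forwarding loop is what keeps the two patches independent: stripping x-litellm-api-key happens regardless of which credential wins, and the credential decision never looks at the stripped header, so a misconfigured client that puts its virtual key in x-api-key would still be treated as BYOK (and rejected by Anthropic) rather than silently falling back to the company key.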