From 4f3608b15aca406d7c4340c12a29b1e367e297c7 Mon Sep 17 00:00:00 2001
From: Yuneng Jiang
Date: Fri, 8 May 2026 18:09:14 -0700
Subject: [PATCH] fix(proxy): point /metrics 401 at the opt-out flag

Operators upgrading past 35bbca60b0 (which made /metrics auth default-on) see "Malformed API Key passed in. Ensure Key has 'Bearer ' prefix." with no hint that litellm_settings.require_auth_for_metrics_endpoint: false restores the previous unauthenticated behavior. Append that discovery hint to the existing 401 body so a Prometheus scraper that breaks after upgrade has a clear migration path. No behavior change.
---
 .../middleware/prometheus_auth_middleware.py | 5 ++++-
 .../test_prometheus_auth_middleware.py | 20 +++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/litellm/proxy/middleware/prometheus_auth_middleware.py b/litellm/proxy/middleware/prometheus_auth_middleware.py
index cfc4cbd64b..7eb8ae83cb 100644
--- a/litellm/proxy/middleware/prometheus_auth_middleware.py
+++ b/litellm/proxy/middleware/prometheus_auth_middleware.py
@@ -79,7 +79,10 @@ class PrometheusAuthMiddleware:
 # Send 401 response directly via ASGI protocol
 error_message = getattr(e, "message", str(e))
 body = json.dumps(
- f"Unauthorized access to metrics endpoint: {error_message}"
+ f"Unauthorized access to metrics endpoint: {error_message} "
+ f"To allow unauthenticated access, set "
+ f"`litellm_settings.require_auth_for_metrics_endpoint: false` "
+ f"in your proxy_config.yaml."
 ).encode("utf-8")
 await send(
 {
diff --git a/tests/test_litellm/proxy/middleware/test_prometheus_auth_middleware.py b/tests/test_litellm/proxy/middleware/test_prometheus_auth_middleware.py
index 6cab5baee9..1d0c0f90fd 100644
--- a/tests/test_litellm/proxy/middleware/test_prometheus_auth_middleware.py
+++ b/tests/test_litellm/proxy/middleware/test_prometheus_auth_middleware.py
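Review bot: Three of the four appended fragments on the `+` lines are f-strings with no placeholders (`f"To allow unauthenticated access, set "`, the backtick-quoted setting line, and `f"in your proxy_config.yaml."`), which ruff reports as F541; only the first fragment interpolates `error_message`, so the `f` prefix should be dropped from the other three. Because this body is returned to any unauthenticated client, the hint would read better from a defensive standpoint if the first remedy named were supplying a valid key in the scraper's `Authorization: Bearer` header, with the `require_auth_for_metrics_endpoint: false` opt-out given second, so the documented migration path is not simply "turn auth off". The handler that binds `e` (presumably the `except` around the auth call) starts and ends outside the hunk, and the body still echoes `error_message` to the caller as before.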
@@ -121,6 +121,26 @@ def test_invalid_auth_metrics(app_with_middleware, monkeypatch):
 assert "Unauthorized access to metrics endpoint" in response.text
 
+def test_invalid_auth_metrics_includes_optout_hint(app_with_middleware, monkeypatch):
+ """
+ The 401 body must tell operators how to restore the previous unauthenticated
+ behavior, otherwise a Prometheus scraper that worked pre-upgrade just sees
+ "Malformed API Key" with no actionable migration path.
+ """
+ monkeypatch.setattr(litellm, "require_auth_for_metrics_endpoint", True)
+ monkeypatch.setattr(
+ "litellm.proxy.middleware.prometheus_auth_middleware.user_api_key_auth",
+ fake_invalid_auth,
+ )
+
+ client = TestClient(app_with_middleware)
+ response = client.get("/metrics")
+
+ assert response.status_code == 401, response.text
+ assert "require_auth_for_metrics_endpoint" in response.text
+ assert "false" in response.text
+
+
 def test_metrics_auth_uses_real_auth_when_route_is_public(
 app_with_middleware, monkeypatch
 ):
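Review bot: The final assertion `assert "false" in response.text` is too loose to pin the hint: the bare token `false` could be satisfied by unrelated text in a JSON body, and it does not verify that the setting name and value appear together as the operator is meant to copy them. Replacing the last two asserts with one `assert "litellm_settings.require_auth_for_metrics_endpoint: false" in response.text` checks the exact snippet the middleware emits and would catch a regression that reorders or truncates the hint. Since the body is produced by `json.dumps` of a string, asserting against `response.json()` rather than `response.text` would also confirm the content type the scraper will see.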