Allow specifying token parameter (SHA256 of key) to /key/generate API
#10601
Conversation
This allows one to set the key hash to some known existing key hash in
order to import keys from one LiteLLM proxy instance to another.
```shell
$ litellm-proxy http request POST /key/generate --json '{"token": "692b37538c7685a2c0529572d7b8eae87f990e572216a00f79baaf2db8895e08"}'
{
...
"key": "(Unknown)",
"token": "692b37538c7685a2c0529572d7b8eae87f990e572216a00f79baaf2db8895e08",
...
"token_id": "692b37538c7685a2c0529572d7b8eae87f990e572216a00f79baaf2db8895e08",
...
}
```
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
```shell $ litellm-proxy keys generate \ --key-alias=my-key \ [email protected] \ --token=2d7fd3dcfa6fb7a5142fcf234fc3e2e9dc983ad34ba435824929e8bb5ab28ebc \ --key-name=some_key { "key_alias": "my-key", ... "user_id": "[email protected]", ... "key": "(Unknown)", "token": "2d7fd3dcfa6fb7a5142fcf234fc3e2e9dc983ad34ba435824929e8bb5ab28ebc", "key_name": "some_key", ... } ```
msabramo
changed the title
token parameter (SHA256 of key) to key generate api
msabramo
changed the title
token parameter (SHA256 of key) to key generate apitoken parameter (SHA256 of key) to /key/generate API
| "api_key" | ||
| ).startswith("sk-"): | ||
| values.update({"api_key": hash_token(values.get("api_key"))}) | ||
| api_key = values.get("api_key") |
There was a problem hiding this comment.
can you use _hash_token_if_needed in prox/utils.py here ?
There was a problem hiding this comment.
Hmmm, just tried that and it resulted in a circular import between utils.py and _types.py, so it's not a trivial change.
There was a problem hiding this comment.
Well I think I can move hash_token and _hash_token_if_needed to litellm.proxy._type and then utils.py can have:
from litellm.proxy._types import (
hash_token,
_hash_token_if_needed,
...
)However, in order to test this with make test-unit, I will need #10662 to be merged...
There was a problem hiding this comment.
Well, I'll just commit and push the change (3b2587a) and see if CI passes...
| @@ -88,6 +88,8 @@ def list( | |||
| @click.option("--spend", type=float, help="Maximum spend limit for this key") | |||
| @click.option("--duration", type=str, help="Duration for which the key is valid (e.g. '24h', '7d')") | |||
| @click.option("--key-alias", type=str, help="Alias/name for the key") | |||
| @click.option("--key-name", type=str, help="Display/abbreviation name for the key (separate from key_alias)") | |||
There was a problem hiding this comment.
can you add an example of this in your description eg. sk-12.....2oA
There was a problem hiding this comment.
Yep, check out 7eb128b.
| elif "key" in data_json and data_json["key"] is not None: | ||
| data_json["token"] = hash_token(data_json["key"]) | ||
| else: | ||
| data_json["token"] = f"sk-{secrets.token_urlsafe(LENGTH_OF_LITELLM_GENERATED_KEY)}" |
There was a problem hiding this comment.
it's not clear to me, why do we need this. I believe the code already generates the token if not provided
There was a problem hiding this comment.
You're right! All of this crap can be removed! 00e96f7
| # --- TOKEN HANDLING LOGIC --- | ||
| if "token" in data_json and data_json["token"] is not None: | ||
| data_json["token"] = data_json["token"] | ||
| elif "key" in data_json and data_json["key"] is not None: |
There was a problem hiding this comment.
I believe our existing code already does this. I don't think this is necessary.
There was a problem hiding this comment.
You're right! All of this crap can be removed! 00e96f7
|
Is this ready for review post-initial feedback? |
so that I can use `_hash_token_if_needed` in `UserAPIKeyAuth.check_api_key` in `_types.py`. addresses [comment](BerriAI#10601 (comment)) from @ishaan-jaff
addresses [comment](BerriAI#10601 (comment)) from @ishaan-jaff
addresses [comment](BerriAI#10601 (comment)) from @ishaan-jaff
This is ready now, as I addressed @ishaan-jaff's comments. Note the LiteLLM Mock Tests seem to be timing out after 8 minutes. I think merging #10484 will fix this. |
|
Ready for review @ishaan-jaff |
This could be useful if you have multiple LiteLLM proxy instances or you are migrating from one to another and want to reuse existing key hashes. For example in the example below, John already has a key on some LiteLLM proxy that has a SHA256 hash of
60980d9c682a44cecdb4462f512b57e48fc63288680725962e87b9f764eae47aand we want to enable that same key to work in a new LiteLLM proxy. We can do that by generating a key but specifying thetokenparameter to equal that existing hash:The output of the above is:
{ "key_alias": "john-key-1", ... "user_id": "john", "team_id": "team123", ... "key": "(Unknown)", "token": "60980d9c682a44cecdb4462f512b57e48fc63288680725962e87b9f764eae47a", "key_name": "Unknown key with hash 60980d9c682a44cecdb4462f512b57e48fc63288680725962e87b9f764eae47a", ... "token_id": "60980d9c682a44cecdb4462f512b57e48fc63288680725962e87b9f764eae47a", ... "created_at": "2025-05-07T00:26:42.890000Z", "updated_at": "2025-05-07T00:26:42.890000Z" }Relevant issues
Pre-Submission checklist
Please complete all items before asking a LiteLLM maintainer to review your PR
tests/litellm/directory, Adding at least 1 test is a hard requirement - see detailsmake test-unitType
🆕 New Feature
Changes