Forward Client Headers to LLM API
Control which model groups can forward client headers to the underlying LLM provider APIs.
Overviewβ
By default, LiteLLM does not forward client headers to LLM provider APIs for security reasons. However, you can selectively enable header forwarding for specific model groups using the forward_client_headers_to_llm_api setting.
How it Worksβ
LiteLLM does not forward all client headers to the LLM provider. Instead, it uses an allowlist approach β only headers matching specific rules are forwarded. This ensures sensitive headers (like your LiteLLM API key) are never accidentally sent to upstream providers.
Header Allowlist Rulesβ
The following rules determine which headers are forwarded (see _get_forwardable_headers in litellm/proxy/litellm_pre_call_utils.py):
| Rule | Example | Forwarded? |
|---|---|---|
Headers starting with x- | x-trace-id, x-custom-header, x-request-source | Yes |
anthropic-beta header | anthropic-beta: prompt-caching-2024-07-31 | Yes |
Headers starting with x-stainless-* | x-stainless-lang, x-stainless-arch | No (causes OpenAI SDK issues) |
| Standard HTTP headers | Authorization, Content-Type, Host | No |
| Other provider headers | Accept, User-Agent | No |
Additional Header Mechanismsβ
| Mechanism | Description | Reference |
|---|---|---|
x-pass- prefix | Headers prefixed with x-pass- are always forwarded with the prefix stripped, regardless of settings. E.g., x-pass-anthropic-beta: value β anthropic-beta: value. Works for all pass-through endpoints. | Source code |
openai-organization | Forwarded only when forward_openai_org_id: true is set in general_settings. | Forward OpenAI Org ID |
| User information headers | When add_user_information_to_llm_headers: true, LiteLLM adds x-litellm-user-id, x-litellm-org-id, etc. | User Information Headers |
| Vertex AI pass-through | Uses a separate, stricter allowlist: only anthropic-beta and content-type. | Source code |
Configurationβ
Enable Globallyβ
general_settings:
forward_client_headers_to_llm_api: true
Forward LLM Provider Authentication Headersβ
New in v1.82+: By default, LiteLLM strips authentication headers like x-api-key, x-goog-api-key, and api-key from client requests for security (these are typically used to authenticate with the proxy itself). However, you can enable forwarding of these LLM provider authentication headers to allow Bring Your Own Key (BYOK) scenarios where clients send their own API keys to the LLM provider.
Configurationβ
Add forward_llm_provider_auth_headers: true to your general_settings:
general_settings:
forward_client_headers_to_llm_api: true
forward_llm_provider_auth_headers: true # π Enable BYOK
Which Headers Are Forwardedβ
When forward_llm_provider_auth_headers: true, the following LLM provider authentication headers are preserved and forwarded:
| Header | Provider | Example |
|---|---|---|
x-api-key | Anthropic, Azure AI, Databricks | x-api-key: sk-ant-api03-... |
x-goog-api-key | Google AI Studio | x-goog-api-key: AIza... |
api-key | Azure OpenAI | api-key: your-azure-key |
ocp-apim-subscription-key | Azure APIM | ocp-apim-subscription-key: your-key |
The proxy's Authorization header (used for proxy authentication) is never forwarded to LLM providers, even with this setting enabled. This ensures your proxy authentication remains secure.
Use Case: Client-Side API Keys (BYOK)β
This feature enables scenarios where:
- Clients bring their own LLM provider API keys instead of using keys configured in the proxy
- Multi-tenant applications where each tenant has their own Anthropic/OpenAI account
- Development environments where developers use their personal API keys through a shared proxy
Example: Anthropic BYOKβ
# proxy_config.yaml
model_list:
- model_name: claude-sonnet-4
litellm_params:
model: anthropic/claude-sonnet-4-20250514
# No api_key configured! Will use client's key
general_settings:
forward_client_headers_to_llm_api: true
forward_llm_provider_auth_headers: true # Enable BYOK
For Claude Code with /login and your own Anthropic key, see Claude Code BYOK. Use ANTHROPIC_CUSTOM_HEADERS="x-litellm-api-key: sk-12345" to pass your LiteLLM key while your Anthropic key (from /login) is forwarded as x-api-key.
Client request:
curl -X POST "http://localhost:4000/v1/messages" \
-H "Authorization: Bearer sk-proxy-auth-123" \ # Proxy authentication (stripped)
-H "x-api-key: sk-ant-api03-YOUR-KEY..." \ # Client's Anthropic key (forwarded!)
-H "Content-Type: application/json" \
-d '{
"model": "claude-sonnet-4",
"messages": [{"role": "user", "content": "Hello"}],
"max_tokens": 100
}'
Example: Google AI Studio BYOKβ
model_list:
- model_name: gemini-pro
litellm_params:
model: gemini/gemini-1.5-pro
# No api_key configured
general_settings:
forward_client_headers_to_llm_api: true
forward_llm_provider_auth_headers: true
Client request:
curl -X POST "http://localhost:4000/v1/chat/completions" \
-H "Authorization: Bearer sk-proxy-auth-123" \
-H "x-goog-api-key: AIza..." \
-d '{
"model": "gemini-pro",
"messages": [{"role": "user", "content": "Hello"}]
}'
Security Considerationsβ
When to Use This Feature:
- Internal tools where you trust all clients
- Development/testing environments
- Multi-tenant apps with proper client authentication
- Scenarios where you want clients to use their own API keys
When NOT to Use:
- Public APIs where you don't trust all clients
- When you want centralized billing/cost control
- When you need to enforce rate limits at the proxy level
Backward Compatibilityβ
For backward compatibility, if you have forward_client_headers_to_llm_api: true but don't explicitly set forward_llm_provider_auth_headers, the behavior is:
- Default: LLM provider auth headers are NOT forwarded (safe default)
- Explicit
true: LLM provider auth headers ARE forwarded (BYOK enabled)
# Safe default - auth headers NOT forwarded
general_settings:
forward_client_headers_to_llm_api: true
# BYOK enabled - auth headers ARE forwarded
general_settings:
forward_client_headers_to_llm_api: true
forward_llm_provider_auth_headers: true # π Opt-in required
Enable for a Model Groupβ
Add the forward_client_headers_to_llm_api setting under model_group_settings in your configuration:
model_list:
- model_name: gpt-4o-mini
litellm_params:
model: openai/gpt-4o-mini
api_key: "your-api-key"
- model_name: "wildcard-models/*"
litellm_params:
model: "openai/*"
api_key: "your-api-key"
litellm_settings:
model_group_settings:
forward_client_headers_to_llm_api:
- gpt-4o-mini
- wildcard-models/*
Supported Model Patternsβ
The configuration supports various model matching patterns:
1. Exact Model Namesβ
forward_client_headers_to_llm_api:
- gpt-4o-mini
- claude-3-sonnet
2. Wildcard Patternsβ
forward_client_headers_to_llm_api:
- "openai/*" # All OpenAI models
- "anthropic/*" # All Anthropic models
- "wildcard-group/*" # All models in wildcard-group
3. Team Model Aliasesβ
If your team has model aliases configured, the forwarding will work with both the original model name and the alias.
Forwarded Headersβ
When enabled for a model group, LiteLLM forwards the following types of headers:
Custom Headers (x- prefix)β
- Any header starting with
x-(exceptx-stainless-*which can cause OpenAI SDK issues) - Examples:
x-custom-header,x-request-id,x-trace-id
Provider-Specific Headersβ
- Anthropic:
anthropic-betaheaders - OpenAI:
openai-organization(when enabled viaforward_openai_org_id: true)
User Information Headers (Optional)β
When add_user_information_to_llm_headers is enabled, LiteLLM adds:
x-litellm-user-idx-litellm-org-id- Other user metadata as
x-litellm-*headers
Security Considerationsβ
β οΈ Important Security Notes:
- Sensitive Data: Only enable header forwarding for trusted model groups, as headers may contain sensitive information
- API Keys: Never include API keys or secrets in forwarded headers
- PII: Be cautious about forwarding headers that might contain personally identifiable information
- Provider Limits: Some providers have restrictions on custom headers
Example Use Casesβ
1. Request Tracingβ
Forward tracing headers to track requests across your system:
curl -X POST "https://your-proxy.com/v1/chat/completions" \
-H "Authorization: Bearer your-key" \
-H "x-trace-id: abc123" \
-H "x-request-source: mobile-app" \
-d '{
"model": "gpt-4o-mini",
"messages": [{"role": "user", "content": "Hello"}]
}'
2. Custom Metadataβ
Pass custom metadata to your LLM provider:
curl -X POST "https://your-proxy.com/v1/chat/completions" \
-H "Authorization: Bearer your-key" \
-H "x-customer-id: customer-123" \
-H "x-environment: production" \
-d '{
"model": "gpt-4o-mini",
"messages": [{"role": "user", "content": "Hello"}]
}'
3. Anthropic Beta Featuresβ
Enable beta features for Anthropic models:
curl -X POST "https://your-proxy.com/v1/chat/completions" \
-H "Authorization: Bearer your-key" \
-H "anthropic-beta: tools-2024-04-04" \
-d '{
"model": "claude-3-sonnet",
"messages": [{"role": "user", "content": "Hello"}]
}'
Complete Configuration Exampleβ
model_list:
# Fixed model with header forwarding
- model_name: byok-fixed-gpt-4o-mini
litellm_params:
model: openai/gpt-4o-mini
api_base: "https://your-openai-endpoint.com"
api_key: "your-api-key"
# Wildcard model group with header forwarding
- model_name: "byok-wildcard/*"
litellm_params:
model: "openai/*"
api_base: "https://your-openai-endpoint.com"
api_key: "your-api-key"
# Standard model without header forwarding
- model_name: standard-gpt-4
litellm_params:
model: openai/gpt-4
api_key: "your-api-key"
litellm_settings:
# Enable user info headers globally (optional)
add_user_information_to_llm_headers: true
model_group_settings:
forward_client_headers_to_llm_api:
- byok-fixed-gpt-4o-mini
- byok-wildcard/*
# Note: standard-gpt-4 is NOT included, so no headers forwarded
general_settings:
# Enable OpenAI organization header forwarding (optional)
forward_openai_org_id: true
Testing Header Forwardingβ
To test if headers are being forwarded:
- Enable Debug Logging: Set
set_verbose: truein your config - Check Provider Logs: Monitor your LLM provider's request logs
- Use Webhook Sites: For testing, you can use webhook.site URLs as api_base to see forwarded headers
Troubleshootingβ
Headers Not Being Forwardedβ
- Check Model Name: Ensure the model name in your request matches the configuration
- Verify Pattern Matching: Wildcard patterns must match exactly
- Review Logs: Enable verbose logging to see header processing
Provider Errorsβ
- Invalid Headers: Some providers reject unknown headers
- Header Limits: Providers may have limits on header count/size
- Authentication: Ensure forwarded headers don't conflict with authentication
Related Featuresβ
- Request Headers - Complete list of supported request headers
- Response Headers - Headers returned by LiteLLM
- Team Model Aliases - Configure model aliases for teams
- Model Access Control - Control which users can access which models
API Referenceβ
The header forwarding is controlled by the ModelGroupSettings configuration:
class ModelGroupSettings(BaseModel):
forward_client_headers_to_llm_api: Optional[List[str]] = None
Where each string in the list can be:
- An exact model name (e.g.,
"gpt-4o-mini") - A wildcard pattern (e.g.,
"openai/*") - A model group name (e.g.,
"my-model-group/*")