hXfdZddlZddlZddlZddlZddlZddlZddlmZmZm Z ddl m Z m Z m Z mZmZddlZddlmZmZmZmZmZmZmZddlZddlmZddlmZddlmZmZdd l m!Z!dd l"dd l#m$Z$m%Z%m&Z&m'Z'm(Z(dd l)m*Z*dd l+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2m3Z3ddl4m5Z5ddl6m7Z7m8Z8ddl9m:Z:ddl;mZ>ddl?m@Z@mAZAmBZBmCZCmDZDddlEmFZFddlGmHZHddlImJZJddlKmLZLmMZMmNZNdeOePeQffdZRdeSde eTde eUfd ZVd!eWde eTd"e eTdeXfd#ZYd$e eTdeSd!eWd%eNd&eZf d'Z[dePd(e e eTfd)Z\deSd!eWdePd&eZfd*Z]d!eWd+e eMfd,Z^d!eWdePfd-Z_de eSd!eWdePd&eZdeXf d.Z`d!eWdeOePeafd/e eFd0eXde d1f d2ZbeZcdePd3eddedfd4ZedePd!eWd5e eTde eSdeff d6Zgecjd7d8gee,gef9e<ee,edd:;fdePd!eWd5e eTfd<Ziecjd=d8gee,g>e<ee,edd:;fdePd!eWd5e eTfd?Zjdekd@eddAeddedfdBZld3eddCe e@fdDZmdeOeaenfdEeQfdFZod3eddEeQdedfdGZpdeadEeQdeXfdHZqecjdId8gee,g>e<ee,edd:;fdJedead!eWd5e eTfdKZrdLeQdMesdNeWd/eFfdOZtecjdPd8gee,g>e<ee,edd:;fdeud!eWd5e eTfdQZvecjdRd8gee,gdSTdee,fde eud!eWfdUZwecjdVd8gee,g>ej*ddWXee,fdLe eTd!eWfdYZydZe e eTd/e eFd0eXde d1fd[Zzdgiid\dddddddddddddddiddd]ddgiidddddddddddddf*d^e d_d`e eTdZe{daeddbeddce|dde e|dee eTdfe e|dge e|dhe e|die eXdje eTdke eTdLe eTde eTdle eTd"e eTdme eTdne eTdoe e}dpe eddqe e}dre e}dse dtdue eddve eTdwe e{dxe eddye eddze edd{e edd|e e{d}e e{d~e eTde e dde eXde eTde eTde e{de eTde eTde e~fVdZd!eWdeQdCe@defdZdeQded!eWdCe@deXf dZde ded!eWdee ee eQffdZde eTdedCe@d!eWdee ee eQff dZdCe@d!eWdeTdeTddf dZde endeTfdZecjdd8gee,g>ecjdd8gee,g>ee<ee,edddeddddedd;edd;edd;edd;edd;edSd;edSd;eddXeddXf dJed!eWde}de}de eTd"e eTd~e eTde eTdve eTdeXdeXde eTdeTdefdZde eTdeTde eeTeTffdZ ddCe@de}de}de eTd"e eTd~e eTdve eTde eTde eTdeXde e eTde eTdeTdefdZdeeTeffdZecjdd8gee,g>e<ee,edd:;fdeded!eWd5e eTde eQf dZecjdd8gee,g>e<ee,edd:;fdeded!eWd5e eTfdZecjdd8gee,ge9e<ee,fdJed!eWfdZd!eWdLe eTdeQdeXfdZd!eWdJede eeTefdefdÄZ ddve eTdCede eTddfdńZdye eddfdƄZy)z` KEY MANAGEMENT All /key management endpoints /key/generate /key/info /key/update /key/delete N)datetime timedeltatimezone)ListLiteralOptionalTuplecast) APIRouterDependsHeader HTTPExceptionQueryRequeststatus)verbose_proxy_logger) DualCache)LENGTH_OF_LITELLM_GENERATED_KEYUI_SESSION_TOKEN_TEAM_ID)duration_in_seconds)*)_cache_key_object_delete_cache_key_objectcan_team_access_modelget_key_objectget_team_object)abbreviate_api_key)user_api_key_authget_budget_reset_time)KeyManagementEventHooks)_is_user_team_admin_set_object_metadata_field)_add_model_to_db) attach_object_permission_to_dict&handle_update_object_permission_common)TeamMemberPermissionChecks)management_endpoint_wrapper)_is_master_key) PrismaClient_hash_token_if_neededhandle_exception_on_proxyjsonify_objectis_valid_api_key)Router) get_secret) Deployment) BudgetConfigPersonalUIKeyGenerationConfigTeamUIKeyGenerationConfigdatac|jduSNteam_idr5s w/var/www/Befach/backend/env/lib/python3.12/site-packages/litellm/proxy/management_endpoints/key_management_endpoints.py _is_team_keyr<Js <r?members r;_get_user_in_teamrDNs;// >> %&..G*CM0 r=user_api_key_dictr9c|j(|jtjjk(ry|0||jk(s!Jdj ||j| |j |j tk(ryy)zz Assert user only creates keys for themselves Relevant issue: https://github.com/BerriAI/litellm/issues/7336 TzDUser can only create keys for themselves. Got user_id={}, Your ID={}) user_roleLitellmUserRoles PROXY_ADMINvaluer?formatr9 UI_TEAM_IDrEr?r9s r;_is_allowed_to_make_key_requestrNZs ##/  ' '+;+G+G+M+M M (00 0 Q X X &..  0   % % 1!))Z7 r=assigned_user_idteam_key_generationroutec|,t||}|tdd|d|jt||j}|jduxr'|jt j jk(}|ry|'tdd|jd|jd|vr1|j|dvr tdd|jd |dtj||| y) N)r>r?User=z not assigned to team= status_codedetailTallowed_team_member_roleszTeam member role z" not in allowed_team_member_roles=)team_member_objectr>rQ) rDrr9r?rGrHrIrJroler'.does_team_member_have_permissions_for_endpoint)rOr>rErPrQkey_assigned_user_in_teamrYis_admins r;%_team_key_operation_team_member_checkr^zs]#$5!+;% ! % ,/00FzGYGYFZ[  +'8'@'@ ##4/ N  ' '+;+G+G+M+M M   #,4455KJL^L^K_`  $'::  # #"#>? @&'9'>'>&??abuwRcSbTU  MM- r=required_paramscf|y|jd}|D]}||vstdd|dy)NT exclude_unsetrSzRequired param z not in datarU) model_dumpr)r5r_ data_dictparams r;$_key_generation_required_param_checkrfsPd3I   !(|< ! r=cF|jtjjk(rytj &dtj vrtj d}nt ddg}t|j||||t||jdy)NTrPadminuserrXrOr>rErPrQr_) rGrHrIrJlitellmkey_generation_settingsr4r^r?rfget)r>rEr5rQ_team_key_generations r;_team_key_generation_checkrps ""&6&B&B&H&HH''3 !W%D%D D&>>?TU8'.&7 *+0 )   !23 r=personal_key_generationc|d|vry|j|dvr1tddtjddd|jy)Nallowed_user_rolesTrSzBPersonal key creation has been restricted by admin. Allowed roles=rqz . Your role=rU)rGrrlrm)rErqs r;_personal_key_membership_checkrts ' '> >""*ABV*WWWX_XwXwyRYSThYiXjjvwHwRwRvST  r=ctjtjjdytjd}t||t ||jdy)NrqT)rqr_)rlrmrnrtrf)rEr5_personal_key_generations r;_personal_key_generation_checkrwsl ''/  * * . ./H I Q&>>?XY" 8 )  $$%67 r=ct|}|r>|*tjtdd|j|yt ||||St ||S)z^ Check if admin has restricted key creation to certain roles for teams or individuals r:rSz1Unable to find team object in database. Team ID: rUTr>rEr5rQ)rEr5)r<rlrmrr9rprw)r>rEr5rQ is_team_keys r;key_generation_checkr{ sxD)K  '"A"A"MJ4<<.Y  )!/   ./d  r= llm_router premium_userTc  t||j|jt|j||y#t$r}t dt |d}~wt $r}t dt |d}~wwxYw)zF Check if user is allowed to make a key request, for this key rMrUNi)modelsr|r}T) rNr?r9AssertionErrorrstr Exception_check_model_access_groupr)rEr5r|r}es r;common_key_access_checksr*s '/LLLL {{! !  q6    q6   s!"= BA B(A>>B data_jsonc|j}|jdd|tjk(rdg|d<|S|tjk(rdg|d<|S|tj k(rdg|d<|S)z Handle the key type. key_typeNllm_api_routesallowed_routesmanagement_routes info_routes)rpopLiteLLMKeyTypeLLM_API MANAGEMENT READ_ONLY)r5rrs r;handle_key_typerOs}}H MM*d#>)))'7&8 "#  ^.. .':&; "#  ^-- -'4o "# r=litellm_changed_byc Kddlm}m}m}m}t ||||t j|D]}|\} } | 0| dvr,t|| t jj| d:| dk(r1| gk(r,t|| t jj| gp| dk(sv| ik(s|t|| t jj| it j|D]}|\} } tt j| d} | &| t|| | 6| dvr| | kDs@tdd | d | d | i | d vs\t| } t| } | | kDsztdd | d | d | i  ddlm}|||}|j*}||j,t/|j,|j0xsi}|j3|j5d}|j6j8j;i||j<xs||j<xs|dd{}t|dd}t>D](}t||dtA||t||*|jCdd}tE||}d|vr|jGdd|d<|||d<d|vr|jGdd|d<|j<|j<|d<|j<|d<d|vrodd lm}|dur+|d&tId!tJjLjN|jd}|s d|di|d<n |d|dd<|jGdtQ||"d{}tS|jd#d|$d{tUd*d%d&i|d'd&id{}|j,|d(<tWd*i|}|jX|_-t]j^tajb||||)|S#t $r8}t#j$dj't)|Yd}~d}~wwxYw7(777w)+Nr)litellm_proxy_admin_namer|r} prisma_clientrEr5r|r}) max_budgetr?r9max_parallel_requests tpm_limit rpm_limitbudget_durationrmetadata)rrrrrSerrorz. is over max limit set in config - user_value=z ; max_value=rU)rdurationr)&apply_enterprise_key_management_paramsz_litellm.proxy.proxy_server.generate_key_fn(): Enterprise key management params not applied - {}) soft_budgetmodel_max_budgetT) exclude_none) created_by updated_byr: budget_id) object_data field_namerJrbrrkey_max_budgetrkey_budget_durationrrtags)r}z)Only premium users can add tags to keys. )rr key_alias)rr request_typekey table_namer)r5responserEr)2litellm.proxy.proxy_serverrr|r}rrrldefault_key_generate_paramssetattrrnupperbound_key_generate_paramsgetattrrrFlitellm_enterprise.proxy.management_endpoints.key_management_endpointsrrrinforKrrrLiteLLM_BudgetTablerr-jsondblitellm_budgettablecreater?1LiteLLM_ManagementEndpoint_MetadataFields_Premiumr#rcrr ValueErrorCommonProxyErrorsnot_premium_userrJ_set_object_permission_enforce_unique_key_aliasgenerate_key_helper_fnGenerateKeyResponsetoken_idtokenasyncio create_taskr!async_key_generated_hook)r5rErr>rr|r}relemrrJupperbound_valueupperbound_duration user_durationrr _budget_id budget_row new_budget_budgetfieldr _metadatars r;_common_key_generation_helperr^s8 + ! **6DJC})"c7#F#F#J#J3PT#UVUb[c7#F#F#J#J3PR#ST "u{c7#F#F#J#J3PR#ST$--9DJC&66T   +=D#'78 !#33"/,/$+u4bchbiiuwGvH.I("# ??.A%5/+)>"/,/$+u4bchbiiuwGvH.I("#?N   6dJGJ T%5%5%A(((!228b #11*//t/2TU %((<<CC/77S;S/77S;SD  Wk48 C 4 % 1 &  dE* CdFIi0Iy &/mmL$&G "#!+ +I%+4==9JD+Q '(  ,"3";"; ,"3";"; ,; t # &(9(E;$?Ij !,5f,=Ij !& ) f,#I $-- T2#  ,'49H  ]#.X.H  N 88/1   OM  !! m t tA    " h  sB#Q*&Q*,A$Q*Q*+Q*Q*%Q*>P B,Q*9Q!:'Q*"DQ*Q$$Q*&Q&'Q*?Q(AQ* Q&-QQ*QQ*$Q*&Q*(Q*z /key/generatezkey management)r dependenciesresponse_modelzThe litellm-changed-by header enables tracking of actions performed by authorized users on behalf of other users, providing an audit trail for accountability) descriptioncK ddlm}m}m}t j d|rt j|r||d{}n td|jdd}|jdd }|sttj| d} |j- t|j|||jd d{} t#| ||t$j& t)|||| d{S77:#t $r$} t j d | d} Yd} ~ `d} ~ wwxYw78#t $r=} t j*dj-t/| t1| d} ~ wwxYww)a Generate an API key based on the provided data. Docs: https://docs.litellm.ai/docs/proxy/virtual_keys Parameters: - duration: Optional[str] - Specify the length of time the token is valid for. You can set duration as seconds ("30s"), minutes ("30m"), hours ("30h"), days ("30d"). - key_alias: Optional[str] - User defined key alias - key: Optional[str] - User defined key value. If not set, a 16-digit unique sk-key is created for you. - team_id: Optional[str] - The team id of the key - user_id: Optional[str] - The user id of the key - budget_id: Optional[str] - The budget id associated with the key. Created by calling `/budget/new`. - models: Optional[list] - Model_name's a user is allowed to call. (if empty, key is allowed to call all models) - aliases: Optional[dict] - Any alias mappings, on top of anything in the config.yaml model list. - https://docs.litellm.ai/docs/proxy/virtual_keys#managing-auth---upgradedowngrade-models - config: Optional[dict] - any key-specific configs, overrides config in config.yaml - spend: Optional[int] - Amount spent by key. Default is 0. Will be updated by proxy whenever key is used. https://docs.litellm.ai/docs/proxy/virtual_keys#managing-auth---tracking-spend - send_invite_email: Optional[bool] - Whether to send an invite email to the user_id, with the generate key - max_budget: Optional[float] - Specify max budget for a given key. - budget_duration: Optional[str] - Budget is reset at the end of specified duration. If not set, budget is never reset. You can set duration as seconds ("30s"), minutes ("30m"), hours ("30h"), days ("30d"). - max_parallel_requests: Optional[int] - Rate limit a user based on the number of parallel requests. Raises 429 error, if user's parallel requests > x. - metadata: Optional[dict] - Metadata for key, store information for key. Example metadata = {"team": "core-infra", "app": "app2", "email": "ishaan@berri.ai" } - guardrails: Optional[List[str]] - List of active guardrails for the key - permissions: Optional[dict] - key-specific permissions. Currently just used for turning off pii masking (if connected). Example - {"pii": false} - model_max_budget: Optional[Dict[str, BudgetConfig]] - Model-specific budgets {"gpt-4": {"budget_limit": 0.0005, "time_period": "30d"}}}. IF null or {} then no model specific budget. - model_rpm_limit: Optional[dict] - key-specific model rpm limit. Example - {"text-davinci-002": 1000, "gpt-3.5-turbo": 1000}. IF null or {} then no model specific rpm limit. - model_tpm_limit: Optional[dict] - key-specific model tpm limit. Example - {"text-davinci-002": 1000, "gpt-3.5-turbo": 1000}. IF null or {} then no model specific tpm limit. - allowed_cache_controls: Optional[list] - List of allowed cache control values. Example - ["no-cache", "no-store"]. See all values - https://docs.litellm.ai/docs/proxy/caching#turn-on--off-caching-per-request - blocked: Optional[bool] - Whether the key is blocked. - rpm_limit: Optional[int] - Specify rpm limit for a given key (Requests per minute) - tpm_limit: Optional[int] - Specify tpm limit for a given key (Tokens per minute) - soft_budget: Optional[float] - Specify soft budget for a given key. Will trigger a slack alert when this soft budget is reached. - tags: Optional[List[str]] - Tags for [tracking spend](https://litellm.vercel.app/docs/proxy/enterprise#tracking-spend-for-custom-tags) and/or doing [tag-based routing](https://litellm.vercel.app/docs/proxy/tag_routing). - enforced_params: Optional[List[str]] - List of enforced params for the key (Enterprise only). [Docs](https://docs.litellm.ai/docs/proxy/enterprise#enforce-required-params-for-llm-requests) - allowed_routes: Optional[list] - List of allowed routes for the key. Store the actual route or store a wildcard pattern for a set of routes. Example - ["/chat/completions", "/embeddings", "/keys/*"] - object_permission: Optional[LiteLLM_ObjectPermissionBase] - key-specific object permission. Example - {"vector_stores": ["vector_store_1", "vector_store_2"]}. IF null or {} then no object permission. - key_type: Optional[str] - Type of key that determines default allowed routes. Options: "llm_api" (can call LLM API routes), "management" (can call management routes), "read_only" (can only call info/read routes), "default" (uses default allowed routes). Defaults to "default". Examples: 1. Allow users to turn on/off pii masking ```bash curl --location 'http://0.0.0.0:4000/key/generate' --header 'Authorization: Bearer sk-1234' --header 'Content-Type: application/json' --data '{ "permissions": {"allow_pii_controls": true} }' ``` Returns: - key: (str) The generated api key - expires: (datetime) Datetime object for when key expires. - user_id: (str) Unique user id - used for tracking spend across multiple keys for same user id. rruser_api_key_cacheuser_custom_key_generateentered /key/generateN,user_custom_key_generate must be a coroutinedecisionTmessage(Authentication Failed - Custom Auth RulerUr9rrparent_otel_span check_db_only.Error getting team object in `/key/generate`: ryr5rErr>zDlitellm.proxy.proxy_server.generate_key_fn(): Exception occured - {})rrrrrdebugriscoroutinefunctionrrnrrHTTP_403_FORBIDDENr9rrrr{KeyManagementRoutes KEY_GENERATEr exceptionrKrr, r5rErrrrresultrrr>rs r;generate_key_fnrsJ7+  ""#:; # /**+CD7== !OPPzz*d3Hjj,VWG# & 9 9'<@ << # "#2 LL"/'9%6%G%G"& $  !/%22  3/1!    A> "$**DQCH"  " +&& R Y YA  (** +sFAD<DAD<&'D DD /D<D:D<FD<D D7D2-D<2D77D<< F8E==FFz/key/service-account/generate)rrcKddlm}m}m}t j d|rt j|r||d{}n td|jdd}|jdd }|sttj| d} |j- t|j|||jd d{} t#| ||t$j& d|_t+|||| d{S77A#t $r$} t j d | d} Yd} ~ gd} ~ wwxYw78w)as Generate a Service Account API key based on the provided data. This key does not belong to any user. It belongs to the team. Why use a service account key? - Prevent key from being deleted when user is deleted. - Apply team limits, not team member limits to key. Docs: https://docs.litellm.ai/docs/proxy/virtual_keys Parameters: - duration: Optional[str] - Specify the length of time the token is valid for. You can set duration as seconds ("30s"), minutes ("30m"), hours ("30h"), days ("30d"). - key_alias: Optional[str] - User defined key alias - key: Optional[str] - User defined key value. If not set, a 16-digit unique sk-key is created for you. - team_id: Optional[str] - The team id of the key - user_id: Optional[str] - [NON-FUNCTIONAL] THIS WILL BE IGNORED. The user id of the key - budget_id: Optional[str] - The budget id associated with the key. Created by calling `/budget/new`. - models: Optional[list] - Model_name's a user is allowed to call. (if empty, key is allowed to call all models) - aliases: Optional[dict] - Any alias mappings, on top of anything in the config.yaml model list. - https://docs.litellm.ai/docs/proxy/virtual_keys#managing-auth---upgradedowngrade-models - config: Optional[dict] - any key-specific configs, overrides config in config.yaml - spend: Optional[int] - Amount spent by key. Default is 0. Will be updated by proxy whenever key is used. https://docs.litellm.ai/docs/proxy/virtual_keys#managing-auth---tracking-spend - send_invite_email: Optional[bool] - Whether to send an invite email to the user_id, with the generate key - max_budget: Optional[float] - Specify max budget for a given key. - budget_duration: Optional[str] - Budget is reset at the end of specified duration. If not set, budget is never reset. You can set duration as seconds ("30s"), minutes ("30m"), hours ("30h"), days ("30d"). - max_parallel_requests: Optional[int] - Rate limit a user based on the number of parallel requests. Raises 429 error, if user's parallel requests > x. - metadata: Optional[dict] - Metadata for key, store information for key. Example metadata = {"team": "core-infra", "app": "app2", "email": "ishaan@berri.ai" } - guardrails: Optional[List[str]] - List of active guardrails for the key - permissions: Optional[dict] - key-specific permissions. Currently just used for turning off pii masking (if connected). Example - {"pii": false} - model_max_budget: Optional[Dict[str, BudgetConfig]] - Model-specific budgets {"gpt-4": {"budget_limit": 0.0005, "time_period": "30d"}}}. IF null or {} then no model specific budget. - model_rpm_limit: Optional[dict] - key-specific model rpm limit. Example - {"text-davinci-002": 1000, "gpt-3.5-turbo": 1000}. IF null or {} then no model specific rpm limit. - model_tpm_limit: Optional[dict] - key-specific model tpm limit. Example - {"text-davinci-002": 1000, "gpt-3.5-turbo": 1000}. IF null or {} then no model specific tpm limit. - allowed_cache_controls: Optional[list] - List of allowed cache control values. Example - ["no-cache", "no-store"]. See all values - https://docs.litellm.ai/docs/proxy/caching#turn-on--off-caching-per-request - blocked: Optional[bool] - Whether the key is blocked. - rpm_limit: Optional[int] - Specify rpm limit for a given key (Requests per minute) - tpm_limit: Optional[int] - Specify tpm limit for a given key (Tokens per minute) - soft_budget: Optional[float] - Specify soft budget for a given key. Will trigger a slack alert when this soft budget is reached. - tags: Optional[List[str]] - Tags for [tracking spend](https://litellm.vercel.app/docs/proxy/enterprise#tracking-spend-for-custom-tags) and/or doing [tag-based routing](https://litellm.vercel.app/docs/proxy/tag_routing). - enforced_params: Optional[List[str]] - List of enforced params for the key (Enterprise only). [Docs](https://docs.litellm.ai/docs/proxy/enterprise#enforce-required-params-for-llm-requests) - allowed_routes: Optional[list] - List of allowed routes for the key. Store the actual route or store a wildcard pattern for a set of routes. Example - ["/chat/completions", "/embeddings", "/keys/*"] - object_permission: Optional[LiteLLM_ObjectPermissionBase] - key-specific object permission. Example - {"vector_stores": ["vector_store_1", "vector_store_2"]}. IF null or {} then no object permission. Examples: 1. Allow users to turn on/off pii masking ```bash curl --location 'http://0.0.0.0:4000/key/generate' --header 'Authorization: Bearer sk-1234' --header 'Content-Type: application/json' --data '{ "permissions": {"allow_pii_controls": true} }' ``` Returns: - key: (str) The generated api key - expires: (datetime) Datetime object for when key expires. - user_id: (str) Unique user id - used for tracking spend across multiple keys for same user id. rrrNrrTrrrUrrryr)rrrrrrrrrrnrrrr9rrrr{rKEY_GENERATE_SERVICE_ACCOUNTr?rrs r;generate_service_account_key_fnrsHP 67+  & &'? @3D99FKL L::j$/**Y(RSF,E,EgV V7;J || . +#5!2!C!C"  J+ !>> DL. +-  A:  & &@D J   s[AED AE%'D D D6EEED D=D83E8D==Enon_default_valuesexisting_metadatacd|vr|j|d<tt|d}|jdd} |j D]7\}}|t vst |tr|j||<3|||<9 ||d<|S#t$r7}tjdjt|Yd}~Bd}~wwxYw)zu Check LiteLLM_ManagementEndpoint_MetadataFields (proxy/_types.py) for fields that are allowed to be updated rTrzLlitellm.proxy.proxy_server.prepare_metadata_fields(): Exception occured - {}N)copyr dictrcitems)LiteLLM_ManagementEndpoint_MetadataFields isinstancer isoformatrrrrKr)r5rrcasted_metadatarkvrs r;prepare_metadata_fieldsrs ++):)?)?)A:&4!3J!?@OdFI  OO%DAq==a*)*OA&)*OA& &&5z"   && Z a aA    sB+B C-C  CrcK||Sd|vrQ|jjj|dd{}|j|d<|j d|S7&w)z Creates the LiteLLM_ObjectPermissionTable record for the key. - Handles permissions for vector stores and mcp servers. Nobject_permissionr:object_permission_id)rlitellm_objectpermissiontablerrr)rrcreated_object_permissions r;rr6si'""@@GG23H  " & : : ()  )*  s5A A'A existing_key_rowcK|jd}|jdd|jddi}|jD]\}}|tvr|||<d|vrr|jd}|r_t |t rOt |dkDrAt|}tjtjt|z}||d <d |vrJ|jd } | r7t | t r't | dkDrdd l m} | | } | |d <| |d <d|vrt||d{}|j xsi} d|vrt#|dt%||| }|S76w)NTrarnew_keyrrrsecondsexpiresrrrbudget_reset_atr)rrr)r5rr)rcrrrrrlenrrnowrutcr)litellm.proxy.common_utils.timezone_utilsr _handle_update_object_permissionrvalidate_model_max_budgetr) r5rrrrrr duration_sr rr key_reset_atrs r;prepare_key_update_datarOsooDo9I MM% MM)T"!1 9 9  !1" ''%))*5 Hc2H 8I,h?Jll8<<09Z3PPG,3 y )..,001BC OS1O$q( W0QL4@ 0 14C 0 100#C(-$   !))/RI//!"45G"HI0 &8I  sD7E29E0:7E2cKddlm}t||j|d{}|||d<t j d||S7%w)z1 Handle the update of object permission. rr)rexisting_object_permission_idrNrzupdated object_permission_id: )rrr&rrr)rrrrs r;rrsg9"H&6&K&K#"',@ ()"",-A,B C  s"A A &A ch|jy|jy|j|jk7S)NFTr8r5rs r;is_different_teamrs6 ||' <<+33 33r=z /key/updaterequestc Kddlm}m}m}m}m} |j dd} | jd} | tdt|||||j|jdd d{} | td d d |jitj|t j"|| |d{t%|| rOt't)t*|j||dd{} |tdd dit-| | ||t/|| d{} t1| j3dd|| j4d{i| d| i}|j7| |d{}t9t;| ||d{t=j>tAjB|| |||| tEdd| i|dS7y7.7777r7U#t$r}tGjHdjKt+|tM|trYtOtQ|ddt+|d tRjTtQ|d!d"tQ|d#tVjX$tM|tNr|tOd%t+|ztRjTtQ|d!d"tVjX$d}~wwxYww)&a Update an existing API key's parameters. Parameters: - key: str - The key to update - key_alias: Optional[str] - User-friendly key alias - user_id: Optional[str] - User ID associated with key - team_id: Optional[str] - Team ID associated with key - budget_id: Optional[str] - The budget id associated with the key. Created by calling `/budget/new`. - models: Optional[list] - Model_name's a user is allowed to call - tags: Optional[List[str]] - Tags for organizing keys (Enterprise only) - enforced_params: Optional[List[str]] - List of enforced params for the key (Enterprise only). [Docs](https://docs.litellm.ai/docs/proxy/enterprise#enforce-required-params-for-llm-requests) - spend: Optional[float] - Amount spent by key - max_budget: Optional[float] - Max budget for key - model_max_budget: Optional[Dict[str, BudgetConfig]] - Model-specific budgets {"gpt-4": {"budget_limit": 0.0005, "time_period": "30d"}} - budget_duration: Optional[str] - Budget reset period ("30d", "1h", etc.) - soft_budget: Optional[float] - [TODO] Soft budget limit (warning vs. hard stop). Will trigger a slack alert when this soft budget is reached. - max_parallel_requests: Optional[int] - Rate limit for parallel requests - metadata: Optional[dict] - Metadata for key. Example {"team": "core-infra", "app": "app2"} - tpm_limit: Optional[int] - Tokens per minute limit - rpm_limit: Optional[int] - Requests per minute limit - model_rpm_limit: Optional[dict] - Model-specific RPM limits {"gpt-4": 100, "claude-v1": 200} - model_tpm_limit: Optional[dict] - Model-specific TPM limits {"gpt-4": 100000, "claude-v1": 200000} - allowed_cache_controls: Optional[list] - List of allowed cache control values - duration: Optional[str] - Key validity duration ("30d", "1h", etc.) - permissions: Optional[dict] - Key-specific permissions - send_invite_email: Optional[bool] - Send invite email to user_id - guardrails: Optional[List[str]] - List of active guardrails for the key - blocked: Optional[bool] - Whether the key is blocked - aliases: Optional[dict] - Model aliases for the key - [Docs](https://litellm.vercel.app/docs/proxy/virtual_keys#model-aliases) - config: Optional[dict] - [DEPRECATED PARAM] Key-specific config. - temp_budget_increase: Optional[float] - Temporary budget increase for the key (Enterprise only). - temp_budget_expiry: Optional[str] - Expiry time for the temporary budget increase (Enterprise only). - allowed_routes: Optional[list] - List of allowed routes for the key. Store the actual route or store a wildcard pattern for a set of routes. Example - ["/chat/completions", "/embeddings", "/keys/*"] - object_permission: Optional[LiteLLM_ObjectPermissionBase] - key-specific object permission. Example - {"vector_stores": ["vector_store_1", "vector_store_2"]}. IF null or {} then no object permission. Example: ```bash curl --location 'http://0.0.0.0:4000/key/update' --header 'Authorization: Bearer sk-1234' --header 'Content-Type: application/json' --data '{ "key": "sk-1234", "key_alias": "my-key", "user_id": "user-1234", "team_id": "team-1234", "max_budget": 100, "metadata": {"any_key": "any-val"}, }' ``` r)r|r}rproxy_logging_objrTrrNNot connected to DB!r find_uniquerr query_typeirzTeam not found, passed team_id=rUrErQrrrrr9rrrrSzeLLM router not found. Please set it up by passing in a valid config.yaml or adding models via the UI.)rteamchange_initiated_byr|r)rrexisting_key_tokenr)rr5 hashed_tokenrr!r5rrrErz(Failed to update key got response = Noner5zBlitellm.proxy.proxy_server.update_key_fn(): Exception occured - {}rWzAuthentication Error()reNonerVrtyperecodeAuthentication Error, )-rr|r}rr!rrcrrrget_datarrr9r'/can_team_member_execute_key_management_endpointr KEY_UPDATErrr rvalidate_key_team_changerrrnr update_datar hash_tokenrrr!async_key_updated_hookrrrrKrProxyExceptionrProxyErrorTypes auth_errorrHTTP_400_BAD_REQUEST)rr5rErr|r}rr!rrrrteam_objr_datarrs r; update_key_fnrAs=~o //4/P mmE"  23 3 /!%  "/!7!7((u"8"    ##B4<<.!QR  )XX/%00'-1     $9I J,S$,,/+#5" H !# #"I %$$5%   $;(8$  ((,,[$?'/55   5%4w4&2252II'#C1/    # : :!1!"3#5     GH Hs/hv.//U  &  J *  && P W WA  a ' 8/DSVHA-NO$//a&1Q v/J/JK   > *G,s1v5 ++!Wf-,,    sK7A!G<3G,4A G<G/;G<=G2>4G<2G43/G<"G6#"G<G8G<$G:%AG<+K7,G</G<2G<4G<6G<8G<:G<< K4C*K//K44K7rr(r)c t|jdkDr|jD]}t||||jZd}|jD]}|j|jk(sd}n|s(t dd|jd|j d  |j|jrN|j|jkDr5t dd |jd |jd |jd |jrZ|jrN|j|jkDr5t dd |jd|jd|jd |jtjjk(ryt||ryt dd|jd|j d )a< Validate that a key can be moved to a new team. - The team must have access to the key's models - The key's user_id must be a member of the team - The key's tpm/rpm limit must be less than the team's tpm/rpm limit - The person initiating the change must be either Proxy Admin or Team Admin r)model team_objectr|NFTrrTz is not a member of the team=z&. Check team members via `/team/info`.rUzKey=z has a tpm_limit=z, which is greater than the team's tpm_limit=.z has a rpm_limit=z, which is greater than the team's rpm_limit=rEr?z- is not a Proxy Admin or Team Admin for team=)rrrr?rBrr9rrrrGrHrIrJr")rr(r)r|rC is_memberrCs r;r7r7`s 3::ZZE ! %   {{ --F~~, .s{{m+HV|}   }} >>cmmdnn<cii[(9#--HtuyvDvDuEEFG  >>cmm 0Ncii[(9#--HtuyvDvDuEEFG  $$(8(D(D(J(JJ -  .6677deieqeqdrrst  r=z /key/deletec &K ddlm}m}| tdt j d|j d}g}|jrEt|j||d{\}}t|j}|j}n]|jrFt|j|||d{\}}t|j}|j}n td|+td tjd t j" t j d | |t|k(sJ t j d|j&j(t+j,t/j0|||||d|iS7;7#t$rt%d dd|d|iwxYw#t$r=} t j2dj5t7| t9| d} ~ wwxYww)a Delete a key from the key management system. Parameters:: - keys (List[str]): A list of keys or hashed keys to delete. Example {"keys": ["sk-QWrxEynunsNpV1zT48HIrw", "837e17519f44683334df5291321d97b8bf1098cd490e49e215f6fea935aa28be"]} - key_aliases (List[str]): A list of key aliases to delete. Can be passed instead of `keys`.Example {"key_aliases": ["alias1", "alias2"]} Returns: - deleted_keys (List[str]): A list of deleted keys. Example {"deleted_keys": ["sk-QWrxEynunsNpV1zT48HIrw", "837e17519f44683334df5291321d97b8bf1098cd490e49e215f6fea935aa28be"]} Example: ```bash curl --location 'http://0.0.0.0:4000/key/delete' --header 'Authorization: Bearer sk-1234' --header 'Content-Type: application/json' --data '{ "keys": ["sk-QWrxEynunsNpV1zT48HIrw"] }' ``` Raises: HTTPException: If an error occurs during key deletion. r)rrNr"zuser_api_key_dict.user_role: tokensrrE) key_aliasesrrrEzInvalid request typezFFailed to delete keys got None response from delete_verification_tokenkeysr0z/key/delete - deleted_keys=rSrzNot all keys passed in were deleted. This probably means you don't have access to delete all the keys passed in. Keys passed in=z, Deleted keys =rUz#/keys/delete - cache after delete: )r5keys_being_deletedrErr deleted_keyszBlitellm.proxy.proxy_server.delete_key_fn(): Exception occured - {})rrrrrrrGrLdelete_verification_tokensrrKdelete_key_aliasesrr;r<internal_server_errorrHTTP_500_INTERNAL_SERVER_ERRORrin_memory_cache cache_dictrrr!async_key_deleted_hookrrKrr,) r5rErrrnum_keys_to_be_deletedrNnumber_deleted_keys_keys_being_deletedrs r; delete_key_fnrYsRFI+P  23 3 ""+,=,G,G+H I "# 99=Wyy#5"3>8 4 !4 &)^ "99L   =O ,,+#5"3 >8 4 !4 &))9)9%: "++L34 4  & `$::::   ""%@AT@U#VW )S->> >> ""12D2T2T2_2_1` a   # : :#6"3#5,    --i88,  `aw`xxHI\H]^  . +&& P W WA  (** +shHA"G&F!'AG8F$9A9G3F&AG H!G$G&GG H8H  HHz /v2/key/infoF)rrinclude_in_schemacKddlm} | td|ttj ddi|j |jdd d{}|ttjdd ig}|D]$} |j}|j|&|j|d S7]#t$r|j}Y?wxYw#t$r}t|d}~wwxYww) a  Retrieve information about a list of keys. **New endpoint**. Currently admin only. Parameters: keys: Optional[list] = body parameter representing the key(s) in the request user_api_key_dict: UserAPIKeyAuth = Dependency representing the user's API key Returns: Dict containing the key and its associated information Example Curl: ``` curl -X GET "http://0.0.0.0:4000/key/info" -H "Authorization: Bearer sk-1234" -d {"keys": ["sk-1", "sk-2", "sk-3"]} ``` rrNDatabase not connected. Connect a database to your proxy - https://docs.litellm.ai/docs/simple_proxy#managing-auth---virtual-keysrz%Malformed request. No keys passed in.rUrfind_allr$ No keys foundrr) rrrrrHTTP_422_UNPROCESSABLE_ENTITYr4rLHTTP_404_NOT_FOUNDrcrappendr,)r5rErkey_infofiltered_key_inforrs r;info_key_fn_v2res69+  T  <"@@!#JK  '//))*0    "55!?3 A LLN  $ $Q ' yy*;<>DD"  r=g insert_datar)rirraliasesconfigspendrrrrrblockedrr user_alias user_emailrGrrrrr%)rxr8update_key_valuesrallowed_cache_controls permissionsrmodel_rpm_limitmodel_tpm_limit guardrailsteamsorganization_idr)rrisend_invite_emailrrr sso_user_idrrc+ J Kddlm}+m},|, td| !||} ndt j t } |d}-nNr)r}rz]Connect Proxy to database to generate keys - https://docs.litellm.ai/docs/proxy/virtual_keys sk-rr rrrrrr~r?r}r9rrGr{rrrrrrrrrrrrrr ryrz)rrrr|rrrrDISABLE_KEY_NAMEFT)rokey_namerget_spend_routeszJget_spend_routes permission is only available for LiteLLM Enterprise usersrrirx)r5rzFailed to create userr8)r5rrzprisma_client: Creating Key= %srrri created_at updated_atzKlitellm.proxy.proxy_server.generate_key_helper_fn(): Exception occured - {}rzInternal Server Error.rUr)*rr}rrsecrets token_urlsaferrrrrrrr rdumpsrr0rrdeepcopyrrloadsrrnrrxrrr8rrrrrK traceback format_excrrrRupdate)r&5"#">r&5"#>r!+JJx(M./ JJ'78III3H  * *  w  *  w       U  f     $%:        x %&%>&6&?& H ''(?@@8??+a/C8J4Kq4P-5__*=0%2%>%>&#)*;&?& H %**>!  ! & &'H( S(5(A(A%)B)# $++>#NHZ /6#%;T0H+ ,&--@,PT%UH\ "%,-@,PT%UH\ " &H[v " Ok  #   "" Y ` `A  ""9#7#7#9: a 'G==56    spE/T#2HRRA&R,R - R9T#:,R&R 'AR+T#R R R T BTT  T#rcrcKt|}|r|jt|j||dd{}tj&dtjvrtjd}nt ddg}|(t |j|||tjSttjd d |ji y 7w) Nr:Tr'rPrhrirjrkrz:Team not found in db, and user not proxy admin. Team id = rUF) r<r9rrlrmr4r^r?r KEY_DELETErrra)rErcrrrzr>ros r;_team_key_deletion_checkrs H-Kx''3*$$'1     + + 7%)H)HH#*#B#B%$ $=+2F*;$   !8!2!:!:%"3$8)44   "55YZbZjZjYkl  C s7CCBCcKt|}|jtjjk(ry|r#|j t ||||d{S|j|j|jk(ryy7+w)z - check if user is proxy admin - check if user is team admin and key is a team key - check if key is personal key r:TN)rErcrrF)r<rGrHrIrJr9rr?)rcrrErrzs r;can_delete_verification_tokenrsH-K""&6&B&B&H&HH ))5-/'1       %(*:*:>O>W>W*W sABB,BrJcJ Kddlm  rG|Dcgc]}t|}} jjj dd|iid{}t |dk(rttjdd i jtjjk(r j| d{ ng}g |D](}d tf fd }|j!||*t#j$|d{t }|t |k7r6|Dcgc] }| vs| } }t'dt)| zt'd|D]=}j7|t9t;t(|} j7| ?d i|fScc}w7Y77cc}w#t&$r[} t+j,dj/t)| t+j0t3j4| d} ~ wwxYww)a Helper that deletes the list of tokens from the database - check if user is proxy admin - check if user is team admin and key is a team key Args: tokens: List of tokens to delete user_id: Optional user_id to filter by Returns: Tuple[Optional[Dict], List[LiteLLM_VerificationToken]]: Optional[Dict]: - Number of deleted tokens List[LiteLLM_VerificationToken]: - List of keys being deleted, this contains information about the key_alias, token, and user_id being deleted, this is passed down to the KeyManagementEventHooks to delete the keys from the secret manager and handle audit logs rrrhrinrkNrr^rUrJrcKt|d{rAj|jgd{j|jyt t j ddi7b7?w)N)rcrrErrrz)You are not authorized to delete this keyrU)r delete_datarrbrrr)rdeleted_tokensrrrEs r; _delete_keyz/delete_verification_tokens.._delete_key0s!>%(/A.?*7 " #0";";CII;";"OOO*11#))<"/,2,E,E$+-X("# PsA=A9$A=A;>A=;A=z6Failed to delete all tokens. Failed to delete tokens: 'DB not connected. prisma_client is NonezOlitellm.proxy.proxy_server.delete_verification_tokens(): Exception occured - {}rN)rrr+rrp find_manyrrrrarGrHrIrJrLiteLLM_VerificationTokenrbrgatherrrrrrKrrr delete_cacher9r )rJrrErrXtasksr_num_deleted_tokensr failed_tokensrr,rrs `` @@r;rOrOs3.9? BHI3+#6IFI#&&@@JJ"T6N3K &'1,# & 9 9#_5!**.>.J.J.P.PP'4'@'@'@'O!O!#.C/H"LLS!12'/(nne,,,&).&9#&#f+5+1%"'U.5P%M%$Pm,- EF F'',!$sC.1 '' 5  N +-@ @@KJ"P2-% && ] d dA  ""9#7#7#9:sH#F<F+/F<F0A+F<F3A F<F5!F<1 F7;F7?$F<#AH#+F<3F<5F<7F<< H AHH  H#rKcK|jjjdd|iid{}|Dcgc]}|j}}t |||d{S73cc}w7 w)NrrrrI)rrprrrO)rKrrrErXrrJs r;rPrPas !. 0 0 J J T TT;/0!U!$7 7Ccii 7F 7+-+  8 s,.A-A$A-A& A-A+ A-&A-current_master_keynew_master_keyc~Kddlm} |jjj d{}|r|j |}tjdt|g}|D]N}ttdi||||dd{} | s'|jt| jPtjd|jjjd{tjd t||jjj!| d{ |jj"j d{} | r i} | D]} | j$d k(s| j&} | re|j)| } |j+| | }|r=|jj"j-dd idt|id{yyyy7#t $rd}YwxYw77(77#t $rd} YwxYw78w)aR Rotate the master key 1. Get the values from the DB - Get models from DB - Get config from DB 2. Decrypt the values - ModelTable - [{"model_name": "str", "litellm_params": {}}] - ConfigTable 3. Encrypt the values with the new master key 4. Update the values in the DB r) proxy_configN) new_modelsz2ABLE TO DECRYPT MODELS - len(decrypted_models): %sF) model_paramsrErnew_encryption_keyshould_create_model_in_dbzResetting proxy model tablezCreating %s modelsr:environment_variables)r)rr param_name param_valuerkr5r)rrrlitellm_proxymodeltablerrdecrypt_model_list_from_dbrrrr$r1rbr-rc delete_many create_manylitellm_configrr!_decrypt_and_set_db_env_variables_encrypt_env_variablesr)rrErrrrdecrypted_modelsrrC new_modelrzenvironment_variables_dictcdecrypted_env_varsencrypted_env_varss r;_rotate_master_keyrss[&8""::DDF F  'BBfBU!! @#FVBW  %E.'0%0"3+#1*/ I!!.1E1E1G"HI& !!"?@66BBDDD!!"6JH66BBC   $''66@@BBb%'"A||66-.]]* &!-!O!O&@"P" ".!D!D&8#1"E"  "#&&55<<')@A'8J)KL=" &C G  E C (sH='HH HAH= H H=A&H=;H#rrr)r5 new_tokens r; get_new_tokenrsv  (LL ||&&u-"77d  '//0OPQR r=z/key/{key:path}/regeneratez/key/regeneratec K ddlm}m}m}m}m}m} |xr|jdu} |dur(| s&tdtjj|r|jr |jn|}|stdddi |ttjdd i t!|| } |{|ry| rw|jttj"dd i t%||||j d{t'|j|j|jdSd|vr|} n||} |j(j*j-d| id{} | !ttj.dd|di t1j2|t4j6|| | d{t9j:d| t=|}||}d|dd}||d}i}|+t?|| d{}t9j:d||jA||jC|}|j(j*jAd| i|d{}i}| tE|}||d<|jGd|d<|rtI||| |d{| rtI||| |d{t'd"i|}tKjLtOjP|| ||| |S777c777j7N#tR$r&}t9jTd!|tW|d}~wwxYww)#a Regenerate an existing API key while optionally updating its parameters. Parameters: - key: str (path parameter) - The key to regenerate - data: Optional[RegenerateKeyRequest] - Request body containing optional parameters to update - key: Optional[str] - The key to regenerate. - new_master_key: Optional[str] - The new master key to use, if key is the master key. - new_key: Optional[str] - The new key to use, if key is not the master key. If both set, new_master_key will be used. - key_alias: Optional[str] - User-friendly key alias - user_id: Optional[str] - User ID associated with key - team_id: Optional[str] - Team ID associated with key - models: Optional[list] - Model_name's a user is allowed to call - tags: Optional[List[str]] - Tags for organizing keys (Enterprise only) - spend: Optional[float] - Amount spent by key - max_budget: Optional[float] - Max budget for key - model_max_budget: Optional[Dict[str, BudgetConfig]] - Model-specific budgets {"gpt-4": {"budget_limit": 0.0005, "time_period": "30d"}} - budget_duration: Optional[str] - Budget reset period ("30d", "1h", etc.) - soft_budget: Optional[float] - Soft budget limit (warning vs. hard stop). Will trigger a slack alert when this soft budget is reached. - max_parallel_requests: Optional[int] - Rate limit for parallel requests - metadata: Optional[dict] - Metadata for key. Example {"team": "core-infra", "app": "app2"} - tpm_limit: Optional[int] - Tokens per minute limit - rpm_limit: Optional[int] - Requests per minute limit - model_rpm_limit: Optional[dict] - Model-specific RPM limits {"gpt-4": 100, "claude-v1": 200} - model_tpm_limit: Optional[dict] - Model-specific TPM limits {"gpt-4": 100000, "claude-v1": 200000} - allowed_cache_controls: Optional[list] - List of allowed cache control values - duration: Optional[str] - Key validity duration ("30d", "1h", etc.) - permissions: Optional[dict] - Key-specific permissions - guardrails: Optional[List[str]] - List of active guardrails for the key - blocked: Optional[bool] - Whether the key is blocked Returns: - GenerateKeyResponse containing the new key and its updated parameters Example: ```bash curl --location --request POST 'http://localhost:4000/key/sk-1234/regenerate' --header 'Authorization: Bearer sk-1234' --header 'Content-Type: application/json' --data-raw '{ "max_budget": 100, "metadata": {"team": "core-infra"}, "models": ["gpt-4", "gpt-3.5-turbo"] }' ``` Note: This is an Enterprise feature. It requires a premium license to use. r)r9 master_keyr}rr!rNTz4Regenerating Virtual Keys is an Enterprise feature, rSrzNo key passed in.rUr)ro _master_keyzNew master key is required.)rrErr)rrrr skrrKey z not found.r&z key_in_db: %sr:zsk-...)rrrznon_default_values: %srrrr+r-zError regenerating key: %sr),rr9rr}rr!rrrrrrJrrrrRr)r>rrrrpr#rar'r5rKEY_REGENERATErrrrrr-rrrrrr!async_key_rotated_hookrrr,)rr5rErr9rr}rr!ris_master_key_regeneration_is_master_key_validhashed_api_key _key_in_dbrnew_token_hashnew_token_key_namer8r updated_tokenupdated_token_dictrrs r;regenerate_key_fnrsJV+  &*%Md.A.A.M"  $-GFGXGiGiGoGoFpq  488dhhCBU8VW W  "AA!JK  .czR  !d/C""*# & ; ;#%BC%+"3#-#22    ''')),,   s? N'_N(++EEQQN+R    "554uK!89  )XX/%44''1     ""?J?!t, #I.%in%56$*    '>J("  ! & &'?AS T-.#22 2D +..HHOON+P     $!%m!4 $-5!);)?)?)H:& *'_#5"3   *'_#5"3   '     # : :!+!"3#5   M $  0"   * +&&'CQG'**+sMC2L$6L70L$'M(:L$"L#AL$5L6AL$LA)L$/L0AL$5L 6L$L"=L$ML$L$L$L$L$ L$"L$$ M-!MMMkey_hashcK|jtjjk(ry|j+t dt jdtj|jjjd|jiddid{}|+t dt jdtjtdi|j}|r:|j|k7r+t dt jdtj|r9||jvr+t dt jd tj|r]|j &||j D cgc]} | j"c} vr+t d t jd tj|r} |jj$jd |i d{} t)||| d{} | s4t+tjdj-|j|S7cc} w7Z#t&$r,t dt jdtjwxYw7~w)Nz]You are not authorized to access this endpoint. No 'user_id' is associated with your API key.r?r0organization_membershipsTrjz3You are not authorized to check another user's keysz0You are not authorized to check this team's keysr9z8You are not authorized to check this organization's keysrrrzKey Hash not found.rrmrnrUr)rGrHrIrJr?r;r<bad_request_errorrrrlitellm_usertabler#LiteLLM_UserTablercrrrrprrrrrK) rEr?r9rrrrcomplete_user_info_db_objcomplete_user_info membershiprccan_user_query_key_infos r;validate_key_list_checkrs""&6&B&B&H&HH  (s 22**   00<</778/6=  !(s 22**   +T-F-Q-Q-ST  % % 0 M$66..   ,22 2 J$66..    7 7 ?#5"M"M** !R$66'..   *--GGSS)TH)A/) #  '"55T[[%//  W N  -$66 ..   # s[BJH<CJ9H? 1J>+I)I*I.J?I>=J?JI5I;;Jrc FK|gS|jjjdd|jiid{}|gS|Dcgc]}t di|j }}|Dcgc]}t ||r |j}}|S7Vcc}wcc}ww)z6 Get all team IDs where the user is an admin. Nr9rrrFr)rlitellm_teamtablerrLiteLLM_TeamTablercr"r9)rrErrr(teams_pydantic_objadmin_team_idss r;get_admin_team_idsr s! 00::t%7%=%=>?;    } MRST+@doo.?@SS'  1BT R N  Ts- *G,s1v5 66!Wf-66    saG&ADC:D.C</A/DC>D9G&:D<D>D G# CGG##G&ci}|ygd}||vr!tddddj|i|jdvrtdddi|j||<|S) N)r{rrrrrrSrz%Invalid sort column. Must be one of: z, rU)ascrz+Invalid sort order. Must be 'asc' or 'desc')rjoinlower)rrorder_by valid_columnss r;_validate_sort_paramsr s "HMm#@=AY@Z[  0JK  #((*HW Or=exclude_team_idrc XKi} | jtg}i}|rt|tr||d<|rt|tr||d<|rt|tr||d<|rt|trd|i|d<|rt|tr||d<|rt|tr||d<|r|j || r|j dd| iit |dkDr d | d |igi} n"t |dk(r| j|d t jd | |dz |z}t jd |d|| t| tr t| | nd}|jjj| |||r|nddiddigddid{}t jdt |d|jjj| d{}t jd|| |z }g}|D]u}|j}t||d{}| dur|j tdi|F|j!d}|j t#t|wt%||||S777hw)a Helper function to list keys Args: page: int size: int user_id: Optional[str] team_id: Optional[str] key_alias: Optional[str] exclude_team_id: Optional[str] # exclude a specific team_id return_full_object: bool # when true, will return UserAPIKeyAuth objects instead of just the token admin_team_ids: Optional[List[str]] # list of team IDs where the user is an admin Returns: KeyListResponseObject { "keys": List[str] or List[UserAPIKeyAuth], # Updated to reflect possible return types "total_count": int, "current_page": int, "total_pages": int, } r?r9rnotrrrrANDORrzFilter conditions: zPagination: skip=z, take=NrrrT)rkskiptakeorderrlzFetched z keysrzTotal count of keys: )rL total_count current_page total_pagesr)r._get_condition_to_filter_out_ui_session_tokensrrrbrrrrrrprcountrr%UserAPIKeyAuthrnr KeyListResponseObject)rrrr?r9rrrrrrrrrk or_conditionsuser_conditionrr rLrrkey_listrkey_dict_tokens r;rr sNJLE LL?AB+-M&(N:gs+$+y!:gs+$+y!Z 3/&/{#:os;%*O$<y!:os;,;()Jx-"*w^,i$)?@A =A} 567 ] q  ]1%&!4UG<= 1H D!24&vFG  :gs#; gz2  !!;;EE   v&&! %d+F  D#d)E:;&((BBHHIK!6{mDE!LD()K24H88:9(MRR  % OON6X6 7\\'*F OODf- . !   O $Ss9F#J*%J$&AJ*5J&6A J*?J(A%J*&J*(J*c"dddiddtiigiS)z3 Condition to filter out UI session tokens rr9Nr)rrr=r;rrG s.  E#;<   r=z /key/block http_requestc`Kddlm}m}m}m}m}m} |2tdjtjjt|js+tdtj dt"j$||j} t&j(d ur |j*j,j/d | i d{} | 9td |jd tj dt"j0t3j4|t7t9t;j<t?j@tBjD|xs|jFxs||jHtJjL| dd| jO |j*j,jQd | idd id{} tS| || d|d{} d | _*tW| | | |d{| S7M7?7)7 w)a Block an Virtual key from making any requests. Parameters: - key: str - The key to block. Can be either the unhashed key (sk-...) or the hashed key value Example: ```bash curl --location 'http://0.0.0.0:4000/key/block' --header 'Authorization: Bearer sk-1234' --header 'Content-Type: application/json' --data '{ "key": "sk-Fn8Ej39NxjAXrvpUGKghGw" }' ``` Note: This is an admin-only endpoint. Only proxy admins can block keys. rcreate_audit_log_for_updater9rrr!rN{}Invalid key format.rr0rhTrrr not foundr| idr changed_bychanged_by_api_keyr object_idactionupdated_values before_value request_datarr,rrrr!r,user_api_key_objrr!,rr(r9rrr!rrrKrdb_not_connected_errorrJr.rr;r<rrr>rlstore_audit_logsrrpr#rarrLiteLLM_AuditLogsruuiduuid4rrrrr?roLitellmTableNamesKEY_TABLE_NAMEmodel_dump_jsonrrr|r r5r%rErr(r9rrr!rr,record key_objects r; block_keyrEU s> $5$L$L$R$RSTT DHH %) 22,,   DHH-L4'$''AAMML)N   > txxj 3$66..    '.4::<('||HLL91 0(00 0/'8'@'@0??*$#'!'!7!7!9   $!##==DD %Y,=EF&!#-+ JJ !#-+   Mm 8ICH.H%DH.(H()H.H*H.H,H.(H.*H.,H.z /key/unblockc`Kddlm}m}m}m}m}m} |2tdjtjjt|js+tdtj dt"j$||j} t&j(d ur |j*j,j/d | i d{} | 9td |jd tj dt"j0t3j4|t7t9t;j<t?j@tBjD|xs|jFxs||jHtJjL| dd| jO |j*j,jQd | iddid{} tS| || d|d{} d| _*tW| | | |d{| S7M7?7)7 w)a Unblock a Virtual key to allow it to make requests again. Parameters: - key: str - The key to unblock. Can be either the unhashed key (sk-...) or the hashed key value Example: ```bash curl --location 'http://0.0.0.0:4000/key/unblock' --header 'Authorization: Bearer sk-1234' --header 'Content-Type: application/json' --data '{ "key": "sk-Fn8Ej39NxjAXrvpUGKghGw" }' ``` Note: This is an admin-only endpoint. Only proxy admins can unblock keys. rr'Nr)r*rr0rhTrrrr+r|r,r4Frr6r7r9rBs r; unblock_keyrH s> $5$L$L$R$RSTT DHH %) 22,,   DHH-L4'$''AAMML)N   > txxj 3$66..    '.4::<('||HLL91 0(00 0/'8'@'@0??*$#'!'!7!7!9   $!##==DD %Y,>EF&!#-+ JJ !#-+   Mm 8rFz /key/healthc xK |j}tdd}|r;d|vr7t|||dd{}||d<|jddk(rd|d <tdi|S7-#t$rG}t d t |tjt|d d tj d}~wwxYww)aS Check the health of the key Checks: - If key based logging is configured correctly - sends a test log Usage Pass the key in the request header ```bash curl -X POST "http://localhost:4000/key/health" -H "Authorization: Bearer sk-1234" -H "Content-Type: application/json" ``` Response when logging callbacks are setup correctly: ```json { "key": "healthy", "logging_callbacks": { "callbacks": [ "gcs_bucket" ], "status": "healthy", "details": "No logger exceptions triggered, system is healthy. Manually check if logs were sent to ['gcs_bucket']" } } ``` Response when logging callbacks are not setup correctly: ```json { "key": "unhealthy", "logging_callbacks": { "callbacks": [ "gcs_bucket" ], "status": "unhealthy", "details": "Logger exceptions triggered, system is unhealthy: Failed to load vertex credentials. Check to see if credentials containing partial/invalid information." } } ``` healthyN)rlogging_callbackslogging)rEr key_loggingrKr unhealthyrzKey health check failed: rer/r0r) rKeyHealthResponsetest_key_loggingrnrr;rr<rQrrrR)rrE key_metadata health_statuslogging_statusesrs r; key_healthrT3 sr (11 +<", I5%5"3(3&   2BM- . ##H-<'2 e$ 1=11   /Ax8 66!Wf-66    s9B:3A'A%,A'$B:%A'' B70AB22B77B:cBK|jtjjk(s'|jtjjk(ry|j |k(ry|j |j k(rytj||d{ryy7w)zB Helper to check if the user has access to the key's info T)rErNF) rGrHrIrJrror?r'user_belongs_to_keys_teamrms r;rrrr s ##'7'C'C'I'II  & &*:*P*P*V*V V  " "c )   .66 6)CC+!     sBBBBrMc Kddl}ddlm}ddlm}ddlm}m}g}|D]2} | jd|j| d)td|} |j| } | j|j|j} | j|  dd d d gd d } || ||||d{} t!j"di| d{t+j,dd{| j/}| j1| |rt'|dd|St'|dd|dS77i#t$$r$}t'|ddt)|cYd}~Sd}~wwxYw7~w)a3 Test the key-based logging - Test that key logging is correctly formatted and all args are passed correctly - Make a mock completion call -> user can check if it's correctly logged - Check if any logger.exceptions were triggered -> if they were then returns it to the user client side rN)StringIO)add_litellm_data_to_request)general_settingsr callback_namez(callback_name is required in key_loggingzopenai/litellm-key-health-testrizQHello, this is a test from litellm /key/health. No LLM API call was made for this)rZcontentz test response)rCmessages mock_response)r5rErrZrrNzLogging test failed: ) callbacksrdetailsz2Logger exceptions triggered, system is unhealthy: rJzWNo logger exceptions triggered, system is healthy. Manually check if logs were sent to  r)rLiorX$litellm.proxy.litellm_pre_call_utilsrYrrZrrnrbr StreamHandlersetLevelERROR getLogger addHandlerrl acompletionrLoggingCallbackStatusrrsleepgetvalue removeHandler)rErrMrLrXrYrZrrKcallbacklog_capture_stringchloggerr5r log_contentss r;rPrP sPI#% << ( 4  $ $Xo%> ?GH H  "   1 2BKK     F b 5#r -  1/%-   !!     --   &..0L $'HW  %'mnnAABC  ?    $'+CF84   sgB&E>)E EE E !E %E>=E<>A E>E E E9E4.E9/E>4E99E>r*cK|p|md|i}|rd|i|d<|jjj|d{}|/td|dtj dt jyyy78w) a( Helper to enforce unique key aliases across all keys. Args: key_alias (Optional[str]): The key alias to check prisma_client (Any): Prisma client instance existing_key_token (Optional[str]): ID of existing key being updated, to exclude from uniqueness check (The Admin UI passes key_alias, in all Edit key requests. So we need to be sure that if we find a key with the same alias, it's not the same key we're updating) Raises: ProxyException: If key alias already exists on a different key NrrNOTrzKey with alias 'zB' already exists. Unique key aliases across all keys are required.r0)rrp find_firstr;r<rrr>)rrr* where_clause existing_keys r;rr s"!:(3Y'? #*,>"?L *--GGRRS    # *9+5wx$66!00   $";  s;A8A69A8cr |yt|dk(ry|yddlm}m}|dur"t d|j j |jD]7\}}t|tsJd|vrt|d|d<td i|9yy#t$r}t dt|dd}~wwxYw) z Validate the model_max_budget is GenericBudgetConfigType + enforce user has an enterprise license Raises: Exception: If model_max_budget is not a valid GenericBudgetConfigType Nr)rr}Tz=You must have an enterprise license to set model_max_budget. budget_limitzInvalid model_max_budget: zM. Example of valid model_max_budget: https://docs.litellm.ai/docs/proxy/usersr) rrrr}rrrJrrrfloatr2r)rrr}_model _budget_infors r;rr s  #   A %   ' R4' STeTvTvT|T|S}~)9(>(>(@$ !&#..."\138n9U3VL0,|, )A (  (Q0} ~   s"BBA:B B6B11B6)NFNNrr7)__doc__rrrrrr=rrrtypingrrrr r fastapir r r rrrrrllitellm._loggingrlitellm.cachingrlitellm.constantsrr*litellm.litellm_core_utils.duration_parserrlitellm.proxy._typeslitellm.proxy.auth.auth_checksrrrrrlitellm.proxy.auth.auth_utilsr$litellm.proxy.auth.user_api_key_authrrr .litellm.proxy.hooks.key_management_event_hooksr!/litellm.proxy.management_endpoints.common_utilsr"r#=litellm.proxy.management_endpoints.model_management_endpointsr$8litellm.proxy.management_helpers.object_permission_utilsr%r&>litellm.proxy.management_helpers.team_member_permission_checksr'&litellm.proxy.management_helpers.utilsr(1litellm.proxy.spend_tracking.spend_tracking_utilsr)litellm.proxy.utilsr*r+r,r-r.litellm.routerr/litellm.secret_managers.mainr0litellm.types.routerr1litellm.types.utilsr2r3r4UnionGenerateKeyRequestrr<LiteLLM_TeamTableCachedObjrMemberrDrboolrNrr^rfrprtrwr{UpdateKeyRequestrrouterrrrrpostrr BaseModelrrRegenerateKeyRequestrrrrArr7 KeyRequestrYrernrtrlistr{intLiteLLM_ObjectPermissionBaserrrDictrOrPrrrrrrrrrrAnyrBlockKeyRequestrErHrOrTrrrkrPrrrr=r;rsl   2277UUU1%WJ"=BKROL"3+$u/1JJK$ * 5=c]  f %08 HPQT  @1sm1*1&13 1  1h   /7S /B  *%   B%%&CD&%-?0 34 %        @% "$44 5    T] D  ,  $ | |%|! |34 |  |~  +,-&   )00A(B(. t)u+ u+%u+! u+ u+p#  +,-  )00A(B(. t)q q%q! q  qh )-BF @L)21  "66 71/1h/ 44 4.G4 4)*'BS:T9U )00A(B(. t) r r r &r ! r r j= "= = (=  = @)*'BS:T9U )00A(B(. t)h+ h+%h+! h+h+V  +,-  "&(/0A(B5+ : 5+%5+  5+p'(@Q8R7S '"A)00A(B J+ #J+& J+J+Z T#Y -5f-=MQ T]@#&*)-!% "&"%) ! $! $#+/!##8E(,#-/"$')&*&*!% %)37(, $ $%)!% @Dgzzsm z  z  z z zUOz"#zz zz d^!z"c]#z$ C=%z&   'z,c]-z. /z0c]1z2 3z4}5z6$C=7z8tn9z:};z<}=z>45?z@ ~AzB}CzD%TNEzF$GzHtnIzJd^KzLd^MzNOzP D>QzRc]SzT/0UzV ~WzX YzZ [z\TN]z^#_z`# azf <=gzz*%*'* *" *Z'!&   6`A `A!`A&`A 8D>4 9: :; `AFc! &   8D>4 9: :; $LL%LL L  L^ !56 3   +,-    +,-  +/(/0A(B(. t) P+ #P+ ' (P+&P+! P+!"P+  P+f_%_ c]_c]_c] _ } _ sm _ _ _D !23%  #Y :  +,-  )00A(Ba]q9bkaC@"45MN"45MN%* :&$D6OP$T7QR$U8PQ# Q#OF8VW)f f %f  f   f c] f c] f c]f smf }f f f c]!f ()f *+f   f R! c]!(+! d38n!Z&*$ !CC C Cc] C c] C c] C}CsmCc]CC S Cc]CC !CL S#X ()AR9S8T )00A(B(. t) h hh&h! h'(hhV*+7CT;U:V )00A(B(. t) h hh&h! hhV  +,-$   )00A(BP P %P  P f% #( 4M %M M d38n%M  M f)- }  !   F  4 r=