Overview
Bifrost provides built-in authentication to protect your dashboard and admin API endpoints. When enabled, users must log in with credentials before accessing the dashboard or making admin API calls. This feature helps secure your Bifrost instance, especially when deployed in production environments.
Enabling Authentication
Step 1: Navigate to Security Settings
- Open your Bifrost dashboard
- Go to Workspace → Config → Security tab
- Scroll to the Password protect the dashboard section

Step 2: Enable Authentication
- Toggle the Password protect the dashboard switch to enable authentication
- Enter your Username in the admin username field
- Enter your Password in the admin password field
Step 3: Configure Inference Call Authentication (Optional)
By default, when authentication is enabled, all API calls (including inference calls) require authentication. You can optionally disable authentication for inference calls while keeping it enabled for the dashboard and admin API:
- Enable the Disable authentication on inference calls toggle
- When enabled:
  - Dashboard and admin API calls will still require authentication
  - Inference API calls (chat completions, embeddings, etc.) will not require authentication
  - MCP tool execution calls will still require authentication
Step 4: Configure Whitelisted Routes (Optional)
You can configure specific routes that bypass the authentication middleware entirely. Requests to these routes will not require authentication, even when auth is enabled.
- Scroll to the Whitelisted Routes section
- Enter a comma-separated list of routes in the textarea

Routes ending with * are treated as prefix matches. For example, /api/webhook* will match /api/webhook, /api/webhook/v1, /api/webhook/github, etc.
Example values:
/api/custom-webhook, /api/public-endpoint, /api/webhook*
Step 5: Save Changes
- Click Save Changes to apply your authentication settings
- Changes take effect immediately - no restart required
Logging In
Once authentication is enabled:
- Navigate to your Bifrost dashboard URL
- You will be automatically redirected to the login page
- Enter your configured username and password
- Click Sign in
After successful login, you’ll be redirected to the dashboard. Your session will remain active for 30 days, and you’ll need to log in again after the session expires.
Authentication Methods
Bifrost supports different authentication methods depending on the type of request:
Dashboard Access
- Bearer Token Authentication: The dashboard uses Bearer token authentication
- Tokens are automatically managed through the login session
- Tokens are stored in browser localStorage and sent with each API request
API Calls
When authentication is enabled, API calls can be made using:
- Basic Authentication: Username and password encoded as base64 via HTTP Basic auth
- Bearer Token: Session token issued after login (Bearer token from session)
When authentication is enabled for inference calls (i.e., the “Disable authentication on inference calls” toggle is OFF), inference calls can be made using:
- Basic Authentication: Username and Password in Basic auth
- Bearer Token: base64 string of username:password as bearer token
Whitelisted Routes
When a route is added to the whitelisted routes list in Security settings, requests to that path bypass authentication entirely - no Basic Auth or Bearer Token is required. This applies only to dashboard and admin API endpoints. Inference endpoints are controlled separately via the “Disable authentication on inference calls” toggle.
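The matching rule described for whitelisted routes, as an added example that is not Bifrost's own code: it parses a Whitelisted Routes value and reports which paths you expect to stay protected would bypass authentication. It assumes a trailing * is a plain string-prefix match, and the protected paths are hypothetical placeholders.

```python
# Added example, not Bifrost code. Assumption: a trailing * is a plain
# string-prefix match (as the /api/webhook* example suggests); entries
# without * match the exact path only.

PAGE_EXAMPLE = "/api/custom-webhook, /api/public-endpoint, /api/webhook*"

# Hypothetical paths that should keep requiring auth (constructed).
PROTECTED = ["/api/webhooks-admin", "/api/config"]


def parse_whitelist(value):
    """Split the comma-separated value into (pattern, is_prefix) rules."""
    rules = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing commas and blank entries
        if entry.endswith("*"):
            rules.append((entry[:-1], True))
        else:
            rules.append((entry, False))
    return rules


def is_whitelisted(path, rules):
    """True if the path would bypass the auth middleware under these rules."""
    return any(
        path.startswith(pattern) if is_prefix else path == pattern
        for pattern, is_prefix in rules
    )


def audit(value, protected_paths):
    """List broad prefixes and protected paths the whitelist would expose."""
    rules = parse_whitelist(value)
    findings = []
    for pattern, is_prefix in rules:
        # A prefix with fewer than two path segments (/*, /api/*) covers
        # whole API trees rather than one endpoint family.
        if is_prefix and len([s for s in pattern.split("/") if s]) < 2:
            findings.append(("broad-prefix", pattern + "*"))
    for path in protected_paths:
        if is_whitelisted(path, rules):
            findings.append(("exposed", path))
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE_EXAMPLE, PROTECTED):
        print(finding)
```

If prefix matching works as assumed, /api/webhook* also covers sibling paths such as the hypothetical /api/webhooks-admin; listing /api/webhook and /api/webhook/* as separate entries keeps the bypass to that one subtree.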
Example: Using Basic Auth for Inference Calls
# Using curl with Basic Auth
curl -X POST http://localhost:8080/v1/chat/completions \
  -u "your-username:your-password" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "openai/gpt-4o",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'
Important Notes
- No Restart Required: Authentication changes take effect immediately without requiring a server restart
- Session Duration: Login sessions last for 30 days
- Password Security: Passwords are hashed and stored securely in the database
- Inference Calls: If you disable authentication on inference calls, only dashboard and admin API endpoints will be protected
- Whitelisted Routes: Routes configured in Security settings bypass auth on dashboard/admin API endpoints only. Use * at the end of a route for prefix matching (e.g., /api/webhook*)
Disabling Authentication
To disable authentication:
- Navigate to Workspace → Config → Security
- Toggle off the Password protect the dashboard switch
- Click Save Changes
After disabling, the dashboard will be accessible without authentication immediately.