feat(core): add gateway OAuth bearer authentication#38805
feat(core): add gateway OAuth bearer authentication#38805John Kennedy (jkennedyvz) wants to merge 4 commits into
Conversation
af7aa8f to
9f5d498
Compare
9f5d498 to
82001a8
Compare
| langsmith_gateway_oauth_token: SecretStr | None = Field( | ||
| default_factory=secret_from_env("LANGSMITH_GATEWAY_OAUTH_TOKEN", default=None), | ||
| exclude=True, | ||
| ) |
There was a problem hiding this comment.
🔴 Scope OAuth token to gateway requests
The environment token is loaded unconditionally, even when LANGSMITH_GATEWAY is unset/false and this client resolves to https://api.anthropic.com. In that normal direct-provider configuration, _gateway_oauth_auth replaces the provider credential with the LangSmith bearer token, disclosing the OAuth credential to Anthropic and causing authentication to fail. The same unconditional default exists in ChatFireworks and BaseChatOpenAI; Fireworks sends it to its direct endpoint, while OpenAI sends it whenever a direct base_url is supplied (and otherwise now crashes constructing an HTTPX client with base_url=None). Please only activate this credential when the resolved endpoint is actually LangSmith Gateway.
(Refers to lines 1004-1007)
Your feedback helps Open SWE learn. React with 👍 or 👎 to tell us if this review comment was useful.
Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com>
Gateway-backed chat clients can now use a LangSmith OAuth access token as an
Authorization: Bearercredential without treating it as a provider API key. The shared transport adapter removes provider auth headers before sending the request, and the OpenAI, Anthropic, and Fireworks clients use it when an OAuth token is configured.Release note
Add OAuth bearer authentication for LangSmith Gateway chat requests in the OpenAI, Anthropic, and Fireworks integrations.
This contribution was prepared with AI assistance.