diff --git a/src/content/changelogs/ai-gateway.yaml b/src/content/changelogs/ai-gateway.yaml index 4a92867c03a1bc7..638296c089c1a0b 100644 --- a/src/content/changelogs/ai-gateway.yaml +++ b/src/content/changelogs/ai-gateway.yaml @@ -5,11 +5,20 @@ productLink: "/ai-gateway/" productArea: Developer platform productAreaLink: /workers/platform/changelog/platform/ entries: + - publish_date: "2024-11-19" + title: WebsocketS API + description: |- + * **Configuration**: Added [WebSockets API](/ai-gateway/configuration/websockets-api/) which provides a single persistent connection, enabling continuous communication. + - publish_date: "2024-11-19" + title: Authentication + description: |- + * **Configuration**: Added [Authentication](/ai-gateway/configuration/authentication/) which adds security by requiring a valid authorization token for each request. + - publish_date: "2024-10-28" title: Grok description: |- * **Providers**: Added [Grok](/ai-gateway/providers/grok/) as a new provider. - + - publish_date: "2024-10-17" title: Vercel SDK description: |- diff --git a/src/content/docs/ai-gateway/configuration/authentication.mdx b/src/content/docs/ai-gateway/configuration/authentication.mdx new file mode 100644 index 000000000000000..126114fbdfd23c9 --- /dev/null +++ b/src/content/docs/ai-gateway/configuration/authentication.mdx @@ -0,0 +1,71 @@ +--- +pcx_content_type: configuration +title: Authentication +sidebar: + order: 7 +head: [] +description: Add security by requiring a valid authorization token for each request. +--- + +Using an Authenticated Gateway in AI Gateway adds security by requiring a valid authorization token for each request. This feature is especially useful when storing logs, as it prevents unauthorized access and protects against invalid requests that can inflate log storage usage and make it harder to find the data you need. With Authenticated Gateway enabled, only requests with the correct token are processed. + +:::note +We recommend enabling Authenticated Gateway when opting to store logs with AI Gateway. + +If Authenticated Gateway is enabled but a request does not include the required `cf-aig-authorization` header, the request will fail. This setting ensures that only verified requests pass through the gateway. To bypass the need for the `cf-aig-authorization` header, make sure to disable Authenticated Gateway. +::: + +## Setting up Authenticated Gateway using the Dashboard + +1. Go to the Settings for the specific gateway you want to enable authentication for. +2. Select **Create authentication token** to generate a custom token with the required `Run` permissions. Be sure to securely save this token, as it will not be displayed again. +3. Include the `cf-aig-authorization` header with your API token in each request for this gateway. +4. Return to the settings page and toggle on Authenticated Gateway. + +## Example requests with OpenAI + +```bash +curl https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/openai/chat/completions \ + --header 'cf-aig-authorization: Bearer {CF_AIG_TOKEN}' \ + --header 'Authorization: Bearer OPENAI_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{"model": "gpt-3.5-turbo", "messages": [{"role": "user", "content": "What is Cloudflare?"}]}' +``` + +Using the OpenAI SDK: + +```javascript +import OpenAI from "openai"; + +const openai = new OpenAI({ + apiKey: process.env.OPENAI_API_KEY, + baseURL: "https://gateway.ai.cloudflare.com/v1/account-id/gateway/openai", + defaultHeaders: { + "cf-aig-token": `Bearer {token}`, + }, +}); +``` + +## Example requests with the Vercel AI SDK + +```javascript +import { createOpenAI } from "@ai-sdk/openai"; + +const openai = createOpenAI({ + baseURL: "https://gateway.ai.cloudflare.com/v1/account-id/gateway/openai", + headers: { + "cf-aig-token": `Bearer {token}`, + }, +}); +``` + +## Expected behavior + +The following table outlines gateway behavior based on the authentication settings and header status: + +| Authentication Setting | Header Info | Gateway State | Response | +| ---------------------- | -------------- | ----------------------- | ------------------------------------------ | +| On | Header present | Authenticated gateway | Request succeeds | +| On | No header | Error | Request fails due to missing authorization | +| Off | Header present | Unauthenticated gateway | Request succeeds | +| Off | No header | Unauthenticated gateway | Request succeeds | diff --git a/src/content/docs/ai-gateway/get-started.mdx b/src/content/docs/ai-gateway/get-started.mdx index 7b46c3f70436307..6dc187bf19c5d78 100644 --- a/src/content/docs/ai-gateway/get-started.mdx +++ b/src/content/docs/ai-gateway/get-started.mdx @@ -24,6 +24,10 @@ Then, create a new AI Gateway. +## Choosing gateway authentication + +When setting up a new gateway, you can choose between an authenticated and unauthenticated gateway. Enabling an authenticated gateway requires each request to include a valid authorization token, adding an extra layer of security. We recommend using an authenticated gateway when storing logs to prevent unauthorized access and protect against invalid requests that can inflate log storage usage and make it harder to find the data you need. Learn more about setting up an [Authenticated Gateway](/ai-gateway/configuration/authentication/). + ## Connect application Next, connect your AI provider to your gateway. diff --git a/src/content/docs/ai-gateway/observability/logging/index.mdx b/src/content/docs/ai-gateway/observability/logging/index.mdx index 3f19cc64702b739..7303bed04ff42c5 100644 --- a/src/content/docs/ai-gateway/observability/logging/index.mdx +++ b/src/content/docs/ai-gateway/observability/logging/index.mdx @@ -16,6 +16,8 @@ You can store up to 10 million logs per gateway. If your limit is reached, new l To learn more about your plan limits, refer to [Limits](/ai-gateway/reference/limits/). +We recommend using an authenticated gateway when storing logs to prevent unauthorized access and protecs against invalid requests that can inflate log storage usage and make it harder to find the data you need. Learn more about setting up an [authenticated gateway](/ai-gateway/configuration/authentication/). + ## Default configuration Logs, which include metrics as well as request and response data, are enabled by default for each gateway. This logging behavior will be uniformly applied to all requests in the gateway. If you are concerned about privacy or compliance and want to turn log collection off, you can go to settings and opt out of logs. If you need to modify the log settings for specific requests, you can override this setting on a per-request basis.