How can I pass an API key without storing it in a Kubernetes Secret?

[zahlekhan]

I want to implement BYOK (Bring Your Own Key) support, where customers can provide their own API key directly in the request instead of storing it in a Kubernetes Secret. What’s the best way to achieve this?

[mathetake]

all the request headers are passed/forwarded to the upstream AI Providers as-is by default. So you can just let downstream clients set API key while you configure the gateway without "BackendSecurityPolicy".

To fine control the headers forwarded to the upstream AI Providers, you can use the header mutation API introduced recently on the main branch

ai-gateway/api/v1alpha1/ai_service_backend.go

Lines 75 to 78 in 320eb50

	// HeaderMutation defines the mutation of HTTP headers that will be applied to the request
	// before sending it to the backend.
	// +optional
	HeaderMutation *HTTPHeaderMutation `json:"headerMutation,omitempty"`