@philipithomas
Contributor

Philip here from the Chroma team.

This SDK currently authenticates via a bearer token.

However, Chroma uses the x-chroma-token header instead of bearer, leading all authenticated requests with this SDK to fail with a 401 error. (Details in the Chroma OpenAPI spec: https://api.trychroma.com/docs/ )

I've patched the authentication method in this PR.

Signed-off-by: Philip I. Thomas <[email protected]>
@ilayaperumalg ilayaperumalg added this to the 1.1.0.M4 milestone Oct 8, 2025
@ilayaperumalg ilayaperumalg added the bug Something isn't working label Oct 8, 2025
@ilayaperumalg
Member

@philipithomas Thanks for the PR!

@Kehrlann Could you review the changes please? Thanks!

@philipithomas
Contributor Author

@Kehrlann Happy to help set up a free Chroma Cloud org for E2E testing, whether manual or automated - my email is philip at trychroma.com.

Contributor

@Kehrlann Kehrlann left a comment

Thanks for the contribution @philipithomas! The fix seems correct.

[question] I'm a bit confused as to why the TokenSecuredChromaWhereIT does not fail with the current setup. Can you try it on your machine, and try to reproduce?
Is it because it's an outdated Chroma image?
It'd be good to have this correctly covered by tests.

[suggestion, non-blocking] One nice-to-have, good opportunity for a small refactoring. Instead of capturing the token in ChromaApi#withToken, we do something similar to ChromaApi#withBasicAuthCredentials, something like:

public ChromaApi withKeyToken(String keyToken) {
	this.restClient = this.restClient.mutate()
			.defaultHeader(X_CHROMA_TOKEN, keyToken)
			.build();
	return this;
}

And we remove both the keyToken field and the httpHeaders method.

private void httpHeaders(HttpHeaders headers) {
if (StringUtils.hasText(this.keyToken)) {
headers.setBearerAuth(this.keyToken);
headers.set("x-chroma-token", this.keyToken);
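Review bot: in httpHeaders, the rendered hunk shows both headers.setBearerAuth(this.keyToken) and headers.set("x-chroma-token", this.keyToken) with no +/- markers, so check that the setBearerAuth call is on the removed side; if it stays, the same token is sent in both the Authorization and x-chroma-token headers on every request. Since the thread notes that TokenSecuredChromaWhereIT passes against a server that is not enforcing authentication, a test asserting on the outgoing request headers would cover this change.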
Contributor

Consider putting x-chroma-token in a static field.

@ilayaperumalg
Member

@philipithomas Could you check the latest review comments? Thanks

@ilayaperumalg ilayaperumalg modified the milestones: 1.1.0.M4, 1.1.0.RC1 Oct 31, 2025
@philipithomas
Contributor Author

> [question] I'm a bit confused as to why the TokenSecuredChromaWhereIT does not fail with the current setup. Can you try it on your machine, and try to reproduce?
> Is it because it's an outdated Chroma image?
> It'd be good to have this correctly covered by tests.

I believe that the server does not support that environment variable, so it's unauthenticated and responding to the request.

@philipithomas
Contributor Author

@ilayaperumalg Just patched it - ready for re-review

@Kehrlann
Contributor

Kehrlann commented Nov 4, 2025

> I believe that the server does not support that environment variable, so it's unauthenticated and responding to the request.

Got it, too bad then.
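
An added example (not code from this PR or from Spring AI): a self-contained JDK stub that enforces the x-chroma-token header the way the PR description says Chroma does, so a client that sends only Authorization: Bearer gets the 401 that the unauthenticated test server in this thread never produced. The class name, token value and stub behaviour are assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class ChromaTokenHeaderCheck {

    static final String X_CHROMA_TOKEN = "x-chroma-token"; // header name from the PR
    static final String TOKEN = "constructed-test-token";  // constructed sample value

    // Hypothetical stub: only the x-chroma-token header is checked,
    // an Authorization header is ignored entirely.
    static HttpServer startStub() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            String presented = exchange.getRequestHeaders().getFirst(X_CHROMA_TOKEN);
            int status = TOKEN.equals(presented) ? 200 : 401;
            exchange.sendResponseHeaders(status, -1); // -1: no response body
            exchange.close();
        });
        server.start();
        return server;
    }

    // Sends one GET carrying a single credential header and returns the status code.
    static int statusFor(HttpServer server, String header, String value) throws Exception {
        URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/");
        HttpRequest request = HttpRequest.newBuilder(uri).header(header, value).GET().build();
        return HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.discarding())
                .statusCode();
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = startStub();
        try {
            int bearer = statusFor(server, "Authorization", "Bearer " + TOKEN);
            int chroma = statusFor(server, X_CHROMA_TOKEN, TOKEN);
            System.out.println("Authorization: Bearer -> " + bearer);
            System.out.println(X_CHROMA_TOKEN + " -> " + chroma);
            if (bearer != 401 || chroma != 200) {
                throw new AssertionError("stub did not distinguish the two schemes");
            }
        } finally {
            server.stop(0);
        }
    }
}
```

Pointing the client under test at a stub like this, instead of a server with authentication disabled, makes a regression to bearer authentication show up as a failing status code.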

@ilayaperumalg
Member

@philipithomas Thanks for the PR and @Kehrlann thanks for the review. Rebased, squashed and merged as 0abfedf

@Jayaprabahar

Jayaprabahar commented Nov 7, 2025

Hi @philipithomas,
As discussed, it is tested and working.

Hope it will soon be pushed into the Maven repo as well.

Thanks

@ilayaperumalg
Member

@Jayaprabahar Thanks for testing and the update! This will be part of 1.1.0-RC1.

Labels

bug Something isn't working chromadb
