
[Feature]: API Tokens to have unique names

Open gagarinfan opened this issue 10 months ago • 1 comments

The Feature

Originally mentioned in https://github.com/BerriAI/litellm/issues/2897

I think you might want to consider having unique non-secret names for the API Tokens. Currently these are only aliases that can be shared between many API Tokens. From an admin perspective, it's difficult to manage API Keys not knowing their values (I don't see a need to know their secret values, esp. if created in some automatic way and shared with different teams or apps). Having a unique name for the token will make the management process easier. Please consider that.

| Key Name               | Key Alias  | Secret Key | Other columns |
|------------------------|------------|------------|---------------|
| my-unique-API-Key-name | some-alias | sk-12...ad | some-data     |

Motivation, pitch

The motivation is making the administration and automation processes easier

Twitter / LinkedIn details

No response

gagarinfan avatar Apr 10 '24 12:04 gagarinfan

@gagarinfan is the ask to just enforce the name set by user to be unique?

krrishdholakia avatar Apr 10 '24 16:04 krrishdholakia

@krrishdholakia sort of. I think it would be nice to have a unique name for each token, like I proposed in the table above.

Unfortunately aliases are not unique to the API Keys and one can have the same alias for two different API Keys. I think it would also be more secure to manage them via Key Names instead of Key Values.

gagarinfan avatar Apr 12 '24 08:04 gagarinfan

how would you explain the difference between a key name and a key alias to a user? @gagarinfan

krrishdholakia avatar Apr 12 '24 16:04 krrishdholakia

A key name is a unique name created by the user during the API Token creation, that belongs to only one API token/key.

An alias is not a unique label(?) that can be assigned to many API tokens/keys.

All administrative tasks, like updating or removing API Keys, should be done using the API Token's Key Name (for example: api-token-gagarinfan), not the secret Secret Key (for example: sk-123qwerty).

| Key Name             | Key Alias  | Secret Key   | Other columns |
|----------------------|------------|--------------|---------------|
| api-token-gagarinfan | some-alias | sk-123qwerty | some-data     |

Of course clients should use the Secret Key for authorization. Key Name should be used only for management.

Here is an example of how your aliases work. I can have two keys with the same alias: [image]

gagarinfan avatar Apr 15 '24 08:04 gagarinfan

Agreed with everything @gagarinfan has mentioned so far. Technically, the key hash can be used as a unique ID for management operations, but this is still problematic because matching a key hash to a non-unique key alias isn't reliable if the key alias is duplicated.

Said another way... If I create two API keys with the same key alias, and then later choose to delete one of those two keys, I don't know which of the two key hashes to use in the delete request, unless I manage my own unique key ID separate from the LiteLLM proxy.

connorbrown-8451 avatar Apr 15 '24 14:04 connorbrown-8451

@gagarinfan @connorbrown-8451

Do you just want a unique key alias? (i.e. don't have a unique key name + non-unique key alias, just keep it simple and move to requiring key aliases to be unique)

Seems like the current approach of not requiring them to be unique is problematic, if we want to allow admins to delete keys based on key alias (not the unique hash)

krrishdholakia avatar Apr 15 '24 15:04 krrishdholakia

I would say we want both a unique alias/name requirement, and support in the API to use this unique alias/name for management operations.

connorbrown-8451 avatar Apr 15 '24 17:04 connorbrown-8451
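The model discussed in this thread (unique key name for management, non-unique alias, secret used only for authorization), sketched as an added example that is not LiteLLM's code or API and not written by any participant. `KeyRegistry` and all its method names are hypothetical, and the store is an in-memory dict holding only a SHA-256 hash of each secret.

```python
import hashlib
import secrets


class KeyNameConflict(Exception):
    """Raised when a key name is already taken."""


class AmbiguousAlias(Exception):
    """Raised when an alias matches more than one key."""


class KeyRegistry:
    """Hypothetical store: unique key_name, non-unique alias, hashed secret."""

    def __init__(self):
        self._by_name = {}  # key_name -> {"alias": str, "hash": str}

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def create(self, key_name, alias):
        if key_name in self._by_name:
            raise KeyNameConflict(key_name)
        secret = "sk-" + secrets.token_urlsafe(24)
        self._by_name[key_name] = {"alias": alias, "hash": self._hash(secret)}
        return secret  # returned once to the client; only the hash is kept

    def authenticate(self, secret):
        """Clients present the secret; return the matching key_name or None."""
        presented = self._hash(secret)
        for name, rec in self._by_name.items():
            if secrets.compare_digest(rec["hash"], presented):
                return name
        return None

    def names_for_alias(self, alias):
        return sorted(n for n, r in self._by_name.items() if r["alias"] == alias)

    def delete_by_name(self, key_name):
        """Management path: the name identifies exactly one key."""
        return self._by_name.pop(key_name, None) is not None

    def delete_by_alias(self, alias):
        """Refuse when the alias is shared, instead of guessing which key."""
        names = self.names_for_alias(alias)
        if len(names) > 1:
            raise AmbiguousAlias(f"{alias!r} matches {names}")
        return bool(names) and self.delete_by_name(names[0])
```

With this shape an admin never handles a secret or a hash: revocation goes through the name, and a shared alias produces an explicit error rather than deleting an arbitrary key.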