Add API key authentication for proxy endpoints.

Support multiple API keys from config, env, and CLI, enforce auth on non-public endpoints, and pass keys through remote deploy verification. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-08 13:08:27 +08:00
parent c1a0fe2949
commit 450faefaf9
8 changed files with 229 additions and 2 deletions
--- a/README.md
+++ b/README.md
@@ -288,6 +288,30 @@ REMOTE_PASSWORD='your-password' \

 The script uploads `cmd/`, `internal/`, `vendor/`, `go.mod`, and `go.sum`, prepares a Docker build context on the server, then rebuilds the runtime image there with a multi-stage Docker build. The remote host needs `docker`, `tar`, and `curl`; it does not need a host Go installation, but it does need network access to pull the base Docker images if they are not already cached.

+### API Authentication
+
+Set one or more API keys with `LINGMA_PROXY_API_KEYS` or the JSON config field `api_keys`:
+
+```bash
+export LINGMA_PROXY_API_KEYS="key-one,key-two"
+go run ./cmd/lingma-ipc-proxy --host 127.0.0.1 --port 8095
+```
+
+```json
+{
+  "api_keys": ["key-one", "key-two"]
+}
+```
+
+The deployment script also passes through `LINGMA_PROXY_API_KEYS`, so the same key set can be enabled on the remote server during deploy.
+
+When keys are configured, all API endpoints except `/`, `/health`, `/runtime/status`, and `/v1/runtime/status` require authentication. Clients can send either:
+
+- `Authorization: Bearer <key>`
+- `x-api-key: <key>`
+
+This works well with OpenAI-compatible clients that already expose an API key field.
+
 ## Client Configuration

 ### Claude Code