add: Optional router-level API key that gates router/API/web UI access

Optional router-level API key that gates router/API/web UI access (leave empty to disable) ## Supplying the router API key If you set `nomyo-router-api-key` in `config.yaml` (or `NOMYO_ROUTER_API_KEY` env), every request to NOMYO Router must include the key: - HTTP header (recommended): `Authorization: Bearer <router_key>` - Query param (fallback): `?api_key=<router_key>` Examples: ```bash curl -H "Authorization: Bearer $NOMYO_ROUTER_API_KEY" http://localhost:12434/api/tags curl "http://localhost:12434/api/tags?api_key=$NOMYO_ROUTER_API_KEY" ```
2026-01-14 09:28:02 +01:00 · 2026-01-14 09:28:02 +01:00 · eca4a92a33
commit eca4a92a33
parent 6828411f95
9 changed files with 412 additions and 25 deletions
--- a/doc/README.md
+++ b/doc/README.md
@ -36,6 +36,8 @@ doc/
   endpoints:
     - http://localhost:11434
   max_concurrent_connections: 2
+  # Optional router-level API key (leave blank to disable)
+  nomyo-router-api-key: ""
   ```
 3. **Run the router**:

@ -135,3 +137,15 @@ For additional help:
 5. **Scale as needed** by adding more endpoints

 Happy routing! 🚀
+
+
+## Router API key usage
+
+If the router API key is set (`NOMYO_ROUTER_API_KEY` env or `nomyo-router-api-key` in config), include it in every request:
+- Header (preferred): Authorization: Bearer <router_key>
+- Query param: ?api_key=<router_key>
+
+Example:
+```bash
+curl -H "Authorization: Bearer $NOMYO_ROUTER_API_KEY" http://localhost:12434/api/tags
+```
--- a/doc/configuration.md
+++ b/doc/configuration.md
@ -14,6 +14,9 @@ endpoints:

 # Maximum concurrent connections *per endpoint‑model pair*
 max_concurrent_connections: 2
+
+# Optional router-level API key to secure the router and dashboard (leave blank to disable)
+nomyo-router-api-key: ""
 ```

 ### Complete Example
@ -29,6 +32,9 @@ endpoints:
 # Maximum concurrent connections *per endpoint‑model pair* (equals to OLLAMA_NUM_PARALLEL)
 max_concurrent_connections: 2

+# Optional router-level API key to secure the router and dashboard (leave blank to disable)
+nomyo-router-api-key: ""
+
 # API keys for remote endpoints
 # Set an environment variable like OPENAI_KEY
 # Confirm endpoints are exactly as in endpoints block
@ -80,6 +86,21 @@ max_concurrent_connections: 4
 - When this limit is reached, the router will route requests to other endpoints with available capacity
 - Higher values allow more parallel requests but may increase memory usage

+### `router_api_key`
+
+**Type**: `str` (optional)
+
+**Description**: Shared secret that gates access to the NOMYO Router APIs and dashboard. When set, clients must send `Authorization: Bearer <key>` or an `api_key` query parameter.
+
+**Example**:
+```yaml
+nomyo-router-api-key: "super-secret-value"
+```
+
+**Notes**:
+- Leave this blank or omit it to disable router-level authentication.
+- You can also set the `NOMYO_ROUTER_API_KEY` environment variable to avoid storing the key in plain text.
+
 ### `api_keys`

 **Type**: `dict[str, str]`
@ -118,6 +139,15 @@ export NOMYO_ROUTER_CONFIG_PATH=/etc/nomyo-router/config.yaml
 export NOMYO_ROUTER_DB_PATH=/var/lib/nomyo-router/token_counts.db
 ```

+### `NOMYO_ROUTER_API_KEY`
+
+**Description**: Router-level API key. When set, all router endpoints and the dashboard require this key via `Authorization: Bearer <key>` or the `api_key` query parameter.
+
+**Example**:
+```bash
+export NOMYO_ROUTER_API_KEY=your_router_api_key
+```
+
 ### API-Specific Keys

 You can set API keys directly as environment variables:
@ -195,3 +225,15 @@ The configuration is loaded at startup and cannot be changed without restarting
 ## Example Configurations

 See the [examples](examples/) directory for ready-to-use configuration examples.
+
+
+### Using the router API key
+
+When `router_api_key`/`NOMYO_ROUTER_API_KEY` is set, clients must send it on every request:
+- Header (recommended): Authorization: Bearer <router_key>
+- Query param (fallback): ?api_key=<router_key>
+
+Example:
+```bash
+curl -H "Authorization: Bearer $NOMYO_ROUTER_API_KEY" http://localhost:12434/api/tags
+```
--- a/doc/deployment.md
+++ b/doc/deployment.md
@ -217,6 +217,7 @@ data:
    endpoints:
      - http://ollama-service:11434
    max_concurrent_connections: 2
+    nomyo-router-api-key: ""
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@ -283,6 +284,9 @@ endpoints:

 max_concurrent_connections: 4

+# Optional router-level API key to secure the router and dashboard (leave blank to disable)
+nomyo-router-api-key: ""
+
 api_keys:
  "https://api.openai.com/v1": "${OPENAI_KEY}"
 ```
--- a/doc/examples/sample-config.yaml
+++ b/doc/examples/sample-config.yaml
@ -6,6 +6,9 @@ endpoints:

 max_concurrent_connections: 2

+# Optional router-level API key to secure the router and dashboard (leave blank to disable)
+nomyo-router-api-key: ""
+
 # Multi-endpoint configuration with local Ollama instances
 # endpoints:
 #   - http://ollama-worker1:11434
--- a/doc/usage.md
+++ b/doc/usage.md
@ -21,6 +21,9 @@ endpoints:
  - http://localhost:11434

 max_concurrent_connections: 2
+
+# Optional router-level API key (leave blank to disable)
+nomyo-router-api-key: ""
 ```

 ### 3. Run the Router
@ -346,3 +349,15 @@ print(f"Available models: {[m.id for m in response.data]}")
 ## Examples

 See the [examples](examples/) directory for complete integration examples.
+
+
+### Authentication to NOMYO Router
+
+If a router API key is configured, include it with each request:
+- Header: Authorization: Bearer <router_key>
+- Query: ?api_key=<router_key>
+
+Example (tags):
+```bash
+curl -H "Authorization: Bearer $NOMYO_ROUTER_API_KEY" http://localhost:12434/api/tags
+```