[GH-ISSUE #8252] bug: ENABLE_API_KEY_ENDPOINT_RESTRICTIONS feature does not work #30580

New Issue

Closed

opened 2026-04-25 04:48:52 -05:00 by GiteaMirror · 4 comments

GiteaMirror commented 2026-04-25 04:48:52 -05:00

Owner

Copy Link

Originally created by @ndrsfel on GitHub (Jan 1, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/8252

Bug Report

Installation Method

Docker

Environment

• Open WebUI Version: v0.5.3

• Operating System: macOS

Confirmation:

• I have read and followed all the instructions provided in the README.md.
• I am on the latest version of both Open WebUI and Ollama.
• I have included the browser console logs.
• I have included the Docker container logs.
• I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below.

Expected Behavior:

One can restrict API key access using ENABLE_API_KEY_ENDPOINT_RESTRICTIONS & API_KEY_ALLOWED_ENDPOINTS environment variables.

Actual Behavior:

One get's the following exception/error

2025-01-01T18:12:36.954948518Z   File "/app/backend/open_webui/utils/auth.py", line 102, in get_current_user
2025-01-01T18:12:36.954951718Z     for path in str(request.app.state.config.API_KEY_ALLOWED_PATHS).split(
2025-01-01T18:12:36.954955218Z                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-01-01T18:12:36.954958218Z   File "/app/backend/open_webui/config.py", line 262, in __getattr__
2025-01-01T18:12:36.954961618Z     return self._state[key].value
2025-01-01T18:12:36.954965119Z            ~~~~~~~~~~~^^^^^
2025-01-01T18:12:36.954968119Z KeyError: 'API_KEY_ALLOWED_PATHS'

Description

Bug Summary: To fix, please refac this section of the code to use API_KEY_ALLOWED_ENDPOINTS instead of API_KEY_ALLOWED_PATHS as the error states above.

Thank you for this awesome tool, Tim!

Originally created by @ndrsfel on GitHub (Jan 1, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/8252 # Bug Report ## Installation Method Docker ## Environment - **Open WebUI Version:** v0.5.3 - **Operating System:** macOS **Confirmation:** - [x] I have read and followed all the instructions provided in the README.md. - [x] I am on the latest version of both Open WebUI and Ollama. - [ ] I have included the browser console logs. - [ ] I have included the Docker container logs. - [x] I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below. ## Expected Behavior: One can restrict API key access using `ENABLE_API_KEY_ENDPOINT_RESTRICTIONS` & `API_KEY_ALLOWED_ENDPOINTS` environment variables. ## Actual Behavior: One get's the following exception/error ```txt 2025-01-01T18:12:36.954948518Z File "/app/backend/open_webui/utils/auth.py", line 102, in get_current_user 2025-01-01T18:12:36.954951718Z for path in str(request.app.state.config.API_KEY_ALLOWED_PATHS).split( 2025-01-01T18:12:36.954955218Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 2025-01-01T18:12:36.954958218Z File "/app/backend/open_webui/config.py", line 262, in __getattr__ 2025-01-01T18:12:36.954961618Z return self._state[key].value 2025-01-01T18:12:36.954965119Z ~~~~~~~~~~~^^^^^ 2025-01-01T18:12:36.954968119Z KeyError: 'API_KEY_ALLOWED_PATHS' ``` ## Description **Bug Summary:** To fix, please refac [this](https://github.com/open-webui/open-webui/blob/00a089b59683a9d48a2c97f739c8a781ba27b61f/backend/open_webui/utils/auth.py#L102C58-L102C79) section of the code to use `API_KEY_ALLOWED_ENDPOINTS` instead of `API_KEY_ALLOWED_PATHS` as the error states above. Thank you for this awesome tool, Tim!

GiteaMirror closed this issue 2026-04-25 04:48:53 -05:00

GiteaMirror commented 2026-04-25 04:48:56 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Jan 1, 2025):

Its's a persistent config, and must be configured from the ui.

<!-- gh-comment-id:2567134800 --> @tjbck commented on GitHub (Jan 1, 2025): Its's a persistent config, and must be configured from the ui.

GiteaMirror commented 2026-04-25 04:48:58 -05:00

Author

Owner

Copy Link

@ndrsfel commented on GitHub (Jan 3, 2025):

@tjbck Sorry for not being clear here, a quick search in the codebase shows, that there is no request.app.state.config.API_KEY_ALLOWED_PATHS or API_KEY_ALLOWED_PATHS configurable via Admin UI.

Rather, this is a typo and should be re-named to request.app.state.config.API_KEY_ALLOWED_ENDPOINTS. Then, this is actually the correct value the Admin UI AND the environment variables point to.

<!-- gh-comment-id:2568932512 --> @ndrsfel commented on GitHub (Jan 3, 2025): @tjbck Sorry for not being clear here, a quick search in the codebase shows, that there is no `request.app.state.config.API_KEY_ALLOWED_PATHS` or `API_KEY_ALLOWED_PATHS` configurable via Admin UI. Rather, this is a typo and should be re-named to `request.app.state.config.API_KEY_ALLOWED_ENDPOINTS`. Then, this is actually the correct value the Admin UI AND the environment variables point to.

GiteaMirror commented 2026-04-25 04:49:00 -05:00

Author

Owner

Copy Link

@ndrsfel commented on GitHub (Jan 5, 2025):

fixed with 99c3194. Thank you!

<!-- gh-comment-id:2571574139 --> @ndrsfel commented on GitHub (Jan 5, 2025): fixed with 99c3194. Thank you!

GiteaMirror commented 2026-04-25 04:49:01 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Jan 5, 2025):

@ndrsfel I must've been half awake half asleep reading your post, apologies for the confusion and thanks for the report! 😅

<!-- gh-comment-id:2571575432 --> @tjbck commented on GitHub (Jan 5, 2025): @ndrsfel I must've been half awake half asleep reading your post, apologies for the confusion and thanks for the report! 😅

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#30580