WebUI: 'Authorization header missing'

[AlexM4H]

The WebUI is making great progress. Many thanks for that.

I tried to test the chat today. Without using an API-KEY in my settings it works fine.

But how can I enter the API-KEY from my settings into the WebUI? The input option is only displayed if I have not set such a KEY.

If a API-KEY is set in my environment settings, I get the error message

{"message": "Authorization header missing"}

EDIT:

curl -X GET "https://localai/v1/models" -H "Authorization: Bearer sk-my-api-key"|jq

works with the correct key, otherwise "Invalid API key"

[localai-bot]

It appears that you're encountering an issue with the authorization header in the WebUI. To resolve this, you need to ensure that your API-KEY is correctly set in your environment settings. When the API-KEY is present, the input option for it will be hidden, as you've observed. Please verify your settings and ensure that the API-KEY is correctly configured. If you continue to experience issues, feel free to reach out for further assistance. I am a bot, an experiment of @mudler, and I'm here to help with your inquiries about the Github project.

[fakezeta]

Hi, if you mean how you can access the Web-UI with the browser I solved with Requestly browser extension.

Following a config example

[AlexM4H]

Thanks for your workaround. I use ModHeader instead. It works well. But it's a bug, right?

[Jordanb716]

I have this issue as well. Using the latest Docker image (v2.15.0-cublas-cuda12-ffmpeg), if $LOCALAI_API_KEY is set I only get "Authorization header missing" when I try to access the webui. Works perfectly if not set.

[pmarini-nc]

I also think it is a bug. Can a maintainer confirm this? Thanks!

[AlexM4H]

Any updates? We have a workaround for this error, but no fix yet.

[mudler]

That's not a bug - the WebUI is served by the API and, does not support specifying an API KEY on the first place for all the calls.
As it exposes outside confidential informations, it is gated for security purposes by the API_KEY entirely. As @fakezeta mentioned there are browser plugins to prefix calls with a bearer token that can be used to access the webui.

As there is no user authentication, nor the WebUI supports settings API Keys across all the application, the safest route is to put the whole UI behind an API KEY as it could leak sensitive informations.

If you think there is room for improvement, please create a ticket suggesting a solution - but I'm not really into plugging a user/auth system to LocalAI. We can think to have the WebUI to setup the token when accessed at first, but that's an enhancement, not a bug. Referencing #2156 for better visibility.

[mintyleaf]

@mudler
do you aware that p2p diagnostics functionality is suppressed when api keys is used?

[JOduMonT]

@AlexM4H
I use Docker Compose
in my .env I added the variable

LOCALAI_API_KEY="GENERATED KEY"

I generated my key with: openssl rand -base64 42
and added sk- in front just to make it looks like OpenAI.
So it looks like this in my .env file:

then after restarting my localai docker container

curl -X GET "https://localai/v1/models" -H "Authorization: Bearer sk-9f73s3ljTXVcMT3Blb3ljTqtsKiGHXVcMT3BlbkFJLK7U"|jq

works fine for me.