litellm - ✅(Solved) Fix [Bug] "PassThrough endpoint fails without Authorization header when auth=false" [1 pull requests, 1 comments, 2 participants]

GitHub stats
BerriAI/litellm#23909 · Fetched 2026-04-08 00:53:55
Comments: 1 · Participants: 2 · Timeline: 5 · Reactions: 0
Timeline (top): labeled ×2, commented ×1, cross-referenced ×1, referenced ×1

Error Message

A PassThrough endpoint configured with auth: false still requires an Authorization header. When no auth header is provided, LiteLLM throws a parsing exception: Authentication Error, 'NoneType' object has no attribute 'split' (401). Same request without Authorization header → returns 401 with parsing error (NoneType split).

Fix Action

Fix / Workaround

Forces sending dummy/junk Authorization headers as a workaround.

PR fix notes

PR #24085: fix(proxy): pass-through endpoints with auth:false no longer crash wh…

Description (problem / solution / changelog)

fix(proxy): pass-through endpoints with auth:false no longer crash when Authorization header is absent

Adds an early bail-out in _user_api_key_auth_builder for pass-through endpoints configured with auth:false, returning an empty UserAPIKeyAuth before any token parsing occurs. Also adds a None guard to JWTHandler.is_jwt() as defense-in-depth.

Relevant issues


Fixes #23909

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

  • I have Added testing in the tests/test_litellm/ directory, Adding at least 1 test is a hard requirement - see details
  • My PR passes all unit tests on make test-unit
  • My PR's scope is as isolated as possible, it only solves 1 specific problem
  • I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

Delays in PR merge?

If you're seeing a delay in your PR being merged, ping the LiteLLM Team on Slack (#pr-review).

CI (LiteLLM team)

CI status guideline:

  • 50-55 passing tests: main is stable with minor issues.
  • 45-49 passing tests: acceptable but needs attention
  • <= 40 passing tests: unstable; be careful with your merges and assess the risk.
  • Branch creation CI run
    Link:

  • CI run for the last commit
    Link:

  • Merge / cherry-pick CI run
    Links:

Type


🆕 New Feature 🐛 Bug Fix 🧹 Refactoring 📖 Documentation 🚄 Infrastructure ✅ Test

Changes

Changed files

  • litellm/proxy/auth/handle_jwt.py (modified, +2/-0)
  • litellm/proxy/auth/user_api_key_auth.py (modified, +9/-0)
  • tests/proxy_unit_tests/test_jwt.py (modified, +3/-0)
  • tests/proxy_unit_tests/test_user_api_key_auth.py (modified, +105/-0)

Code Example

- path: "/v1/cuopt/request"
  target: "https://inference.prd.astra.company.com/nim/default/default/cuopt-latest/cuopt/request"
  auth: false
  headers:
    content-type: "application/json"
  forward_headers: true


Check for existing issues

  • I have searched the existing issues and checked that my issue is not a duplicate.

What happened?

Problem: A PassThrough endpoint configured with auth: false still requires an Authorization header. When no auth header is provided, LiteLLM throws a parsing exception: Authentication Error, 'NoneType' object has no attribute 'split' (401).

This breaks valid use cases where the upstream model/client cannot send authentication headers and the endpoint is explicitly configured to disable auth.

Configuration:

- path: "/v1/cuopt/request"
  target: "https://inference.prd.astra.company.com/nim/default/default/cuopt-latest/cuopt/request"
  auth: false
  headers:
    content-type: "application/json"
  forward_headers: true

Repro:

Request with junk Authorization header → works.

Same request without Authorization header → returns 401 with parsing error (NoneType split).

Expectation: If auth: false is set for a PassThrough route, LiteLLM should:

Not require an Authorization header.

Not attempt to parse or validate auth headers.

Forward the request to the target as-is (respecting forward_headers config).

Add a guard condition to skip all auth parsing/validation logic when auth: false.

Ensure missing Authorization header does not trigger .split() or related parsing.

Add test coverage for PassThrough endpoints without auth headers.

Impact / blocking:

Breaks integrations where clients cannot send auth headers.

Forces sending dummy/junk Authorization headers as a workaround.

Violates expected behavior of auth: false.

Needed by:

As soon as possible to support auth-less PassThrough integrations in production environments

Steps to Reproduce

see above

Relevant log output

na

What part of LiteLLM is this about?

Proxy

What LiteLLM version are you on ?

v1.82.0

Twitter / LinkedIn details

No response

extent analysis

Fix Plan

To resolve the issue, we need to modify the authentication logic in the PassThrough endpoint to skip parsing and validation when auth: false is configured. Here are the steps:

  • Add a conditional check for auth: false in the authentication logic
  • Skip parsing and validation of the Authorization header when the condition is met
  • Ensure the request is forwarded to the target as-is, respecting the forward_headers configuration

Example code snippet:

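def handle_pass_through(request, target, auth):
    # validate_authorization and forward_request are placeholder helpers.
    if auth:
        validate_authorization(request.headers.get("Authorization"))
    # auth: false -> skip auth parsing and validation. Do not delete the
    # header: it may be absent, and the request is forwarded as-is.
    # Forward the request to the target
    return forward_request(request, target)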

Alternatively, you can also use a decorator to achieve this:

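import functools

def skip_auth_if_disabled(func):
    # Run the auth check only when the route has auth enabled.
    @functools.wraps(func)
    def wrapper(request, target, auth=True, **kwargs):
        if auth:
            # validate_authorization is a placeholder for the real check;
            # .get() returns None instead of raising when the header is absent.
            validate_authorization(request.headers.get("Authorization"))
        # auth: false -> no header parsing, headers left untouched
        return func(request, target, **kwargs)
    return wrapper

@skip_auth_if_disabled
def forward_request(request, target):
    # Forward the request to the target
    pass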

Verification

To verify the fix, test the PassThrough endpoint with and without the Authorization header. The endpoint should not require the Authorization header when auth: false is configured, and should forward the request to the target as-is.
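
The ordering problem behind this bug and the two guards named in the PR description, as an added example that is not LiteLLM's code: a simplified Python model in which the route table, key set, `AuthError` and all function names are constructed for illustration. With `fixed=False` the token is parsed before the `auth: false` check, which reproduces the `'NoneType' object has no attribute 'split'` failure; with `fixed=True` the bail-out applies only to routes explicitly configured with `auth: false`.

```python
# Simplified model of the proxy auth flow (added example, not LiteLLM source).
# ROUTES, VALID_KEYS, AuthError and the function names are constructed.
ROUTES = {
    "/v1/cuopt/request": {"auth": False},    # pass-through route from the issue
    "/v1/chat/completions": {"auth": True},  # protected route, for contrast
}
VALID_KEYS = {"sk-constructed-example"}


class AuthError(Exception):
    """Stands in for a clean 401 response."""


def is_jwt_unguarded(token):
    # Raises AttributeError when token is None: the reported symptom.
    return len(token.split(".")) == 3


def is_jwt_guarded(token):
    # Defense-in-depth: a missing token is simply "not a JWT".
    return token is not None and len(token.split(".")) == 3


def authenticate(path, headers, fixed=True):
    """Return "anonymous" for auth:false routes, else the validated API key."""
    # Unknown paths default to auth required, so the bypass never widens.
    open_route = ROUTES.get(path, {"auth": True})["auth"] is False
    if fixed and open_route:
        return "anonymous"  # early bail-out, before any token parsing
    raw = headers.get("Authorization")
    token = raw.removeprefix("Bearer ") if raw is not None else None
    check = is_jwt_guarded if fixed else is_jwt_unguarded
    looks_like_jwt = check(token)  # pre-fix crash point when token is None
    if open_route:
        return "anonymous"  # pre-fix: only reached if parsing did not crash
    # JWT verification is not modelled, so JWT-shaped tokens are rejected.
    if looks_like_jwt or token not in VALID_KEYS:
        raise AuthError("401: missing or invalid credentials")
    return token
```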

Extra Tips

  • Add test coverage for PassThrough endpoints without auth headers to ensure the fix is working as expected.
  • Consider adding a configuration option to explicitly disable auth parsing and validation for specific routes or endpoints.
