Skip to main content

Endpoint Authorizers Secure Your Deployed Models

· 2 min read

proxiML now supports Endpoint Authorizers, letting you control access to your deployed ML serving endpoints. Choose between API Key authentication for simple shared-secret access or OIDC (OpenID Connect) for enterprise-grade JWT-based authentication with configurable issuers, audiences, and required claims.

How It Works

When you deploy an endpoint job, you can optionally attach an authorizer that requires callers to authenticate before the endpoint serves requests. Without an authorizer, your endpoint remains open. With one configured, every incoming request is validated before it reaches your model.

Two authorizer types are available:

API Key -- Each authorized client is assigned a client ID and a secret key. Callers present their key (e.g., via an Authorization: Bearer header) and the endpoint validates it against the configured list. You can configure up to 10 API keys per endpoint.

OIDC -- For integration with identity providers like Azure AD, Auth0, or Okta. Configure the OIDC issuer URL, expected audience, signing algorithms (e.g., RS256), JWKS URI for token verification, and optionally required JWT claims that must be present for authorization.

Authorizers can be set when creating an endpoint job and edited at any time after deployment, without restarting the endpoint.

Using the Web Platform

When creating or editing an endpoint job, find the Authorizer section in the endpoint configuration. Select the authorizer type from the dropdown:

  • None -- Leaves the endpoint open (unauthenticated).
  • API Key -- Add one or more key entries, each with a Client ID label and a secret Key value.
  • OIDC -- Configure the Issuer, Audience, Algorithms, and optionally the JWKS URI and Required Claims (key-value pairs that must match the JWT).

Using the SDK

To create an endpoint with an API Key authorizer:

job = await proximl.jobs.create(
name="Secure Endpoint",
type="endpoint",
gpu_type="rtx2070s",
gpu_count=1,
endpoint=dict(
start_command="python serve.py",
authorizer=dict(
type="api_key",
keys=[
dict(client_id="my-client", key="secret-key-value"),
],
),
),
)

To create an endpoint with an OIDC authorizer:

job = await proximl.jobs.create(
    name="OIDC Endpoint",
    type="endpoint",
    gpu_type="rtx2070s",
    gpu_count=1,
    endpoint=dict(
        start_command="python serve.py",
        authorizer=dict(
            type="oidc",
            oidc={
                "issuer": "https://login.microsoftonline.com/YOUR-TENANT-ID/v2.0",
                "audience": "api://YOUR-CLIENT-ID",
                "jwks_uri": "https://login.microsoftonline.com/YOUR-TENANT-ID/discovery/v2.0/keys",
                "algorithms": ["RS256"],
                "required_claims": {"scp": ["api.access"]},
            },
        ),
    ),
)