feat: Add skipAuth option for custom endpoints without Google Cloud c… #1137
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
…redentials
## Why
When using custom endpoints that implement the Vertex AI API format,
users currently must provide Google Cloud credentials even though
these credentials are never used for actual authentication. The custom
endpoint handles its own authentication (e.g., via Bearer tokens).
This creates unnecessary friction:
- Users must obtain a real GCP service account JSON file
- Must set GOOGLE_APPLICATION_CREDENTIALS environment variable
- Must provide valid project/location values
- All of this just to initialize the SDK, even though the custom
endpoint ignores these credentials entirely
## Solution
Added a new `skipAuth` option to `HttpOptions` that allows users to:
- Skip Google Cloud credential validation and loading
- Skip project/location requirement checks
- Bypass GoogleAuth initialization entirely
When `skipAuth: true`:
1. node_client.ts skips reading env vars and validation
2. _node_auth.ts skips GoogleAuth initialization
3. No auth headers are added (custom endpoint handles auth via httpOptions.headers)
## Changes
- src/types.ts: Added `skipAuth?: boolean` to HttpOptions interface
- src/node/_node_auth.ts: Skip GoogleAuth init when skipAuth is true
- src/node/node_client.ts: Conditional env var loading based on skipAuth
## Example Usage
### Before (requires REAL Google Cloud credentials):
```typescript
// Step 1: Must have a real GCP service account JSON file
// Step 2: Set environment variable
process.env.GOOGLE_APPLICATION_CREDENTIALS = './service_account.json';
// Step 3: Initialize SDK (GoogleAuth tries to load credentials)
const ai = new GoogleGenAI({
vertexai: true,
project: 'my-gcp-project', // Required even though never used
location: 'us-central1', // Required even though never used
httpOptions: {
baseUrl: 'https://custom-endpoint.example.com/v1/',
headers: { 'Authorization': 'Bearer MY_CUSTOM_TOKEN' },
},
});
// Without GOOGLE_APPLICATION_CREDENTIALS: Error - Could not load credentials
```
### After (no Google Cloud setup needed):
```typescript
// No service account file needed!
// No GOOGLE_APPLICATION_CREDENTIALS needed!
// No project/location needed!
const ai = new GoogleGenAI({
vertexai: true,
httpOptions: {
baseUrl: 'https://custom-endpoint.example.com/v1/',
headers: { 'Authorization': 'Bearer MY_CUSTOM_TOKEN' },
skipAuth: true, // Skip all Google Cloud authentication
},
});
```
This brings the TypeScript SDK in line with the Python SDK's behavior,
where custom http_options automatically bypass Google Cloud authentication.
what-is-thy-bidding
force-pushed
the
skipAuth
branch
from
d1a7eb4 to
b41b436
Compare
When using a custom baseUrl that is not aiplatform.googleapis.com,
the SDK should not prepend projects/{project}/locations/{location}
to the request paths.
This allows custom Vertex AI-compatible endpoints to work without
needing to provide dummy project/location values.
Changes:
- src/_api_client.ts: Check for custom baseUrl in shouldPrependVertexProjectPath
- api-report/*.md: Updated API signatures for skipAuth feature
This complements the skipAuth feature to provide a complete solution
for using custom endpoints without Google Cloud configuration.
Merged two separate if (!skipAuth) blocks into one for better code organization and readability. All validation and env var loading now happens in a single conditional block. No functional changes - all 435 unit tests still passing.
Added validation to ensure skipAuth can only be used with a custom baseUrl. Using skipAuth without baseUrl would be invalid since it would attempt to call Google's servers without authentication.
Added skipAuth check to shouldPrependVertexProjectPath() to ensure project/location path is not prepended when using skipAuth mode.
dist-temp was accidentally committed. Removed from tracking and added to .gitignore to prevent future accidental commits.
Handle the simple skipAuth case first, then proceed with the more complex validation and env var loading logic.
- Removed duplicate assignments by using conditional env var loading - env vars are undefined when skipAuth, so single ?? assignment works for both cases - Flattened nested if/else structure
Validation should happen first - fail fast before setting any state.
Removed the baseUrl.includes('aiplatform.googleapis.com') check.
Users with custom URLs are expected to set skipAuth explicitly.
## Why
When using custom endpoints (proxy servers) that implement the Vertex AI API format, users currently MUST provide Google Cloud credentials even though these credentials are never used for actual authentication. The custom endpoints (proxy servers) handle their own authentication (e.g., via Bearer tokens).
The credentials are stored on that proxy server and not on the client's machine locally.
This creates unnecessary friction:
- Users must obtain a real GCP service account JSON file
- Must set GOOGLE_APPLICATION_CREDENTIALS environment variable
- Must provide valid project/location values
- All of this just to initialize the SDK, even though the custom endpoint ignores these credentials entirely
## Solution
Added a new `skipAuth` option to `HttpOptions` that allows users to:
- Skip Google Cloud credential validation and loading
- Skip project/location requirement checks
- Bypass GoogleAuth initialization entirely
- Skip prepending `projects/{project}/locations/{location}/` to URL paths
When `skipAuth: true`:
1. node_client.ts skips reading env vars and validation
2. _node_auth.ts skips GoogleAuth initialization
3. No auth headers are added (custom endpoint handles auth via httpOptions.headers)
4. _api_client.ts skips prepending `projects/{project}/locations/{location}/` to request paths
### Why skip prependProjectLocation?
Normal Vertex AI URLs look like:
```
https://us-central1-aiplatform.googleapis.com/v1beta1/projects/my-project/locations/us-central1/publishers/google/models/gemini:generateContent
```
Custom endpoint URLs should look like:
```
https://custom-endpoint.com/v1/publishers/google/models/gemini:generateContent
```
When `skipAuth` is set:
- Custom endpoints don't expect the `projects/{project}/locations/{location}/` path prefix
- With `skipAuth`, we likely don't have valid project/location values anyway (they'd be `undefined`)
- The custom endpoint handles its own routing and doesn't need GCP resource paths
## Changes
- src/types.ts: Added `skipAuth?: boolean` to HttpOptions interface
- src/node/_node_auth.ts: Skip GoogleAuth init when skipAuth is true
- src/node/node_client.ts: Conditional env var loading based on skipAuth
- src/_api_client.ts: Skip project/location path prepending when skipAuth is true
## Example Usage
### Before (requires REAL Google Cloud credentials):
```typescript
// Step 1: Must have a real GCP service account JSON file
// Step 2: Set environment variable
process.env.GOOGLE_APPLICATION_CREDENTIALS = './service_account.json';
// Step 3: Initialize SDK (GoogleAuth tries to load credentials)
const ai = new GoogleGenAI({
vertexai: true,
project: 'my-gcp-project', // Required even though never used
location: 'us-central1', // Required even though never used
httpOptions: {
baseUrl: 'https://custom-endpoint.example.com/v1/',
headers: { 'Authorization': 'Bearer MY_CUSTOM_TOKEN' },
},
});
// Without GOOGLE_APPLICATION_CREDENTIALS: Error - Could not load credentials
// URL would be: .../projects/my-gcp-project/locations/us-central1/publishers/... (wrong!)
```
### After (no Google Cloud setup needed):
```typescript
// No service account file needed!
// No GOOGLE_APPLICATION_CREDENTIALS needed!
// No project/location needed!
const ai = new GoogleGenAI({
vertexai: true,
httpOptions: {
baseUrl: 'https://custom-endpoint-proxy-server.com/v1/',
apiVersion: '', // Empty if baseUrl already includes version
headers: { 'Authorization': 'Bearer MY_CUSTOM_TOKEN' },
skipAuth: true, // Skip all Google Cloud authentication
},
});
// URL will be: .../publishers/google/models/gemini:generateContent (correct!)
```
This brings the TypeScript SDK in line with the Python SDK's behavior, where custom http_options automatically bypass Google Cloud authentication.
Comment on lines
+319
to
+322
| // If skipAuth is set, don't prepend project/location path | ||
| if (this.clientOptions.httpOptions?.skipAuth) { | ||
| return false; | ||
| } |
Author
There was a problem hiding this comment.
The project name and the location shouldn't be available on the client's local machine when using a proxy server. Those details are stored in the proxy server
Hence shouldn't be prepended to the final url
Comment on lines
+92
to
+96
| if (skipAuth && !options.httpOptions?.baseUrl) { | ||
| throw new Error( | ||
| 'skipAuth requires a baseUrl to be provided in httpOptions.', | ||
| ); | ||
| } |
Author
There was a problem hiding this comment.
This will force skipAuth to ONLY be used when using a baseUrl set by the client and not the default base url set by the SDK
Added tests for: - node_client.ts: skipAuth validation, env var skipping, value handling - _node_auth.ts: skipAuth header behavior, googleAuth initialization skip - _api_client.ts: shouldPrependVertexProjectPath with skipAuth 10 new tests, all passing (445 total specs)
shmishra99
added
api: vertex-ai
Author
|
@shmishra99 : is there an update on this feature request? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why
When using custom endpoints (proxy servers) that implement the Vertex AI API format, users currently MUST provide Google Cloud credentials even though these credentials are never used for actual authentication. The custom endpoints (proxy servers) handle their own authentication (e.g., via Bearer tokens).
The credentials are stored on that proxy server and not on the client's machine locally.
This creates unnecessary friction:
Solution
Added a new `skipAuth` option to `HttpOptions` that allows users to:
When `skipAuth: true`:
Why skip prependProjectLocation?
Normal Vertex AI URLs look like:
https://us-central1-aiplatform.googleapis.com/v1/projects/my-project/locations/us-central1/publishers/google/models/gemini:generateContentCustom endpoint URLs should look like:
https://custom-endpoint.com/v1/publishers/google/models/gemini:generateContentWhen `skipAuth` is set:
Changes
Example Usage
Before (requires REAL Google Cloud credentials):
After (no Google Cloud setup needed):
This brings the TypeScript SDK in line with the Python SDK's behavior, where custom http_options automatically bypass Google Cloud authentication.