> ## Documentation Index > Fetch the complete documentation index at: https://docs.getbifrost.ai/llms.txt > Use this file to discover all available pages before exploring further. # Upstream OAuth proxy - authorize with upstream service > Initiates an OAuth flow with an upstream MCP service (Notion, GitHub, etc.) on behalf of the current user. Used during the consent flow (via "Connect" buttons on the MCPs page) and at runtime when a tool call is made to an unauthenticated service. **Consent flow** - provide `flow_id` (from the pending consent flow). The browser-binding cookie (`__bifrost_flow_secret`) is validated. **Runtime flow** - provide `session` (the Bifrost session ID from the token endpoint). Used when a service was skipped during consent and needs to be connected later. On success, redirects the user to the upstream provider's authorize URL. After the user grants access, the upstream callback lands at `/api/oauth/callback`, stores the upstream token against the user's identity, and redirects back to the consent screen (consent flow) or returns an authorization success page (runtime flow). Authentication is not required - cookie/session validation is performed instead. ## OpenAPI ````yaml /openapi/openapi.json get /api/oauth/per-user/upstream/authorize openapi: 3.1.0 info: title: Bifrost API description: > Bifrost HTTP Transport API for AI model inference and gateway management. This API provides a unified interface for interacting with multiple AI providers including OpenAI, Anthropic, Bedrock, Gemini, and more through a single API, along with comprehensive management APIs for configuring and monitoring the gateway. ## API Structure ### Unified Inference API (`/v1/*`) The primary API using Bifrost's unified format. Model parameters use the format `provider/model` (e.g., `openai/gpt-4`, `anthropic/claude-3-opus`). ### Async Inference API (`/v1/async/*`) Submit inference requests for asynchronous execution. Returns a job ID immediately and allows polling for results. Supports all inference types except batches, files, and containers. ### Provider Integration APIs Native provider-format APIs for drop-in compatibility: - `/openai/*` - OpenAI-compatible API - `/anthropic/*` - Anthropic-compatible API - `/genai/*` - Google GenAI (Gemini) compatible API - `/bedrock/*` - AWS Bedrock compatible API - `/cohere/*` - Cohere compatible API ### Framework Integration APIs Multi-provider proxy endpoints for AI frameworks: - `/litellm/*` - LiteLLM proxy with all provider formats - `/langchain/*` - LangChain compatible endpoints - `/pydanticai/*` - PydanticAI compatible endpoints ### Management APIs (`/api/*`) APIs for managing and monitoring the Bifrost gateway: - `/api/config` - Configuration management - `/api/providers` - Provider and API key management - `/api/plugins` - Plugin management - `/api/governance/*` - Virtual keys, teams, customers, budgets, rate limits, routing rules, and pricing overrides - `/api/logs` - Log search and analytics - `/api/mcp/*` - MCP (Model Context Protocol) client management - `/api/session/*` - Authentication and session management - `/api/cache/*` - Cache management - `/health` - Health check endpoint ## Fallbacks Requests can include fallback models that will be tried if the primary model fails. version: 1.0.0 contact: name: Contact Us url: https://getmaxim.ai/bifrost license: name: Apache 2.0 url: https://opensource.org/licenses/Apache-2.0 servers: - url: '{baseUrl}' description: Your Bifrost instance variables: baseUrl: default: http://localhost:8080 description: Base URL of your Bifrost instance (e.g. https://bifrost.mycompany.com) security: - BearerAuth: [] - BasicAuth: [] - ApiKeyAuth: [] tags: - name: Models description: Model listing and information - name: Chat Completions description: Chat-based text generation - name: Text Completions description: Text completion generation - name: Responses description: OpenAI Responses API compatible endpoints - name: OCR description: Optical character recognition for documents and images - name: Rerank description: Document reranking by relevance to a query - name: Embeddings description: Text embedding generation - name: Images description: Image generations, editing, and variations - name: Videos description: Video generation and management - name: Audio description: Speech synthesis and transcription - name: Count Tokens description: Token counting utilities - name: Batch description: Batch processing operations - name: Files description: File management operations - name: Containers description: Container management operations - name: Async Jobs description: Asynchronous job submission and retrieval endpoints - name: OpenAI Integration description: OpenAI-compatible API endpoints (/openai/*) - name: Azure Integration description: Azure OpenAI integration endpoints - name: Anthropic Integration description: Anthropic-compatible API endpoints (/anthropic/*) - name: GenAI Integration description: Google GenAI (Gemini) compatible API endpoints (/genai/*) - name: Bedrock Integration description: AWS Bedrock compatible API endpoints (/bedrock/*) - name: Cohere Integration description: Cohere compatible API endpoints (/cohere/*) - name: LiteLLM Integration description: LiteLLM proxy endpoints with multi-provider support (/litellm/*) - name: LangChain Integration description: LangChain compatible endpoints with multi-provider support (/langchain/*) - name: PydanticAI Integration description: >- PydanticAI compatible endpoints with multi-provider support (/pydanticai/*) - name: Health description: Health check endpoints - name: Configuration description: Configuration management endpoints - name: Session description: Session and authentication endpoints - name: Providers description: Provider management endpoints - name: Plugins description: Plugin management endpoints - name: MCP description: Model Context Protocol endpoints - name: Governance description: Virtual keys, teams, and customers management - name: Logging description: Log search and management endpoints - name: Cache description: Cache management endpoints paths: /api/oauth/per-user/upstream/authorize: get: tags: - OAuth - Per-User OAuth summary: Upstream OAuth proxy - authorize with upstream service description: > Initiates an OAuth flow with an upstream MCP service (Notion, GitHub, etc.) on behalf of the current user. Used during the consent flow (via "Connect" buttons on the MCPs page) and at runtime when a tool call is made to an unauthenticated service. **Consent flow** - provide `flow_id` (from the pending consent flow). The browser-binding cookie (`__bifrost_flow_secret`) is validated. **Runtime flow** - provide `session` (the Bifrost session ID from the token endpoint). Used when a service was skipped during consent and needs to be connected later. On success, redirects the user to the upstream provider's authorize URL. After the user grants access, the upstream callback lands at `/api/oauth/callback`, stores the upstream token against the user's identity, and redirects back to the consent screen (consent flow) or returns an authorization success page (runtime flow). Authentication is not required - cookie/session validation is performed instead. operationId: authorizeUpstreamPerUserOAuth parameters: - name: mcp_client_id in: query required: true description: ID of the per-user OAuth MCP client to authenticate with schema: type: string - name: flow_id in: query required: false description: > Pending consent flow ID. Required if `session` is not provided. The `__bifrost_flow_secret` cookie must be present and match the flow. schema: type: string - name: session in: query required: false description: > Bifrost session ID (from the token endpoint). Required if `flow_id` is not provided. Used for runtime (post-consent) upstream authorization. schema: type: string responses: '302': description: Redirect to upstream OAuth provider's authorize URL headers: Location: schema: type: string description: Upstream provider authorization URL with PKCE parameters '400': description: Bad request content: application/json: schema: $ref: '#/components/schemas/BifrostError' '401': description: Invalid or expired flow/session content: application/json: schema: $ref: '#/components/schemas/ManagementErrorResponse' '403': description: Browser-binding cookie mismatch (CSRF protection) content: application/json: schema: $ref: '#/components/schemas/ManagementErrorResponse' '404': description: MCP client not found or not configured for per-user OAuth content: application/json: schema: $ref: '#/components/schemas/ManagementErrorResponse' '503': description: Config store is disabled content: application/json: schema: $ref: '#/components/schemas/ManagementErrorResponse' components: schemas: BifrostError: type: object description: Error response from Bifrost properties: event_id: type: string type: type: string is_bifrost_error: type: boolean status_code: type: integer error: $ref: '#/components/schemas/ErrorField' extra_fields: $ref: '#/components/schemas/BifrostErrorExtraFields' ManagementErrorResponse: $ref: '#/components/schemas/BifrostError' type: object description: Error response ErrorField: type: object properties: type: type: string code: type: string message: type: string param: type: string event_id: type: string BifrostErrorExtraFields: type: object properties: provider: $ref: '#/components/schemas/ModelProvider' model_requested: type: string request_type: type: string ModelProvider: type: string description: AI model provider identifier enum: - openai - azure - anthropic - bedrock - cohere - vertex - vllm - mistral - ollama - groq - sgl - parasail - perplexity - replicate - cerebras - gemini - openrouter - elevenlabs - huggingface - nebius - xai - runway - fireworks securitySchemes: BearerAuth: type: http scheme: bearer description: > Bearer token authentication. Use your provider API key or Bifrost authentication token. Virtual keys (prefixed with `sk-bf-`) can also be passed here. BasicAuth: type: http scheme: basic description: | Basic authentication using username and password. ApiKeyAuth: type: apiKey in: header name: x-api-key description: | API key authentication via the `x-api-key` header. Virtual keys (prefixed with `sk-bf-`) can also be passed here. ````