Skip to main content
The client block controls how Bifrost manages its internal worker pool, request logging, authentication enforcement, header policies, SDK compatibility shims, and MCP agent behaviour.

Connection Pool

A larger pool reduces latency spikes under burst load at the cost of higher baseline memory. 500–1000 is a common starting point for production workloads with multiple providers.

Request & Response Logging

Set disable_content_logging: true for HIPAA / PCI compliance workloads where message content must not be persisted.

Reverse Proxy

When Bifrost acts as an OAuth client to upstream MCP servers, the redirect_uri it registers is built from the incoming Host header by default - behind a reverse proxy that is the proxy’s internal address, not its public one. One setting lets you override it with the proxy’s public URL. This field supports env var syntax ("env.MY_VAR"). When unset, it falls back to the incoming Host header.

The client role

When Bifrost connects to an upstream MCP server (Notion, Jira, GitHub, etc.) on behalf of a user, it acts as an OAuth client. mcp_external_client_url is the callback Bifrost registers as its redirect_uri with those upstream providers - they redirect the user’s browser to <client URL>/api/oauth/callback after login. Set it to the proxy’s public URL so the callback resolves to a publicly reachable address.

Example

Or as a plain URL:
When left empty, the redirect_uri falls back to the request’s Host header - correct for development or when no reverse proxy fronts Bifrost. This setting is also configurable via the UI (MCP Gateway → MCP Settings) and the management API, with no restart required.

Security & CORS


Header Filtering

Controls which x-bf-eh-* extra headers are forwarded to upstream LLM providers. When both allowlist and denylist are empty, all x-bf-eh-* headers pass through. Specifying an allowlist enables strict whitelist mode - only listed headers are forwarded.

Compat Shims

Compatibility flags that let Bifrost silently adapt request/response shapes for SDK integrations.

MCP Agent Settings


Async Jobs


Prometheus Labels

Add custom labels to every Prometheus metric emitted by Bifrost:

Authentication

governance.auth_config protects the Bifrost dashboard and management API with username/password auth.
A top-level auth_config is also accepted for backwards compatibility, but governance.auth_config is the preferred location.

Encryption Key


Full Example