client block controls how Bifrost manages its internal worker pool, request logging, authentication enforcement, header policies, SDK compatibility shims, and MCP agent behaviour.
Connection Pool
A larger pool reduces latency spikes under burst load at the cost of higher baseline memory.
500–1000 is a common starting point for production workloads with multiple providers.
Request & Response Logging
Set
disable_content_logging: true for HIPAA / PCI compliance workloads where message content must not be persisted.
Reverse Proxy
When Bifrost acts as an OAuth client to upstream MCP servers, theredirect_uri it registers is built from the incoming Host header by default - behind a reverse proxy that is the proxy’s internal address, not its public one. One setting lets you override it with the proxy’s public URL.
This field supports env var syntax (
"env.MY_VAR"). When unset, it falls back to the incoming Host header.
The client role
When Bifrost connects to an upstream MCP server (Notion, Jira, GitHub, etc.) on behalf of a user, it acts as an OAuth client.mcp_external_client_url is the callback Bifrost registers as its redirect_uri with those upstream providers - they redirect the user’s browser to <client URL>/api/oauth/callback after login. Set it to the proxy’s public URL so the callback resolves to a publicly reachable address.
Example
redirect_uri falls back to the request’s Host header - correct for development or when no reverse proxy fronts Bifrost.
This setting is also configurable via the UI (MCP Gateway → MCP Settings) and the management API, with no restart required.
Security & CORS
Header Filtering
Controls whichx-bf-eh-* extra headers are forwarded to upstream LLM providers.
When both
allowlist and denylist are empty, all x-bf-eh-* headers pass through. Specifying an allowlist enables strict whitelist mode - only listed headers are forwarded.
Compat Shims
Compatibility flags that let Bifrost silently adapt request/response shapes for SDK integrations.MCP Agent Settings
Async Jobs
Prometheus Labels
Add custom labels to every Prometheus metric emitted by Bifrost:Authentication
governance.auth_config protects the Bifrost dashboard and management API with username/password auth.
A top-level
auth_config is also accepted for backwards compatibility, but governance.auth_config is the preferred location.
