Skip to main content
The bifrost.client block controls how Bifrost manages its internal worker pool, request logging, authentication enforcement, header policies, SDK compatibility shims, and MCP agent behaviour. All settings map directly to the client section of the rendered config.json.

Connection Pool

ParameterDescriptionDefault
bifrost.client.initialPoolSizePre-allocated worker goroutines per provider queue300
bifrost.client.dropExcessRequestsDrop requests when queue is full instead of waitingfalse
A larger pool reduces latency spikes under burst load at the cost of higher baseline memory. For production workloads with multiple providers, 1000 is a common starting point. 
# client-pool.yaml
image:
  tag: "v1.4.11"

bifrost:
  client:
    initialPoolSize: 1000
    dropExcessRequests: true   # Return 429 instead of queuing indefinitely

helm install bifrost bifrost/bifrost -f client-pool.yaml

# Or set inline
helm upgrade bifrost bifrost/bifrost \
  --reuse-values \
  --set bifrost.client.initialPoolSize=1000 \
  --set bifrost.client.dropExcessRequests=true

Request & Response Logging

ParameterDescriptionDefault
bifrost.client.enableLoggingLog all LLM requests and responsestrue
bifrost.client.disableContentLoggingStrip message content from logs (keeps metadata)false
bifrost.client.logRetentionDaysDays to retain log entries in the store365
bifrost.client.loggingHeadersHTTP request headers to capture in log metadata[]
Set disableContentLogging: true for HIPAA / PCI compliance workloads where message content must not be persisted. 
bifrost:
  client:
    enableLogging: true
    disableContentLogging: true    # PII / compliance: store metadata only
    logRetentionDays: 90
    loggingHeaders:
      - "x-request-id"
      - "x-user-id"

helm upgrade bifrost bifrost/bifrost \
  --reuse-values \
  --set bifrost.client.disableContentLogging=true \
  --set bifrost.client.logRetentionDays=90

Security & CORS

ParameterDescriptionDefault
bifrost.client.allowedOriginsCORS allowed origins["*"]
bifrost.client.allowDirectKeysAllow callers to pass provider keys directly in requestsfalse
bifrost.client.enforceGovernanceHeaderRequire x-bf-vk virtual-key header on every requestfalse
bifrost.client.maxRequestBodySizeMbMaximum allowed request body size100
bifrost.client.whitelistedRoutesRoutes that bypass auth middleware[]
bifrost:
  client:
    allowedOrigins:
      - "https://app.yourdomain.com"
      - "https://admin.yourdomain.com"
    allowDirectKeys: false         # Prevent callers from supplying raw provider keys
    enforceGovernanceHeader: true  # Every request must carry a virtual key
    maxRequestBodySizeMb: 50
    whitelistedRoutes:
      - "/health"
      - "/metrics"

helm install bifrost bifrost/bifrost \
  --set image.tag=v1.4.11 \
  --set bifrost.client.enforceGovernanceHeader=true \
  --set bifrost.client.allowDirectKeys=false

Header Filtering

Controls which x-bf-eh-* headers are forwarded to upstream LLM providers.
ParameterDescriptionDefault
bifrost.client.headerFilterConfig.allowlistOnly these headers are forwarded (whitelist mode)[]
bifrost.client.headerFilterConfig.denylistThese headers are always blocked[]
bifrost.client.requiredHeadersHeaders that must be present on every request[]
bifrost.client.allowedHeadersAdditional headers permitted for CORS and WebSocket[]
When both lists are empty, all x-bf-eh-* headers pass through. Specifying an allowlist enables strict whitelist mode — only listed headers are forwarded. 
bifrost:
  client:
    headerFilterConfig:
      allowlist:
        - "x-bf-eh-anthropic-version"
        - "x-bf-eh-openai-beta"
      denylist: []
    requiredHeaders:
      - "x-request-id"

Authentication

ParameterDescriptionDefault
bifrost.authConfig.isEnabledEnable username/password auth for the API and dashboardfalse
bifrost.authConfig.adminUsernameAdmin username (plain text, prefer secret)""
bifrost.authConfig.adminPasswordAdmin password (plain text, prefer secret)""
bifrost.authConfig.existingSecretKubernetes Secret name for credentials""
bifrost.authConfig.usernameKeyKey within the secret for username"username"
bifrost.authConfig.passwordKeyKey within the secret for password"password"
bifrost.authConfig.disableAuthOnInferenceSkip auth check on /v1/* inference routesfalse
# Create secret first
kubectl create secret generic bifrost-admin \
  --from-literal=username='admin' \
  --from-literal=password='your-secure-password'

bifrost:
  authConfig:
    isEnabled: true
    disableAuthOnInference: false
    existingSecret: "bifrost-admin"
    usernameKey: "username"
    passwordKey: "password"

helm upgrade bifrost bifrost/bifrost \
  --reuse-values \
  -f auth-values.yaml

Encryption

ParameterDescriptionDefault
bifrost.encryptionKey32-byte encryption key (plain text — use secret in production)""
bifrost.encryptionKeySecret.nameKubernetes Secret name containing the key""
bifrost.encryptionKeySecret.keyKey within the secret"encryption-key"
Always use a Kubernetes Secret in production: 
kubectl create secret generic bifrost-encryption \
  --from-literal=encryption-key='your-32-byte-encryption-key-here'

bifrost:
  encryptionKeySecret:
    name: "bifrost-encryption"
    key: "encryption-key"

helm install bifrost bifrost/bifrost \
  --set image.tag=v1.4.11 \
  -f encryption-values.yaml

Async Jobs & Database Pings

ParameterDescriptionDefault
bifrost.client.disableDbPingsInHealthExclude DB connectivity from /health checksfalse
bifrost.client.asyncJobResultTTLTTL (seconds) for async job results3600

Compat Shims

Compatibility flags that let Bifrost silently adapt request/response shapes for SDK integrations:
ParameterDescriptionDefault
bifrost.client.compat.convertTextToChatWrap legacy text completions as chat messagesfalse
bifrost.client.compat.convertChatToResponsesTranslate chat completions to Responses API formatfalse
bifrost.client.compat.shouldDropParamsSilently drop unsupported parameters instead of erroringfalse
bifrost.client.compat.shouldConvertParamsAuto-convert parameter names across provider schemasfalse
bifrost:
  client:
    compat:
      shouldDropParams: true     # Useful when proxying mixed SDK traffic
      convertTextToChat: true    # For clients using the legacy /v1/completions endpoint

Prometheus Labels

Add custom labels to every Prometheus metric emitted by Bifrost: 
bifrost:
  client:
    prometheusLabels:
      - name: "environment"
        value: "production"
      - name: "region"
        value: "us-east-1"

MCP Agent Settings

ParameterDescriptionDefault
bifrost.client.mcpAgentDepthMaximum tool-call recursion depth for MCP agent mode10
bifrost.client.mcpToolExecutionTimeoutTimeout per tool execution in seconds30
bifrost.client.mcpCodeModeBindingLevelCode mode binding level (server or tool)""
bifrost.client.mcpToolSyncIntervalGlobal tool sync interval in minutes (0 = disabled)0
bifrost:
  client:
    mcpAgentDepth: 15
    mcpToolExecutionTimeout: 60

Full Example

# client-full.yaml
image:
  tag: "v1.4.11"

bifrost:
  encryptionKeySecret:
    name: "bifrost-encryption"
    key: "encryption-key"

  authConfig:
    isEnabled: true
    disableAuthOnInference: false
    existingSecret: "bifrost-admin"
    usernameKey: "username"
    passwordKey: "password"

  client:
    initialPoolSize: 1000
    dropExcessRequests: true
    allowedOrigins:
      - "https://app.yourdomain.com"
    enableLogging: true
    disableContentLogging: false
    logRetentionDays: 90
    enforceGovernanceHeader: true
    allowDirectKeys: false
    maxRequestBodySizeMb: 100
    headerFilterConfig:
      allowlist: []
      denylist: []
    prometheusLabels:
      - name: "environment"
        value: "production"
    mcpAgentDepth: 10
    mcpToolExecutionTimeout: 30

# Create prerequisites
kubectl create secret generic bifrost-encryption \
  --from-literal=encryption-key='your-32-byte-encryption-key-here'

kubectl create secret generic bifrost-admin \
  --from-literal=username='admin' \
  --from-literal=password='your-secure-password'

# Install
helm install bifrost bifrost/bifrost -f client-full.yaml