claude-code-proxy/config.yaml.example

# LLM Proxy Configuration Example
# This file demonstrates all available configuration options
# Copy this file to config.yaml and customize as needed

# Server configuration
server:
  # Bind host for the proxy server.
  # Defaults to 127.0.0.1 for local-only access.
  host: 127.0.0.1

  # Port to listen on (default: 3001)
  port: 3001
  
  # Timeout configurations
  timeouts:
    # Maximum duration for reading the entire request, including the body
    read: 10m
    
    # Maximum duration before timing out writes of the response
    write: 10m
    
    # Maximum amount of time to wait for the next request when keep-alives are enabled
    idle: 10m

# Provider configurations
providers:
  # Anthropic Claude configuration
  anthropic:
    # Base URL for Anthropic API (can be changed for custom endpoints)
    base_url: "https://api.anthropic.com"

    # Maximum number of retries for failed requests
    max_retries: 3

  # OpenAI configuration
  openai:
    # API key for OpenAI
    # Can also be set via OPENAI_API_KEY environment variable
    # api_key: "..."

    # Base URL for OpenAI API (can be changed for custom endpoints)
    # Can also be set via OPENAI_BASE_URL environment variable
    # base_url: "https://api.openai.com"

    # Allow clients to provide their own API key via header
    # Can also be set via OPENAI_ALLOW_CLIENT_API_KEY environment variable
    allow_client_api_key: false

    # Header name for client-provided API key (default: x-openai-api-key)
    # Can also be set via OPENAI_CLIENT_API_KEY_HEADER environment variable
    client_api_key_header: "x-openai-api-key"

# CORS Configuration
# Controls Cross-Origin Resource Sharing for the web UI
cors:
  # Allowed origins. Defaults are localhost-only.
  # Can also be set via CORS_ALLOWED_ORIGINS environment variable (comma-separated)
  allowed_origins:
    - "http://localhost:3000"
    - "http://127.0.0.1:3000"
    - "http://localhost:5173"
    - "http://127.0.0.1:5173"

  # Allowed HTTP methods
  # Can also be set via CORS_ALLOWED_METHODS environment variable (comma-separated)
  allowed_methods:
    - "GET"
    - "POST"
    - "DELETE"
    - "OPTIONS"

  # Allowed headers
  # Can also be set via CORS_ALLOWED_HEADERS environment variable (comma-separated)
  allowed_headers:
    - "Accept"
    - "Authorization"
    - "Content-Type"
    - "Anthropic-Version"
    - "Anthropic-Beta"
    - "X-API-Key"
    - "X-Requested-With"

# Auth Configuration
# When enabled, all non-health endpoints require bearer token or X-API-Key auth.
auth:
  # Enable auth for non-health endpoints
  # Public/non-loopback binds must enable auth and set a token.
  enabled: false

  # Shared secret used for Authorization: Bearer <token> or X-API-Key: <token>
  token: ""

  # Header name used for API-key style auth
  api_key_header: "x-api-key"

  # Allow requests from localhost to bypass auth when enabled
  allow_localhost_bypass: true

# Storage configuration
storage:
  # SQLite database path for storing request history
  db_path: "requests.db"

  # Keep request bodies in storage. Disable for metadata-only tracking.
  capture_request_body: true

  # Keep response bodies and streaming chunks in storage.
  capture_response_body: true

  # Store only request/response metadata, not payload bodies.
  metadata_only: false

  # Delete records older than this many days on write. 0 disables cleanup.
  retention_days: 0

  # JSON payload fields to redact before storage.
  redacted_fields:
    - api_key
    - authorization
    - token
    - password
    - secret
    - access_token
    - refresh_token
    - client_secret
  
  # Directory for storing request files (if needed in future)
  # requests_dir: "./requests"

# Subagent Configuration (Optional)
# Enable this feature if you want to route specific Claude Code agents to different LLM providers
# For subagent setup instructions, see: https://docs.anthropic.com/en/docs/claude-code/sub-agents
subagents:
  # Enable subagent routing (default: false)
  enable: false
  
  # Maps subagent types to specific models
  # Only used when enable: true
  mappings:
    # Code review specialist (example)
    # code-reviewer: "gpt-4o"
    
    # Data analysis expert (example)
    # data-analyst: "o3"
    
    # Documentation writer (example)
    # doc-writer: "gpt-3.5-turbo"

# Environment variable overrides:
# The following environment variables will override the YAML configuration:
#
# Server:
#   SERVER_HOST                     - Bind host (default: 127.0.0.1)
#   PORT                            - Server port
#   READ_TIMEOUT                    - Read timeout duration
#   WRITE_TIMEOUT                   - Write timeout duration
#   IDLE_TIMEOUT                    - Idle timeout duration
#
# Anthropic:
#   ANTHROPIC_FORWARD_URL           - Anthropic base URL
#   ANTHROPIC_VERSION               - Anthropic API version
#   ANTHROPIC_MAX_RETRIES           - Maximum retries for Anthropic requests
#
# OpenAI:
#   OPENAI_API_KEY                  - OpenAI API key
#   OPENAI_BASE_URL                 - OpenAI base URL
#   OPENAI_ALLOW_CLIENT_API_KEY     - Allow client-provided API keys (true/false)
#   OPENAI_CLIENT_API_KEY_HEADER    - Header name for client API key
#
# Auth:
#   AUTH_ENABLED                    - Enable auth for non-health endpoints (true/false)
#   AUTH_TOKEN                      - Shared secret for bearer / API-key auth
#   AUTH_API_KEY_HEADER             - Header name for API-key style auth
#   AUTH_ALLOW_LOCALHOST_BYPASS     - Allow loopback requests to bypass auth (true/false)
#
# Storage:
#   DB_PATH                         - Database file path
#   STORAGE_CAPTURE_REQUEST_BODY    - Keep request bodies (true/false)
#   STORAGE_CAPTURE_RESPONSE_BODY   - Keep response bodies (true/false)
#   STORAGE_METADATA_ONLY           - Store metadata only (true/false)
#   STORAGE_RETENTION_DAYS          - Delete rows older than N days
#   STORAGE_REDACTED_FIELDS         - Comma-separated payload fields to redact
#
# CORS:
#   CORS_ALLOWED_ORIGINS            - Comma-separated allowed origins
#   CORS_ALLOWED_METHODS            - Comma-separated allowed methods
#   CORS_ALLOWED_HEADERS            - Comma-separated allowed headers
#
# Subagents:
#   SUBAGENT_MAPPINGS               - Comma-separated subagent:model pairs
#                                     Example: "code-reviewer:claude-3-5-sonnet"
temp 2025-08-01 21:19:30 -04:00			`# LLM Proxy Configuration Example`
			`# This file demonstrates all available configuration options`
			`# Copy this file to config.yaml and customize as needed`

			`# Server configuration`
			`server:`
Harden proxy auth, storage, and conversation access 2026-03-19 19:00:24 -06:00			`# Bind host for the proxy server.`
			`# Defaults to 127.0.0.1 for local-only access.`
			`host: 127.0.0.1`

temp 2025-08-01 21:19:30 -04:00			`# Port to listen on (default: 3001)`
			`port: 3001`

			`# Timeout configurations`
			`timeouts:`
			`# Maximum duration for reading the entire request, including the body`
			`read: 10m`

			`# Maximum duration before timing out writes of the response`
			`write: 10m`

			`# Maximum amount of time to wait for the next request when keep-alives are enabled`
			`idle: 10m`

			`# Provider configurations`
			`providers:`
			`# Anthropic Claude configuration`
			`anthropic:`
			`# Base URL for Anthropic API (can be changed for custom endpoints)`
			`base_url: "https://api.anthropic.com"`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00
temp 2025-08-01 21:19:30 -04:00			`# Maximum number of retries for failed requests`
			`max_retries: 3`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00
temp 2025-08-01 21:19:30 -04:00			`# OpenAI configuration`
			`openai:`
			`# API key for OpenAI`
			`# Can also be set via OPENAI_API_KEY environment variable`
route cleanup working Working version 2025-08-03 22:30:13 -04:00			`# api_key: "..."`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00
temp 2025-08-01 21:19:30 -04:00			`# Base URL for OpenAI API (can be changed for custom endpoints)`
			`# Can also be set via OPENAI_BASE_URL environment variable`
			`# base_url: "https://api.openai.com"`

Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00			`# Allow clients to provide their own API key via header`
			`# Can also be set via OPENAI_ALLOW_CLIENT_API_KEY environment variable`
			`allow_client_api_key: false`

			`# Header name for client-provided API key (default: x-openai-api-key)`
			`# Can also be set via OPENAI_CLIENT_API_KEY_HEADER environment variable`
			`client_api_key_header: "x-openai-api-key"`

			`# CORS Configuration`
			`# Controls Cross-Origin Resource Sharing for the web UI`
			`cors:`
Harden proxy auth, storage, and conversation access 2026-03-19 19:00:24 -06:00			`# Allowed origins. Defaults are localhost-only.`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00			`# Can also be set via CORS_ALLOWED_ORIGINS environment variable (comma-separated)`
			`allowed_origins:`
Harden proxy auth, storage, and conversation access 2026-03-19 19:00:24 -06:00			`- "http://localhost:3000"`
			`- "http://127.0.0.1:3000"`
			`- "http://localhost:5173"`
			`- "http://127.0.0.1:5173"`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00
			`# Allowed HTTP methods`
			`# Can also be set via CORS_ALLOWED_METHODS environment variable (comma-separated)`
			`allowed_methods:`
			`- "GET"`
			`- "POST"`
			`- "DELETE"`
			`- "OPTIONS"`

Harden proxy auth, storage, and conversation access 2026-03-19 19:00:24 -06:00			`# Allowed headers`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00			`# Can also be set via CORS_ALLOWED_HEADERS environment variable (comma-separated)`
			`allowed_headers:`
Harden proxy auth, storage, and conversation access 2026-03-19 19:00:24 -06:00			`- "Accept"`
			`- "Authorization"`
			`- "Content-Type"`
			`- "Anthropic-Version"`
			`- "Anthropic-Beta"`
			`- "X-API-Key"`
			`- "X-Requested-With"`

			`# Auth Configuration`
			`# When enabled, all non-health endpoints require bearer token or X-API-Key auth.`
			`auth:`
			`# Enable auth for non-health endpoints`
			`# Public/non-loopback binds must enable auth and set a token.`
			`enabled: false`

			`# Shared secret used for Authorization: Bearer <token> or X-API-Key: <token>`
			`token: ""`

			`# Header name used for API-key style auth`
			`api_key_header: "x-api-key"`

			`# Allow requests from localhost to bypass auth when enabled`
			`allow_localhost_bypass: true`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00
temp 2025-08-01 21:19:30 -04:00			`# Storage configuration`
			`storage:`
			`# SQLite database path for storing request history`
			`db_path: "requests.db"`
Harden proxy auth, storage, and conversation access 2026-03-19 19:00:24 -06:00
			`# Keep request bodies in storage. Disable for metadata-only tracking.`
			`capture_request_body: true`

			`# Keep response bodies and streaming chunks in storage.`
			`capture_response_body: true`

			`# Store only request/response metadata, not payload bodies.`
			`metadata_only: false`

			`# Delete records older than this many days on write. 0 disables cleanup.`
			`retention_days: 0`

			`# JSON payload fields to redact before storage.`
			`redacted_fields:`
			`- api_key`
			`- authorization`
			`- token`
			`- password`
			`- secret`
			`- access_token`
			`- refresh_token`
			`- client_secret`
temp 2025-08-01 21:19:30 -04:00
			`# Directory for storing request files (if needed in future)`
			`# requests_dir: "./requests"`

route cleanup working Working version 2025-08-03 22:30:13 -04:00			`# Subagent Configuration (Optional)`
			`# Enable this feature if you want to route specific Claude Code agents to different LLM providers`
			`# For subagent setup instructions, see: https://docs.anthropic.com/en/docs/claude-code/sub-agents`
temp 2025-08-01 21:19:30 -04:00			`subagents:`
route cleanup working Working version 2025-08-03 22:30:13 -04:00			`# Enable subagent routing (default: false)`
			`enable: false`

			`# Maps subagent types to specific models`
			`# Only used when enable: true`
temp 2025-08-01 21:19:30 -04:00			`mappings:`
			`# Code review specialist (example)`
			`# code-reviewer: "gpt-4o"`

			`# Data analysis expert (example)`
route cleanup working Working version 2025-08-03 22:30:13 -04:00			`# data-analyst: "o3"`
temp 2025-08-01 21:19:30 -04:00
			`# Documentation writer (example)`
			`# doc-writer: "gpt-3.5-turbo"`

			`# Environment variable overrides:`
			`# The following environment variables will override the YAML configuration:`
			`#`
			`# Server:`
Harden proxy auth, storage, and conversation access 2026-03-19 19:00:24 -06:00			`# SERVER_HOST - Bind host (default: 127.0.0.1)`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00			`# PORT - Server port`
			`# READ_TIMEOUT - Read timeout duration`
			`# WRITE_TIMEOUT - Write timeout duration`
			`# IDLE_TIMEOUT - Idle timeout duration`
temp 2025-08-01 21:19:30 -04:00			`#`
			`# Anthropic:`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00			`# ANTHROPIC_FORWARD_URL - Anthropic base URL`
			`# ANTHROPIC_VERSION - Anthropic API version`
			`# ANTHROPIC_MAX_RETRIES - Maximum retries for Anthropic requests`
temp 2025-08-01 21:19:30 -04:00			`#`
			`# OpenAI:`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00			`# OPENAI_API_KEY - OpenAI API key`
			`# OPENAI_BASE_URL - OpenAI base URL`
			`# OPENAI_ALLOW_CLIENT_API_KEY - Allow client-provided API keys (true/false)`
			`# OPENAI_CLIENT_API_KEY_HEADER - Header name for client API key`
temp 2025-08-01 21:19:30 -04:00			`#`
Harden proxy auth, storage, and conversation access 2026-03-19 19:00:24 -06:00			`# Auth:`
			`# AUTH_ENABLED - Enable auth for non-health endpoints (true/false)`
			`# AUTH_TOKEN - Shared secret for bearer / API-key auth`
			`# AUTH_API_KEY_HEADER - Header name for API-key style auth`
			`# AUTH_ALLOW_LOCALHOST_BYPASS - Allow loopback requests to bypass auth (true/false)`
			`#`
temp 2025-08-01 21:19:30 -04:00			`# Storage:`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00			`# DB_PATH - Database file path`
Harden proxy auth, storage, and conversation access 2026-03-19 19:00:24 -06:00			`# STORAGE_CAPTURE_REQUEST_BODY - Keep request bodies (true/false)`
			`# STORAGE_CAPTURE_RESPONSE_BODY - Keep response bodies (true/false)`
			`# STORAGE_METADATA_ONLY - Store metadata only (true/false)`
			`# STORAGE_RETENTION_DAYS - Delete rows older than N days`
			`# STORAGE_REDACTED_FIELDS - Comma-separated payload fields to redact`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00			`#`
			`# CORS:`
			`# CORS_ALLOWED_ORIGINS - Comma-separated allowed origins`
			`# CORS_ALLOWED_METHODS - Comma-separated allowed methods`
			`# CORS_ALLOWED_HEADERS - Comma-separated allowed headers`
temp 2025-08-01 21:19:30 -04:00			`#`
			`# Subagents:`
Harden streaming, pagination, and config loading 2026-03-19 18:52:09 -06:00			`# SUBAGENT_MAPPINGS - Comma-separated subagent:model pairs`
Harden proxy auth, storage, and conversation access 2026-03-19 19:00:24 -06:00			`# Example: "code-reviewer:claude-3-5-sonnet"`