Client Configuration

The bifrost.client block controls how Bifrost manages its internal worker pool, request logging, authentication enforcement, header policies, SDK compatibility shims, and MCP agent behaviour. All settings map directly to the client section of the rendered config.json.

Connection Pool

Parameter	Description	Default
`bifrost.client.initialPoolSize`	Pre-allocated worker goroutines per provider queue	`300`
`bifrost.client.dropExcessRequests`	Drop requests when queue is full instead of waiting	`false`

A larger pool reduces latency spikes under burst load at the cost of higher baseline memory. For production workloads with multiple providers, 1000 is a common starting point.

# client-pool.yaml
image:
  tag: "v1.4.11"

bifrost:
  client:
    initialPoolSize: 1000
    dropExcessRequests: true   # Return 429 instead of queuing indefinitely

helm install bifrost bifrost/bifrost -f client-pool.yaml

# Or set inline
helm upgrade bifrost bifrost/bifrost \
  --reuse-values \
  --set bifrost.client.initialPoolSize=1000 \
  --set bifrost.client.dropExcessRequests=true

Request & Response Logging

Parameter	Description	Default
`bifrost.client.enableLogging`	Log all LLM requests and responses	`true`
`bifrost.client.disableContentLogging`	Strip message content from logs (keeps metadata)	`false`
`bifrost.client.logRetentionDays`	Days to retain log entries in the store	`365`
`bifrost.client.loggingHeaders`	HTTP request headers to capture in log metadata	`[]`

Set disableContentLogging: true for HIPAA / PCI compliance workloads where message content must not be persisted.

bifrost:
  client:
    enableLogging: true
    disableContentLogging: true    # PII / compliance: store metadata only
    logRetentionDays: 90
    loggingHeaders:
      - "x-request-id"
      - "x-user-id"

helm upgrade bifrost bifrost/bifrost \
  --reuse-values \
  --set bifrost.client.disableContentLogging=true \
  --set bifrost.client.logRetentionDays=90

Security & CORS

Parameter	Description	Default
`bifrost.client.allowedOrigins`	CORS allowed origins	`["*"]`
`bifrost.client.enforceGovernanceHeader`	Require `x-bf-vk` virtual-key header on every request	`false`
`bifrost.client.maxRequestBodySizeMb`	Maximum allowed request body size	`100`
`bifrost.client.whitelistedRoutes`	Routes that bypass auth middleware	`[]`

bifrost:
  client:
    allowedOrigins:
      - "https://app.yourdomain.com"
      - "https://admin.yourdomain.com"
    enforceGovernanceHeader: true  # Every request must carry a virtual key
    maxRequestBodySizeMb: 50
    whitelistedRoutes:
      - "/health"
      - "/metrics"

helm install bifrost bifrost/bifrost \
  --set image.tag=v1.4.11 \
  --set bifrost.client.enforceGovernanceHeader=true

Header Filtering

Controls which x-bf-eh-* headers are forwarded to upstream LLM providers.

Parameter	Description	Default
`bifrost.client.headerFilterConfig.allowlist`	Only these headers are forwarded (whitelist mode)	`[]`
`bifrost.client.headerFilterConfig.denylist`	These headers are always blocked	`[]`
`bifrost.client.requiredHeaders`	Headers that must be present on every request	`[]`
`bifrost.client.allowedHeaders`	Additional headers permitted for CORS and WebSocket	`[]`

When both lists are empty, all x-bf-eh-* headers pass through. Specifying an allowlist enables strict whitelist mode - only listed headers are forwarded.

bifrost:
  client:
    headerFilterConfig:
      allowlist:
        - "x-bf-eh-anthropic-version"
        - "x-bf-eh-openai-beta"
      denylist: []
    requiredHeaders:
      - "x-request-id"

Authentication

Parameter	Description	Default
`bifrost.authConfig.isEnabled`	Enable username/password auth for the API and dashboard	`false`
`bifrost.authConfig.adminUsername`	Admin username (plain text, prefer secret)	`""`
`bifrost.authConfig.adminPassword`	Admin password (plain text, prefer secret)	`""`
`bifrost.authConfig.existingSecret`	Kubernetes Secret name for credentials	`""`
`bifrost.authConfig.usernameKey`	Key within the secret for username	`"username"`
`bifrost.authConfig.passwordKey`	Key within the secret for password	`"password"`
`bifrost.authConfig.disableAuthOnInference`	Skip auth check on `/v1/*` inference routes	`false`

# Create secret first
kubectl create secret generic bifrost-admin \
  --from-literal=username='admin' \
  --from-literal=password='your-secure-password'

bifrost:
  authConfig:
    isEnabled: true
    disableAuthOnInference: false
    existingSecret: "bifrost-admin"
    usernameKey: "username"
    passwordKey: "password"

helm upgrade bifrost bifrost/bifrost \
  --reuse-values \
  -f auth-values.yaml

Encryption

Parameter	Description	Default
`bifrost.encryptionKey`	Optional encryption key (plain text - use `encryptionKeySecret` in production). If omitted, data is stored in plaintext.	`""`
`bifrost.encryptionKeySecret.name`	Kubernetes Secret name containing the key	`""`
`bifrost.encryptionKeySecret.key`	Key within the secret	`"encryption-key"`

Always use a Kubernetes Secret in production:

kubectl create secret generic bifrost-encryption \
  --from-literal=encryption-key='your-32-byte-encryption-key-here'

bifrost:
  encryptionKeySecret:
    name: "bifrost-encryption"
    key: "encryption-key"

helm install bifrost bifrost/bifrost \
  --set image.tag=v1.4.11 \
  -f encryption-values.yaml

Async Jobs & Database Pings

Parameter	Description	Default
`bifrost.client.disableDbPingsInHealth`	Exclude DB connectivity from `/health` checks	`false`
`bifrost.client.asyncJobResultTTL`	TTL (seconds) for async job results	`3600`

Compat Shims

Compatibility flags that let Bifrost silently adapt request/response shapes for SDK integrations:

Parameter	Description	Default
`bifrost.client.compat.convertTextToChat`	Wrap legacy text completions as chat messages	`false`
`bifrost.client.compat.convertChatToResponses`	Translate chat completions to Responses API format	`false`
`bifrost.client.compat.shouldDropParams`	Silently drop unsupported parameters instead of erroring	`false`
`bifrost.client.compat.shouldConvertParams`	Auto-convert parameter names across provider schemas	`false`

bifrost:
  client:
    compat:
      shouldDropParams: true     # Useful when proxying mixed SDK traffic
      convertTextToChat: true    # For clients using the legacy /v1/completions endpoint

Prometheus Labels

Add custom labels to every Prometheus metric emitted by Bifrost:

bifrost:
  client:
    prometheusLabels:
      - name: "environment"
        value: "production"
      - name: "region"
        value: "us-east-1"

MCP Agent Settings

Parameter	Description	Default
`bifrost.mcp.toolManagerConfig.maxAgentDepth`	Maximum tool-call recursion depth for MCP agent mode	`10`
`bifrost.mcp.toolManagerConfig.toolExecutionTimeout`	Timeout per tool execution in seconds	`30`
`bifrost.mcp.toolManagerConfig.codeModeBindingLevel`	Code mode binding level (`server` or `tool`)	`server`
`bifrost.mcp.toolManagerConfig.disableAutoToolInject`	Disable automatic MCP tool injection	`false`
`bifrost.mcp.toolSyncInterval`	Global tool sync interval as a Go duration string (for example `10m`). Use `0s` to use the runtime default (it does not disable sync). This differs from legacy `bifrost.client.mcpToolSyncInterval: 0`, which represented disabled behavior.	`10m`

bifrost:
  mcp:
    toolSyncInterval: "15m"
    toolManagerConfig:
      maxAgentDepth: 15
      toolExecutionTimeout: 60
      codeModeBindingLevel: "tool"
      disableAutoToolInject: false

Full Example

# client-full.yaml
image:
  tag: "v1.4.11"

bifrost:
  encryptionKeySecret:
    name: "bifrost-encryption"
    key: "encryption-key"

  authConfig:
    isEnabled: true
    disableAuthOnInference: false
    existingSecret: "bifrost-admin"
    usernameKey: "username"
    passwordKey: "password"

  client:
    initialPoolSize: 1000
    dropExcessRequests: true
    allowedOrigins:
      - "https://app.yourdomain.com"
    enableLogging: true
    disableContentLogging: false
    logRetentionDays: 90
    enforceGovernanceHeader: true
    maxRequestBodySizeMb: 100
    headerFilterConfig:
      allowlist: []
      denylist: []
    prometheusLabels:
      - name: "environment"
        value: "production"
  mcp:
    toolSyncInterval: "10m"
    toolManagerConfig:
      maxAgentDepth: 10
      toolExecutionTimeout: 30
      codeModeBindingLevel: "server"
      disableAutoToolInject: false

# Create prerequisites
kubectl create secret generic bifrost-encryption \
  --from-literal=encryption-key='your-32-byte-encryption-key-here'

kubectl create secret generic bifrost-admin \
  --from-literal=username='admin' \
  --from-literal=password='your-secure-password'

# Install
helm install bifrost bifrost/bifrost -f client-full.yaml

​Connection Pool

​Request & Response Logging

​Security & CORS

​Header Filtering

​Authentication

​Encryption

​Async Jobs & Database Pings

​Compat Shims

​Prometheus Labels

​MCP Agent Settings

​Full Example