Modal logo
IntroductionCustom container images Defining ImagesPrivate registriesFast pull from registryGPUs and other resources GPU accelerationUsing CUDA on ModalReserving CPU and memoryScaling out Scaling outInput concurrencyBatch processingJob queuesDynamic batching (beta)Scheduling and cron jobsDeployment Apps, Functions, and entrypointsManaging deploymentsInvoking deployed functionsContinuous deploymentRunning untrusted code in FunctionsSecrets and environment variables SecretsEnvironment variablesWeb endpoints Web endpointsStreaming endpointsWeb endpoint URLsRequest timeoutsProxy Auth TokensNetworking TunnelsProxies (beta)Cluster networkingData sharing and storage Passing local dataVolumesStoring model weightsCloud bucket mountsDictsQueuesDataset ingestionSandboxes SandboxesRunning commandsNetworking and securityFile accessSnapshotsPerformance Cold start performanceMemory SnapshotGeographic latencyReliability and robustness Failures and retriesPreemptionTimeoutsGPU healthTroubleshootingSecurity and privacyIntegrations Using OIDC to authenticate with external servicesConnecting Modal to your Datadog accountConnecting Modal to your OpenTelemetry providerOkta SSOSlack notifications (beta)Workspace & account settings WorkspacesEnvironmentsModal user account setupService usersOther topics Modal 1.0 migration guideFile and project structureDeveloping and debuggingDeveloping Modal code with LLMsJupyter notebooksAsynchronous API usageGlobal variablesRegion selectionContainer lifecycle hooksParametrized functionsS3 Gateway endpointsGPU Metrics

Proxy Auth Tokens

Use Proxy Auth Tokens to prevent unauthorized clients from triggering your web endpoints.

import modal

image = modal.Image.debian_slim().pip_install("fastapi")
app = modal.App("proxy-auth-public", image=image)


@app.function()
@modal.fastapi_endpoint()
def public():
    return "hello world"


@app.function()
@modal.fastapi_endpoint(requires_proxy_auth=True)
def private():
    return "hello friend"

The public endpoint can be hit by any client over the Internet.

curl https://public-url--goes-here.modal.run

The private endpoint cannot.

curl --fail-with-body https://private-url--goes-here.modal.run
# modal-http: missing credentials for proxy authorization
# curl: (22) The requested URL returned error: 401
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401

Authorization is demonstrated via a Proxy Auth Token. You can create a Proxy Auth Token for your workspace here. In requests to the web endpoint, clients supply the Token ID and Token Secret in the Modal-Key and Modal-Secret HTTP headers.

export TOKEN_ID=wk-1234abcd
export TOKEN_SECRET=ws-1234abcd
curl -H "Modal-Key: $TOKEN_ID" \
     -H "Modal-Secret: $TOKEN_SECRET" \
     https://private-url--goes-here.modal.run

Proxy authorization can be added to web endpoints created by the fastapi_endpoint, asgi_app, wsgi_app, or web_server decorators, which are otherwise publicly available.

Everyone within the workspace of the web endpoint can manage its Proxy Auth Tokens.