Modal logo
IntroductionCustom container images Defining ImagesPrivate registriesFast pull from registryGPUs and other resources GPU accelerationUsing CUDA on ModalReserving CPU and memoryScaling out Scaling outDicts and queuesJob processingConcurrent inputs on a single container (beta)Dynamic batching (beta)Scheduling and cron jobsDeployment Apps, Stubs, and entrypointsManaging deploymentsInvoking deployed functionsContinuous deploymentSecrets and environment variables SecretsEnvironment variablesWeb endpoints Web endpointsStreaming endpointsWeb endpoint URLsRequest timeoutsWebhook tokens (beta)Networking Tunnels (beta)Proxies (beta)Data sharing and storage Passing local dataVolumesMounting local files and directoriesStoring model weightsDataset ingestionCloud bucket mountsSandboxes SandboxesRunning commandsNetworking and securityFile accessSnapshotsPerformance Cold start performanceMemory Snapshot (beta)Geographic latencyReliability and robustness Failures and retriesPreemptionTimeoutsTroubleshootingSecurity and privacyIntegrations Using OIDC to authenticate with external servicesConnecting Modal to your Datadog accountConnecting Modal to your OpenTelemetry providerOkta SSOSlack notifications (beta)Other topics Modal 1.0 migration guideFile and project structureDeveloping and debuggingModal user account setupWorkspacesEnvironmentsJupyter notebooksAsynchronous API usageGlobal variablesRegion selectionContainer lifecycle hooksParametrized functionsS3 Gateway endpointsGPU Metrics

Proxy auth tokens (beta)

To prevent users outside of your workspace from discovering and triggering web endpoints that you create, Modal will check for two headers: Modal-Key and Modal-Secret on HTTP requests to the endpoint. You can populate these headers with tokens created under Settings > Proxy Auth Tokens.

By default, web endpoints created by the fastapi_endpoint, asgi_app, wsgi_app, or web_server decorators are publicly available. The optional field requires_proxy_auth protects your web endpoint by verifying a key and a token are passed in the Modal-Key and Modal-Secret headers. Requests without those headers will receive the HTTP error 401 Unauthorized unless valid credentials are supplied.

import modal

@app.function()
@modal.fastapi_endpoint(requires_proxy_auth=True)
def app():
    return "hello world"

To trigger the endpoint, create a Proxy Auth Token, which will generate a token ID and token secret that you use to prove the authorization of your request. In requests to the web endpoint, add the Modal-Key and Modal-Secret HTTP headers and supply your token in the header value.

export TOKEN_ID=wk-1234abcd
export TOKEN_SECRET=ws-1234abcd
curl -H "Modal-Key: $TOKEN_ID" \
     -H "Modal-Secret: $TOKEN_SECRET" \
     https://my-secure-endpoint.modal.run

Everyone within the workspace of the web endpoint can manage the tokens that will be accepted as valid authentication.

Proxy-Authorization header

Previously, Modal Proxy Auth tokens used the verified the Proxy-Authorization header, returning a 407 Proxy Unauthorized HTTP error in case the token isn’t valid. We have since made an update to use Modal-Key and Modal-Secret instead. Proxy-Authorization is still supported but will be deprecated sometime in the future.

The Proxy-Authorization header uses the Basic authentication scheme and expect base64 encoding of [TOKEN_ID]:[TOKEN_SECRET] for the credentials. For example:

export TOKEN_ID=wk-1234abcd
export TOKEN_SECRET=ws-1234abcd
curl https://my-secure-endpoint.modal.run -H "Proxy-Authorization: Basic $(echo -n $TOKEN_ID:$TOKEN_SECRET | base64)"