Skip to content

[ENH] For chroma cloud efs, extract api key from header if available to authenticate #5914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jairad26 merged 1 commit into from
Dec 4, 2025
Merged

[ENH] For chroma cloud efs, extract api key from header if available to authenticate #5914

jairad26 merged 1 commit into from
Dec 4, 2025

Conversation

@jairad26
Copy link
Contributor

@jairad26 jairad26 commented Nov 26, 2025
edited
Loading

Description of changes

Summarize the changes made by this PR.

  • Improvements & Bug fixes
    • Since chroma cloud splade & qwen are both authenticated using the same api key as Chroma Cloud, as a fallback we can iterate through the available clients and use the first api key found when the host is api.trychroma.com
  • New functionality
    • ...

Test plan

How are these changes tested?
Added tests for extraction function

  • Tests pass locally with pytest for python, yarn test for js, cargo test for rust

Migration plan

Are there any migrations, or any forwards/backwards compatibility changes needed in order to make sure this change deploys reliably?

Observability plan

What is the plan to instrument and monitor this change?

Documentation Changes

Are all docstrings for user-facing APIs updated if required? Do we need to make documentation changes in the docs section?

@jairad26 Graphite App
Copy link
Contributor Author

jairad26 commented Nov 26, 2025

This stack of pull requests is managed by Graphite. Learn more about stacking.

@github-actions
Copy link

github-actions bot commented Nov 26, 2025

Reviewer Checklist

Please leverage this checklist to ensure your code review is thorough before approving

Testing, Bugs, Errors, Logs, Documentation

  • Can you think of any use case in which the code does not behave as intended? Have they been tested?
  • Can you think of any inputs or external events that could break the code? Is user input validated and safe? Have they been tested?
  • If appropriate, are there adequate property based tests?
  • If appropriate, are there adequate unit tests?
  • Should any logging, debugging, tracing information be added or removed?
  • Are error messages user-friendly?
  • Have all documentation changes needed been made?
  • Have all non-obvious changes been commented?

System Compatibility

  • Are there any potential impacts on other parts of the system or backward compatibility?
  • Does this change intersect with any items on our roadmap, and if so, is there a plan for fitting them together?

Quality

  • Is this code of a unexpectedly high quality (Readability, Modularity, Intuitiveness)

@jairad26 jairad26 force-pushed the jai/cloud-ef-api-key-extraction branch 2 times, most recently from 994803a to a92603d Compare November 26, 2025 19:35
@jairad26 jairad26 marked this pull request as ready for review November 26, 2025 19:36
@propel-code-bot
Copy link
Contributor

propel-code-bot bot commented Nov 26, 2025
edited
Loading

Add shared client API key discovery for Chroma Cloud embeddings

Introduces a static helper on SharedSystemClient that iterates cached ServerAPI instances to recover the Chroma Cloud API key from HTTP client headers when targeting hosted endpoints. The fallback is wired into both the Qwen and Splade embedding functions so they can authenticate automatically when the environment variable is unset, and tests validate the extraction logic across multiple clients and edge cases.

Key Changes

• Added SharedSystemClient.get_chroma_cloud_api_key_from_clients() to inspect cached BaseHTTPClient implementations and extract the first x-chroma-token header for api.trychroma.com or gcp.trychroma.com hosts
• Exposed get_request_headers() and get_api_url() on BaseHTTPClient, with concrete overrides in FastAPI and AsyncFastAPI to surface their HTTPX client state
• Updated ChromaCloudQwenEmbeddingFunction and ChromaCloudSpladeEmbeddingFunction to lazily import SharedSystemClient, reuse a shared helper, and fall back to the discovered API key when the configured environment variable is empty
• Added chromadb/test/api/test_shared_system_client.py covering header casing, multiple client scenarios, non-HTTP clients, missing URLs, and exception handling during API key extraction

Affected Areas

chromadb/api/shared_system_client.py
chromadb/api/base_http_client.py
chromadb/api/fastapi.py
chromadb/api/async_fastapi.py
chromadb/utils/embedding_functions/chroma_cloud_qwen_embedding_function.py
chromadb/utils/embedding_functions/chroma_cloud_splade_embedding_function.py
chromadb/utils/embedding_functions/utils.py
chromadb/test/api/test_shared_system_client.py

This summary was automatically generated by @propel-code-bot

propel-code-bot[bot]
propel-code-bot bot reviewed Nov 26, 2025
View reviewed changes
propel-code-bot[bot]
propel-code-bot bot reviewed Nov 26, 2025
View reviewed changes
chromadb/api/shared_system_client.py
Comment on lines 130 to 144
except Exception:
# if we can't access the ServerAPI instance or it doesn't have _session,
# continue to the next system instance
continue
Copy link
Contributor

@propel-code-bot propel-code-bot bot Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

[Reliability] The broad except Exception silently catches all errors, including critical issues like AttributeError from API changes or KeyError from malformed data structures. This makes debugging difficult when the code fails.

except AttributeError as e:
    # ServerAPI doesn't have expected attributes (_session or _api_url)
    logger.debug(f"Skipping system {system_id}: {e}")
    continue
except Exception as e:
    # Unexpected errors should be logged for investigation
    logger.warning(f"Unexpected error extracting API key from system: {e}")
    continue

This distinguishes expected structural variations from genuine errors that need attention.

Context for Agents 
The broad `except Exception` silently catches all errors, including critical issues like `AttributeError` from API changes or `KeyError` from malformed data structures. This makes debugging difficult when the code fails.

```python
except AttributeError as e:
    # ServerAPI doesn't have expected attributes (_session or _api_url)
    logger.debug(f"Skipping system {system_id}: {e}")
    continue
except Exception as e:
    # Unexpected errors should be logged for investigation
    logger.warning(f"Unexpected error extracting API key from system: {e}")
    continue
```

This distinguishes expected structural variations from genuine errors that need attention.

File: chromadb/api/shared_system_client.py
Line: 133

HammadB
HammadB reviewed Nov 26, 2025
View reviewed changes
chromadb/utils/embedding_functions/chroma_cloud_qwen_embedding_function.py Outdated
# If not found in env var, try to get it from existing client instances
if not self.api_key:
raise ValueError(f"The {api_key_env_var} environment variable is not set.")
from chromadb.api.shared_system_client import SharedSystemClient
Copy link
Collaborator

@HammadB HammadB Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please do not do inline imports. Why is this needed?

Copy link
Contributor Author

@jairad26 jairad26 Dec 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is because of circular dependencies. The path is essentially chromadb.api -> schema -> embedding function -> qwen ef -> shared system client -> chromadb.api

we would need to either refactor where the embedding function protocol is defined which is a breaking change, or move the ServerAPI.

An alternative would be to refactor the embedding function protocol to allow build_from_config to take a client, but that's a much larger refactor, and would also be a breaking change for custom efs

I'm not able to think of another way to get the client to auto propagate keys to the ef. we could also have an optional parameter to the ef that takes in a client, but it removes the ease of use, and its weird to pass in a client to the ef.

Copy link
Contributor Author

@jairad26 jairad26 Dec 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed it to lazy import similar to how schema and types.py import

@jairad26 jairad26 force-pushed the jai/cloud-ef-api-key-extraction branch 4 times, most recently from fb83644 to 51d83a3 Compare December 1, 2025 19:43
HammadB
HammadB reviewed Dec 3, 2025
View reviewed changes
HammadB
HammadB reviewed Dec 3, 2025
View reviewed changes
HammadB
HammadB reviewed Dec 3, 2025
View reviewed changes
HammadB
HammadB reviewed Dec 3, 2025
View reviewed changes
@jairad26 jairad26 force-pushed the jai/cloud-ef-api-key-extraction branch from 51d83a3 to fb90210 Compare December 3, 2025 20:19
@blacksmith-sh

This comment has been minimized.

Sign in to view
@jairad26 jairad26 force-pushed the jai/cloud-ef-api-key-extraction branch from fb90210 to db92fb8 Compare December 3, 2025 20:35
@jairad26 jairad26 force-pushed the jai/cloud-ef-api-key-extraction branch from db92fb8 to fb6b061 Compare December 3, 2025 20:45
HammadB
HammadB reviewed Dec 3, 2025
View reviewed changes
HammadB
HammadB reviewed Dec 3, 2025
View reviewed changes
HammadB
HammadB reviewed Dec 3, 2025
View reviewed changes
@jairad26 jairad26 force-pushed the jai/cloud-ef-api-key-extraction branch from fb6b061 to 541c25a Compare December 3, 2025 21:40
propel-code-bot[bot]
propel-code-bot bot reviewed Dec 3, 2025
View reviewed changes
chromadb/api/shared_system_client.py
Comment on lines +172 to +153
if len(api_keys) > 1:
logger.info(
f"Multiple Chroma Cloud clients found, using API key starting with {api_keys[0][:8]}..."
)
Copy link
Contributor

@propel-code-bot propel-code-bot bot Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical

[Security] Logging a prefix of the API key poses a security risk. Sensitive credentials, even partial ones, should not be written to logs as they could be exposed. A more secure approach is to log that multiple keys were found without revealing any part of the key itself.

Context for Agents 
Logging a prefix of the API key poses a security risk. Sensitive credentials, even partial ones, should not be written to logs as they could be exposed. A more secure approach is to log that multiple keys were found without revealing any part of the key itself.

File: chromadb/api/shared_system_client.py
Line: 175

@jairad26 jairad26 force-pushed the jai/cloud-ef-api-key-extraction branch 2 times, most recently from 3f4fee4 to 3cfe00d Compare December 3, 2025 22:34
HammadB
HammadB reviewed Dec 4, 2025
View reviewed changes
chromadb/utils/embedding_functions/chroma_cloud_qwen_embedding_function.py Outdated
from enum import Enum


def _get_shared_system_client():
Copy link
Collaborator

@HammadB HammadB Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is every ef defining this when it could be shared?

Copy link
Contributor Author

@jairad26 jairad26 Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thought it would be clearer since its for import purposes and it was a 2 liner. updated so splade ef reads from qwen ef's impl. thought about moving to its own file, but didnt think this was worth introducing an ef helper file

@jairad26 jairad26 force-pushed the jai/cloud-ef-api-key-extraction branch from 3cfe00d to 0f0fd2b Compare December 4, 2025 01:21
HammadB
HammadB reviewed Dec 4, 2025
View reviewed changes
chromadb/utils/embedding_functions/chroma_cloud_splade_embedding_function.py Outdated
from chromadb.base_types import SparseVector
import os
from typing import Union
from chromadb.utils.embedding_functions.chroma_cloud_qwen_embedding_function import (
Copy link
Collaborator

@HammadB HammadB Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it makes sense for this to import from another embedding function. I think this should just be in a seperate file.

@jairad26 jairad26 force-pushed the jai/cloud-ef-api-key-extraction branch from 0f0fd2b to 62022f8 Compare December 4, 2025 01:27
@jairad26 jairad26 enabled auto-merge (squash) December 4, 2025 01:43
@jairad26 jairad26 merged commit 17703ea into main Dec 4, 2025
63 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@propel-code-bot propel-code-bot[bot] propel-code-bot[bot] left review comments

@HammadB HammadB HammadB approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jairad26 @HammadB