
[Feature] UI - Admin Settings: Add option for Authentication for public AI Hub#20444

Merged
yuneng-jiang merged 5 commits into main from litellm_ui_config_req_auth_mh
Feb 6, 2026

Conversation

@yuneng-jiang (Collaborator) commented Feb 4, 2026

Relevant issues

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

  • I have added testing in the tests/litellm/ directory; adding at least 1 test is a hard requirement (see details)
  • My PR passes all unit tests on make test-unit
  • My PR's scope is as isolated as possible, it only solves 1 specific problem

CI (LiteLLM team)

CI status guideline:

  • 50-55 passing tests: main is stable with minor issues.
  • 45-49 passing tests: acceptable but needs attention
  • <= 40 passing tests: unstable; be careful with your merges and assess the risk.
  • Branch creation CI run
    Link:

  • CI run for the last commit
    Link:

  • Merge / cherry-pick CI run
    Links:

Type

🆕 New Feature
🧹 Refactoring
✅ Test

Changes

Adds a UI setting require_auth_for_public_ai_hub that allows administrators to require authentication for accessing the public AI Hub. When enabled, unauthenticated users are redirected to the login page. Refactors useAuthorized hook to consolidate token validation logic using checkTokenValidity and decodeToken utilities. Adds tests for ModelHubTable authentication flow, UISettings component, useAuthorized hook, and jwtUtils functions.

Screenshots

[two screenshots, not captured in this extraction]

@vercel bot commented Feb 4, 2026

The latest updates on your projects.

  • Project: litellm; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): Feb 5, 2026 1:07am

@greptile-apps (Contributor) bot commented Feb 5, 2026

Greptile Overview

Greptile Summary

This PR adds a UI setting require_auth_for_public_ai_hub that allows administrators to require authentication for accessing the public AI Hub. The implementation includes both frontend and backend changes along with comprehensive test coverage.

Key Changes:

  • Added require_auth_for_public_ai_hub boolean field to backend UISettings model and allowlist
  • Refactored useAuthorized hook to use new checkTokenValidity and decodeToken utility functions
  • Made /get/ui_settings endpoint public (removed auth requirement) so the setting can be fetched before authentication
  • Added authentication check in ModelHubTable component that redirects unauthenticated users to login when the setting is enabled
  • Added UI toggle in admin settings panel to control the feature
  • Comprehensive test coverage for new utilities, hooks, and authentication flow

Issues Found:

  • Critical: Frontend checks the setting but backend /public/model_hub endpoint still has hardcoded dependencies=[Depends(user_api_key_auth)], meaning it always requires authentication regardless of this setting
  • Moderate: The refactored useAuthorized hook returns decoded user data even when isAuthorized is false, potentially exposing data from expired tokens

The refactoring of JWT utilities and useAuthorized hook is well-designed with good separation of concerns and comprehensive test coverage.

Confidence Score: 3/5

  • This PR has a critical backend enforcement gap that prevents the feature from working as intended
  • The frontend implementation is solid with good tests, but the backend /public/model_hub endpoint doesn't respect the require_auth_for_public_ai_hub setting. Additionally, the useAuthorized refactor has a data exposure issue with expired tokens. These issues need to be resolved before merge.
  • litellm/proxy/public_endpoints/public_endpoints.py (not in this PR) needs to be updated to conditionally apply authentication based on the setting, and ui/litellm-dashboard/src/app/(dashboard)/hooks/useAuthorized.ts should gate decoded fields by authorization status

Important Files Changed

  • litellm/proxy/ui_crud_endpoints/proxy_setting_endpoints.py: Added require_auth_for_public_ai_hub boolean field to UISettings model and allowlist; backend definition is correct
  • ui/litellm-dashboard/src/components/AIHub/ModelHubTable.tsx: Added frontend auth check using the require_auth_for_public_ai_hub setting; redirects to login when enabled and token invalid, but backend enforcement is missing
  • ui/litellm-dashboard/src/app/(dashboard)/hooks/useAuthorized.ts: Refactored to use new checkTokenValidity and decodeToken utilities, consolidated redirect logic into a single useEffect; cleaner implementation
  • ui/litellm-dashboard/src/utils/jwtUtils.ts: Added decodeToken and checkTokenValidity utility functions with proper error handling; good refactor for code reuse
  • ui/litellm-dashboard/src/components/networking.tsx: Removed authentication header from getUiSettings call; correctly made endpoint public

Sequence Diagram

sequenceDiagram
    participant User
    participant Browser
    participant ModelHubTable
    participant useUISettings
    participant Networking
    participant Backend
    participant Database

    User->>Browser: Access Public AI Hub
    Browser->>ModelHubTable: Render component
    ModelHubTable->>useUISettings: Fetch UI settings
    useUISettings->>Networking: getUiSettings()
    Networking->>Backend: GET /get/ui_settings (no auth)
    Backend->>Database: Query ui_settings
    Database-->>Backend: Return settings
    Backend-->>Networking: Return {require_auth_for_public_ai_hub: true/false}
    Networking-->>useUISettings: Settings data
    useUISettings-->>ModelHubTable: Settings with require_auth flag
    
    alt require_auth_for_public_ai_hub is true
        ModelHubTable->>ModelHubTable: getCookie("token")
        ModelHubTable->>ModelHubTable: checkTokenValidity(token)
        alt token is invalid
            ModelHubTable->>Browser: router.replace("/ui/login")
            Browser->>User: Redirect to login page
        else token is valid
            ModelHubTable->>Backend: Fetch model hub data (authenticated)
            Backend-->>ModelHubTable: Return data
            ModelHubTable->>User: Display AI Hub
        end
    else require_auth_for_public_ai_hub is false
        ModelHubTable->>Backend: Fetch model hub data
        Backend-->>ModelHubTable: Return data
        ModelHubTable->>User: Display AI Hub (public access)
    end

@greptile-apps bot left a comment: 3 files reviewed, 1 comment

@yuneng-jiang yuneng-jiang marked this pull request as draft February 5, 2026 00:10
@greptile-apps bot left a comment: 5 files reviewed, 2 comments

Comment on lines +84 to +105
// Check authentication requirement for public AI Hub
useEffect(() => {
// Only check when UI settings are loaded and this is a public page
if (isUISettingsLoading || !publicPage) {
return;
}

const requireAuth = uiSettings?.values?.require_auth_for_public_ai_hub;

// If require_auth_for_public_ai_hub is true, verify token
if (requireAuth === true) {
const token = getCookie("token");
const isTokenValid = checkTokenValidity(token);

// If token is invalid, redirect to login
if (!isTokenValid) {
router.replace(`${getProxyBaseUrl()}/ui/login`);
return;
}
}
// If require_auth_for_public_ai_hub is false, allow public access (no change)
}, [isUISettingsLoading, publicPage, uiSettings, router]);
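Review bot: the effect on lines 84-105 fails open when the settings fetch does not succeed: it returns early only while isUISettingsLoading is true, and if uiSettings is undefined afterwards, requireAuth is undefined, `requireAuth === true` is false, and the page is treated as public; decide explicitly what an errored or missing settings response should do. Separately, checkTokenValidity runs in the browser on a cookie value with no signing key available, so this block can only be a redirect for user experience, never the authoritative access decision; the setting has to be enforced in the backend dependency as well, which is the gap the comment below describes.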

Frontend implements the require_auth_for_public_ai_hub check, but the backend /public/model_hub endpoint at litellm/proxy/public_endpoints/public_endpoints.py:27 still has dependencies=[Depends(user_api_key_auth)] hardcoded. This means the backend always requires authentication regardless of this setting.

The setting should control the backend endpoint's authentication dependency, not just redirect on the frontend. Otherwise, unauthenticated users will be blocked by the API even if the setting is disabled.


Comment on lines 66 to 72
accessToken: decoded?.key ?? null,
userId: decoded?.user_id ?? null,
userEmail: decoded?.user_email ?? null,
userRole: formatUserRole(decoded?.user_role ?? null),
userRole: formatUserRole(decoded?.user_role),
premiumUser: decoded?.premium_user ?? null,
disabledPersonalKeyCreation: decoded?.disabled_non_admin_personal_key_creation ?? null,
showSSOBanner: decoded?.login_method === "username_password",
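Review bot: accessToken, userId, userEmail, userRole, premiumUser and disabledPersonalKeyCreation are all read from `decoded` with no reference to isAuthorized, so a caller of the hook receives identity fields from an expired or malformed token; derive them from a single gated value such as `const user = isAuthorized ? decoded : null;` and read every field from `user`, matching how the token field on line 65 is handled. A smaller point on the two userRole lines (66 and 67 as shown), which read as the before and after of the same line: dropping `?? null` means formatUserRole now receives undefined when user_role is absent, so confirm its signature accepts undefined or keep the `?? null`.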

Decoded user data is returned even when isAuthorized is false. This exposes data from expired/invalid tokens. Consider gating these fields by isAuthorized like the token field on line 65.

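The jwtUtils and useAuthorized changes the two comments above review, as an added example that is not the PR's or LiteLLM's code: a decodeToken that returns null for anything malformed, a checkTokenValidity that rejects missing or past exp claims, and a buildAuthState that gates every decoded field on the validity result. All function names, the TokenPayload fields and the unsigned sample-token helper are assumptions; the check is client-side only and cannot replace server-side verification.

```typescript
// Added example, not the PR's own code: client-side JWT helpers in the shape of the
// decodeToken / checkTokenValidity / useAuthorized refactor discussed in this PR (names assumed).
// The browser has no signing key, so this only parses the payload and checks "exp";
// the server must still verify the signature and enforce access on its own endpoints.
interface TokenPayload { key?: string; user_id?: string; user_email?: string; user_role?: string; exp?: number }

function base64UrlDecode(input: string): string {
  const b64 = input.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// Parsed payload, or null for anything that is not a well-formed three-part JWT.
function decodeToken(token: string | null | undefined): TokenPayload | null {
  const parts = token ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return payload && typeof payload === "object" ? (payload as TokenPayload) : null;
  } catch {
    return null; // bad base64 or bad JSON
  }
}

// True only when the token parses and its exp claim (seconds since epoch) is in the future.
// A token with no exp is treated as invalid rather than as never expiring.
function checkTokenValidity(token: string | null | undefined, nowMs = Date.now()): boolean {
  const exp = decodeToken(token)?.exp;
  return typeof exp === "number" && exp * 1000 > nowMs;
}

interface AuthState { isAuthorized: boolean; accessToken: string | null; userId: string | null; userRole: string | null }
// Every decoded field is gated on isAuthorized, so an expired or malformed token
// yields no user data at all (the concern raised in the second review comment above).
function buildAuthState(token: string | null | undefined, nowMs = Date.now()): AuthState {
  const isAuthorized = checkTokenValidity(token, nowMs);
  const decoded = isAuthorized ? decodeToken(token) : null;
  return {
    isAuthorized,
    accessToken: decoded?.key ?? null,
    userId: decoded?.user_id ?? null,
    userRole: decoded?.user_role ?? null,
  };
}

// Constructed, unsigned sample token (the signature segment is a placeholder) for local runs.
function makeSampleToken(payload: TokenPayload): string {
  const enc = (s: string) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${enc(JSON.stringify(payload))}.sig`;
}
```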

@yuneng-jiang yuneng-jiang merged commit 4de0ed7 into main Feb 6, 2026
59 of 66 checks passed