Add refresh auth headers (sync and async) as alternate approach to allow bearer tokens to be updated

johanste · johanste · commit 3fc9edf4ca15 · 2025-08-26T12:29:47.000-07:00
Allow api_key to be a callable to enable refresh of keys/tokens.
diff --git a/src/openai/_client.py b/src/openai/_client.py
@@ -3,11 +3,13 @@
 from __future__ import annotations
 
 import os
-from typing import TYPE_CHECKING, Any, Union, Mapping
+from typing import TYPE_CHECKING, Any, Union, Mapping, Callable, Awaitable
 from typing_extensions import Self, override
 
 import httpx
 
+from openai._models import FinalRequestOptions
+
 from . import _exceptions
 from ._qs import Querystring
 from ._types import (
@@ -95,6 +97,7 @@ def __init__(
         self,
         *,
         api_key: str | None = None,
+        bearer_token_provider: Callable[[], str] | None = None,
         organization: str | None = None,
         project: str | None = None,
         webhook_secret: str | None = None,
@@ -128,11 +131,12 @@ def __init__(
         """
         if api_key is None:
             api_key = os.environ.get("OPENAI_API_KEY")
-        if api_key is None:
+        if api_key is None and bearer_token_provider is None:
             raise OpenAIError(
                 "The api_key client option must be set either by passing api_key to the client or by setting the OPENAI_API_KEY environment variable"
             )
-        self.api_key = api_key
+        self.bearer_token_provider = bearer_token_provider
+        self.api_key = api_key or ''
 
         if organization is None:
             organization = os.environ.get("OPENAI_ORG_ID")
@@ -165,6 +169,7 @@ def __init__(
         )
 
         self._default_stream_cls = Stream
+        self._auth_headers: dict[str, str] = {}
 
     @cached_property
     def completions(self) -> Completions:
@@ -281,21 +286,26 @@ def with_raw_response(self) -> OpenAIWithRawResponse:
     @cached_property
     def with_streaming_response(self) -> OpenAIWithStreamedResponse:
         return OpenAIWithStreamedResponse(self)
-
     @property
     @override
     def qs(self) -> Querystring:
         return Querystring(array_format="brackets")
 
+    def refresh_auth_headers(self):
+        bearer_token = self.bearer_token_provider() if self.bearer_token_provider else self.api_key 
+        self._auth_headers = {"Authorization": f"Bearer {bearer_token}"}
+
+
+    @override
+    def _prepare_options(self, options: FinalRequestOptions) -> FinalRequestOptions:
+        self.refresh_auth_headers()
+        return super()._prepare_options(options)
+    
     @property
     @override
     def auth_headers(self) -> dict[str, str]:
-        api_key = self.api_key
-        if not api_key:
-            # if the api key is an empty string, encoding the header will fail
-            return {}
-        return {"Authorization": f"Bearer {api_key}"}
-
+        return self._auth_headers
+    
     @property
     @override
     def default_headers(self) -> dict[str, str | Omit]:
@@ -420,6 +430,7 @@ def __init__(
         self,
         *,
         api_key: str | None = None,
+        bearer_token_provider: Callable[[], Awaitable[str]] | None = None,
         organization: str | None = None,
         project: str | None = None,
         webhook_secret: str | None = None,
@@ -453,11 +464,12 @@ def __init__(
         """
         if api_key is None:
             api_key = os.environ.get("OPENAI_API_KEY")
-        if api_key is None:
+        if api_key is None and bearer_token_provider is None:
             raise OpenAIError(
                 "The api_key client option must be set either by passing api_key to the client or by setting the OPENAI_API_KEY environment variable"
             )
-        self.api_key = api_key
+        self.bearer_token_provider = bearer_token_provider
+        self.api_key = api_key or ''
 
         if organization is None:
             organization = os.environ.get("OPENAI_ORG_ID")
@@ -490,6 +502,7 @@ def __init__(
         )
 
         self._default_stream_cls = AsyncStream
+        self._auth_headers: dict[str, str] = {}
 
     @cached_property
     def completions(self) -> AsyncCompletions:
@@ -612,14 +625,22 @@ def with_streaming_response(self) -> AsyncOpenAIWithStreamedResponse:
     def qs(self) -> Querystring:
         return Querystring(array_format="brackets")
 
+    async def refresh_auth_headers(self):
+        if self.bearer_token_provider:
+            bearer_token = await self.bearer_token_provider()
+        else:
+            bearer_token = self.api_key
+        self._auth_headers = {"Authorization": f"Bearer {bearer_token}"}
+    
+    @override
+    async def _prepare_options(self, options: FinalRequestOptions) -> FinalRequestOptions:
+        await self.refresh_auth_headers()
+        return await super()._prepare_options(options)
+        
     @property
     @override
     def auth_headers(self) -> dict[str, str]:
-        api_key = self.api_key
-        if not api_key:
-            # if the api key is an empty string, encoding the header will fail
-            return {}
-        return {"Authorization": f"Bearer {api_key}"}
+        return self._auth_headers
 
     @property
     @override
diff --git a/src/openai/lib/azure.py b/src/openai/lib/azure.py
@@ -628,7 +628,7 @@ async def _configure_realtime(self, model: str, extra_query: Query) -> tuple[htt
             "api-version": self._api_version,
             "deployment": self._azure_deployment or model,
         }
-        if self.api_key != "<missing API key>":
+        if self.api_key and self.api_key != "<missing API key>":
             auth_headers = {"api-key": self.api_key}
         else:
             token = await self._get_azure_ad_token()
diff --git a/src/openai/resources/beta/realtime/realtime.py b/src/openai/resources/beta/realtime/realtime.py
@@ -358,6 +358,7 @@ async def __aenter__(self) -> AsyncRealtimeConnection:
             raise OpenAIError("You need to install `openai[realtime]` to use this method") from exc
 
         extra_query = self.__extra_query
+        await self.__client.refresh_auth_headers()
         auth_headers = self.__client.auth_headers
         if is_async_azure_client(self.__client):
             url, auth_headers = await self.__client._configure_realtime(self.__model, extra_query)
@@ -540,6 +541,7 @@ def __enter__(self) -> RealtimeConnection:
             raise OpenAIError("You need to install `openai[realtime]` to use this method") from exc
 
         extra_query = self.__extra_query
+        self.__client.refresh_auth_headers()
         auth_headers = self.__client.auth_headers
         if is_azure_client(self.__client):
             url, auth_headers = self.__client._configure_realtime(self.__model, extra_query)

Original file line number	Diff line number	Diff line change
`@@ -628,7 +628,7 @@ async def _configure_realtime(self, model: str, extra_query: Query) -> tuple[htt`
`628`	`628`	`"api-version": self._api_version,`
`629`	`629`	`"deployment": self._azure_deployment or model,`
`630`	`630`	`}`
`631`		`- if self.api_key != "<missing API key>":`
	`631`	`+ if self.api_key and self.api_key != "<missing API key>":`
`632`	`632`	`auth_headers = {"api-key": self.api_key}`
`633`	`633`	`else:`
`634`	`634`	`token = await self._get_azure_ad_token()`