Files
litellm/tests/test_litellm/proxy
ryan-crabbe-berri 9d9558e78f fix(auth): preserve 401 status for expired JWTs in OTel traces (#29510)
* fix(auth): preserve 401 status for expired JWTs in OTel traces

Expired JWT access tokens raised a generic Exception with no status
code attached. Because the codeless exception was logged to OTel via
post_call_failure_hook before auth_exception_handler re-wrapped it as
ProxyException(401), the OTel span never set http.response.status_code
and trace viewers displayed it as a generic 500. Clients still got a
401 back, so traces and actual responses diverged.

Raise ProxyException(code=401, type=expired_key) directly at the source
in both JWT decode paths so the 401 is consistent across the client
response and the OTel http.response.status_code attribute, matching how
virtual-key expirations are handled.

* fix(auth): preserve 401 for expired JWTs on issuer-scoped path

The issuer-scoped JWT path (_auth_jwt_with_issuer) still raised a generic
Exception on expiry, surfacing as a 500 in client responses and OTel traces.
Raise ProxyException with expired_key/401 there too, matching auth_jwt, and
add a regression test exercising the issuer path end-to-end
2026-06-02 16:33:16 -07:00
..
2026-06-02 08:48:10 -07:00