Description
Is your feature request related to a problem? Please describe.
I'm working with the Azure SDK for Python to create an agent that can interact with APIs defined by OpenAPI specifications. I create the agent with azure-sdk-for-python, deploy it to Azure AI Foundry, and then interact with it there via the SDK. The agent receives user questions, formulates API calls, fetches the necessary data, and then responds with an answer. However, I need a way to pass a user-specific authentication token (e.g., a bearer token) that is injected directly into the headers of each API call. Currently, there is no clear mechanism to inject this header in a secure and consistent way without sending it through the language model, which poses a security and privacy risk.
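For context, this is roughly how the agent is set up today (a minimal sketch based on the preview azure-ai-projects OpenAPI tool samples; the connection string, spec path and model name are placeholders, and exact import paths vary across preview versions):

```python
import json
import os

from azure.ai.projects import AIProjectClient
from azure.ai.projects.models import OpenApiTool, OpenApiAnonymousAuthDetails
from azure.identity import DefaultAzureCredential

project_client = AIProjectClient.from_connection_string(
    credential=DefaultAzureCredential(),
    conn_str=os.environ["PROJECT_CONNECTION_STRING"],
)

# OpenAPI spec describing the downstream API the agent should call.
with open("my_api_spec.json") as f:
    openapi_spec = json.load(f)

# Today the auth choices are anonymous, static connection/API key, or managed identity;
# none of them covers a per-user bearer token.
openapi_tool = OpenApiTool(
    name="my_api",
    spec=openapi_spec,
    description="Calls the downstream API on behalf of the user",
    auth=OpenApiAnonymousAuthDetails(),
)

agent = project_client.agents.create_agent(
    model="gpt-4o",
    name="openapi-agent",
    instructions="Answer user questions by calling the API.",
    tools=openapi_tool.definitions,
)
```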
Describe the solution you'd like
I would like a built-in mechanism in the SDK for dynamic injection of custom headers (specifically, per-user tokens) into each API call made by the agent. This should happen at runtime and without requiring the token to be passed through the LLM prompt. Ideally, this would involve some form of callback or context object where per-request headers can be specified securely. Perhaps in the **kwargs of the create_message method?
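As a concrete illustration of the shape I have in mind (the `tool_headers` argument and the `get_token_for_current_user` helper are purely hypothetical, not existing SDK surface):

```python
# Hypothetical usage: headers supplied here would be attached to the outgoing
# OpenAPI tool calls triggered by this message, and never appear in the prompt.
user_token = get_token_for_current_user()  # hypothetical helper, e.g. from the web session

thread = project_client.agents.create_thread()

message = project_client.agents.create_message(
    thread_id=thread.id,
    role="user",
    content="What is the status of my latest order?",
    # Hypothetical kwarg: forwarded verbatim as HTTP headers on every API call
    # the agent makes while handling this message.
    tool_headers={"Authorization": f"Bearer {user_token}"},
)

run = project_client.agents.create_and_process_run(
    thread_id=thread.id,
    agent_id=agent.id,
)
```

A run-level or thread-level equivalent would work just as well, as long as the token is attached outside the model context.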
Describe alternatives you've considered
I have considered the authentication options offered by Foundry. However, those options are designed either for static API keys or for server-to-server communication. In my use case, the bearer token is issued to the individual user and changes each time, so none of the Foundry options work for me.
I've considered modifying the OpenAPI schema directly to include token placeholders, but this would still require the token to pass through the LLM if the agent is involved in constructing the request. Another option would be to post-process the API request before it is sent, but this is not straightforward with agents running in Foundry.
Additional context
This feature would greatly improve support for multi-user scenarios, where each user has a unique access token and the agent must respect individual permissions without compromising security. It would also align with best practices for zero-trust and principle-of-least-privilege models, ensuring sensitive tokens are never exposed to LLMs.