Securing Endpoint Access#

Server Side Authentication#

To enable authentication for a given BentoServer endpoint, An authentication middleware can be added to bentoml.Service’s via add_asgi_middleware API. This API supports mounting any ASGI middleware to the BentoServer endpoints. And many of the middlewares built by the Python community, provides authentication or security functionality.

For example, you may apply HTTPS redirect and set trusted host URLs this way:

from starlette.middleware.httpsredirect import HTTPSRedirectMiddleware
from starlette.middleware.trustedhost import TrustedHostMiddleware

svc = bentoml.Service('my_service', runners=[...])

svc.add_asgi_middleware(TrustedHostMiddleware, allowed_hosts=['', '*'])

For JWT authentication, check out the starlette-authlib and starlette-auth-toolkit. Here’s an example with starlette-authlib:

from starlette_authlib.middleware import AuthlibMiddleware as SessionMiddleware

svc = bentoml.Service('my_service', runners=[...])

svc.add_asgi_middleware(SessionMiddleware, secret_key='you_secret')


BentoML supports HTTPS with self-signed certificates. To enable HTTPS, you can to provide SSL certificate and key files as arguments to the bentoml serve command. Use bentoml serve --help to see the full list of options.

bentoml serve iris_classifier:latest --ssl-certfile /path/to/cert.pem --ssl-keyfile /path/to/key.pem

Reverse Proxy#

It is a common practice to set up a reverse proxy server to handle rate limiting and authentication for any given backend services.

Service Mesh#

For Kubernetes users looking for advanced authentication, access control, and routing policies, we recommend you deploy Bentos with BentoCloud.

Security Policy#

To report a vulnerability, we kindly ask you not to share it publicly on GitHub or in the community slack channel. Instead, contact the BentoML team directly at

View the full BentoML’s security policy here.


  • Base Image Security

  • Reverse Proxy setup guide and sample code/config

  • Service Mesh setup guide and sample code/config