External Deployments
External deployments allow you to connect models that are hosted outside of Deeploy to the Deeploy platform. This enables you to monitor, manage, and interact with models running in your own infrastructure or on third-party services, while still leveraging Deeploy's features. To ensure secure communication between Deeploy and your externally hosted models, you will need to configure the appropriate authentication method. This page describes the various authentication options available to securely connect to your external models.
Authentication Methods
Choose from the following authentication methods depending on then authentication required to interact with the externally hosted model.
Basic Authentication
Authenticate to the provided URL using HTTP basic authentication.
- Provide a
usernameandpassword - Deeploy will base64 encode these credentials (
username:password) - The encoded string is added to the HTTP request in the Authorization header:
Authorization: Basic {base64_encoded_credentials}
For example,
username: apiuser
password: secret123
results in the header: Authorization: Basic YXBpdXNlcjpzZWNyZXQxMjM=.
Bearer Token
Authenticate using a token-based authentication scheme, commonly used with OAuth 2.0 and JWT.
- Provide your token in the
passwordfield - The token is added to the HTTP request in the Authorization header:
Authorization: Bearer {token}
For example,
password: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
results in the header: Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....
Custom Header
Use a custom HTTP header for authentication when standard methods don't meet your requirements.
- The
usernamefield specifies the custom header name - The
passwordfield provides the header value - Useful for APIs requiring non-standard authentication headers
For example,
username: api-key
password: abcd1234
results in the header: api-key: abcd1234.
This is particularly relevant for services like Azure OpenAI as shown in our OpenAI integration example.
OAuth Client Credentials
Authenticate using the OAuth 2.0 client credentials flow, suitable for server-to-server authentication.
- Provide your OAuth client credentials:
username: client_idpassword: client_secrettokenURL: the OAuth token endpointcustom scope(optional): custom scope for fetching tokens.
- Deeploy will request an access token from the specified token endpoint with:
grant_type: client_credentialsscope: all-apis (default) or the provided custom OAuth scope
- The received
access_tokenis added to the HTTP request in the Authorization header:Authorization: Bearer {access_token}
Note: Currently, only bearer token types are supported.
For example,
username: client_12345
password: client_secret_67890
tokenURL: https://auth.example.com/oauth/token
Wildcard Routing
Wildcard routing allows you to forward requests with dynamic or variable URL paths to your external deployment. This is useful when your model or API exposes multiple endpoints or requires flexible path handling. This is an optional feature which is disabled by default. To enable, select 'Allow wildcard routing' in the connection settings.
When configuring an external deployment with wildcard routing:
- You can specify a base url path, allowing Deeploy to match and forward any request to your external service.
- Wildcard routing requests should be made to the Deeploy endpoint:
<Deeploy base API URL>/custom/ - The portion of the path matching the wildcard will be appended to the base URL of your external deployment.
Example:
If you set the external Deployment base URL to https://api.example.com/model/, a request to Deeploy at <Deeploy base API URL>/custom/123 will be routed to https://api.example.com/model/123.