
OpenAI API: Optional API key authentication #630

@kovtcharov

Description

Problem

The OpenAI-compatible API server has no authentication. Anyone who can reach the port can query the LLM, index documents, and access all agent capabilities.

Strategic Context

Required for any non-localhost deployment: internal demos, strategy portals, shared team instances. The strategy webapp will need this for any deployment beyond a single developer's machine.

Source: webapp-plan.md §4.2 gap #5

Proposed Fix

  • Add optional GAIA_API_KEY environment variable
  • When set, require Authorization: Bearer <key> header on all API requests
  • When not set, behave as today (no auth, localhost use case)
  • Support multiple keys via comma-separated values

Files

  • src/gaia/api/openai_server.py — Add middleware

Acceptance Criteria

  • API key validation when GAIA_API_KEY is set
  • 401 Unauthorized for missing/invalid keys
  • No auth required when env var is unset (backward compatible)
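An added example of the middleware the Proposed Fix and Acceptance Criteria describe, written here by the editor; it is not code from openai_server.py or from the GAIA project. It is Python because the file to be changed is Python, but the server's web framework is not stated in this issue, so the request wrapper below is a plain WSGI adapter chosen as an assumption; the names `parse_api_keys`, `ApiKeyAuth`, `ApiKeyMiddleware`, `call_wsgi` and `hello_app` are hypothetical. Two details a reviewer would ask for are built in: keys are compared with `hmac.compare_digest` against every configured key rather than with `in`, and a `GAIA_API_KEY` that is set but empty (or only commas and spaces) is treated as unset, exactly like the backward-compatible no-auth case.

```python
"""Bearer-key check for an OpenAI-compatible API server (editor's example, not project code).

Behaviour implemented, per the issue:
  * GAIA_API_KEY unset or blank  -> every request passes (no auth, localhost use case)
  * GAIA_API_KEY="k1, k2"        -> Authorization: Bearer <one of k1,k2> required on all requests
  * missing / wrong key          -> 401 Unauthorized with a WWW-Authenticate: Bearer header
"""
import hmac
import os
from typing import Iterable, Mapping, Optional, Tuple

Denial = Tuple[int, dict, str]  # (status code, response headers, JSON body)


def parse_api_keys(raw: Optional[str]) -> Tuple[str, ...]:
    """Split the comma-separated env value; strip whitespace, drop empty entries."""
    if raw is None:
        return ()
    return tuple(k.strip() for k in raw.split(",") if k.strip())


class ApiKeyAuth:
    def __init__(self, keys: Iterable[str]) -> None:
        self._keys = tuple(keys)

    @classmethod
    def from_env(cls, env: Mapping[str, str] = os.environ) -> "ApiKeyAuth":
        return cls(parse_api_keys(env.get("GAIA_API_KEY")))

    @property
    def enabled(self) -> bool:
        # No keys configured means auth is off (set-but-empty counts as unset).
        return bool(self._keys)

    @staticmethod
    def _presented_key(headers: Mapping[str, str]) -> Optional[str]:
        # Header names are case-insensitive; scheme "Bearer" is matched case-insensitively too.
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        if auth is None:
            return None
        scheme, _, token = auth.strip().partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            return None
        return token

    def authorize(self, headers: Mapping[str, str]) -> Optional[Denial]:
        """Return None when the request may proceed, else a 401 denial tuple."""
        if not self.enabled:
            return None
        presented = self._presented_key(headers)
        if presented is not None:
            # Constant-time compare against every key; do not short-circuit on the first hit,
            # so response timing does not reveal which configured key (if any) matched.
            matched = False
            for key in self._keys:
                if hmac.compare_digest(key.encode("utf-8"), presented.encode("utf-8")):
                    matched = True
            if matched:
                return None
        body = '{"error": {"message": "Invalid or missing API key", "type": "authentication_error"}}'
        return (401, {"WWW-Authenticate": "Bearer", "Content-Type": "application/json"}, body)


class ApiKeyMiddleware:
    """WSGI wrapper (assumed interface; adapt to the real server's middleware hook)."""

    def __init__(self, app, auth: ApiKeyAuth) -> None:
        self.app, self.auth = app, auth

    def __call__(self, environ, start_response):
        # WSGI exposes the Authorization header as HTTP_AUTHORIZATION.
        headers = {}
        if "HTTP_AUTHORIZATION" in environ:
            headers["Authorization"] = environ["HTTP_AUTHORIZATION"]
        denied = self.auth.authorize(headers)
        if denied is not None:
            status, hdrs, body = denied
            start_response("401 Unauthorized", list(hdrs.items()))
            return [body.encode("utf-8")]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the real API app (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call_wsgi(app, environ) -> Tuple[str, list, bytes]:
    """Drive a WSGI app in-process and return (status line, headers, body)."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"], captured["headers"] = status, response_headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    guarded = ApiKeyMiddleware(hello_app, ApiKeyAuth.from_env({"GAIA_API_KEY": "k1, k2"}))
    print(call_wsgi(guarded, {})[0])                                    # 401 Unauthorized
    print(call_wsgi(guarded, {"HTTP_AUTHORIZATION": "Bearer k2"})[0])   # 200 OK
    print(call_wsgi(ApiKeyMiddleware(hello_app, ApiKeyAuth.from_env({})), {})[0])  # 200 OK
```

Note that `compare_digest` still returns early when the two byte strings differ in length, so key length is not hidden; that is the usual trade-off for bearer keys and is fine as long as the keys are long random strings. Also keep in mind that the unset-variable mode leaves the port fully open, as the issue says it does today; a deployment that relies on that mode should keep the listener on loopback.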

    Labels

  • domain:surfaces (Agent UI, Telegram, WhatsApp, Slack/Discord, mobile)
  • enhancement (New feature or request)
  • p1 (medium priority)
  • security (Security-sensitive changes)
  • track:consumer-app (Hermes-competitor consumer product — mobile-first, voice + messaging + memory + skills)