[Bug]: Credentials with names longer than 8 characters don't work #16104
Description
What happened?
In the proxy UI, I tried to create a credential named "anthropic" (bug reproduces with any other credential name >8 characters long) and then use it this credential for a model. I did all this in the UI, not using the config file or any env vars.
This fails and will ask for a credential to be supplied at LLM-request-time because the model configuration will end up having the credential name as anth*opic.
Analysis of the issue by Claude Code yields a promising lead:
The Issue
File: litellm/litellm_core_utils/sensitive_data_masker.py:14-26, 45-55, 73-75
The SensitiveDataMasker class has a list of sensitive patterns including "credential":
self.sensitive_patterns = sensitive_patterns or {
"password",
"secret",
"key",
"token",
"auth",
"credential", # ← This is the problem!
"access",
# ...
}
When processing dictionaries, it checks if any key contains these patterns:
elif self.is_sensitive_key(k): # Checks if "credential" is in the key name
str_value = str(v) if v is not None else ""
masked_data[k] = self._mask_value(str_value) # Masks the value!
The field litellm_credential_name contains the word "credential", so the masker treats the credential NAME as sensitive and masks it!
For "anthropic" (9 characters):
- visible_prefix = 4, visible_suffix = 4
- masked_length = 9 - 8 = 1
- Result: "anth" + "*" + "opic" = "anth*opic"
That's exactly what you're seeing!
Why This Breaks
When the model is stored in the database with litellm_credential_name: "anth*opic", the router tries to fetch the credential:
credential_values = CredentialAccessor.get_credential_values("anth*opic")
But your credential is named "anthropic", not "anth*opic", so the lookup fails! No API key is applied, and you get the "Missing Anthropic API Key" error.
Workarounds
Option 1: Rename Your Credential (Easiest)
Create a new credential with a shorter name that won't get masked:
- Name it "anth" (4 chars) instead of "anthropic"
- Or any name < 8 characters (won't trigger masking)
Option 2: Use Environment Variable (What you're doing now)
Keep using ANTHROPIC_API_KEY environment variable - this works fine.
Option 3: Use Config File with Direct API Key
model_list:
- model_name: my-model-name
litellm_params:
model: claude-sonnet-4-5
api_key: sk-ant-your-actual-key-here
The Real Fix
This needs to be fixed in LiteLLM. The litellm_credential_name field should be excluded from masking because it's a reference/pointer, not a secret value.
The masker should only mask the actual credential values in the credentials table, not the name references.
This is a genuine bug that affects anyone using credentials with names longer than 7 characters that contain sensitive pattern words.
---
TL;DR: The SensitiveDataMasker is incorrectly masking your credential name from "anthropic" → "anth*opic" because litellm_credential_name contains the word
"credential". The masked name doesn't match your actual credential, so the API key lookup fails. Use a credential name < 8 chars or stick with environment
variables for now.
Relevant log output
Are you a ML Ops Team?
No
What LiteLLM version are you on ?
v1.78.5