Verify Docker Image Signature
All LiteLLM Docker images are signed with cosign. Every release is signed with the same key introduced in commit 0112e53.
Verify using the pinned commit hash (recommended):
A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key:
cosign verify \
  --key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \
  ghcr.io/berriai/litellm:v1.91.0-dev.2
Verify using the release tag (convenience):
Tags are protected in this repository and resolve to the same key. This option is easier to read but relies on tag protection rules:
cosign verify \
  --key https://raw.githubusercontent.com/BerriAI/litellm/v1.91.0-dev.2/cosign.pub \
  ghcr.io/berriai/litellm:v1.91.0-dev.2
Expected output:
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
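To enforce the commit-pinned form in a deployment or CI script, the wrapper below refuses to call cosign unless the ref in the key URL is a full 40-character commit hash. It is an added example, not part of the LiteLLM release notes or project code; the function names are hypothetical, and it assumes the `raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>` URL layout used in the commands above.

```shell
#!/bin/sh
# Added example (not LiteLLM code): only verify against a commit-pinned key URL.
# Usage after sourcing this file: verify_pinned KEY_URL IMAGE

# Print the <ref> segment of
# https://raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>.
# Returns 1 if the URL does not have that shape.
key_ref_from_url() {
  case "$1" in
    https://raw.githubusercontent.com/*/*/*/*) ;;
    *) return 1 ;;
  esac
  _rest="${1#https://raw.githubusercontent.com/}"  # owner/repo/ref/path
  _rest="${_rest#*/}"                              # repo/ref/path
  _rest="${_rest#*/}"                              # ref/path
  printf '%s\n' "${_rest%%/*}"
}

# Succeeds only when the ref is exactly 40 lowercase hex characters,
# i.e. a full commit hash rather than a tag or branch name.
is_commit_pinned() {
  _ref="$(key_ref_from_url "$1")" || return 1
  case "$_ref" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#_ref}" -eq 40 ]
}

# Run cosign verify only if the key URL passes the pinning check.
# Returns 2 (without invoking cosign) when the URL is not commit-pinned;
# otherwise returns cosign's own exit status.
verify_pinned() {
  _key_url="$1"
  _image="$2"
  if ! is_commit_pinned "$_key_url"; then
    echo "refusing to verify: key URL is not pinned to a full commit hash: $_key_url" >&2
    return 2
  fi
  cosign verify --key "$_key_url" "$_image"
}
```

With the two key URLs from this page, the commit-hash URL passes the check and the release-tag URL is rejected before cosign runs.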
What's Changed
- fix(bedrock-mantle): honor api_base for VPC endpoint routing on bedro… by @shivamrawat1 in #31141
- fix(docker): bump wolfi-base digest to patch openssl CVE-2026-34182 by @yucheng-berri in #31133
- feat: add minimal rust router + axum ai-gateway calling router.realtime (2/2) by @ishaan-berri in #31135
- build: add Dockerfile + render blueprint for rust ai-gateway by @ishaan-berri in #31154
- fix(mcp): resolve config-defined servers in per-user credential and env-var endpoints by @tin-berri in #31171
- perf: pre-warm upstream realtime connection pool to cut session-establishment latency by @ishaan-berri in #31163
- chore: clarify rule about trailing periods by @mateo-berri in #31175
- fix(anthropic): drop unsupported speed param with drop_params by @krrish-berri-2 in #31152
- fix(proxy): expand all-proxy-models sentinel in direct access lookup by @mubashir1osmani in #31153
- fix(anthropic): sanitize tool_use ids on native /v1/messages path by @Sameerlite in #31094
- fix(ui): persist budget window deletion on virtual keys by @ryan-crabbe-berri in #31107
- feat(ui): track frontend lint counts in a committed snapshot by @ryan-crabbe-berri in #31157
- refactor(litellm-rust): dissolve providers into core + ai-gateway (strict 3-crate layers) by @ishaan-berri in #31218
- fix(vertex/files): stream OpenAI->Vertex batch JSONL uploads by @mubashir1osmani in #31036
- fix(mcp): let proxy admins assign MCP servers to teamless keys by @tin-berri in #31126
- feat(mcp): graft v2 resolver onto _create_mcp_client (none + api_key static family) by @tin-berri in #31058
- test: add e2e tests for spend, budgets and llms by @mateo-berri in #30869
- feat(proxy): add POST /v1/callbacks/logs to replay logging payloads through callbacks by @ishaan-berri in #31134
- fix(ui): render logos under a custom server_root_path by @ryan-crabbe-berri in #31156
- feat: make rust OCR async-first by @ishaan-berri in #31253
- test(e2e): drop xfail markers for now-fixed team-budget-JSON and custom-pricing-leak bugs by @mubashir1osmani in #31249
- fix(proxy): stop double-decrypting email/slack alerting env vars in get_config by @mubashir1osmani in #31117
- fix(mcp): correct misleading no-trusted-proxy warning for XFF access control by @mateo-berri in #31264
- fix(mcp): warn loudly when X-Forwarded-For is present but use_x_forwarded_for is off by @mateo-berri in #31266
- fix(mcp): resolve toolset tools by the server's known prefix by @tin-berri in #31254
- fix(mcp): challenge delegate-auth OAuth servers with upstream resource_metadata by @tin-berri in #31255
- fix(ci): point OSS contributor workflows to litellm_oss_staging by @Sameerlite in #31270
- fix(streaming): word-sliced cache replay for stream=true cache hits by @michelligabriele in #30216
- feat(mcp): add mcp_xff_num_trusted_hops to harden X-Forwarded-For client IP resolution by @mateo-berri in #31257
- chore: migrate Python formatter from black to ruff format by @mateo-berri in #31317
- fix(otel): hashable scope for _emit_once when guardrail_mode is list by @yucheng-berri in #31262
- feat: package Rust OCR bridge in LiteLLM wheel by @ishaan-berri in #31267
- chore: gitignore rust bridge build artifacts by @mateo-berri in #31349
- ci: harden cargo fetches during maturin builds by @ishaan-berri in #31348
- chore(lint): widen ANN slack to 10% of baseline and drop PLR0913 from the strict gate by @mateo-berri in #31335
- feat: add Rust OCR providers by @ishaan-berri in #31272
- fix(cache): apply Redis namespace to all key operations by @yassin-berriai in #31288
- feat(pricing): add gemini-3-pro-image and gemini-3.1-flash-image GA model pricing by @milan-berri in #30022
- fix: clarify further that customer names shouldn't be made public by @mateo-berri in #31365
- ci(image-scan): add Grype image scan for OS + library CVEs by @yucheng-berri in #31151
- feat(aiml): add openai/gpt-image-2 image model by @mateo-berri in #31323
- feat(mistral): support Mistral OCR 4 (mistral-ocr-4-0) by @mateo-berri in #31353
- fix: inverted rule in CLAUDE.md by @mateo-berri in #31370
- fix(proxy/client): redact api key from key/info client error messages by @yucheng-berri in #31342
- feat(spend): store litellm_call_id on spend logs for DB-to-trace correlation by @yucheng-berri in #31344
- chore(deps): bump deps by @yuneng-berri in #31377
- fix(cost-map): retarget mistral-medium-latest to Medium 3.5 and add date-pinned aliases by @mateo-berri in #31373
- feat(ocr): thin Rust OCR Python bridge by @ishaan-berri in #31368
- feat(mcp): opt-in least-privilege default for team key MCP access by @ryan-crabbe-berri in #31380
- chore(ci): main into internal_staging (reconcile OCR hotfix history; unblocks #31384) by @yuneng-berri in #31390
- fix(vertex): preserve Gemini Embedding 2 usageMetadata for cost tracking by @mateo-berri in #31354
- chore: remove CI section from PR template by @mateo-berri in #31376
- test(logging): regression coverage for streaming /v1/messages OpenAI Responses spend logs by @yucheng-berri in #31388
- chore: litellm oss staging 250626 by @Sameerlite in #31305
- fix(vertex_ai): prevent stale Vertex bearer token causing /v1/messages 401 after token expiry by @Sameerlite in #31276
- fix(proxy): skip model override when response has no model field by @Sameerlite in #31183
- fix(vertex): stop O(n^2) re-parse of accumulated Gemini stream JSON by @yassin-berriai in #31297
- fix(router): surface clean RateLimitError on mid-stream 429 with no fallbacks by @yassin-berriai in #31298
- build(docker): build the Admin UI from source in a build-platform-pinned stage by @tin-berri in #31130
- fix(bedrock_guardrails): select latest user message by original role in apply_guardrail by @michelligabriele in #30482
- fix(proxy): restore wildcard expansion in /v1/model/info by @Sameerlite in #31444
- fix(cli): mint per-session agent credential on lite login by @Sameerlite in #31072
- chore: litellm oss staging by @Sameerlite in #31185
- fix(cost): restore per-query Gemini 3.x web search billing by @mateo-berri in #31363
- chore(ci): reconcile main into internal_staging to unblock promotion (#31384) by @yuneng-berri in #31392
- test: add realtime proxy e2e suite across providers by @Sameerlite in #30960
- perf(spend-logs): only strip NUL bytes in safe_dumps when present by @yassin-berriai in #31424
- perf(cost-calc): precompute service-tier cost-key suffixes by @yassin-berriai in #31431
- perf(caching): memoize _get_all_llm_api_params, rebuilt per request by @yassin-berriai in #31430
- chore(ci): promote internal staging to main by @yuneng-berri in #31384
- feat(mistral): add mistral/mistral-ocr-2512 (OCR 3) to cost map by @mateo-berri in #31463
- feat(guardrails): make the Generic Guardrail resilient to built-in tools and errors (adopted from #31286) by @yucheng-berri in #31461
- test(pass-through): fix langfuse auth=true test broken by allowed_passthrough_routes gate by @yuneng-berri in #31420
- fix(team): persist budget_duration on /team/member_add member budgets by @yassin-berriai in #31443
- fix(spend): fold logs-tab total into the page query to avoid a separate COUNT(*) by @yassin-berriai in #31423
- fix(bedrock): surface web identity token aud/iss on InvalidIdentityToken by @yassin-berriai in #31412
- fix(guardrails): instrument during-call and post-call guardrail latency by @yassin-berriai in #31414
- fix(auth): cache auth-path team object under canonical team_id key by @yassin-berriai in #31418
- fix(build): restore pure-Python uv_build backend to unblock PyPI publish by @yuneng-berri in #31470
- chore(ci): promote internal staging to main by @yuneng-berri in #31477
Full Changelog: v1.91.0-dev.1...v1.91.0-dev.2