Route all API calls through Secure Gateway proxy and rename LICENSE_SERVER (#2254)

* Route all API calls through secure gateway proxy when configured

Rename LICENSE_SERVER to SECURE_GATEWAY with deprecation fallback
and wrap all external HTTP requests with wrap_url() so every outbound
call routes through the secure gateway in air-gapped deployments.

Also remove runtime GitHub download of GroundingDINO config file,
resolving the path from the installed package instead.

* Add changes to version, adjust deprecation warnings and prepare changelog

* Bump inference requirements

---------

Co-authored-by: Paweł Pęczek <pawel@roboflow.com>

Author: alexnorell

docs/quickstart/docker_configuration_options.md

@@ -59,11 +59,13 @@ Sets the max batch size accepted by the clip model inference functions.
 
 If true, the batch size will be fixed to the maximum batch size configured for this server.
 
-## License Server
+## Secure Gateway
 
-**LICENSE_SERVER**: String (default = None)
+**SECURE_GATEWAY**: String (default = None)
 
-Sets the address of a Roboflow license server.
+Sets the address of a Roboflow Secure Gateway for air-gapped deployments. All API and model download traffic will be routed through this proxy.
+
+The legacy `LICENSE_SERVER` environment variable is still accepted but deprecated.
 
 ## Maximum Active Models
 

inference/core/env.py

@@ -367,8 +367,17 @@
 # Flag to enable legacy route, default is True
 LEGACY_ROUTE_ENABLED = str2bool(os.getenv("LEGACY_ROUTE_ENABLED", True))
 
-# License server, default is None
-LICENSE_SERVER = os.getenv("LICENSE_SERVER", None)
+# Secure gateway address for air-gapped deployments.
+# Accepts SECURE_GATEWAY (preferred) or LICENSE_SERVER (legacy).
+_legacy_license_server = os.getenv("LICENSE_SERVER")
+SECURE_GATEWAY = os.getenv("SECURE_GATEWAY") or _legacy_license_server or None
+if _legacy_license_server and not os.getenv("SECURE_GATEWAY"):
+    warnings.warn(
+        "`LICENSE_SERVER` env variable is deprecated, use `SECURE_GATEWAY` instead. "
+        "`LICENSE_SERVER` will be removed end of Q3 2026.",
+        DeprecationWarning,
+        stacklevel=1,
+    )
 
 # Log level, default is "WARNING"
 LOG_LEVEL = os.getenv("LOG_LEVEL", "WARNING")

inference/core/interfaces/http/http_api.py

@@ -287,6 +287,7 @@
 )
 from inference.core.utils.container import is_docker_socket_mounted
 from inference.core.utils.notebooks import start_notebook
+from inference.core.utils.url_utils import wrap_url
 from inference.core.workflows.core_steps.common.entities import StepExecutionMode
 from inference.core.workflows.errors import (
     WorkflowBlockError,
@@ -3354,7 +3355,7 @@ def sam3_segment_image(
                             )
 
                             response = requests.post(
-                                f"{endpoint}?api_key={api_key}",
+                                wrap_url(f"{endpoint}?api_key={api_key}"),
                                 json=payload,
                                 headers=headers,
                                 timeout=60,
@@ -3455,7 +3456,7 @@ def sam3_visual_segment(
                             )
 
                             response = requests.post(
-                                f"{endpoint}?api_key={api_key}",
+                                wrap_url(f"{endpoint}?api_key={api_key}"),
                                 json=payload,
                                 headers=headers,
                                 timeout=60,

inference/core/interfaces/webrtc_worker/watchdog.py

@@ -11,6 +11,7 @@
 )
 from inference.core.interfaces.webrtc_worker.utils import is_over_quota
 from inference.core.logger import logger
+from inference.core.utils.url_utils import wrap_url
 
 
 class Watchdog:
@@ -87,7 +88,7 @@ def _send_session_heartbeat(self):
 
         try:
             response = requests.post(
-                self._heartbeat_url,
+                wrap_url(self._heartbeat_url),
                 json={
                     "session_id": self._session_id,
                     "api_key": self._api_key,
@@ -116,7 +117,7 @@ def _send_session_heartbeat_stop(self):
         url = self._heartbeat_url + "/end"
         try:
             response = requests.post(
-                url,
+                wrap_url(url),
                 json={
                     "session_id": self._session_id,
                     "api_key": self._api_key,

inference/core/roboflow_api.py

@@ -20,6 +20,7 @@
 from cachetools.func import ttl_cache
 from requests import Response, Timeout
 from requests_toolbelt import MultipartEncoder
+from yarl import URL
 
 from inference.core import logger
 from inference.core.cache import cache
@@ -290,10 +291,15 @@ def get_roboflow_workspace(api_key: str) -> WorkspaceID:
 async def get_roboflow_workspace_async(api_key: str) -> WorkspaceID:
     try:
         headers = build_roboflow_api_headers()
+        full_url = wrap_url(
+            _add_params_to_url(
+                url=f"{API_BASE_URL}/",
+                params=[("api_key", api_key), ("nocache", "true")],
+            )
+        )
         async with aiohttp.ClientSession() as session:
             async with session.get(
-                f"{API_BASE_URL}/",
-                params={"api_key": api_key, "nocache": "true"},
+                URL(full_url, encoded=True),
                 headers=headers,
                 timeout=ROBOFLOW_API_REQUEST_TIMEOUT,
             ) as response:
@@ -332,10 +338,15 @@ async def get_serverless_usage_check_async(
 ) -> ServerlessUsageCheckResponse:
     try:
         headers = build_roboflow_api_headers()
+        full_url = wrap_url(
+            _add_params_to_url(
+                url=f"{API_BASE_URL}/serverless/usage-check",
+                params=[("api_key", api_key), ("nocache", "true")],
+            )
+        )
         async with aiohttp.ClientSession() as session:
             async with session.get(
-                f"{API_BASE_URL}/serverless/usage-check",
-                params={"api_key": api_key, "nocache": "true"},
+                URL(full_url, encoded=True),
                 headers=headers,
                 timeout=ROBOFLOW_API_REQUEST_TIMEOUT,
             ) as response:
@@ -389,9 +400,11 @@ def add_custom_metadata(
     field_name: str,
     field_value: str,
 ):
-    api_url = _add_params_to_url(
-        url=f"{API_BASE_URL}/{workspace_id}/inference-stats/metadata",
-        params=[("api_key", api_key), ("nocache", "true")],
+    api_url = wrap_url(
+        _add_params_to_url(
+            url=f"{API_BASE_URL}/{workspace_id}/inference-stats/metadata",
+            params=[("api_key", api_key), ("nocache", "true")],
+        )
     )
     response = requests.post(
         url=api_url,
@@ -1126,7 +1139,9 @@ def _test_range_request(url: str, timeout: int = 10) -> bool:
     """
     try:
         headers = {"Range": "bytes=0-0"}
-        response = requests.get(url, headers=headers, stream=True, timeout=timeout)
+        response = requests.get(
+            wrap_url(url), headers=headers, stream=True, timeout=timeout
+        )
         response.close()
         if response.status_code == 206:
             return True
@@ -1200,9 +1215,11 @@ def send_inference_results_to_model_monitoring(
     workspace_id: WorkspaceID,
     inference_data: dict,
 ):
-    api_url = _add_params_to_url(
-        url=f"{API_BASE_URL}/{workspace_id}/inference-stats",
-        params=[("api_key", api_key)],
+    api_url = wrap_url(
+        _add_params_to_url(
+            url=f"{API_BASE_URL}/{workspace_id}/inference-stats",
+            params=[("api_key", api_key)],
+        )
     )
     response = requests.post(
         url=api_url,

inference/core/utils/url_utils.py

@@ -1,11 +1,11 @@
 import urllib
 
-from inference.core.env import LICENSE_SERVER
+from inference.core.env import SECURE_GATEWAY
 
 
 def wrap_url(url: str) -> str:
-    if not LICENSE_SERVER:
+    if not SECURE_GATEWAY:
         return url
-    return f"http://{LICENSE_SERVER}/proxy?url=" + urllib.parse.quote(
+    return f"http://{SECURE_GATEWAY}/proxy?url=" + urllib.parse.quote(
         url, safe="~()*!'"
     )

inference/core/workflows/core_steps/models/foundation/seg_preview/v1.py

@@ -18,6 +18,7 @@
 )
 from inference.core.managers.base import ModelManager
 from inference.core.roboflow_api import build_roboflow_api_headers
+from inference.core.utils.url_utils import wrap_url
 from inference.core.workflows.core_steps.common.entities import StepExecutionMode
 from inference.core.workflows.core_steps.common.utils import (
     attach_parents_coordinates_to_batch_of_sv_detections,
@@ -200,7 +201,7 @@ def run_via_request(
                 headers = build_roboflow_api_headers(explicit_headers=headers)
 
                 response = requests.post(
-                    f"{endpoint}?api_key={api_key}",
+                    wrap_url(f"{endpoint}?api_key={api_key}"),
                     json=payload,
                     headers=headers,
                     timeout=60,

inference/core/workflows/core_steps/models/foundation/segment_anything3/v1.py

@@ -26,6 +26,7 @@
 )
 from inference.core.managers.base import ModelManager
 from inference.core.roboflow_api import build_roboflow_api_headers
+from inference.core.utils.url_utils import wrap_url
 from inference.core.workflows.core_steps.common.entities import StepExecutionMode
 from inference.core.workflows.core_steps.common.utils import (
     attach_parents_coordinates_to_batch_of_sv_detections,
@@ -404,7 +405,7 @@ def run_via_request(
                 headers = build_roboflow_api_headers(explicit_headers=headers)
 
                 response = requests.post(
-                    f"{endpoint}?api_key={api_key}",
+                    wrap_url(f"{endpoint}?api_key={api_key}"),
                     json=payload,
                     headers=headers,
                     timeout=60,

inference/core/workflows/core_steps/models/foundation/segment_anything3/v2.py

@@ -26,6 +26,7 @@
 )
 from inference.core.managers.base import ModelManager
 from inference.core.roboflow_api import build_roboflow_api_headers
+from inference.core.utils.url_utils import wrap_url
 from inference.core.workflows.core_steps.common.entities import StepExecutionMode
 from inference.core.workflows.core_steps.common.utils import (
     attach_parents_coordinates_to_batch_of_sv_detections,
@@ -493,7 +494,7 @@ def run_via_request(
                 headers = build_roboflow_api_headers(explicit_headers=headers)
 
                 response = requests.post(
-                    f"{endpoint}?api_key={api_key}",
+                    wrap_url(f"{endpoint}?api_key={api_key}"),
                     json=payload,
                     headers=headers,
                     timeout=60,

inference/core/workflows/core_steps/models/foundation/segment_anything3/v3.py

@@ -26,6 +26,7 @@
 )
 from inference.core.managers.base import ModelManager
 from inference.core.roboflow_api import build_roboflow_api_headers
+from inference.core.utils.url_utils import wrap_url
 from inference.core.workflows.core_steps.common.entities import StepExecutionMode
 from inference.core.workflows.core_steps.common.utils import (
     attach_parents_coordinates_to_batch_of_sv_detections,
@@ -536,7 +537,7 @@ def run_via_request(
                 headers = build_roboflow_api_headers(explicit_headers=headers)
 
                 response = requests.post(
-                    f"{endpoint}?api_key={api_key}",
+                    wrap_url(f"{endpoint}?api_key={api_key}"),
                     json=payload,
                     headers=headers,
                     timeout=60,