R
RadMah AIDOCS
Sign In

On-Prem & Custom CA Bundles

Point the SDK at a RadMah AI instance running behind your internal PKI. TLS verification stays on — the SDK re-roots the trust anchor to your private certificate authority without ever disabling certificate checks.

Available from SDK 1.2.0. Earlier versions relied on theSSL_CERT_FILE environment variable, which was fragile in multi-tenant hosts where different clients needed different trust stores.

#Why you need this

Enterprise customers running the platform inside a closed network typically issue the API server's TLS certificate from an internal root CA that isn't trusted by the default system store bundled with certifi. Without re-rooting trust, every outbound call fails with ssl.SSLCertVerificationError: unable to get local issuer certificate. The SDK accepts a PEM bundle at construction time so operators can ship a consistent, reproducible trust store with their deployment.

#Using ca_bundle_path=

from radmah_sdk import RadMahClient

client = RadMahClient(
    api_key="sl_live_…",
    base_url="https://radmah.internal",       # private DNS name
    ca_bundle_path="/etc/radmah/internal-root-ca.pem",
    allow_private_base_url=True,                # opt-in to private hosts
)

# httpx is instructed to verify against your PEM — certificate
# verification is NOT disabled.
client.health()

#Deploy-time injection via environment variable

When you can't change the application code, set RADMAH_CA_BUNDLE at the process level. The SDK resolves the env var only when the ca_bundle_path= kwarg is omitted — explicit caller arguments always win.

export RADMAH_CA_BUNDLE=/etc/radmah/internal-root-ca.pem
export RADMAH_API_URL=https://radmah.internal
python -m your_app

#Validation rules

The SDK validates the bundle at construction time — you get a loud ValueError instead of a surprise SSLError deep inside a worker on its first request. A bundle is accepted when all of the following are true:

  • The path exists and points to a regular file (directory-hash trust stores are not supported — concatenate the CA and every intermediate into a single PEM).
  • The file is readable by the current process user.
  • The first 8 KB contains a -----BEGIN CERTIFICATE----- marker (PEM format check).
  • ~ expansions are resolved to the caller's home.

#Can I turn off verification?

No. The SDK does not expose a verify=False kwarg, andca_bundle_path= refuses booleans. This is an intentional safety: turning off TLS verification would allow any MITM on the private network to silently impersonate the RadMah AI API and harvest bearer tokens. If you need a self-signed certificate for testing, generate a throwaway root CA, sign the server cert with it, and ship the root in ca_bundle_path=.

#Async client

AsyncRadMah AI shares the same validator and accepts the same ca_bundle_path= kwarg:

from radmah_sdk import AsyncRadMah AI

async with AsyncRadMah(
    api_key="sl_live_…",
    base_url="https://radmah.internal",
    ca_bundle_path="/etc/radmah/internal-root-ca.pem",
    allow_private_base_url=True,
) as client:
    await client.health()