Adding MSA authentication

[papagala]

Adding MSA Server Security and Authentication Support

Summary

This PR adds security/authentication support for calling custom MSA servers in IntelliFold, enabling both basic authentication and API token authentication when accessing protected MSA endpoints. This implementation is based on similar functionality that was successfully merged in Boltz: jwohlwend/boltz#466

Changes

• Basic Authentication: --msa_server_username and --msa_server_password CLI options, with INTELLIFOLD_MSA_USERNAME/MSA_USERNAME and INTELLIFOLD_MSA_PASSWORD/MSA_PASSWORD environment variable support

• API Key Authentication: --api_key_header and --api_key_value CLI options, with INTELLIFOLD_MSA_API_KEY_VALUE/MSA_API_KEY_VALUE environment variable support

• Validation: Only one authentication method can be used at a time, with clear error messages for conflicts

• Backward Compatibility: Legacy environment variable names (MSA_*) are still supported alongside prefixed versions (INTELLIFOLD_MSA_*)

Motivation

Many custom MSA servers require authentication for access. This enables IntelliFold to work with protected MSA servers in enterprise environments while maintaining full backward compatibility with existing workflows.

Usage Examples

Basic Authentication

# Using environment variables (recommended for security)
export INTELLIFOLD_MSA_USERNAME="your_username"
export INTELLIFOLD_MSA_PASSWORD="your_password"

intellifold predict input.yaml --out_dir ./output \
  --use_msa_server \
  --msa_server_url "https://your-msa-server.com"

API Key Authentication

# Using environment variables (recommended for security)
export INTELLIFOLD_MSA_API_KEY_VALUE="your_api_key"

intellifold predict input.yaml --out_dir ./output \
  --use_msa_server \
  --msa_server_url "https://your-msa-server.com" \
  --api_key_header "X-API-Key"

Command Line Usage

# Basic auth via CLI (not recommended for production)
intellifold predict input.yaml --out_dir ./output \
  --use_msa_server \
  --msa_server_url "https://your-msa-server.com" \
  --msa_server_username "username" \
  --msa_server_password "password"

# API key via CLI (not recommended for production)  
intellifold predict input.yaml --out_dir ./output \
  --use_msa_server \
  --msa_server_url "https://your-msa-server.com" \
  --api_key_header "Authorization" \
  --api_key_value "Bearer your-token"

Backward Compatibility

• All authentication features are completely optional
• Existing workflows continue to work without any changes
• The public ColabFold server (https://api.colabfold.com) requires no authentication and remains the default
• Legacy environment variable names (MSA_USERNAME, MSA_PASSWORD, MSA_API_KEY_VALUE) are still supported

Files Modified

• runner/intellifold_inference.py - Main inference script with authentication logic
• run_intellifold.py - Standalone runner script with matching authentication support
• CLI help text updated to document new authentication options
• Enhanced validation and error handling for authentication parameters

Reference

This authentication implementation is based on similar work done in the Boltz project: jwohlwend/boltz#466

---

Security Note: Always use environment variables for credentials in production environments to avoid exposing sensitive information in command-line history or process lists.

[papagala]

Hello @fuxuliu nice to meet you. I would like to propose this optional authentication that works as normal if none is provided for your consideration. Thank you!

[fuxuliu]

Hi, @papagala , sorry for the late reply, thank you very much for providing this function, I will test it later, and then consider adding it to the pipeline.

[papagala]

Hi, @papagala , sorry for the late reply, thank you very much for providing this function, I will test it later, and then consider adding it to the pipeline.

No worries, please let me know if it needs any changes and I’m happy to apply them