feat(deepgram): add STT/TTS with_cloudflare() for Cloudflare AI Gateway

[mcdgavin]

Summary

Adds Cloudflare AI Gateway support to the Deepgram plugin — streaming STT (Nova-3 / Flux)
and TTS (Aura) — via deepgram.STT.with_cloudflare(...) and deepgram.TTS.with_cloudflare(...).

Addresses the STT/TTS portion of #3163. (The LLM portion shipped separately in #6131 as
openai.LLM.with_cloudflare.)

from livekit.plugins import deepgram

# account_id from CLOUDFLARE_ACCOUNT_ID, token from CLOUDFLARE_AI_GATEWAY_TOKEN
stt = deepgram.STT.with_cloudflare(model="@cf/deepgram/nova-3")
tts = deepgram.TTS.with_cloudflare(model="@cf/deepgram/aura-1")

Design notes

• Rides on the Deepgram plugin. Cloudflare's AI Gateway proxies Deepgram's streaming
  WebSocket protocol verbatim (channel.alternatives[0].transcript + is_final for STT;
  Speak/Flush/Flushed for TTS), so these reuse the existing Deepgram STT/TTS
  streaming implementations rather than duplicating them. This mirrors the LLM approach, where
  Cloudflare-LLM rode on the OpenAI plugin because it's OpenAI-compatible — each Cloudflare
  modality lives on the plugin whose protocol it matches.
• Backward-compatible auth seam. The connection auth headers (previously hardcoded
  Authorization: Token <key>) become an overridable _connect_headers, defaulting to the
  exact prior value. Existing Deepgram usage is unchanged; with_cloudflare injects
  cf-aig-authorization (the raw Cloudflare token — no Deepgram key required).

Testing

• tests/test_deepgram_with_cloudflare.py — 12 hermetic --unit tests covering URL building,
  CLOUDFLARE_ACCOUNT_ID env fallback, base_url override, the cf-aig-authorization header,
  default models, streaming capability, and the ValueError paths.
• A regression check confirms default (non-Cloudflare) Deepgram STT/TTS auth is byte-identical.
• make check passes (ruff format + lint, strict mypy).

[devin-ai-integration]

Devin Review found 0 potential issues.

[chenghao-mou]

is it possible to construct "@cf/deepgram" part internally? Then we can reuse the same DeepgramModels | str type

[mcdgavin]

Thank you for the feedback @chenghao-mou, this is done.

with_cloudflare now takes a bare Deepgram model name typed DeepgramModels | str (default nova-3 for STT, aura-1 for TTS) and prepends @cf/deepgram/ internally.
A value already prefixed with @cf/ is passed through unchanged, so the full form still works.

[chenghao-mou]

We can just call it extra_headers: NotGivenOr[dict[str, str]] = NOT_GIVEN. We use similar parameters in other plugins as well, it could also be useful for self-hosted DG instances too.

[mcdgavin]

Switched _connect_headers to a public extra_headers, additive, matching the other plugins and supporting self hosting.

One note, a purely additive extra_headers merges on top of the default Authorization: Token <key>, so the Cloudflare path would send both Authorization and cf-aig-authorization which requires a Deepgram key it doesn't need and risks the gateway rejecting the stray header. To keep it additive without that, the default Authorization: Token is now built only when a Deepgram key is present, and at least one auth source (key or extra_headers) is required:

headers = ({"Authorization": f"Token {key}"} if key else {}) | extra_headers

Behavior:

• Normal Deepgram (key set): Authorization: Token + extras — unchanged.
• Self-hosted DG with custom auth (no key): just extra_headers.
• Cloudflare via with_cloudflare (no key): just cf-aig-authorization.

[chenghao-mou]

double checking here: the code in their doc says "cf-aig-authorization": "Bearer {CF_AIG_TOKEN}": https://developers.cloudflare.com/ai-gateway/usage/providers/deepgram/

[mcdgavin]

I double-checked against the realtime WebSockets page. The Bearer form is documented on the /deepgram provider-proxy endpoint, but this plugin targets the /workers-ai endpoint, and its Deepgram (Workers AI) examples (both @cf/deepgram/nova-3 and @cf/deepgram/aura-1) use the raw cf-aig-authorization token:

"wss://gateway.ai.cloudflare.com/v1/<account_id>/<gateway>/workers-ai?model=@cf/deepgram/nova-3..."
headers: { "cf-aig-authorization": process.env.CLOUDFLARE_API_KEY }

Since it flows through extra_headers, it's still overridable either way.

[devin-ai-integration]

Devin Review found 0 new potential issues.

[devin-ai-integration]

Devin Review found 1 new potential issue.

[devin-ai-integration]

🚩 stt_v2.py still uses the old _api_key pattern and was not updated

The file livekit-plugins/livekit-plugins-deepgram/livekit/plugins/deepgram/stt_v2.py still uses the old self._api_key / Authorization: Token {self._api_key} pattern (lines 119, 190, 288, 487). It was not modified in this PR. If Cloudflare AI Gateway support is expected to work with stt_v2 as well, it would need parallel changes. This may be intentional if stt_v2 is legacy/deprecated.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[mcdgavin]

Intentional. STTv2 is the Deepgram v2 / Flux class (different protocol, /v2/listen). This PR scopes Cloudflare support to the stable STT (nova-3) and TTS (Aura).

A STTv2.with_cloudflare for Flux is a sensible follow-up rather than part of this change.

[devin-ai-integration]

Devin Review found 0 new potential issues.