
Remove anthropic api token from http auth#564

Open
stuartc wants to merge 2 commits into main from worktree-remove-anthropic-token-fallback

Conversation


@stuartc stuartc commented Jun 29, 2026

Member

Short Description

Tightens instance auth so an inbound api_key is only ever treated as a client credential, never forwarded to Anthropic. Drops the old sk-ant- bring-your-own-key path.

Fixes #

Implementation Details

Previously an unknown `sk-ant-`-shaped key was forwarded to the LLM as a bring-your-own key. That path is gone. An api_key now resolves one of four ways:

  • known client → swap in their stored Anthropic key
  • known client with a NULL stored key → 500 (server misconfig, reported to Sentry)
  • unknown key → 401, or 503 if the client store is unreachable (can't verify, so don't guess)
  • no api_key → global ANTHROPIC_API_KEY, else 401

Removed the forward KeyResolution tag and the shape check that went with it. Also trimmed a couple of log lines that were either routine or not actionable: the internal-token mismatch no longer reports to Sentry (it's a config/forgery signal, not a bug), and a max-staleness cache eviction no longer warns (happens whenever the DB lags). Tidied the comments in instance-auth.ts while I was in there.

AI Usage

  • Yes, I have used AI
  • No, I have not used AI
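The four-way resolution described in the PR, written out as an added, self-contained example. It is not the project's instance-auth.ts; every name in it (`resolveApiKey`, `ClientStore`, `MemoryClientStore`, the placeholder key strings) is assumed for illustration. The property worth checking is that the inbound api_key only ever acts as a lookup key and is never what gets sent upstream, including when it happens to look like an Anthropic key or when the store cannot be consulted.

```typescript
// Added example (not the project's instance-auth.ts): the four-way api_key
// resolution the PR describes, with every name below assumed for illustration.

type Resolution =
  | { kind: "ok"; anthropicKey: string; source: "client" | "global" }
  | { kind: "error"; status: 401 | 500 | 503; reason: string; reportToSentry: boolean };

interface ClientRecord {
  id: string;
  anthropicKey: string | null; // NULL in the DB means the client is misconfigured
}

interface ClientStore {
  // Returns the client owning this credential, null if nobody does,
  // and throws when the store cannot be reached. A real store would be async.
  lookup(apiKey: string): ClientRecord | null;
}

function resolveApiKey(
  inboundApiKey: string | undefined,
  store: ClientStore,
  globalAnthropicKey: string | undefined,
): Resolution {
  // No client credential at all: fall back to the global key, else reject.
  if (!inboundApiKey) {
    return globalAnthropicKey
      ? { kind: "ok", anthropicKey: globalAnthropicKey, source: "global" }
      : { kind: "error", status: 401, reason: "no api_key and no global key", reportToSentry: false };
  }

  // The inbound value is only ever a lookup key into the client store.
  let record: ClientRecord | null;
  try {
    record = store.lookup(inboundApiKey);
  } catch {
    // Cannot verify, so don't guess: a plausible-looking key (sk-ant-...) is still not forwarded.
    return { kind: "error", status: 503, reason: "client store unreachable", reportToSentry: false };
  }

  if (record === null) {
    return { kind: "error", status: 401, reason: "unknown api_key", reportToSentry: false };
  }
  if (record.anthropicKey === null) {
    // Known client, but nothing to swap in: our misconfiguration, not theirs.
    return { kind: "error", status: 500, reason: `client ${record.id} has no stored key`, reportToSentry: true };
  }
  return { kind: "ok", anthropicKey: record.anthropicKey, source: "client" };
}

// Constructed in-memory store for the example; the key strings are placeholders.
class MemoryClientStore implements ClientStore {
  private records: Map<string, ClientRecord>;
  private reachable: boolean;
  constructor(records: Map<string, ClientRecord>, reachable: boolean) {
    this.records = records;
    this.reachable = reachable;
  }
  lookup(apiKey: string): ClientRecord | null {
    if (!this.reachable) throw new Error("client store down");
    return this.records.get(apiKey) ?? null;
  }
}

const sampleRecords = new Map<string, ClientRecord>([
  ["client-key-alpha", { id: "alpha", anthropicKey: "STORED_KEY_FOR_ALPHA" }],
  ["client-key-beta", { id: "beta", anthropicKey: null }],
]);
const liveStore = new MemoryClientStore(sampleRecords, true);
const downStore = new MemoryClientStore(sampleRecords, false);

// Walks each branch once; returns "ok:<source>" or the HTTP status per scenario.
function runScenarios(): Record<string, number | string> {
  const pick = (r: Resolution) => (r.kind === "ok" ? `ok:${r.source}` : r.status);
  return {
    knownClient: pick(resolveApiKey("client-key-alpha", liveStore, "GLOBAL_KEY")),
    knownClientNullKey: pick(resolveApiKey("client-key-beta", liveStore, "GLOBAL_KEY")),
    unknownKey: pick(resolveApiKey("sk-ant-looks-real-but-unknown", liveStore, "GLOBAL_KEY")),
    storeUnreachable: pick(resolveApiKey("client-key-alpha", downStore, "GLOBAL_KEY")),
    noKeyWithGlobal: pick(resolveApiKey(undefined, liveStore, "GLOBAL_KEY")),
    noKeyNoGlobal: pick(resolveApiKey(undefined, liveStore, undefined)),
  };
}

console.log(runScenarios());
```

The `ok` variant carries only a key read from the store or from the global setting, so there is no code path on which `inboundApiKey` reaches the upstream call; the 503 branch is what keeps a store outage from degrading into a guess.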

stuartc added 2 commits June 29, 2026 14:20
An inbound api_key is now only ever a client credential, never forwarded
to the LLM:

- known client          -> swap in its stored Anthropic key
- known client, NULL key -> 500 (server misconfig, reported to Sentry)
- unknown key            -> 401 (verified unknown) / 503 (store unreachable)
- no api_key             -> global ANTHROPIC_API_KEY, else 401

Drops the sk-ant- shape check and the `forward` KeyResolution tag. Also
trims unactionable logging (internal-token mismatch and max-staleness
eviction no longer warn/report) and tidies comments in instance-auth.ts.
@stuartc stuartc changed the title Reject unknown api_keys instead of forwarding them as bring-your-own keys Remove anthropic api token from http auth Jun 29, 2026
@stuartc stuartc requested a review from josephjclark June 29, 2026 12:44
@stuartc stuartc self-assigned this Jun 29, 2026
@stuartc stuartc added this to Core Jun 29, 2026
@github-project-automation github-project-automation Bot moved this to New Issues in Core Jun 29, 2026
@stuartc stuartc moved this from New Issues to In progress in Core Jun 29, 2026
@stuartc stuartc moved this from In progress to In review in Core Jun 29, 2026
