Remove anthropic api token from http auth #564

Merged: josephjclark merged 8 commits into main from worktree-remove-anthropic-token-fallback on Jun 30, 2026

stuartc (Member) commented Jun 29, 2026

Short Description

Tightens instance auth so an inbound api_key is only ever treated as a client credential, never forwarded to Anthropic. Drops the old sk-ant- bring-your-own-key path.

Fixes #

Implementation Details

Previously an unknown sk-ant--shaped key was forwarded to the LLM as a bring-your-own key. That path is gone. An api_key now resolves one of four ways:

  • known client → swap in their stored Anthropic key
  • known client with a NULL stored key → 500 (server misconfig, reported to Sentry)
  • unknown key → 401, or 503 if the client store is unreachable (can't verify, so don't guess)
  • no api_key → global ANTHROPIC_API_KEY, else 401

Removed the forward KeyResolution tag and the shape check that went with it. Also trimmed a couple of log lines that were either routine or not actionable: the internal-token mismatch no longer reports to Sentry (it's a config/forgery signal, not a bug), and a max-staleness cache eviction no longer warns (happens whenever the DB lags). Tidied the comments in instance-auth.ts while I was in there.

AI Usage

  • Yes, I have used AI
  • No, I have not used AI

stuartc added 2 commits June 29, 2026 14:20
An inbound api_key is now only ever a client credential, never forwarded
to the LLM:

- known client          -> swap in its stored Anthropic key
- known client, NULL key -> 500 (server misconfig, reported to Sentry)
- unknown key            -> 401 (verified unknown) / 503 (store unreachable)
- no api_key             -> global ANTHROPIC_API_KEY, else 401

Drops the sk-ant- shape check and the `forward` KeyResolution tag. Also
trims unactionable logging (internal-token mismatch and max-staleness
eviction no longer warn/report) and tidies comments in instance-auth.ts.
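
The four outcomes listed in the PR description and commit message above, written out as a small resolver. This is an added example, not code from the PR or from instance-auth.ts; `resolveApiKey`, `Lookup`, `ClientStore` and the sample keys are hypothetical, and the store lookup is synchronous here for brevity.

```typescript
// Added illustration: every name below is hypothetical, not taken from instance-auth.ts.
type Resolution =
  | { ok: true; anthropicKey: string; source: "client" | "global" }
  | { ok: false; status: 401 | 500 | 503; reason: string };

type Lookup =
  | { state: "found"; anthropicKey: string | null } // null = stored key is NULL
  | { state: "unknown" }                            // store answered: no such client
  | { state: "unreachable" };                       // store could not answer

type ClientStore = (apiKey: string) => Lookup;

function resolveApiKey(
  apiKey: string | undefined,
  store: ClientStore,
  globalKey: string | undefined,
): Resolution {
  if (apiKey === undefined) {
    // No client credential presented: only the server-wide key can apply.
    return globalKey
      ? { ok: true, anthropicKey: globalKey, source: "global" }
      : { ok: false, status: 401, reason: "no api_key and no global key" };
  }
  const found = store(apiKey);
  if (found.state === "unreachable") {
    // The key cannot be verified, so fail closed rather than guess.
    return { ok: false, status: 503, reason: "client store unreachable" };
  }
  if (found.state === "unknown") {
    // Rejected whatever the key looks like; it is never used as the upstream key.
    return { ok: false, status: 401, reason: "unknown api_key" };
  }
  if (found.anthropicKey === null) {
    return { ok: false, status: 500, reason: "client has no stored key" };
  }
  return { ok: true, anthropicKey: found.anthropicKey, source: "client" };
}

// Constructed sample data for the example.
const rows: Record<string, string | null> = { "client-a": "stored-key-a", "client-b": null };
const sampleStore: ClientStore = (k) =>
  Object.prototype.hasOwnProperty.call(rows, k)
    ? { state: "found", anthropicKey: rows[k] ?? null }
    : { state: "unknown" };
const downStore: ClientStore = () => ({ state: "unreachable" });
```

A key shaped like `sk-ant-...` that is not in the store takes the same 401 branch as any other unknown key, even when a global key is configured.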
stuartc changed the title from "Reject unknown api_keys instead of forwarding them as bring-your-own keys" to "Remove anthropic api token from http auth" Jun 29, 2026
stuartc requested a review from josephjclark June 29, 2026 12:44
stuartc self-assigned this Jun 29, 2026
stuartc added this to Core Jun 29, 2026
github-project-automation Bot moved this to New Issues in Core Jun 29, 2026
stuartc moved this from New Issues to In progress in Core Jun 29, 2026
stuartc moved this from In progress to In review in Core Jun 29, 2026
josephjclark (Collaborator) commented Jun 30, 2026

QA notes:

  • echo service is rejected if no API key is passed
  • If ANTHROPIC_API_KEY is set, echo is allowed without a key
  • With ANTHROPIC_API_KEY unset, lightning requests without an api key will be rejected
  • With ANTHROPIC_API_KEY unset, lightning with a valid key will be rejected
  • With ANTHROPIC_API_KEY unset and a new API key created, lightning requests are accepted

josephjclark merged commit 99f1b3f into main Jun 30, 2026
2 checks passed
josephjclark deleted the worktree-remove-anthropic-token-fallback branch June 30, 2026 13:31
github-project-automation Bot moved this from In review to Done in Core Jun 30, 2026