Skip to content

feat: personal-access-token auth (AGENTAGE_TOKEN / --token)#266

Merged
vreshch merged 1 commit into
masterfrom
feature/pat-auth
Jul 11, 2026
Merged

feat: personal-access-token auth (AGENTAGE_TOKEN / --token)#266
vreshch merged 1 commit into
masterfrom
feature/pat-auth

Conversation

@vreshch

@vreshch vreshch commented Jul 11, 2026

Copy link
Copy Markdown
Member

What

Adds a personal-access-token (PAT) credential path to the CLI so CI / headless machines can authenticate without the interactive OAuth/DCR browser sign-in.

  • AGENTAGE_TOKEN=aga_... env var (primary, CI-friendly) + --token <token> flag on status.
  • Precedence: flag > env PAT > stored OAuth session.
  • When a PAT is present the OAuth/DCR flow is skipped entirely and the PAT is used as the Authorization: Bearer on the existing authed request paths. PATs are oauthAccessToken rows server-side, so introspection / MCP validate them identically to an OAuth access token.
  • A PAT carries no refresh token and never attempts an OAuth refresh (refuses with a dashboard-pointing message; 401 is terminal, no retry).
  • REST account-channel provisioning is session-only (cli#197) - with a PAT it fails with a clear message: "a personal access token only authorizes memory (MCP) calls".
  • status labels PAT auth (signed in via token).

Files

  • src/lib/auth/credentials.ts (new) - resolveAuth (precedence), patAuthState, rawPatToken, assertPatShape.
  • src/lib/auth/api.ts - refreshOrThrow refuses a PAT.
  • src/lib/auth/provision.ts - PAT -> clear unauthenticated message, no network call.
  • src/lib/fs/config.ts - AuthState.kind?: 'pat' marker (never persisted).
  • src/commands/status/status.ts + src/lib/status/status-info.ts - --token flag, PAT-aware status line.

Tests

  • credentials.test.ts - precedence (flag > env > stored), shape validation, synthesized state.
  • api.test.ts - PAT rides through authedGet/authedPost as the bearer; refresh refused; 401 terminal (no /token call).
  • provision.test.ts - PAT -> unauthenticated, no REST call.
  • status-info.test.ts - pat: true flag.

npm run verify green (499 tests), coverage gate green.

Manual smoke (prod, fake token)

$ AGENTAGE_TOKEN=aga_dummy_smoke_token agentage status
target     ✓ agentage.io (production)
auth       ✗ session expired - run: agentage setup    # server rejected the fake PAT cleanly
# status --json showed "pat": true - the bearer path executed against auth.agentage.io

$ agentage status --token notaga
token must be a personal access token starting with "aga_" (mint one in the dashboard: Settings -> API tokens)

Proves the PAT header path executes against agentage.io and a real token would authenticate.

Not in scope

  • Daemon-run couch sync stays on stored OAuth (the daemon reads auth.json, not the foreground env).
  • No merge / no release.

Add AGENTAGE_TOKEN env var and a --token flag so CI / headless machines
can authenticate with a dashboard-minted PAT (aga_...) instead of the
interactive OAuth/DCR sign-in. A PAT is an oauthAccessToken row, so it
rides through the existing authed request paths as the bearer; it carries
no refresh token and never attempts an OAuth refresh. Precedence is
flag > env > stored OAuth. REST provisioning (session-only) fails with a
clear message naming the MCP-only limitation.
@github-actions

github-actions Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

🎉 PR Validation ✅ PASSED

Commit: 381ef635de5f4d28555fc8650766eb5ffd12b68f
Branch: feature/pat-auth

Checks:

  • ✅ Release guard (no version/changelog changes)
  • ✅ Dependencies installed
  • ✅ Type check passed
  • ✅ Linting passed
  • ✅ Format check passed
  • ✅ Tests + coverage passed
  • ✅ Build successful

Ready to merge!


🔗 View workflow run
⏰ Generated at: 2026-07-11T17:49:36.190Z

@vreshch vreshch marked this pull request as ready for review July 11, 2026 17:52
@vreshch vreshch merged commit 29d9f86 into master Jul 11, 2026
3 checks passed
@vreshch vreshch deleted the feature/pat-auth branch July 11, 2026 17:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant