Skip to content

fix(mcp): platform token requests send Org-Id/Workspace-Id tenancy headers#328

Merged
initializ-mk merged 1 commit into
mainfrom
fix/platform-token-tenancy-headers
Jul 17, 2026
Merged

fix(mcp): platform token requests send Org-Id/Workspace-Id tenancy headers#328
initializ-mk merged 1 commit into
mainfrom
fix/platform-token-tenancy-headers

Conversation

@initializ-mk

Copy link
Copy Markdown
Contributor

Follow-up to #326 (merged). Found live on the FanDuel testbed — a deployed agent's auth.type=platform read fails at startup:

initialize: mcp: protocol error: platform token endpoint returned 401 for
server "mcp.atlassian": {"error":"missing org-id header"}

Cause

The platform token endpoint verifies a per-org HS256 token (the workspace FORGE_PLATFORM_TOKEN), so it needs Org-Id to select the signing secret before it can validate the bearer — and Workspace-Id to authorize the request against the registry entry (the entitlement check). platform_token.go sent only Authorization: Bearer, so the request 401s before verification, and the required read server backs off in a degraded loop.

Fix

Send Org-Id + Workspace-Id from the standard FORGE_ORG_ID / FORGE_WORKSPACE_ID env the platform always injects (omitted when empty for standalone/dev) — exactly as the admission client (admission_loader.go) and the remote session-store client (remote_session_store.go) already do. This is the established Forge→platform tenancy-header convention; the platform token client just wasn't following it.

Test updated: the fake resolver now rejects a request missing the tenancy headers, so the regression is covered.

Rollout

The fix is in the agent runtime, so a deployed agent picks it up on its next rebuild with a forge runtime that includes this (e.g. AGENT_FORGE_VERSION=vnext once the edge build publishes from main). No agent-builder platform-side change needed — its token endpoint was correct (requiring org-id is right for per-org HS256 verification).

🤖 Generated with Claude Code

…aders

A deployed agent's auth.type=platform read failed at startup with
'platform token endpoint returned 401: missing org-id header'. The
platform verifies a PER-ORG HS256 token, so it needs Org-Id to select
the signing secret BEFORE it can validate the bearer — and Workspace-Id
to authorize the request against the registry entry (entitlement). The
token request sent only the bearer.

Now sends both from the standard FORGE_ORG_ID / FORGE_WORKSPACE_ID env
the platform injects (omitted when empty), exactly as the admission and
remote-session-store clients already do. Test asserts the resolver
receives them.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@initializ-mk
initializ-mk merged commit f8bd475 into main Jul 17, 2026
8 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant