Skip to content

feat: automatically rotate SDK API tokens#445

Open
timmarkhuff wants to merge 9 commits into
mainfrom
thuff/gl-1709-token-auto-refresh-independent
Open

feat: automatically rotate SDK API tokens#445
timmarkhuff wants to merge 9 commits into
mainfrom
thuff/gl-1709-token-auto-refresh-independent

Conversation

@timmarkhuff

@timmarkhuff timmarkhuff commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Mint 30-day working tokens from the configured bootstrap token and refresh them daily.
  • Cache tokens per credential using atomic writes and cross-process file locking.
  • Recover from HTTP 401s, clean up superseded tokens, and support graceful client shutdown.
  • Regenerate the API token client from the updated OpenAPI spec.

Dependency

Requires axon-groundlight/zuuul#6579 (merged), which adds the GET /v1/api-tokens/by-snippet/<snippet> endpoint used for token lookup during rotation.

Test plan

  • Token caching, rotation, cleanup, and 401 recovery tests
  • Generated API token tests
  • Ruff, Pylint, and mypy

Rotate short-lived working tokens through a locked disk cache while preserving bootstrap credentials for recovery.

Co-authored-by: Cursor <cursoragent@cursor.com>
@timmarkhuff timmarkhuff changed the title Add automatic API token refresh feat: automatically rotate SDK API tokens Jul 9, 2026
Tim Huff and others added 8 commits July 9, 2026 11:59
Keep the new close method from being auto-registered as a shell command so CLI initialization and tests continue to work.

Co-authored-by: Cursor <cursoragent@cursor.com>
Back off after failed refreshes, preserve pending cleanup metadata, and make 401 recovery safe for streamed and raw HTTP requests.

Co-authored-by: Cursor <cursoragent@cursor.com>
Fall back to the bootstrap token when a server does not yet expose token management, preserving compatibility during deployment.

Co-authored-by: Cursor <cursoragent@cursor.com>
Replay generated stream bodies correctly, cover note requests, and make locking and shutdown safe for in-flight refresh work.
The bootstrap token has only one job: mint the first working token.
Keeping it alive afterward is a security risk -- a leaked bootstrap
can silently mint tokens indefinitely. Revoke it immediately after
the first slot is written.

Consequences:
- 401 recovery no longer falls back to bootstrap to re-mint; it
  adopts a fresher cached token from another process or raises loudly
  requiring human intervention (provision a new bootstrap token).
- refresh() raises on a missing slot rather than re-minting from
  bootstrap, since the bootstrap is gone.

Updates plan doc and Google Doc accordingly.

Co-authored-by: Cursor <cursoragent@cursor.com>
…ing rotation

The bootstrap token's name (suffix-stripped) is now written into the slot cache
as base_name once, at first mint. Subsequent rotations read it from the slot
instead of doing a paginated list call to rediscover the current token's name.

Key changes:
- TokenSlot gains a base_name field; old slots with no field fall back to a
  live lookup via the new _resolve_base_name helper.
- _initialize_token looks up the bootstrap token once; the result seeds
  base_name and is passed directly to _revoke_bootstrap, eliminating the
  second paginated scan that revocation previously required.
- _mint_replacement now receives base_name as a parameter rather than
  doing its own lookup.
- _new_token_name simplified: it no longer accepts None or strips suffixes
  (that responsibility moved to _resolve_base_name).

Co-authored-by: Cursor <cursoragent@cursor.com>
The GET /v1/api-tokens/by-snippet/<snippet> endpoint (zuuul#6579) is
now deployed. Replace the paginated list scan with a single direct
call, removing _find_token_by_snippet and TOKEN_PAGE_SIZE entirely.

- _initialize_token and _resolve_base_name both call _get_token_by_snippet;
  NotFoundException means "token not found" and falls back gracefully.
- Revert TOKEN_TTL_DAYS to 30 and REFRESH_INTERVAL_DAYS to 1 (temporary
  short values were only for live rotation testing).
- Update tests: list_api_tokens mocks replaced with
  get_api_token_by_snippet; _page helper and EXPECTED_PAGE_COUNT removed.

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant