Skip to content

POK-88: Reject invalid virtual key during gateway model discovery#30

Merged
saheljalal merged 1 commit into
mainfrom
pok-88-bearer-only-auth
Jul 3, 2026
Merged

POK-88: Reject invalid virtual key during gateway model discovery#30
saheljalal merged 1 commit into
mainfrom
pok-88-bearer-only-auth

Conversation

@saheljalal

Copy link
Copy Markdown
Collaborator

Summary

  • Gateway HTTP clients (gateway models, gateway on, passthrough probes, doctor reachability) now send Authorization: Bearer only
  • Fixes silent acceptance of invalid virtual keys on gateways that enforce Bearer but accept any x-api-key when both headers are present

Test plan

  • pytest tests/test_aikit_gateway.py tests/test_aikit_gateway_passthrough.py
  • New regression tests for Bearer-only headers and POK-88 masking scenario

Closes POK-88

Dual Authorization + x-api-key headers let lenient gateways accept invalid
virtual keys during models/on/verify. Use Bearer only to match LiteLLM semantics.

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: multica-agent <github@multica.ai>
@saheljalal saheljalal merged commit 3ccbb44 into main Jul 3, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant