Skip to content

feat: act_as_user_id service delegation (v0.5.0)#26

Open
artugro wants to merge 1 commit into
mainfrom
feat/service-delegation
Open

feat: act_as_user_id service delegation (v0.5.0)#26
artugro wants to merge 1 commit into
mainfrom
feat/service-delegation

Conversation

@artugro
Copy link
Copy Markdown
Contributor

@artugro artugro commented Apr 23, 2026

Summary

Adds `act_as_user_id` kwarg to both clients so internal services (wisdom-agents, hosting multi-tenant entities) can operate on behalf of specific users without holding user-scoped API keys.

Closes: #25

Paired with:

What changes

  • `IntunoClient` / `AsyncIntunoClient` accept optional `act_as_user_id: UUID | str | None`
  • When set, the client sends `X-Service-Key: <api_key>` + `X-On-Behalf-Of: ` instead of the normal `X-API-Key` / `Bearer` header
  • Mutually exclusive — delegation mode never mixes the two auth headers
  • Version bump: 0.4.0 → 0.5.0 (MINOR, additive)

Test plan

  • 4 new unit tests covering normal mode, delegation with UUID, delegation with string user_id, async delegation
  • All 42 pre-existing tests still pass (46 total now)
  • Smoke: `IntunoClient(api_key='secret', act_as_user_id=uuid)` \u2014 correct headers

Usage

from uuid import UUID
from intuno_sdk import AsyncIntunoClient

# Normal end-user flow (unchanged)
client = AsyncIntunoClient(api_key="wsk_user_key")

# Internal service (wisdom-agents)
client = AsyncIntunoClient(
    api_key=settings.AGENTS_SERVICE_API_KEY,
    act_as_user_id=UUID("..."),  # the entity's owner
)

🤖 Generated with Claude Code

@artugro @claude
feat: act_as_user_id service delegation (v0.5.0)
8b6cfca 
Adds an optional kwarg to both clients enabling service-level callers
(wisdom-agents, any internal microservice) to operate on behalf of
specific users. Closes #25.

Shape
- IntunoClient(api_key=..., *, act_as_user_id: UUID | str | None = None)
- AsyncIntunoClient(... same ...)
- When act_as_user_id is set: the client sends X-Service-Key +
  X-On-Behalf-Of instead of the normal X-API-Key / Bearer header. The
  backend (wisdom, #38) validates the service secret and attributes
  the request to the delegated user.
- Mutually exclusive: in delegation mode the X-API-Key / Authorization
  header is not sent.

Backward compatible: the existing constructor signature + behavior is
unchanged for every caller that doesn't pass act_as_user_id.

- src/intuno_sdk/client.py — _build_auth_headers switches on
  act_as_user_id; both client __init__ accept the new kwarg and expose
  it as self.act_as_user_id for introspection.
- src/intuno_sdk/constants.py — SDK_VERSION → 0.5.0
- pyproject.toml — version → 0.5.0
- CHANGELOG.md — 0.5.0 entry with the pattern + example
- tests/test_client.py — 4 new tests covering normal mode, delegation
  with UUID, delegation with string user_id, async delegation; all
  pre-existing 42 tests still pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@artugro artugro mentioned this pull request Apr 23, 2026
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@artugro