Add API key authentication for production A2A endpoints #2

Merged
rockfordlhotka merged 5 commits into main from feat/api-key-auth
Mar 19, 2026

@rockfordlhotka
Member

Summary

  • Add custom API key authentication handler for production A2A endpoints, avoiding Azure Entra ID dependency for self-hosted k8s deployments
  • Clients authenticate via X-Api-Key header or Authorization: ApiKey <token>
  • Auth is bypassed in Development mode (existing behavior)
  • Update k8s manifests with correct provider config, Docker Hub image reference, and API key secret
  • Fix global.json SDK version constraint and add .dockerignore for container builds

Test plan

  • Solution builds with zero warnings/errors
  • All unit tests pass
  • Docker image builds and pushes to Docker Hub
  • Deployed to k8s cluster — pod running, health checks passing
  • Verified 401 returned when no API key provided
  • Verified agent card returned with valid API key via X-Api-Key header
  • Both Mastodon and Bluesky providers polling successfully into PostgreSQL

🤖 Generated with Claude Code
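
One way to implement the handler described in the summary above, added here as an example and not taken from this pull request's code. The scheme name `ApiKey`, the `A2A:ApiKey` configuration key, the `/agent-card` route, the hashed constant-time comparison and the .NET 8 web SDK with implicit usings are all assumptions.

```csharp
// Added example, not the PR's code. Scheme name "ApiKey", route and config key "A2A:ApiKey" are assumptions.
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication("ApiKey")
    .AddScheme<AuthenticationSchemeOptions, ApiKeyHandler>("ApiKey", _ => { });
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
var card = app.MapGet("/agent-card", () => Results.Ok(new { name = "demo" }));
if (!app.Environment.IsDevelopment()) card.RequireAuthorization(); // Development bypass, as in the summary
app.Run();

public sealed class ApiKeyHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
    ILoggerFactory logger, UrlEncoder encoder, IConfiguration config)
    : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
{
    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // X-Api-Key wins; otherwise accept "Authorization: ApiKey <token>".
        string? presented = Request.Headers["X-Api-Key"].FirstOrDefault();
        string? auth = Request.Headers.Authorization.FirstOrDefault();
        if (presented is null && auth?.StartsWith("ApiKey ", StringComparison.OrdinalIgnoreCase) == true)
            presented = auth["ApiKey ".Length..].Trim();
        if (string.IsNullOrEmpty(presented))
            return Task.FromResult(AuthenticateResult.NoResult()); // no credential: challenge returns 401

        string? expected = config["A2A:ApiKey"];
        if (string.IsNullOrEmpty(expected)) // fail closed when the secret is not mounted
            return Task.FromResult(AuthenticateResult.Fail("API key not configured"));

        // Hash both values so the comparison is equal-length and constant-time.
        bool ok = CryptographicOperations.FixedTimeEquals(
            SHA256.HashData(Encoding.UTF8.GetBytes(presented)),
            SHA256.HashData(Encoding.UTF8.GetBytes(expected)));
        if (!ok) return Task.FromResult(AuthenticateResult.Fail("Invalid API key"));

        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "a2a-client") }, Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(
            new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name)));
    }
}
```

In Kubernetes the `A2A:ApiKey` value would come from the API key secret as an environment variable named `A2A__ApiKey`; that variable name follows from the assumed configuration key, not from the PR's manifests.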

rockfordlhotka and others added 5 commits March 18, 2026 15:14

Adds a custom ASP.NET Core authentication handler that validates
API keys via X-Api-Key header or Authorization: ApiKey <token>,
avoiding Azure Entra ID dependency for self-hosted k8s deployments.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Fix global.json SDK version constraint for container compatibility
- Add .dockerignore to reduce build context
- Update deployment image to rockylhotka/socialagent:latest
- Set correct Mastodon instance URL and Bluesky handle in configmap

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Replace default logging with Serilog (console sink, config-driven)
- Add OpenTelemetry traces and metrics with OTLP exporter
- Instrument ASP.NET Core, HttpClient, and Npgsql
- Serilog OTel sink available for log export when collector is configured

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…status

- Add Gemini Flash skill router via OpenRouter for natural language A2A
  intent classification, with keyword matching as fallback
- Fix HttpClient DI collision where both providers registered against
  ISocialMediaProvider, causing Mastodon to use Bluesky's base URL
- Sync read status from platforms: Bluesky maps IsRead directly,
  Mastodon uses markers API to compare against last_read_id
- Repository now updates IsRead on existing notifications during upsert

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Move all manifests from social-agent to rockbot namespace
- Add LLM__Low env vars from rockbot-secrets for skill routing
- Add OTEL exporter endpoint pointing to alloy collector

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

rockfordlhotka merged commit 5e18cfa into main Mar 19, 2026
rockfordlhotka deleted the feat/api-key-auth branch March 19, 2026 06:24