feat(proxy): support accessToken auth alongside apiKey#314
Open
Eyalm321 wants to merge 1 commit intogoogle-labs-code:mainfrom
Open
feat(proxy): support accessToken auth alongside apiKey#314Eyalm321 wants to merge 1 commit intogoogle-labs-code:mainfrom
Eyalm321 wants to merge 1 commit intogoogle-labs-code:mainfrom
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
Eyalm321
pushed a commit
to Eyalm321/stitch-mcp
that referenced
this pull request
Apr 14, 2026
Wire gcloudService.getAccessToken() into the proxy handler so that when STITCH_API_KEY is not set, the proxy falls back to Application Default Credentials. This enables STITCH_USE_SYSTEM_GCLOUD workflows, especially on Windows where system gcloud integration is needed. Includes a patch-package patch for @google/stitch-sdk to add accessToken support to the proxy module (schema, constructor, and HTTP headers). The patch can be removed once google-labs-code/stitch-sdk#314 is merged and released. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
6 tasks
Eyalm321
force-pushed
the
feat/access-token-auth
branch
2 times, most recently
from
9ab9e9f to
6fa48f3
Compare
Eyalm321
added a commit
to Eyalm321/stitch-mcp
that referenced
this pull request
Apr 14, 2026
Wire gcloudService.getAccessToken() into the proxy handler so that when STITCH_API_KEY is not set, the proxy falls back to Application Default Credentials. This enables STITCH_USE_SYSTEM_GCLOUD workflows, especially on Windows where system gcloud integration is needed. Includes a patch-package patch for @google/stitch-sdk to add accessToken support to the proxy module (schema, constructor, and HTTP headers). The patch can be removed once google-labs-code/stitch-sdk#314 is merged and released.
Eyalm321
added a commit
to Eyalm321/stitch-mcp
that referenced
this pull request
Apr 14, 2026
Wire gcloudService.getAccessToken() into the proxy handler so that when STITCH_API_KEY is not set, the proxy falls back to Application Default Credentials. This enables STITCH_USE_SYSTEM_GCLOUD workflows, especially on Windows where system gcloud integration is needed. Includes a patch-package patch for @google/stitch-sdk to add accessToken support to the proxy module (schema, constructor, and HTTP headers). The patch can be removed once google-labs-code/stitch-sdk#314 is merged and released.
Eyalm321
added a commit
to Eyalm321/stitch-mcp
that referenced
this pull request
Apr 14, 2026
Wire gcloudService.getAccessToken() into the proxy handler so that when STITCH_API_KEY is not set, the proxy falls back to Application Default Credentials. This enables STITCH_USE_SYSTEM_GCLOUD workflows, especially on Windows where system gcloud integration is needed. Depends on google-labs-code/stitch-sdk#314 for accessToken support in the SDK proxy module.
Eyalm321
added a commit
to Eyalm321/stitch-mcp
that referenced
this pull request
Apr 14, 2026
Wire gcloudService.getAccessToken() into the proxy handler so that when STITCH_API_KEY is not set, the proxy falls back to Application Default Credentials. This enables STITCH_USE_SYSTEM_GCLOUD workflows, especially on Windows where system gcloud integration is needed. Depends on google-labs-code/stitch-sdk#314 for accessToken support in the SDK proxy module.
Eyalm321
force-pushed
the
feat/access-token-auth
branch
from
6fa48f3 to
c9a04fe
Compare
Add accessToken and quotaProjectId as alternative authentication for the proxy module, enabling ADC/OAuth2 workflows. When accessToken is provided (via config or STITCH_ACCESS_TOKEN env var), the proxy sends Authorization: Bearer and X-Goog-User-Project headers instead of X-Goog-Api-Key.
Eyalm321
force-pushed
the
feat/access-token-auth
branch
from
fd1423f to
8d90657
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
accessTokenas an alternative authentication method in the proxy module's Zod schema, constructor, and HTTP clientaccessTokenis provided (via config orSTITCH_ACCESS_TOKENenv var), the proxy sendsAuthorization: Bearerheaders instead ofX-Goog-Api-KeyquotaProjectIdto sendX-Goog-User-Projectheader with Bearer auth (required by Google APIs for billing/quota)apiKeyoraccessToken, throwing only if neither is providedMotivation
The proxy module currently only supports API key authentication (
X-Goog-Api-Key), but the Stitch service layer already supports access tokens. This PR addsaccessTokensupport to the proxy module to enable ADC/OAuth2 workflows, which is especially important for Windows users where system-levelgcloudintegration is needed and API keys may not be the preferred auth method.Changes
spec/proxy.ts— AddedaccessTokenandquotaProjectIdtoStitchProxyConfigSchemaproxy/core.ts— Constructor readsaccessTokenandquotaProjectIdfrom config/env vars; validation guard accepts either credentialproxy/client.ts— NewbuildAuthHeaders()helper selectsAuthorization: Bearer+X-Goog-User-ProjectorX-Goog-Api-Keyheaderstest/proxy.test.ts— 4 new tests covering accessToken init, env var init, error on missing credentials, and header verificationTest plan
STITCH_API_KEYset (existing behavior unchanged)STITCH_ACCESS_TOKENset (new behavior)Authorization: Bearer+X-Goog-User-Projectheaders sent with accessTokenX-Goog-Api-Keyheader is sent when only apiKey is configuredcreate_projecttool call succeeds with Bearer + quota projectAll 97 tests passing (14 test files).