fix: support token auth in middleware and improve workspace detection

- Add token/host header check in middleware to allow public mode requests
- Update /api/auth to return authenticated:true when token headers present
- Decode JWT to extract workspace name as fallback in /api/config
- Pass token/host headers when checking auth status in use-login
- Use devMode: false for token-based client to avoid branch mode

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: rmorehig

dashboard/app/api/auth/route.ts

@@ -1,4 +1,4 @@
-import { NextResponse } from 'next/server'
+import { NextRequest, NextResponse } from 'next/server'
 import { cookies } from 'next/headers'
 import { createHash } from 'crypto'
 
@@ -31,12 +31,19 @@ function validateSession(sessionToken: string): boolean {
 }
 
 // GET - Check auth status
-export async function GET() {
+export async function GET(request: NextRequest) {
   // If auth is disabled, always return authenticated
   if (process.env.DISABLE_AUTH === 'true') {
     return NextResponse.json({ authenticated: true })
   }
 
+  // Check for token auth from headers (passed from URL params by client)
+  const headerToken = request.headers.get('X-Tinybird-Token')
+  const headerHost = request.headers.get('X-Tinybird-Host')
+  if (headerToken && headerHost) {
+    return NextResponse.json({ authenticated: true })
+  }
+
   const cookieStore = await cookies()
   const sessionCookie = cookieStore.get(SESSION_COOKIE_NAME)
 

dashboard/app/api/config/route.ts

@@ -13,7 +13,23 @@ interface TinybirdRegionResponse {
   api_host: string
 }
 
-// Cache for regions to avoid repeated API calls
+// Try to extract workspace name from JWT token payload
+function extractWorkspaceNameFromToken(token: string): string | null {
+  try {
+    const payload = token.split('.')[1]
+    if (!payload) return null
+    const base64 =
+      payload.replace(/-/g, '+').replace(/_/g, '/') +
+      '==='.slice((payload.length + 3) % 4)
+    const json = Buffer.from(base64, 'base64').toString()
+    const data = JSON.parse(json)
+    // Skip 'frontend_jwt' as it's just a token label, not workspace name
+    const name = data.workspace_name || (data.name !== 'frontend_jwt' ? data.name : null)
+    return name || null
+  } catch {
+    return null
+  }
+}
 
 async function fetchTinybirdRegions(): Promise<TinybirdRegionResponse[]> {
   try {
@@ -93,6 +109,11 @@ export async function GET(request: NextRequest) {
     workspaceName = tinybirdWorkspace?.name || null
   }
 
+  // If still no workspace name and we have a token, try to decode it
+  if (!workspaceName && headerToken) {
+    workspaceName = extractWorkspaceNameFromToken(headerToken)
+  }
+
   const workspace =
     configured && host && regionInfo
       ? {

dashboard/lib/hooks/use-login.ts

@@ -29,7 +29,16 @@ export function getStoredCredentials(): StoredCredentials | null {
   }
 }
 
-const fetcher = (url: string) => fetch(url).then(res => res.json())
+function createFetcher(token: string | null, host: string | null) {
+  return (url: string) => {
+    const headers: HeadersInit = {}
+    if (token && host) {
+      headers['X-Tinybird-Token'] = token
+      headers['X-Tinybird-Host'] = host
+    }
+    return fetch(url, { headers }).then(res => res.json())
+  }
+}
 
 export function useLogin() {
   const searchParams = useSearchParams()
@@ -39,6 +48,9 @@ export function useLogin() {
   const host = searchParams?.get('host')
   const hasTokenAuth = !!token && !!host
 
+  // Create fetcher with token/host to pass as headers
+  const fetcher = createFetcher(token, host)
+
   // Check server session auth
   const { data, error, isLoading: isSessionLoading, mutate } = useSWR(
     '/api/auth',

dashboard/lib/server.ts

@@ -44,7 +44,7 @@ export function getServerClient() {
 }
 
 export function createClientWithCredentials(token: string, host: string) {
-  return createAnalyticsClient({ token, baseUrl: host })
+  return createAnalyticsClient({ token, baseUrl: host, devMode: false })
 }
 
 export async function getWorkspace(): Promise<TinybirdWorkspace | null> {

dashboard/middleware.ts

@@ -24,6 +24,13 @@ export function middleware(request: NextRequest) {
     return NextResponse.next()
   }
 
+  // Check for token auth from headers (public mode)
+  const headerToken = request.headers.get('X-Tinybird-Token')
+  const headerHost = request.headers.get('X-Tinybird-Host')
+  if (headerToken && headerHost) {
+    return NextResponse.next()
+  }
+
   // Check for session cookie
   const sessionCookie = request.cookies.get(SESSION_COOKIE_NAME)
 

tinybird/src/client.ts

@@ -109,19 +109,27 @@ const __configDir = dirname(fileURLToPath(import.meta.url));
 interface CreateAnalyticsClientOptions {
   token?: string;
   baseUrl?: string;
+  devMode?: boolean | "branch";
 }
 
 /**
  * Create a Tinybird client with custom configuration
  */
 export function createAnalyticsClient(options?: CreateAnalyticsClientOptions) {
-  return createTinybirdClient({
+  const clientOptions: Parameters<typeof createTinybirdClient>[0] = {
     datasources,
     pipes,
     configDir: __configDir,
     baseUrl: options?.baseUrl ?? process.env.TINYBIRD_HOST,
     token: options?.token ?? process.env.TINYBIRD_TOKEN,
-  });
+  };
+
+  // Only set devMode if explicitly provided (otherwise use tinybird.json config)
+  if (options?.devMode !== undefined) {
+    clientOptions.devMode = options.devMode;
+  }
+
+  return createTinybirdClient(clientOptions);
 }
 
 /**