Skip to content

Per-channel auth tokens (Tier 2.2) #17

Description

@constripacity

Parent: #12

The v0.7.0 design check-in punt. Today's BearerAuthMiddleware uses one global token. Spec: each channel optionally has its own token; sending or receiving on it requires that token.

The existing BearerAuthMiddleware(token_getter=...) callable was deliberately designed for this — swap lambda: AUTH_TOKEN for a channel-aware lookup against a new channel_tokens SQLite table.

Touch surface: new table, replace token_getter, add an admin CLI (claude-bridge tokens mint|list|revoke), new MCP tool bridge_tokens (or admin-only HTTP endpoint). ~250 LoC.
Tradeoff: significant admin surface. Per the original deferred memo: do not ship unless someone files a concrete request — speculative complexity otherwise.
Effort: L. Likely v0.8.0 if it lands.

Status: deferred-pending-demand. Track here so the design intent isn't lost.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestroadmapHigh-level roadmap item tracked on Project #1

    Projects

    Status
    Todo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions