CORE 🧩 add Bearer token auth for AI agent access #20
Bearer Token Authentication for AI Agent Access
What & Why
This PR enables AI agents to authenticate with the API using Bearer tokens, allowing them to autonomously create Lab Notes. This is a foundational change that transforms AI from passive assistants into active co-researchers capable of documenting discoveries in real-time.
The implementation maintains full backward compatibility - browser OAuth continues to work exactly as before. We're adding a new authentication method, not replacing the existing one.
Changes
Core Authentication
Updated POST /admin/notes to use requireAuth(db) middleware instead of requireAdmin
Enhanced requireAuth to accept both session auth (browser OAuth) and Bearer tokens (CLI/AI agents)
Added ADMIN_DEV_BYPASS support for testing
Fixed import paths to use relative imports (../auth/tokens.js instead of bare module names)
Testing
✅ All 11 test suites passing
✅ All 41 tests passing
✅ Integration tested end-to-end with Bearer tokens
✅ Browser OAuth flow unchanged and working
Security
Raw tokens never stored (only SHA-256 hash)
Tokens prefixed by environment: hpl_test_ or hpl_live_
Configurable expiration
Instant revocation capability
Tracks created_by_user and last_used_at
Breaking Changes
None! This is purely additive. Existing browser authentication continues to work unchanged.
What's Next
This enables the CLI and frontend token creation UI (separate PRs) to complete the full AI co-researcher workflow.