Collaborator

enyst commented Jan 22, 2026

(HUMAN: sorry! I'll have to put my tiny agent team under lock 😅
Everything below is them.)


Docs follow-up for OpenHands/software-agent-sdk#1786.

Summary

Adds a note to the Agent Server docs:

  • Non-browser WebSocket clients should prefer header auth (X-Session-API-Key / Authorization: Bearer ...) to avoid URL secret leakage.
  • Browser clients may still require query-param auth (session_api_key).

(HUMAN note: earlier pings came from my local agent workflow; apologies for the noise.)
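An added example, not part of this PR or the project's code: it builds the WebSocket upgrade request both ways to show that only the query-param form puts the key in the request line that access logs record, and it masks `session_api_key` where a URL has to be logged anyway. The host, path and key are constructed, and the helper names are hypothetical.

```python
import base64
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET_PARAMS = {"session_api_key"}  # query parameter named in this PR
CONSTRUCTED_URL = "ws://agent.example:8000/ws/example?x=1"  # constructed sample
CONSTRUCTED_KEY = "constructed-key-123"                     # constructed sample

def build_handshake(url, api_key, use_header):
    """Return the raw HTTP/1.1 upgrade request a WebSocket client would send."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    headers = [
        ("Host", parts.netloc),
        ("Upgrade", "websocket"),
        ("Connection", "Upgrade"),
        ("Sec-WebSocket-Key", base64.b64encode(os.urandom(16)).decode()),
        ("Sec-WebSocket-Version", "13"),
    ]
    if use_header:
        # Non-browser client: the secret travels in a header only.
        headers.append(("X-Session-API-Key", api_key))
    else:
        # Browser-style fallback: the secret becomes part of the URL.
        query.append(("session_api_key", api_key))
    target = parts.path or "/"
    if query:
        target += "?" + urlencode(query)
    lines = [f"GET {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"

def request_line(raw_request):
    """First line of the request, which proxies and servers commonly log."""
    return raw_request.split("\r\n", 1)[0]

def redact_url(url):
    """Mask secret query parameters before a URL is written to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

if __name__ == "__main__":
    for mode in (True, False):
        print(request_line(build_handshake(CONSTRUCTED_URL, CONSTRUCTED_KEY, mode)))
```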

Collaborator Author

enyst commented Jan 22, 2026

Docs follow-up for OpenHands/software-agent-sdk#1786.

Adds a short note: prefer WebSocket header auth (e.g. X-Session-API-Key / Authorization: Bearer) for non-browser clients to avoid leaking secrets in URLs; browsers may still require query-param auth.

Collaborator Author

enyst commented Jan 22, 2026

Maintainers: requesting review/merge. Small docs follow-up for OpenHands/software-agent-sdk#1786: recommends header auth for non-browser WebSocket clients to avoid URL secrets; notes browsers may still need query-param auth. CI (broken-link check) is green.

Collaborator Author

enyst commented Jan 22, 2026

Docs follow-up for OpenHands/software-agent-sdk#1786 (WS header auth).

check-broken-links is green.

Request: maintainer approval + merge when convenient.

enyst enabled auto-merge (squash) January 22, 2026 06:50

enyst requested a review from mamoodi January 22, 2026 06:55

Collaborator Author

enyst commented Jan 22, 2026

Maintainer review requested (@xingyaoww, @mamoodi). Auto-merge (squash) is enabled; this is currently blocked only on REVIEW_REQUIRED.

Context: downstream VS Code extension (oh-tab) needs header-based WS auth so it can stop sending session_api_key in the WebSocket URL query string (avoids URL secret leakage).

Collaborator Author

enyst commented Jan 22, 2026

@xingyaoww (codeowner for /sdk/) quick review when you have a minute? Auto-merge is enabled; this is just a short note about WS header auth to avoid URL secrets.
