CRED-2147: Add PAT auth support to Go API client

Author: tausman

.generator/src/generator/templates/client.j2

@@ -84,13 +84,21 @@ func UseDelegatedTokenAuth(ctx context.Context, headerParams *map[string]string,
 }
 
 // SetAuthKeys sets the appropriate values in the headers parameter.
+// When a bearer token is present in the context, only the
+// Authorization: Bearer header is sent. No API key or app key
+// headers are included — bearer auth is a standalone auth path.
 func SetAuthKeys(ctx context.Context, headerParams *map[string]string, keys ...[2]string) {
-	if ctx != nil {
-		for _, key := range keys {
-			if auth, ok := ctx.Value(ContextAPIKeys).(map[string]APIKey); ok {
-				if apiKey, ok := auth[key[0]]; ok {
-					(*headerParams)[key[1]] = apiKey.Key
-				}
+	if ctx == nil {
+		return
+	}
+	if bearerToken, ok := ctx.Value(ContextBearerToken).(string); ok {
+		(*headerParams)[authorizationHeader] = fmt.Sprintf(bearerTokenFormat, bearerToken)
+		return
+	}
+	for _, key := range keys {
+		if auth, ok := ctx.Value(ContextAPIKeys).(map[string]APIKey); ok {
+			if apiKey, ok := auth[key[0]]; ok {
+				(*headerParams)[key[1]] = apiKey.Key
 			}
 		}
 	}
@@ -180,6 +188,10 @@ func (c *APIClient) CallAPI(request *http.Request) (*http.Response, error) {
 					dump = valueRegex.ReplaceAll(dump, []byte("REDACTED"))
 				}
 			}
+			if bearerToken, ok := newRequest.Context().Value(ContextBearerToken).(string); ok {
+				valueRegex := regexp.MustCompile(fmt.Sprintf("(?m)%s", bearerToken))
+				dump = valueRegex.ReplaceAll(dump, []byte("REDACTED"))
+			}
 			log.Printf("\n%s\n", string(dump))
 		}
 		resp, requestErr := c.Cfg.HTTPClient.Do(newRequest)

.generator/src/generator/templates/configuration.j2

@@ -59,6 +59,9 @@ var (
 
 	// ContextOperationServerVariables overrides a server configuration variables using operation specific values.
 	ContextOperationServerVariables = contextKey("serverOperationVariables")
+
+	// ContextBearerToken takes a bearer token (e.g. PAT) as authentication for the request.
+	ContextBearerToken = contextKey("bearerToken")
 )
 
 // BasicAuth provides basic http authentication to a request passed via context using ContextBasicAuth.
@@ -399,6 +402,11 @@ func NewDefaultContext(ctx context.Context) context.Context {
 		keys["{{ name }}"] = APIKey{Key: apiKey}
 	}
 
+	{%- endfor %}
+	{%- for name, schema in openapi.components.securitySchemes.items() if "x-env-name" in schema and schema.type == "http" and schema.scheme == "bearer" %}
+	if bearerToken, ok := os.LookupEnv("{{ schema["x-env-name"] }}"); ok {
+		ctx = context.WithValue(ctx, ContextBearerToken, bearerToken)
+	}
 	{%- endfor %}
 	ctx = context.WithValue(
 		ctx,

api/datadog/client.go

@@ -86,13 +86,21 @@ func UseDelegatedTokenAuth(ctx context.Context, headerParams *map[string]string,
 }
 
 // SetAuthKeys sets the appropriate values in the headers parameter.
+// When a bearer token is present in the context, only the
+// Authorization: Bearer header is sent. No API key or app key
+// headers are included — bearer auth is a standalone auth path.
 func SetAuthKeys(ctx context.Context, headerParams *map[string]string, keys ...[2]string) {
-	if ctx != nil {
-		for _, key := range keys {
-			if auth, ok := ctx.Value(ContextAPIKeys).(map[string]APIKey); ok {
-				if apiKey, ok := auth[key[0]]; ok {
-					(*headerParams)[key[1]] = apiKey.Key
-				}
+	if ctx == nil {
+		return
+	}
+	if bearerToken, ok := ctx.Value(ContextBearerToken).(string); ok {
+		(*headerParams)[authorizationHeader] = fmt.Sprintf(bearerTokenFormat, bearerToken)
+		return
+	}
+	for _, key := range keys {
+		if auth, ok := ctx.Value(ContextAPIKeys).(map[string]APIKey); ok {
+			if apiKey, ok := auth[key[0]]; ok {
+				(*headerParams)[key[1]] = apiKey.Key
 			}
 		}
 	}
@@ -181,6 +189,10 @@ func (c *APIClient) CallAPI(request *http.Request) (*http.Response, error) {
 					dump = valueRegex.ReplaceAll(dump, []byte("REDACTED"))
 				}
 			}
+			if bearerToken, ok := newRequest.Context().Value(ContextBearerToken).(string); ok {
+				valueRegex := regexp.MustCompile(fmt.Sprintf("(?m)%s", bearerToken))
+				dump = valueRegex.ReplaceAll(dump, []byte("REDACTED"))
+			}
 			log.Printf("\n%s\n", string(dump))
 		}
 		resp, requestErr := c.Cfg.HTTPClient.Do(newRequest)

api/datadog/configuration.go

@@ -62,6 +62,9 @@ var (
 
 	// ContextOperationServerVariables overrides a server configuration variables using operation specific values.
 	ContextOperationServerVariables = contextKey("serverOperationVariables")
+
+	// ContextBearerToken takes a bearer token (e.g. PAT) as authentication for the request.
+	ContextBearerToken = contextKey("bearerToken")
 )
 
 // BasicAuth provides basic http authentication to a request passed via context using ContextBasicAuth.
@@ -1064,6 +1067,9 @@ func NewDefaultContext(ctx context.Context) context.Context {
 	if apiKey, ok := os.LookupEnv("DD_APP_KEY"); ok {
 		keys["appKeyAuth"] = APIKey{Key: apiKey}
 	}
+	if bearerToken, ok := os.LookupEnv("DD_BEARER_TOKEN"); ok {
+		ctx = context.WithValue(ctx, ContextBearerToken, bearerToken)
+	}
 	ctx = context.WithValue(
 		ctx,
 		ContextAPIKeys,

tests/api/client_test.go

@@ -3,12 +3,17 @@ package api
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
 	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
 	"github.com/DataDog/datadog-api-client-go/v2/tests/api/mocks"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
-	"testing"
-	"time"
+	"github.com/stretchr/testify/require"
 )
 
 const FAKE_TOKEN = "fake-token"
@@ -155,3 +160,103 @@ func TestApiAppKeyAuthenticate(t *testing.T) {
 	assert.Equal(t, headers["DD-API-KEY"], apiKey)
 	assert.Equal(t, headers["DD-APPLICATION-KEY"], appKey)
 }
+
+func TestPATAuthentication(t *testing.T) {
+	pat := "ddapp_test-pat-token"
+	keys := map[string]datadog.APIKey{
+		"apiKeyAuth": {Key: "api-key"},
+	}
+	testAuthCtx := context.WithValue(
+		context.Background(),
+		datadog.ContextAPIKeys,
+		keys,
+	)
+	testAuthCtx = context.WithValue(testAuthCtx, datadog.ContextBearerToken, pat)
+
+	headers := map[string]string{}
+	datadog.SetAuthKeys(
+		testAuthCtx,
+		&headers,
+		[2]string{"apiKeyAuth", "DD-API-KEY"},
+		[2]string{"appKeyAuth", "DD-APPLICATION-KEY"},
+	)
+	assert.Equal(t, "Bearer ddapp_test-pat-token", headers["Authorization"])
+	assert.Empty(t, headers["DD-API-KEY"], "PAT auth should not send DD-API-KEY")
+	assert.Empty(t, headers["DD-APPLICATION-KEY"], "PAT auth should not send DD-APPLICATION-KEY")
+}
+
+func TestNewDefaultContextWithBearerToken(t *testing.T) {
+	t.Setenv("DD_API_KEY", "test-api-key")
+	t.Setenv("DD_BEARER_TOKEN", "ddapp_test-pat-token")
+
+	ctx := datadog.NewDefaultContext(context.Background())
+	keys := ctx.Value(datadog.ContextAPIKeys).(map[string]datadog.APIKey)
+	assert.Equal(t, "test-api-key", keys["apiKeyAuth"].Key)
+	bearerToken := ctx.Value(datadog.ContextBearerToken).(string)
+	assert.Equal(t, "ddapp_test-pat-token", bearerToken)
+}
+
+func TestNewDefaultContextBearerTokenOverridesAppKey(t *testing.T) {
+	t.Setenv("DD_API_KEY", "test-api-key")
+	t.Setenv("DD_APP_KEY", "test-app-key")
+	t.Setenv("DD_BEARER_TOKEN", "ddapp_test-pat-token")
+
+	ctx := datadog.NewDefaultContext(context.Background())
+	// App key is still stored, but bearer token takes precedence in SetAuthKeys
+	keys := ctx.Value(datadog.ContextAPIKeys).(map[string]datadog.APIKey)
+	assert.Equal(t, "test-app-key", keys["appKeyAuth"].Key)
+	bearerToken := ctx.Value(datadog.ContextBearerToken).(string)
+	assert.Equal(t, "ddapp_test-pat-token", bearerToken)
+
+	// Verify bearer token is used — no API key or app key headers
+	headers := map[string]string{}
+	datadog.SetAuthKeys(
+		ctx,
+		&headers,
+		[2]string{"apiKeyAuth", "DD-API-KEY"},
+		[2]string{"appKeyAuth", "DD-APPLICATION-KEY"},
+	)
+	assert.Equal(t, "Bearer ddapp_test-pat-token", headers["Authorization"])
+	assert.Empty(t, headers["DD-API-KEY"], "Bearer auth should not send DD-API-KEY")
+	assert.Empty(t, headers["DD-APPLICATION-KEY"], "Bearer auth should not send DD-APPLICATION-KEY")
+}
+
+func TestNewDefaultContextAppKeyWithoutBearerToken(t *testing.T) {
+	t.Setenv("DD_API_KEY", "test-api-key")
+	t.Setenv("DD_APP_KEY", "test-app-key")
+
+	ctx := datadog.NewDefaultContext(context.Background())
+	keys := ctx.Value(datadog.ContextAPIKeys).(map[string]datadog.APIKey)
+	assert.Equal(t, "test-app-key", keys["appKeyAuth"].Key)
+	assert.Nil(t, ctx.Value(datadog.ContextBearerToken))
+}
+
+func TestPATBearerHeaderSentViaHTTPClient(t *testing.T) {
+	pat := "ddapp_test-token"
+
+	var capturedHeaders http.Header
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedHeaders = r.Header.Clone()
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(200)
+		fmt.Fprint(w, `{"data":[],"meta":{"page":{"total_count":0,"total_filtered_count":0}}}`)
+	}))
+	defer ts.Close()
+
+	ctx := context.Background()
+	ctx = context.WithValue(ctx, datadog.ContextBearerToken, pat)
+
+	cfg := datadog.NewConfiguration()
+	cfg.Servers = datadog.ServerConfigurations{{URL: ts.URL}}
+	client := datadog.NewAPIClient(cfg)
+	usersAPI := datadogV2.NewUsersApi(client)
+
+	_, httpResp, err := usersAPI.ListUsers(ctx, *datadogV2.NewListUsersOptionalParameters())
+	require.NoError(t, err)
+	defer httpResp.Body.Close()
+
+	assert.Equal(t, 200, httpResp.StatusCode)
+	assert.Equal(t, "Bearer "+pat, capturedHeaders.Get("Authorization"))
+	assert.Empty(t, capturedHeaders.Get("DD-API-KEY"), "PAT auth should not send DD-API-KEY")
+	assert.Empty(t, capturedHeaders.Get("DD-APPLICATION-KEY"), "PAT auth should not send DD-APPLICATION-KEY")
+}

tests/go.mod

@@ -1,6 +1,7 @@
 module github.com/DataDog/datadog-api-client-go/v2/tests
 
-go 1.22
+go 1.23.0
+
 toolchain go1.23.7
 
 require (

tests/go.sum

@@ -114,6 +114,7 @@ github.com/tinylib/msgp v1.1.6 h1:i+SbKraHhnrf9M5MYmvQhFnbLhAXSDWF8WWsuyRdocw=
 github.com/tinylib/msgp v1.1.6/go.mod h1:75BAfg2hauQhs3qedfdDZmWAPcFMAvJE5b9rGOMufyw=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -123,6 +124,7 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -132,6 +134,7 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
 golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -142,15 +145,20 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -167,6 +175,7 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201022035929-9cf592e881e9/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=