Fix PAT auth: Bearer-only, no API key/app key headers (CRED-2147)

tausman · tausman · commit 3fd94ec6e146 · 2026-03-04T21:19:07.000Z
PAT auth is a standalone auth path — when a PAT is configured, the client
sends only Authorization: Bearer &lt;token&gt; with no DD-API-KEY or
DD-APPLICATION-KEY headers. This is mutually exclusive with the existing
API key + app key flow.

Changes:
- Add ContextPATKey context variable to store PAT separately
- SetAuthKeys: when PAT is present, send only Authorization: Bearer and
  skip all other auth headers (apiKeyAuth, appKeyAuth)
- NewDefaultContext: store DD_PAT env var in ContextPATKey (not appKeyAuth)
- Update template (.j2) to match
- Update unit tests to verify Bearer-only behavior (no API key headers)
- Add mock-server test confirming full HTTP flow sends correct headers

Verified against staging: Bearer-only auth returns 200 on /api/v2/users
and /api/v2/current_user.
diff --git a/.generator/src/generator/templates/configuration.j2 b/.generator/src/generator/templates/configuration.j2
@@ -400,6 +400,9 @@ func NewDefaultContext(ctx context.Context) context.Context {
 	}
 
 	{%- endfor %}
+	if pat, ok := os.LookupEnv("DD_PAT"); ok {
+		ctx = context.WithValue(ctx, ContextPATKey, pat)
+	}
 	ctx = context.WithValue(
 		ctx,
 		ContextAPIKeys,
diff --git a/api/datadog/client.go b/api/datadog/client.go
@@ -86,13 +86,21 @@ func UseDelegatedTokenAuth(ctx context.Context, headerParams *map[string]string,
 }
 
 // SetAuthKeys sets the appropriate values in the headers parameter.
+// When a PAT (Personal Access Token) is present in the context, only the
+// Authorization: Bearer header is sent. No DD-API-KEY or DD-APPLICATION-KEY
+// headers are included — PAT auth is a standalone auth path.
 func SetAuthKeys(ctx context.Context, headerParams *map[string]string, keys ...[2]string) {
-	if ctx != nil {
-		for _, key := range keys {
-			if auth, ok := ctx.Value(ContextAPIKeys).(map[string]APIKey); ok {
-				if apiKey, ok := auth[key[0]]; ok {
-					(*headerParams)[key[1]] = apiKey.Key
-				}
+	if ctx == nil {
+		return
+	}
+	if pat, ok := ctx.Value(ContextPATKey).(string); ok {
+		(*headerParams)[authorizationHeader] = fmt.Sprintf(bearerTokenFormat, pat)
+		return
+	}
+	for _, key := range keys {
+		if auth, ok := ctx.Value(ContextAPIKeys).(map[string]APIKey); ok {
+			if apiKey, ok := auth[key[0]]; ok {
+				(*headerParams)[key[1]] = apiKey.Key
 			}
 		}
 	}
diff --git a/api/datadog/configuration.go b/api/datadog/configuration.go
@@ -62,6 +62,9 @@ var (
 
 	// ContextOperationServerVariables overrides a server configuration variables using operation specific values.
 	ContextOperationServerVariables = contextKey("serverOperationVariables")
+
+	// ContextPATKey holds the Personal Access Token for Bearer auth.
+	ContextPATKey = contextKey("patKey")
 )
 
 // BasicAuth provides basic http authentication to a request passed via context using ContextBasicAuth.
@@ -1064,6 +1067,9 @@ func NewDefaultContext(ctx context.Context) context.Context {
 	if apiKey, ok := os.LookupEnv("DD_APP_KEY"); ok {
 		keys["appKeyAuth"] = APIKey{Key: apiKey}
 	}
+	if pat, ok := os.LookupEnv("DD_PAT"); ok {
+		ctx = context.WithValue(ctx, ContextPATKey, pat)
+	}
 	ctx = context.WithValue(
 		ctx,
 		ContextAPIKeys,
diff --git a/tests/api/client_test.go b/tests/api/client_test.go
@@ -3,12 +3,17 @@ package api
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
 	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
 	"github.com/DataDog/datadog-api-client-go/v2/tests/api/mocks"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
-	"testing"
-	"time"
+	"github.com/stretchr/testify/require"
 )
 
 const FAKE_TOKEN = "fake-token"
@@ -155,3 +160,103 @@ func TestApiAppKeyAuthenticate(t *testing.T) {
 	assert.Equal(t, headers["DD-API-KEY"], apiKey)
 	assert.Equal(t, headers["DD-APPLICATION-KEY"], appKey)
 }
+
+func TestPATAuthentication(t *testing.T) {
+	pat := "ddapp_test-pat-token"
+	keys := map[string]datadog.APIKey{
+		"apiKeyAuth": {Key: "api-key"},
+	}
+	testAuthCtx := context.WithValue(
+		context.Background(),
+		datadog.ContextAPIKeys,
+		keys,
+	)
+	testAuthCtx = context.WithValue(testAuthCtx, datadog.ContextPATKey, pat)
+
+	headers := map[string]string{}
+	datadog.SetAuthKeys(
+		testAuthCtx,
+		&headers,
+		[2]string{"apiKeyAuth", "DD-API-KEY"},
+		[2]string{"appKeyAuth", "DD-APPLICATION-KEY"},
+	)
+	assert.Equal(t, "Bearer ddapp_test-pat-token", headers["Authorization"])
+	assert.Empty(t, headers["DD-API-KEY"], "PAT auth should not send DD-API-KEY")
+	assert.Empty(t, headers["DD-APPLICATION-KEY"], "PAT auth should not send DD-APPLICATION-KEY")
+}
+
+func TestNewDefaultContextWithPAT(t *testing.T) {
+	t.Setenv("DD_API_KEY", "test-api-key")
+	t.Setenv("DD_PAT", "ddapp_test-pat-token")
+
+	ctx := datadog.NewDefaultContext(context.Background())
+	keys := ctx.Value(datadog.ContextAPIKeys).(map[string]datadog.APIKey)
+	assert.Equal(t, "test-api-key", keys["apiKeyAuth"].Key)
+	pat := ctx.Value(datadog.ContextPATKey).(string)
+	assert.Equal(t, "ddapp_test-pat-token", pat)
+}
+
+func TestNewDefaultContextPATOverridesAppKey(t *testing.T) {
+	t.Setenv("DD_API_KEY", "test-api-key")
+	t.Setenv("DD_APP_KEY", "test-app-key")
+	t.Setenv("DD_PAT", "ddapp_test-pat-token")
+
+	ctx := datadog.NewDefaultContext(context.Background())
+	// App key is still stored, but PAT takes precedence in SetAuthKeys
+	keys := ctx.Value(datadog.ContextAPIKeys).(map[string]datadog.APIKey)
+	assert.Equal(t, "test-app-key", keys["appKeyAuth"].Key)
+	pat := ctx.Value(datadog.ContextPATKey).(string)
+	assert.Equal(t, "ddapp_test-pat-token", pat)
+
+	// Verify PAT is used as Bearer — no API key or app key headers
+	headers := map[string]string{}
+	datadog.SetAuthKeys(
+		ctx,
+		&headers,
+		[2]string{"apiKeyAuth", "DD-API-KEY"},
+		[2]string{"appKeyAuth", "DD-APPLICATION-KEY"},
+	)
+	assert.Equal(t, "Bearer ddapp_test-pat-token", headers["Authorization"])
+	assert.Empty(t, headers["DD-API-KEY"], "PAT auth should not send DD-API-KEY")
+	assert.Empty(t, headers["DD-APPLICATION-KEY"], "PAT auth should not send DD-APPLICATION-KEY")
+}
+
+func TestNewDefaultContextAppKeyWithoutPAT(t *testing.T) {
+	t.Setenv("DD_API_KEY", "test-api-key")
+	t.Setenv("DD_APP_KEY", "test-app-key")
+
+	ctx := datadog.NewDefaultContext(context.Background())
+	keys := ctx.Value(datadog.ContextAPIKeys).(map[string]datadog.APIKey)
+	assert.Equal(t, "test-app-key", keys["appKeyAuth"].Key)
+	assert.Nil(t, ctx.Value(datadog.ContextPATKey))
+}
+
+func TestPATBearerHeaderSentViaHTTPClient(t *testing.T) {
+	pat := "ddapp_test-token"
+
+	var capturedHeaders http.Header
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedHeaders = r.Header.Clone()
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(200)
+		fmt.Fprint(w, `{"data":[],"meta":{"page":{"total_count":0,"total_filtered_count":0}}}`)
+	}))
+	defer ts.Close()
+
+	ctx := context.Background()
+	ctx = context.WithValue(ctx, datadog.ContextPATKey, pat)
+
+	cfg := datadog.NewConfiguration()
+	cfg.Servers = datadog.ServerConfigurations{{URL: ts.URL}}
+	client := datadog.NewAPIClient(cfg)
+	usersAPI := datadogV2.NewUsersApi(client)
+
+	_, httpResp, err := usersAPI.ListUsers(ctx, *datadogV2.NewListUsersOptionalParameters())
+	require.NoError(t, err)
+	defer httpResp.Body.Close()
+
+	assert.Equal(t, 200, httpResp.StatusCode)
+	assert.Equal(t, "Bearer "+pat, capturedHeaders.Get("Authorization"))
+	assert.Empty(t, capturedHeaders.Get("DD-API-KEY"), "PAT auth should not send DD-API-KEY")
+	assert.Empty(t, capturedHeaders.Get("DD-APPLICATION-KEY"), "PAT auth should not send DD-APPLICATION-KEY")
+}
diff --git a/tests/go.mod b/tests/go.mod
@@ -1,6 +1,7 @@
 module github.com/DataDog/datadog-api-client-go/v2/tests
 
-go 1.22
+go 1.23.0
+
 toolchain go1.23.7
 
 require (
diff --git a/tests/go.sum b/tests/go.sum
@@ -114,6 +114,7 @@ github.com/tinylib/msgp v1.1.6 h1:i+SbKraHhnrf9M5MYmvQhFnbLhAXSDWF8WWsuyRdocw=
 github.com/tinylib/msgp v1.1.6/go.mod h1:75BAfg2hauQhs3qedfdDZmWAPcFMAvJE5b9rGOMufyw=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -123,6 +124,7 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -132,6 +134,7 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
 golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -142,15 +145,20 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -167,6 +175,7 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201022035929-9cf592e881e9/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

Original file line number	Diff line number	Diff line change
`@@ -400,6 +400,9 @@ func NewDefaultContext(ctx context.Context) context.Context {`
`400`	`400`	`}`
`401`	`401`
`402`	`402`	`{%- endfor %}`
	`403`	`+ if pat, ok := os.LookupEnv("DD_PAT"); ok {`
	`404`	`+ ctx = context.WithValue(ctx, ContextPATKey, pat)`
	`405`	`+ }`
`403`	`406`	`ctx = context.WithValue(`
`404`	`407`	`ctx,`
`405`	`408`	`ContextAPIKeys,`