Add PAT (Personal Access Token) auth support via Bearer header

tausman · tausman · commit 36432fc06841 · 2026-03-04T20:40:03.000Z
- Add bearer_token field to Configuration with DD_BEARER_TOKEN env var support
- Add bearerAuth entry to auth_settings() when bearer_token is set
- Modify update_params_for_auth() to send Authorization: Bearer instead of
  DD-APPLICATION-KEY when bearer_token is configured
- Delegated auth takes priority over bearer token when both are configured
- Update generator templates (configuration.j2, api_client.j2) to match
- Add comprehensive tests in tests/test_pat_auth.py

Ref: CRED-2146
diff --git a/.generator/src/generator/templates/api_client.j2 b/.generator/src/generator/templates/api_client.j2
@@ -893,9 +893,34 @@ class Endpoint:
             self.api_client.configuration.delegated_auth_org_uuid is not None
         )
 
+        # Check if bearer token (PAT) auth is configured
+        has_bearer_token = self.api_client.configuration.bearer_token is not None
+
         if has_app_key_auth and has_delegated_auth:
             # Use delegated token authentication
             self.api_client.use_delegated_token_auth(headers)
+        elif has_app_key_auth and has_bearer_token:
+            # Use bearer token (PAT) authentication:
+            # Send API key + Authorization: Bearer instead of app key
+            all_auth_settings = self.api_client.configuration.auth_settings()
+            for auth in self.settings["auth"]:
+                if auth == "appKeyAuth":
+                    # Replace app key with bearer token
+                    bearer_setting = all_auth_settings.get("bearerAuth")
+                    if bearer_setting:
+                        headers[bearer_setting["key"]] = bearer_setting["value"]
+                    continue
+                auth_setting = all_auth_settings.get(auth)
+                if auth_setting:
+                    if auth_setting["in"] == "header":
+                        if auth_setting["type"] != "http-signature":
+                            if auth_setting["value"] is None:
+                                raise ApiValueError("Invalid authentication token for {}".format(auth_setting["key"]))
+                            headers[auth_setting["key"]] = auth_setting["value"]
+                    elif auth_setting["in"] == "query":
+                        queries.append((auth_setting["key"], auth_setting["value"]))
+                    else:
+                        raise ApiValueError("Authentication token must be in `query` or `header`")
         else:
             # Use regular authentication
             for auth in self.settings["auth"]:
diff --git a/.generator/src/generator/templates/configuration.j2 b/.generator/src/generator/templates/configuration.j2
@@ -179,6 +179,7 @@ class Configuration:
         retry_policy=None,
         delegated_auth_provider=None,
         delegated_auth_org_uuid=None,
+        bearer_token=None,
     ):
         """Constructor."""
         self._base_path = "https://api.datadoghq.com" if host is None else host
@@ -190,6 +191,7 @@ class Configuration:
 
         # Authentication Settings
         self.access_token = access_token
+        self.bearer_token = bearer_token
         self.api_key = {}
         if api_key:
             self.api_key = api_key
@@ -269,6 +271,8 @@ class Configuration:
             self.api_key["apiKeyAuth"] = os.environ["DD_API_KEY"]
         if "DD_APP_KEY" in os.environ and not self.api_key.get("appKeyAuth"):
             self.api_key["appKeyAuth"] = os.environ["DD_APP_KEY"]
+        if "DD_BEARER_TOKEN" in os.environ and not self.bearer_token:
+            self.bearer_token = os.environ["DD_BEARER_TOKEN"]
 
     def __deepcopy__(self, memo):
         cls = self.__class__
@@ -557,5 +561,12 @@ class Configuration:
             }
 {%- endif %}
 {%- endfor %}
+        if self.bearer_token is not None:
+            auth["bearerAuth"] = {
+                "type": "bearer",
+                "in": "header",
+                "key": "Authorization",
+                "value": "Bearer " + self.bearer_token,
+            }
         return auth
 {# keep new line #}
diff --git a/src/datadog_api_client/api_client.py b/src/datadog_api_client/api_client.py
@@ -902,9 +902,34 @@ def update_params_for_auth(self, headers, queries) -> None:
             and self.api_client.configuration.delegated_auth_org_uuid is not None
         )
 
+        # Check if bearer token (PAT) auth is configured
+        has_bearer_token = self.api_client.configuration.bearer_token is not None
+
         if has_app_key_auth and has_delegated_auth:
             # Use delegated token authentication
             self.api_client.use_delegated_token_auth(headers)
+        elif has_app_key_auth and has_bearer_token:
+            # Use bearer token (PAT) authentication:
+            # Send API key + Authorization: Bearer instead of app key
+            all_auth_settings = self.api_client.configuration.auth_settings()
+            for auth in self.settings["auth"]:
+                if auth == "appKeyAuth":
+                    # Replace app key with bearer token
+                    bearer_setting = all_auth_settings.get("bearerAuth")
+                    if bearer_setting:
+                        headers[bearer_setting["key"]] = bearer_setting["value"]
+                    continue
+                auth_setting = all_auth_settings.get(auth)
+                if auth_setting:
+                    if auth_setting["in"] == "header":
+                        if auth_setting["type"] != "http-signature":
+                            if auth_setting["value"] is None:
+                                raise ApiValueError("Invalid authentication token for {}".format(auth_setting["key"]))
+                            headers[auth_setting["key"]] = auth_setting["value"]
+                    elif auth_setting["in"] == "query":
+                        queries.append((auth_setting["key"], auth_setting["value"]))
+                    else:
+                        raise ApiValueError("Authentication token must be in `query` or `header`")
         else:
             # Use regular authentication
             for auth in self.settings["auth"]:
diff --git a/src/datadog_api_client/configuration.py b/src/datadog_api_client/configuration.py
@@ -180,6 +180,7 @@ def __init__(
         retry_policy=None,
         delegated_auth_provider=None,
         delegated_auth_org_uuid=None,
+        bearer_token=None,
     ):
         """Constructor."""
         self._base_path = "https://api.datadoghq.com" if host is None else host
@@ -191,6 +192,7 @@ def __init__(
 
         # Authentication Settings
         self.access_token = access_token
+        self.bearer_token = bearer_token
         self.api_key = {}
         if api_key:
             self.api_key = api_key
@@ -478,6 +480,8 @@ def __init__(
             self.api_key["apiKeyAuth"] = os.environ["DD_API_KEY"]
         if "DD_APP_KEY" in os.environ and not self.api_key.get("appKeyAuth"):
             self.api_key["appKeyAuth"] = os.environ["DD_APP_KEY"]
+        if "DD_BEARER_TOKEN" in os.environ and not self.bearer_token:
+            self.bearer_token = os.environ["DD_BEARER_TOKEN"]
 
     def __deepcopy__(self, memo):
         cls = self.__class__
@@ -777,4 +781,11 @@ def auth_settings(self):
                     "appKeyAuth",
                 ),
             }
+        if self.bearer_token is not None:
+            auth["bearerAuth"] = {
+                "type": "bearer",
+                "in": "header",
+                "key": "Authorization",
+                "value": "Bearer " + self.bearer_token,
+            }
         return auth
diff --git a/tests/test_pat_auth.py b/tests/test_pat_auth.py
@@ -0,0 +1,165 @@
+"""Tests for Personal Access Token (PAT) authentication support."""
+
+import pytest
+from datetime import datetime, timedelta
+from unittest.mock import patch
+
+from datadog_api_client.api_client import ApiClient, Endpoint as _Endpoint
+from datadog_api_client.configuration import Configuration
+from datadog_api_client.delegated_auth import (
+    DelegatedTokenCredentials,
+    DelegatedTokenConfig,
+    DelegatedTokenProvider,
+)
+
+
+class TestBearerTokenConfiguration:
+    """Test bearer_token field on Configuration."""
+
+    def test_bearer_token_stored(self):
+        config = Configuration(bearer_token="ddapp_test123")
+        assert config.bearer_token == "ddapp_test123"
+
+    def test_bearer_token_default_none(self):
+        config = Configuration()
+        assert config.bearer_token is None
+
+    @patch.dict("os.environ", {"DD_BEARER_TOKEN": "ddapp_from_env"})
+    def test_bearer_token_env_var(self):
+        config = Configuration()
+        assert config.bearer_token == "ddapp_from_env"
+
+    @patch.dict("os.environ", {"DD_BEARER_TOKEN": "ddapp_from_env"})
+    def test_bearer_token_env_var_no_override(self):
+        config = Configuration(bearer_token="ddapp_explicit")
+        assert config.bearer_token == "ddapp_explicit"
+
+
+class TestAuthSettingsWithBearerToken:
+    """Test auth_settings() with bearer_token configured."""
+
+    def test_auth_settings_includes_bearer(self):
+        config = Configuration(bearer_token="ddapp_test123")
+        auth = config.auth_settings()
+        assert "bearerAuth" in auth
+        assert auth["bearerAuth"]["type"] == "bearer"
+        assert auth["bearerAuth"]["in"] == "header"
+        assert auth["bearerAuth"]["key"] == "Authorization"
+        assert auth["bearerAuth"]["value"] == "Bearer ddapp_test123"
+
+    def test_auth_settings_without_bearer(self):
+        config = Configuration()
+        auth = config.auth_settings()
+        assert "bearerAuth" not in auth
+
+    def test_auth_settings_bearer_coexists_with_api_keys(self):
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+            bearer_token="ddapp_test123",
+        )
+        auth = config.auth_settings()
+        assert "bearerAuth" in auth
+        assert "apiKeyAuth" in auth
+        assert "appKeyAuth" in auth
+
+
+class TestUpdateParamsForAuthWithBearerToken:
+    """Test that update_params_for_auth uses bearer token correctly."""
+
+    def _make_endpoint(self, config, auth_schemes):
+        """Helper to create an Endpoint with given auth schemes."""
+        api_client = ApiClient(config)
+        return _Endpoint(
+            settings={
+                "response_type": None,
+                "auth": auth_schemes,
+                "endpoint_path": "/api/v2/test",
+                "operation_id": "test_op",
+                "http_method": "GET",
+                "version": "v2",
+            },
+            params_map={},
+            headers_map={"accept": ["application/json"]},
+            api_client=api_client,
+        )
+
+    def test_bearer_replaces_app_key(self):
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+            bearer_token="ddapp_test_pat",
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["DD-API-KEY"] == "test-api-key"
+        assert headers["Authorization"] == "Bearer ddapp_test_pat"
+        assert "DD-APPLICATION-KEY" not in headers
+
+    def test_bearer_without_app_key_auth_scheme(self):
+        """If endpoint doesn't use appKeyAuth, bearer token is not used."""
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key"},
+            bearer_token="ddapp_test_pat",
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["DD-API-KEY"] == "test-api-key"
+        assert "Authorization" not in headers
+
+    def test_regular_auth_without_bearer(self):
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["DD-API-KEY"] == "test-api-key"
+        assert headers["DD-APPLICATION-KEY"] == "test-app-key"
+        assert "Authorization" not in headers
+
+    def test_delegated_auth_takes_priority_over_bearer(self):
+        """When both delegated auth and bearer token are configured, delegated wins."""
+
+        class MockProvider(DelegatedTokenProvider):
+            def authenticate(self, config, api_config):
+                return DelegatedTokenCredentials(
+                    org_uuid="test-org",
+                    delegated_token="delegated-token-123",
+                    delegated_proof="proof",
+                    expiration=datetime.now() + timedelta(minutes=10),
+                )
+
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+            bearer_token="ddapp_test_pat",
+            delegated_auth_provider=MockProvider(),
+            delegated_auth_org_uuid="test-org",
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        # Delegated auth should be used, not bearer token
+        assert headers["Authorization"] == "Bearer delegated-token-123"
+        assert "DD-APPLICATION-KEY" not in headers
+
+    def test_bearer_with_no_api_key_set(self):
+        """Bearer token with apiKeyAuth in scheme but no key configured."""
+        config = Configuration(bearer_token="ddapp_test_pat")
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        # apiKeyAuth is not configured, so it won't be in headers
+        assert "DD-API-KEY" not in headers
+        # Bearer token should still be set (replacing appKeyAuth)
+        assert headers["Authorization"] == "Bearer ddapp_test_pat"
