Remove mutual exclusivity between PAT and API+App key auth

tausman · tausman · commit f7ec619e4f0f · 2026-03-05T00:44:34.000Z
diff --git a/.generator/src/generator/templates/api_client.j2 b/.generator/src/generator/templates/api_client.j2
@@ -893,16 +893,7 @@ class Endpoint:
             self.api_client.configuration.delegated_auth_org_uuid is not None
         )
 
-        # Check if bearer token (PAT) auth is configured
-        has_bearer_token = self.api_client.configuration.access_token is not None and "bearerAuth" in self.settings["auth"]
-
-        if has_bearer_token:
-            # Bearer token authentication: send ONLY Authorization: Bearer header.
-            # This is a separate auth path — no API key or app key headers.
-            bearer_setting = self.api_client.configuration.auth_settings().get("bearerAuth")
-            if bearer_setting:
-                headers[bearer_setting["key"]] = bearer_setting["value"]
-        elif has_app_key_auth and has_delegated_auth:
+        if has_app_key_auth and has_delegated_auth:
             # Use delegated token authentication
             self.api_client.use_delegated_token_auth(headers)
         else:
diff --git a/src/datadog_api_client/api_client.py b/src/datadog_api_client/api_client.py
@@ -902,16 +902,7 @@ def update_params_for_auth(self, headers, queries) -> None:
             and self.api_client.configuration.delegated_auth_org_uuid is not None
         )
 
-        # Check if bearer token (PAT) auth is configured
-        has_bearer_token = self.api_client.configuration.access_token is not None and "bearerAuth" in self.settings["auth"]
-
-        if has_bearer_token:
-            # Bearer token authentication: send ONLY Authorization: Bearer header.
-            # This is a separate auth path — no API key or app key headers.
-            bearer_setting = self.api_client.configuration.auth_settings().get("bearerAuth")
-            if bearer_setting:
-                headers[bearer_setting["key"]] = bearer_setting["value"]
-        elif has_app_key_auth and has_delegated_auth:
+        if has_app_key_auth and has_delegated_auth:
             # Use delegated token authentication
             self.api_client.use_delegated_token_auth(headers)
         else:
diff --git a/tests/test_pat_auth.py b/tests/test_pat_auth.py
@@ -54,7 +54,7 @@ def test_auth_settings_without_bearer(self):
 
 
 class TestUpdateParamsForAuthWithBearerToken:
-    """Test that update_params_for_auth uses bearer token correctly."""
+    """Test that update_params_for_auth sends all configured auth headers."""
 
     def _make_endpoint(self, config, auth_schemes):
         """Helper to create an Endpoint with given auth schemes."""
@@ -73,8 +73,8 @@ def _make_endpoint(self, config, auth_schemes):
             api_client=api_client,
         )
 
-    def test_bearer_sends_only_authorization_header(self):
-        """When access_token is set and bearerAuth is in auth, only Authorization: Bearer is sent."""
+    def test_all_auth_headers_sent_when_all_configured(self):
+        """When all credentials are set, all auth headers are sent."""
         config = Configuration(
             api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
             access_token="ddpat_test_pat",
@@ -85,11 +85,11 @@ def test_bearer_sends_only_authorization_header(self):
         endpoint.update_params_for_auth(headers, queries)
 
         assert headers["Authorization"] == "Bearer ddpat_test_pat"
-        assert "DD-API-KEY" not in headers
-        assert "DD-APPLICATION-KEY" not in headers
+        assert headers["DD-API-KEY"] == "test-api-key"
+        assert headers["DD-APPLICATION-KEY"] == "test-app-key"
 
-    def test_bearer_without_api_keys(self):
-        """Bearer token works even without any API keys configured."""
+    def test_bearer_only(self):
+        """Bearer token works without any API keys configured."""
         config = Configuration(access_token="ddpat_test_pat")
         endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth", "bearerAuth"])
         headers = {}
@@ -100,21 +100,8 @@ def test_bearer_without_api_keys(self):
         assert "DD-API-KEY" not in headers
         assert "DD-APPLICATION-KEY" not in headers
 
-    def test_no_bearer_when_not_in_endpoint_auth(self):
-        """access_token set but endpoint doesn't declare bearerAuth — uses regular auth."""
-        config = Configuration(
-            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
-            access_token="ddpat_test_pat",
-        )
-        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
-        headers = {}
-        queries = []
-        endpoint.update_params_for_auth(headers, queries)
-
-        assert headers["DD-API-KEY"] == "test-api-key"
-        assert headers["DD-APPLICATION-KEY"] == "test-app-key"
-
-    def test_regular_auth_without_bearer(self):
+    def test_api_keys_only(self):
+        """Regular auth works without bearer token."""
         config = Configuration(
             api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
         )
@@ -127,30 +114,17 @@ def test_regular_auth_without_bearer(self):
         assert headers["DD-APPLICATION-KEY"] == "test-app-key"
         assert "Authorization" not in headers
 
-    def test_bearer_takes_priority_over_delegated_auth(self):
-        """When both bearer token and delegated auth are configured, bearer wins."""
-
-        class MockProvider(DelegatedTokenProvider):
-            def authenticate(self, config, api_config):
-                return DelegatedTokenCredentials(
-                    org_uuid="test-org",
-                    delegated_token="delegated-token-123",
-                    delegated_proof="proof",
-                    expiration=datetime.now() + timedelta(minutes=10),
-                )
-
+    def test_bearer_not_sent_when_not_in_endpoint_auth(self):
+        """access_token set but endpoint doesn't declare bearerAuth."""
         config = Configuration(
             api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
             access_token="ddpat_test_pat",
-            delegated_auth_provider=MockProvider(),
-            delegated_auth_org_uuid="test-org",
         )
-        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth", "bearerAuth"])
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
         headers = {}
         queries = []
         endpoint.update_params_for_auth(headers, queries)
 
-        # Bearer token takes priority
-        assert headers["Authorization"] == "Bearer ddpat_test_pat"
-        assert "DD-API-KEY" not in headers
-        assert "DD-APPLICATION-KEY" not in headers
+        assert headers["DD-API-KEY"] == "test-api-key"
+        assert headers["DD-APPLICATION-KEY"] == "test-app-key"
+        assert "Authorization" not in headers
