Add PAT (Personal Access Token) auth support via Bearer header

tausman · tausman · commit fd911c266a03 · 2026-03-04T21:17:03.000Z
PAT auth is a separate auth path from API key + App key. When a bearer
token is configured, the client sends ONLY the Authorization: Bearer
header — no DD-API-KEY or DD-APPLICATION-KEY headers are sent.

Priority order: PAT (bearer_token) &gt; Delegated Auth &gt; API key + App key.
diff --git a/.generator/src/generator/templates/api_client.j2 b/.generator/src/generator/templates/api_client.j2
@@ -893,7 +893,16 @@ class Endpoint:
             self.api_client.configuration.delegated_auth_org_uuid is not None
         )
 
-        if has_app_key_auth and has_delegated_auth:
+        # Check if bearer token (PAT) auth is configured
+        has_bearer_token = self.api_client.configuration.bearer_token is not None
+
+        if has_bearer_token:
+            # PAT authentication: send ONLY Authorization: Bearer header.
+            # This is a separate auth path — no API key or app key headers.
+            bearer_setting = self.api_client.configuration.auth_settings().get("bearerAuth")
+            if bearer_setting:
+                headers[bearer_setting["key"]] = bearer_setting["value"]
+        elif has_app_key_auth and has_delegated_auth:
             # Use delegated token authentication
             self.api_client.use_delegated_token_auth(headers)
         else:
diff --git a/.generator/src/generator/templates/configuration.j2 b/.generator/src/generator/templates/configuration.j2
@@ -179,6 +179,7 @@ class Configuration:
         retry_policy=None,
         delegated_auth_provider=None,
         delegated_auth_org_uuid=None,
+        bearer_token=None,
     ):
         """Constructor."""
         self._base_path = "https://api.datadoghq.com" if host is None else host
@@ -190,6 +191,7 @@ class Configuration:
 
         # Authentication Settings
         self.access_token = access_token
+        self.bearer_token = bearer_token
         self.api_key = {}
         if api_key:
             self.api_key = api_key
@@ -269,6 +271,8 @@ class Configuration:
             self.api_key["apiKeyAuth"] = os.environ["DD_API_KEY"]
         if "DD_APP_KEY" in os.environ and not self.api_key.get("appKeyAuth"):
             self.api_key["appKeyAuth"] = os.environ["DD_APP_KEY"]
+        if "DD_BEARER_TOKEN" in os.environ and not self.bearer_token:
+            self.bearer_token = os.environ["DD_BEARER_TOKEN"]
 
     def __deepcopy__(self, memo):
         cls = self.__class__
@@ -557,5 +561,12 @@ class Configuration:
             }
 {%- endif %}
 {%- endfor %}
+        if self.bearer_token is not None:
+            auth["bearerAuth"] = {
+                "type": "bearer",
+                "in": "header",
+                "key": "Authorization",
+                "value": "Bearer " + self.bearer_token,
+            }
         return auth
 {# keep new line #}
diff --git a/src/datadog_api_client/api_client.py b/src/datadog_api_client/api_client.py
@@ -902,7 +902,16 @@ def update_params_for_auth(self, headers, queries) -> None:
             and self.api_client.configuration.delegated_auth_org_uuid is not None
         )
 
-        if has_app_key_auth and has_delegated_auth:
+        # Check if bearer token (PAT) auth is configured
+        has_bearer_token = self.api_client.configuration.bearer_token is not None
+
+        if has_bearer_token:
+            # PAT authentication: send ONLY Authorization: Bearer header.
+            # This is a separate auth path — no API key or app key headers.
+            bearer_setting = self.api_client.configuration.auth_settings().get("bearerAuth")
+            if bearer_setting:
+                headers[bearer_setting["key"]] = bearer_setting["value"]
+        elif has_app_key_auth and has_delegated_auth:
             # Use delegated token authentication
             self.api_client.use_delegated_token_auth(headers)
         else:
diff --git a/src/datadog_api_client/configuration.py b/src/datadog_api_client/configuration.py
@@ -180,6 +180,7 @@ def __init__(
         retry_policy=None,
         delegated_auth_provider=None,
         delegated_auth_org_uuid=None,
+        bearer_token=None,
     ):
         """Constructor."""
         self._base_path = "https://api.datadoghq.com" if host is None else host
@@ -191,6 +192,7 @@ def __init__(
 
         # Authentication Settings
         self.access_token = access_token
+        self.bearer_token = bearer_token
         self.api_key = {}
         if api_key:
             self.api_key = api_key
@@ -478,6 +480,8 @@ def __init__(
             self.api_key["apiKeyAuth"] = os.environ["DD_API_KEY"]
         if "DD_APP_KEY" in os.environ and not self.api_key.get("appKeyAuth"):
             self.api_key["appKeyAuth"] = os.environ["DD_APP_KEY"]
+        if "DD_BEARER_TOKEN" in os.environ and not self.bearer_token:
+            self.bearer_token = os.environ["DD_BEARER_TOKEN"]
 
     def __deepcopy__(self, memo):
         cls = self.__class__
@@ -777,4 +781,11 @@ def auth_settings(self):
                     "appKeyAuth",
                 ),
             }
+        if self.bearer_token is not None:
+            auth["bearerAuth"] = {
+                "type": "bearer",
+                "in": "header",
+                "key": "Authorization",
+                "value": "Bearer " + self.bearer_token,
+            }
         return auth
diff --git a/tests/test_pat_auth.py b/tests/test_pat_auth.py
@@ -0,0 +1,156 @@
+"""Tests for Personal Access Token (PAT) authentication support."""
+
+import pytest
+from datetime import datetime, timedelta
+from unittest.mock import patch
+
+from datadog_api_client.api_client import ApiClient, Endpoint as _Endpoint
+from datadog_api_client.configuration import Configuration
+from datadog_api_client.delegated_auth import (
+    DelegatedTokenCredentials,
+    DelegatedTokenConfig,
+    DelegatedTokenProvider,
+)
+
+
+class TestBearerTokenConfiguration:
+    """Test bearer_token field on Configuration."""
+
+    def test_bearer_token_stored(self):
+        config = Configuration(bearer_token="ddpat_test123")
+        assert config.bearer_token == "ddpat_test123"
+
+    def test_bearer_token_default_none(self):
+        config = Configuration()
+        assert config.bearer_token is None
+
+    @patch.dict("os.environ", {"DD_BEARER_TOKEN": "ddpat_from_env"})
+    def test_bearer_token_env_var(self):
+        config = Configuration()
+        assert config.bearer_token == "ddpat_from_env"
+
+    @patch.dict("os.environ", {"DD_BEARER_TOKEN": "ddpat_from_env"})
+    def test_bearer_token_env_var_no_override(self):
+        config = Configuration(bearer_token="ddpat_explicit")
+        assert config.bearer_token == "ddpat_explicit"
+
+
+class TestAuthSettingsWithBearerToken:
+    """Test auth_settings() with bearer_token configured."""
+
+    def test_auth_settings_includes_bearer(self):
+        config = Configuration(bearer_token="ddpat_test123")
+        auth = config.auth_settings()
+        assert "bearerAuth" in auth
+        assert auth["bearerAuth"]["type"] == "bearer"
+        assert auth["bearerAuth"]["in"] == "header"
+        assert auth["bearerAuth"]["key"] == "Authorization"
+        assert auth["bearerAuth"]["value"] == "Bearer ddpat_test123"
+
+    def test_auth_settings_without_bearer(self):
+        config = Configuration()
+        auth = config.auth_settings()
+        assert "bearerAuth" not in auth
+
+
+class TestUpdateParamsForAuthWithBearerToken:
+    """Test that update_params_for_auth uses bearer token correctly."""
+
+    def _make_endpoint(self, config, auth_schemes):
+        """Helper to create an Endpoint with given auth schemes."""
+        api_client = ApiClient(config)
+        return _Endpoint(
+            settings={
+                "response_type": None,
+                "auth": auth_schemes,
+                "endpoint_path": "/api/v2/test",
+                "operation_id": "test_op",
+                "http_method": "GET",
+                "version": "v2",
+            },
+            params_map={},
+            headers_map={"accept": ["application/json"]},
+            api_client=api_client,
+        )
+
+    def test_bearer_sends_only_authorization_header(self):
+        """When bearer_token is set, only Authorization: Bearer is sent."""
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+            bearer_token="ddpat_test_pat",
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["Authorization"] == "Bearer ddpat_test_pat"
+        assert "DD-API-KEY" not in headers
+        assert "DD-APPLICATION-KEY" not in headers
+
+    def test_bearer_without_api_keys(self):
+        """Bearer token works even without any API keys configured."""
+        config = Configuration(bearer_token="ddpat_test_pat")
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["Authorization"] == "Bearer ddpat_test_pat"
+        assert "DD-API-KEY" not in headers
+        assert "DD-APPLICATION-KEY" not in headers
+
+    def test_bearer_on_apikey_only_endpoint(self):
+        """Bearer token is used even if endpoint only declares apiKeyAuth."""
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key"},
+            bearer_token="ddpat_test_pat",
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["Authorization"] == "Bearer ddpat_test_pat"
+        assert "DD-API-KEY" not in headers
+
+    def test_regular_auth_without_bearer(self):
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["DD-API-KEY"] == "test-api-key"
+        assert headers["DD-APPLICATION-KEY"] == "test-app-key"
+        assert "Authorization" not in headers
+
+    def test_bearer_takes_priority_over_delegated_auth(self):
+        """When both bearer token and delegated auth are configured, bearer wins."""
+
+        class MockProvider(DelegatedTokenProvider):
+            def authenticate(self, config, api_config):
+                return DelegatedTokenCredentials(
+                    org_uuid="test-org",
+                    delegated_token="delegated-token-123",
+                    delegated_proof="proof",
+                    expiration=datetime.now() + timedelta(minutes=10),
+                )
+
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+            bearer_token="ddpat_test_pat",
+            delegated_auth_provider=MockProvider(),
+            delegated_auth_org_uuid="test-org",
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        # Bearer token takes priority
+        assert headers["Authorization"] == "Bearer ddpat_test_pat"
+        assert "DD-API-KEY" not in headers
+        assert "DD-APPLICATION-KEY" not in headers
