Add Personal Access Token (PAT) auth support

When a PAT is configured, use Bearer auth exclusively. PAT auth is a
separate auth path that replaces API key + App key entirely - send only
Authorization: Bearer <PAT> header, no DD-API-KEY or DD-APPLICATION-KEY.

Author: tausman

lib/datadog_api_client/api_client.rb

@@ -154,7 +154,7 @@ def calculate_retry_interval(response, backoff_base, backoff_multiplier, attempt
     #Redact api and app key in the request header
     def sanitize_request_header(request_header)
       sanitized_headers= request_header.dup
-      keys_to_redact = ["DD-API-KEY", "DD-APPLICATION-KEY"]
+      keys_to_redact = ["DD-API-KEY", "DD-APPLICATION-KEY", "Authorization"]
       keys_to_redact.each do |key_to_redact|
         if sanitized_headers.key?(key_to_redact)
           sanitized_headers[key_to_redact] = "REDACTED"
@@ -377,9 +377,18 @@ def build_request_url(path, opts = {})
     # @param [Hash] query_params Query parameters
     # @param [String] auth_names Authentication scheme name
     def update_params_for_auth!(header_params, query_params, auth_names)
-      Array(auth_names).each do |auth_name|
+      auth_names = Array(auth_names)
+
+      # When a personal access token is configured, use Bearer auth exclusively.
+      # PAT auth is a separate auth path that replaces API key + App key entirely.
+      if @config.personal_access_token
+        auth_names = [:bearerAuth]
+      end
+
+      auth_names.each do |auth_name|
         auth_setting = @config.auth_settings[auth_name]
         next unless auth_setting
+        next if auth_setting[:value].nil? || auth_setting[:value].to_s.empty?
         case auth_setting[:in]
         when 'header' then header_params[auth_setting[:key]] = auth_setting[:value]
         when 'query'  then query_params[auth_setting[:key]] = auth_setting[:value]

lib/datadog_api_client/configuration.rb

@@ -65,6 +65,10 @@ class Configuration
     # Defines the access token (Bearer) used with OAuth2.
     attr_accessor :access_token
 
+    # Defines the personal access token (PAT) used for Bearer authentication.
+    # When set, sends Authorization: Bearer <token> header in place of DD-APPLICATION-KEY.
+    attr_accessor :personal_access_token
+
     # Set this to enable/disable debugging. When enabled (set to true), HTTP request/response
     # details will be logged with `logger.debug` (see the `logger` attribute).
     # Default to false.
@@ -408,6 +412,7 @@ def initialize
       @server_variables[:site] = ENV['DD_SITE'] if ENV.key? 'DD_SITE'
       @api_key['apiKeyAuth'] = ENV['DD_API_KEY'] if ENV.key? 'DD_API_KEY'
       @api_key['appKeyAuth'] = ENV['DD_APP_KEY'] if ENV.key? 'DD_APP_KEY'
+      @personal_access_token = ENV['DD_PAT'] if ENV.key? 'DD_PAT'
 
       yield(self) if block_given?
     end
@@ -503,6 +508,13 @@ def auth_settings
             key: 'DD-APPLICATION-KEY',
             value: api_key_with_prefix('appKeyAuth')
           },
+        bearerAuth:
+          {
+            type: 'http',
+            in: 'header',
+            key: 'Authorization',
+            value: personal_access_token ? "Bearer #{personal_access_token}" : nil
+          },
       }
     end
 

spec/api_client_spec.rb

@@ -206,4 +206,69 @@
       expect(api_client.sanitize_filename('.\sun.gif')).to eq('sun.gif')
     end
   end
+
+  describe '#update_params_for_auth!' do
+    let(:config) { DatadogAPIClient::Configuration.new }
+    let(:api_client) { DatadogAPIClient::APIClient.new(config) }
+
+    context 'when personal access token is configured' do
+      before do
+        config.api_key = 'test_api_key'
+        config.application_key = 'test_app_key'
+        config.personal_access_token = 'ddpat_test_pat'
+      end
+
+      it 'sends only Bearer Authorization header, no API key or app key' do
+        header_params = {}
+        query_params = {}
+        api_client.update_params_for_auth!(header_params, query_params, [:apiKeyAuth, :appKeyAuth])
+        expect(header_params['Authorization']).to eq('Bearer ddpat_test_pat')
+        expect(header_params).not_to have_key('DD-API-KEY')
+        expect(header_params).not_to have_key('DD-APPLICATION-KEY')
+      end
+
+      it 'sends only Bearer even when bearerAuth is already in auth_names' do
+        header_params = {}
+        query_params = {}
+        api_client.update_params_for_auth!(header_params, query_params, [:apiKeyAuth, :appKeyAuth, :bearerAuth])
+        expect(header_params['Authorization']).to eq('Bearer ddpat_test_pat')
+        expect(header_params).not_to have_key('DD-API-KEY')
+        expect(header_params).not_to have_key('DD-APPLICATION-KEY')
+      end
+    end
+
+    context 'when personal access token is not configured' do
+      before do
+        config.api_key = 'test_api_key'
+        config.application_key = 'test_app_key'
+      end
+
+      it 'uses API key and app key, no Bearer header' do
+        header_params = {}
+        query_params = {}
+        api_client.update_params_for_auth!(header_params, query_params, [:apiKeyAuth, :appKeyAuth])
+        expect(header_params['DD-API-KEY']).to eq('test_api_key')
+        expect(header_params['DD-APPLICATION-KEY']).to eq('test_app_key')
+        expect(header_params).not_to have_key('Authorization')
+      end
+    end
+  end
+
+  describe '#sanitize_request_header' do
+    let(:api_client) { DatadogAPIClient::APIClient.new }
+
+    it 'redacts sensitive headers including Authorization' do
+      headers = {
+        'DD-API-KEY' => 'secret_api_key',
+        'DD-APPLICATION-KEY' => 'secret_app_key',
+        'Authorization' => 'Bearer ddapp_secret_pat',
+        'Content-Type' => 'application/json'
+      }
+      sanitized = api_client.sanitize_request_header(headers)
+      expect(sanitized['DD-API-KEY']).to eq('REDACTED')
+      expect(sanitized['DD-APPLICATION-KEY']).to eq('REDACTED')
+      expect(sanitized['Authorization']).to eq('REDACTED')
+      expect(sanitized['Content-Type']).to eq('application/json')
+    end
+  end
 end

spec/configuration_spec.rb

@@ -58,5 +58,45 @@
     end
   end
 
+  describe '#personal_access_token' do
+    let(:config) { DatadogAPIClient::Configuration.new }
+
+    it 'defaults to nil' do
+      expect(config.personal_access_token).to be_nil
+    end
+
+    it 'can be set directly' do
+      config.personal_access_token = 'ddapp_test_token_123'
+      expect(config.personal_access_token).to eq('ddapp_test_token_123')
+    end
+
+    it 'loads from DD_PAT environment variable' do
+      allow(ENV).to receive(:key?).and_call_original
+      allow(ENV).to receive(:key?).with('DD_PAT').and_return(true)
+      allow(ENV).to receive(:[]).and_call_original
+      allow(ENV).to receive(:[]).with('DD_PAT').and_return('ddapp_env_token')
+      new_config = DatadogAPIClient::Configuration.new
+      expect(new_config.personal_access_token).to eq('ddapp_env_token')
+    end
+  end
+
+  describe '#auth_settings' do
+    let(:config) { DatadogAPIClient::Configuration.new }
+
+    it 'includes bearerAuth with nil value when PAT not set' do
+      expect(config.auth_settings[:bearerAuth]).not_to be_nil
+      expect(config.auth_settings[:bearerAuth][:value]).to be_nil
+    end
+
+    it 'includes bearerAuth with Bearer token when PAT is set' do
+      config.personal_access_token = 'ddapp_my_token'
+      auth = config.auth_settings[:bearerAuth]
+      expect(auth[:type]).to eq('http')
+      expect(auth[:in]).to eq('header')
+      expect(auth[:key]).to eq('Authorization')
+      expect(auth[:value]).to eq('Bearer ddapp_my_token')
+    end
+  end
+
 
 end