Add PAT (Personal Access Token) auth support

- Add set_pat() convenience method on Configuration to set a PAT
  that is used in place of an application key (DD-APPLICATION-KEY header)
- Add DD_PAT env var support, taking precedence over DD_APP_KEY when set
- Update both configuration.rs and configuration.j2 template in sync
- Add unit tests for PAT configuration behavior

Ref: CRED-2150

Use Authorization: Bearer header for PAT auth instead of DD-APPLICATION-KEY

PAT auth is now a separate auth path from API key + App key:
- When PAT is set: sends only Authorization: Bearer <PAT> header
- When PAT is not set: uses existing DD-API-KEY + DD-APPLICATION-KEY flow
- These are mutually exclusive with no fallback between them

Added auth_headers() method to Configuration that all generated API
methods now call instead of inline auth key lookups.

Author: tausman

.generator/src/generator/templates/api.j2

@@ -384,19 +384,14 @@ impl {{ structName }} {
         };
 
         // build auth
-        {%- set authMethods = operation.security if "security" in operation else openapi.security %}
-        {%- if authMethods %}
-        {%- for authMethod in authMethods %}
-        {%- for name in authMethod %}
-        {%- set schema = openapi.components.securitySchemes[name] %}
-        {%- if schema.type == "apiKey" and schema.in != "cookie" %}
-        if let Some(local_key) = local_configuration.auth_keys.get("{{ name }}") {
-            headers.insert("{{schema.name}}", HeaderValue::from_str(local_key.key.as_str()).expect("failed to parse {{schema.name}} header"));
-        };
-        {%- endif %}
-        {%- endfor %}
-        {%- endfor %}
-        {%- endif %}
+        for (key, value) in local_configuration.auth_headers() {
+            headers.insert(
+                reqwest::header::HeaderName::from_bytes(key.as_bytes())
+                    .expect("failed to parse auth header name"),
+                HeaderValue::from_str(value.as_str())
+                    .expect("failed to parse auth header value"),
+            );
+        }
 
         {% if formParameter %}
         // build form parameters

.generator/src/generator/templates/configuration.j2

@@ -44,6 +44,7 @@ pub struct Configuration {
     pub(crate) user_agent: String,
     pub(crate) unstable_operations: HashMap<String, bool>,
     pub(crate) auth_keys: HashMap<String, APIKey>,
+    pub(crate) pat: Option<String>,
     pub server_index: usize,
     pub server_variables: HashMap<String, String>,
     pub server_operation_index: HashMap<String, usize>,
@@ -106,6 +107,30 @@ impl Configuration {
         self.auth_keys.insert(operation_str.to_string(), api_key);
     }
 
+    /// Set a Personal Access Token (PAT) for authentication.
+    /// When a PAT is configured, the client sends only an `Authorization: Bearer <PAT>`
+    /// header and does NOT send DD-API-KEY or DD-APPLICATION-KEY headers.
+    pub fn set_pat(&mut self, pat: String) {
+        self.pat = Some(pat);
+    }
+
+    /// Build authentication headers for an API request.
+    /// If a PAT is configured, returns a single `Authorization: Bearer` header.
+    /// Otherwise, returns `DD-API-KEY` and `DD-APPLICATION-KEY` headers.
+    pub fn auth_headers(&self) -> Vec<(String, String)> {
+        if let Some(ref pat) = self.pat {
+            return vec![("Authorization".to_string(), format!("Bearer {}", pat))];
+        }
+        let mut headers = Vec::new();
+        if let Some(key) = self.auth_keys.get("apiKeyAuth") {
+            headers.push(("DD-API-KEY".to_string(), key.key.clone()));
+        }
+        if let Some(key) = self.auth_keys.get("appKeyAuth") {
+            headers.push(("DD-APPLICATION-KEY".to_string(), key.key.clone()));
+        }
+        headers
+    }
+
     pub fn set_proxy_url(&mut self, proxy_url: Option<String>) {
         self.proxy_url = proxy_url;
     }
@@ -149,10 +174,14 @@ impl Default for Configuration {
         {%- endfor %}
         {%- endif %}
 
+        // DD_PAT env var enables Bearer token auth (mutually exclusive with API key auth)
+        let pat = env::var("DD_PAT").ok().filter(|p| !p.is_empty());
+
         Self {
             user_agent: DEFAULT_USER_AGENT.clone(),
             unstable_operations,
             auth_keys,
+            pat,
             server_index: 0,
             server_variables: HashMap::from([(
                 "site".into(),

src/datadog/configuration.rs

@@ -46,6 +46,7 @@ pub struct Configuration {
     pub(crate) user_agent: String,
     pub(crate) unstable_operations: HashMap<String, bool>,
     pub(crate) auth_keys: HashMap<String, APIKey>,
+    pub(crate) pat: Option<String>,
     pub server_index: usize,
     pub server_variables: HashMap<String, String>,
     pub server_operation_index: HashMap<String, usize>,
@@ -109,6 +110,30 @@ impl Configuration {
         self.auth_keys.insert(operation_str.to_string(), api_key);
     }
 
+    /// Set a Personal Access Token (PAT) for authentication.
+    /// When a PAT is configured, the client sends only an `Authorization: Bearer <PAT>`
+    /// header and does NOT send DD-API-KEY or DD-APPLICATION-KEY headers.
+    pub fn set_pat(&mut self, pat: String) {
+        self.pat = Some(pat);
+    }
+
+    /// Build authentication headers for an API request.
+    /// If a PAT is configured, returns a single `Authorization: Bearer` header.
+    /// Otherwise, returns `DD-API-KEY` and `DD-APPLICATION-KEY` headers.
+    pub fn auth_headers(&self) -> Vec<(String, String)> {
+        if let Some(ref pat) = self.pat {
+            return vec![("Authorization".to_string(), format!("Bearer {}", pat))];
+        }
+        let mut headers = Vec::new();
+        if let Some(key) = self.auth_keys.get("apiKeyAuth") {
+            headers.push(("DD-API-KEY".to_string(), key.key.clone()));
+        }
+        if let Some(key) = self.auth_keys.get("appKeyAuth") {
+            headers.push(("DD-APPLICATION-KEY".to_string(), key.key.clone()));
+        }
+        headers
+    }
+
     pub fn set_proxy_url(&mut self, proxy_url: Option<String>) {
         self.proxy_url = proxy_url;
     }
@@ -363,10 +388,14 @@ impl Default for Configuration {
             },
         );
 
+        // DD_PAT env var enables Bearer token auth (mutually exclusive with API key auth)
+        let pat = env::var("DD_PAT").ok().filter(|p| !p.is_empty());
+
         Self {
             user_agent: DEFAULT_USER_AGENT.clone(),
             unstable_operations,
             auth_keys,
+            pat,
             server_index: 0,
             server_variables: HashMap::from([(
                 "site".into(),
@@ -1128,3 +1157,138 @@ lazy_static! {
         ])
     };
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::sync::Mutex;
+
+    // Mutex to prevent env var tests from interfering with each other
+    static ENV_MUTEX: Mutex<()> = Mutex::new(());
+
+    #[test]
+    fn test_set_pat_stores_pat() {
+        let mut config = Configuration::new();
+        config.set_pat("my-pat-token".to_string());
+        assert_eq!(config.pat.as_deref(), Some("my-pat-token"));
+    }
+
+    #[test]
+    fn test_auth_headers_with_pat_returns_bearer() {
+        let mut config = Configuration::new();
+        config.set_pat("my-pat-token".to_string());
+
+        let headers = config.auth_headers();
+        assert_eq!(headers.len(), 1);
+        assert_eq!(headers[0].0, "Authorization");
+        assert_eq!(headers[0].1, "Bearer my-pat-token");
+    }
+
+    #[test]
+    fn test_auth_headers_with_pat_excludes_api_keys() {
+        let mut config = Configuration::new();
+        config.set_auth_key(
+            "apiKeyAuth",
+            APIKey {
+                key: "my-api-key".to_string(),
+                prefix: "".to_string(),
+            },
+        );
+        config.set_auth_key(
+            "appKeyAuth",
+            APIKey {
+                key: "my-app-key".to_string(),
+                prefix: "".to_string(),
+            },
+        );
+        // PAT overrides all key-based auth
+        config.set_pat("my-pat-token".to_string());
+
+        let headers = config.auth_headers();
+        assert_eq!(headers.len(), 1);
+        assert_eq!(headers[0].0, "Authorization");
+        assert_eq!(headers[0].1, "Bearer my-pat-token");
+    }
+
+    #[test]
+    fn test_auth_headers_without_pat_returns_api_keys() {
+        let _lock = ENV_MUTEX.lock().unwrap();
+        let old_pat = env::var("DD_PAT").ok();
+        env::remove_var("DD_PAT");
+
+        let mut config = Configuration::new();
+        config.set_auth_key(
+            "apiKeyAuth",
+            APIKey {
+                key: "my-api-key".to_string(),
+                prefix: "".to_string(),
+            },
+        );
+        config.set_auth_key(
+            "appKeyAuth",
+            APIKey {
+                key: "my-app-key".to_string(),
+                prefix: "".to_string(),
+            },
+        );
+
+        let headers = config.auth_headers();
+        assert!(headers.iter().any(|(k, v)| k == "DD-API-KEY" && v == "my-api-key"));
+        assert!(headers.iter().any(|(k, v)| k == "DD-APPLICATION-KEY" && v == "my-app-key"));
+        // No Authorization header should be present
+        assert!(!headers.iter().any(|(k, _)| k == "Authorization"));
+
+        match old_pat {
+            Some(v) => env::set_var("DD_PAT", v),
+            None => env::remove_var("DD_PAT"),
+        }
+    }
+
+    #[test]
+    fn test_dd_pat_env_var() {
+        let _lock = ENV_MUTEX.lock().unwrap();
+        let old_pat = env::var("DD_PAT").ok();
+
+        env::set_var("DD_PAT", "env-pat-token");
+
+        let config = Configuration::default();
+        assert_eq!(config.pat.as_deref(), Some("env-pat-token"));
+
+        let headers = config.auth_headers();
+        assert_eq!(headers.len(), 1);
+        assert_eq!(headers[0].0, "Authorization");
+        assert_eq!(headers[0].1, "Bearer env-pat-token");
+
+        // Restore env
+        match old_pat {
+            Some(v) => env::set_var("DD_PAT", v),
+            None => env::remove_var("DD_PAT"),
+        }
+    }
+
+    #[test]
+    fn test_empty_dd_pat_does_not_set_pat() {
+        let _lock = ENV_MUTEX.lock().unwrap();
+        let old_pat = env::var("DD_PAT").ok();
+        let old_app_key = env::var("DD_APP_KEY").ok();
+
+        env::set_var("DD_PAT", "");
+        env::set_var("DD_APP_KEY", "my-app-key");
+
+        let config = Configuration::default();
+        assert!(config.pat.is_none());
+
+        let headers = config.auth_headers();
+        assert!(headers.iter().any(|(k, v)| k == "DD-APPLICATION-KEY" && v == "my-app-key"));
+
+        // Restore env
+        match old_pat {
+            Some(v) => env::set_var("DD_PAT", v),
+            None => env::remove_var("DD_PAT"),
+        }
+        match old_app_key {
+            Some(v) => env::set_var("DD_APP_KEY", v),
+            None => env::remove_var("DD_APP_KEY"),
+        }
+    }
+}

src/datadogV1/api/api_authentication.rs

@@ -143,13 +143,14 @@ impl AuthenticationAPI {
         };
 
         // build auth
-        if let Some(local_key) = local_configuration.auth_keys.get("apiKeyAuth") {
+        for (key, value) in local_configuration.auth_headers() {
             headers.insert(
-                "DD-API-KEY",
-                HeaderValue::from_str(local_key.key.as_str())
-                    .expect("failed to parse DD-API-KEY header"),
+                reqwest::header::HeaderName::from_bytes(key.as_bytes())
+                    .expect("failed to parse auth header name"),
+                HeaderValue::from_str(value.as_str())
+                    .expect("failed to parse auth header value"),
             );
-        };
+        }
 
         local_req_builder = local_req_builder.headers(headers);
         let local_req = local_req_builder.build()?;