@@ -18,17 +18,34 @@ type SandboxClient struct {
1818 Client * resty.Client
1919}
2020
21- // NewSandboxClient builds a SandboxClient with the given token + URL.
22- // Empty url falls back to DefaultSandboxBaseURL. The same token used
23- // for the CreateOS API works here too — fc-spawn validates against the
24- // same upstream NodeOps auth service.
21+ // NewSandboxClient builds a SandboxClient for API-key auth. Empty url
22+ // falls back to DefaultSandboxBaseURL. The api key is sent as X-Api-Key
23+ // — fc-spawn validates it against the same upstream NodeOps auth service.
24+ //
25+ // For OAuth/browser logins the credential is an access-token JWT, NOT an
26+ // api key: fc-spawn rejects it under X-Api-Key ("invalid api key") and
27+ // requires the X-Access-Token header instead. Use
28+ // NewSandboxClientWithAccessToken for that case.
2529func NewSandboxClient (token , sandboxURL string , debug bool ) SandboxClient {
30+ return newSandboxClient ("X-Api-Key" , token , sandboxURL , debug )
31+ }
32+
33+ // NewSandboxClientWithAccessToken builds a SandboxClient authenticated
34+ // with an OAuth access token, sent via the X-Access-Token header. This
35+ // mirrors NewClientWithAccessToken on the main API client — fc-spawn
36+ // accepts the same token under this header.
37+ func NewSandboxClientWithAccessToken (accessToken , sandboxURL string , debug bool ) SandboxClient {
38+ return newSandboxClient ("X-Access-Token" , accessToken , sandboxURL , debug )
39+ }
40+
41+ // newSandboxClient is the shared builder behind the two auth schemes.
42+ func newSandboxClient (authHeader , token , sandboxURL string , debug bool ) SandboxClient {
2643 if sandboxURL == "" {
2744 sandboxURL = DefaultSandboxBaseURL
2845 }
2946 client := resty .New ().
3047 SetBaseURL (sandboxURL ).
31- SetHeader ("X-Api-Key" , token ).
48+ SetHeader (authHeader , token ).
3249 SetHeader ("Content-Type" , "application/json" )
3350 if debug {
3451 client .SetDebug (true )
0 commit comments