Commit 1e3a261

rdimitrov and claude committed
Fix entries-without-claims visibility for auth-only mode
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent e7fc32d commit 1e3a261

2 files changed

Lines changed: 10 additions & 8 deletions

docs/toolhive/guides-registry/authorization.mdx

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -221,12 +221,13 @@ caller's claims must be a superset of the resource's claims. For example:
221221
| `{org: "acme"}` | `{org: "contoso"}` | Denied |
222222

223223
Registries and sources with no claims are accessible to all authenticated
224-
callers. However, **entries** with no claims behave differently: they are only
225-
visible in anonymous mode. When authorization is enabled, an authenticated
226-
caller's per-entry filter requires both sides to have claims for a match — so
227-
entries without claims are invisible. To make entries visible to authenticated
228-
callers, attach claims to the source (for synced sources) or to individual
229-
entries (via the publish payload or the
224+
callers. However, **entries** with no claims behave differently: they are
225+
visible in anonymous mode and [auth-only mode](#auth-only-mode), but invisible
226+
when full authorization is enabled. With authorization, the per-entry filter
227+
requires both sides to have claims for a match — so entries without claims are
228+
filtered out. To make entries visible to authorized callers, attach claims to
229+
the source (for synced sources) or to individual entries (via the publish
230+
payload or the
230231
[`authz-claims` annotation](./configuration.mdx#per-entry-claims-via-annotation)
231232
for Kubernetes sources).
232233
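Review bot: The added sentence at new line 226 begins "With authorization, the per-entry filter requires both sides to have claims", dropping the "full" used in the sentence before it, so it can be read as covering auth-only mode as well, which the previous sentence says behaves differently. Suggest "With full authorization enabled, the per-entry filter ..." and keep "authenticated callers" (line 223) and "authorized callers" (line 228) deliberately distinct, since the paragraph now depends on that difference. It would also help to state the consequence outright for operators who expect unclaimed entries to be hidden once authentication is turned on: entries without claims stay visible in auth-only mode. The target of the `#auth-only-mode` link is not visible in this hunk, so please confirm the anchor exists in this file.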

docs/toolhive/guides-registry/configuration.mdx

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -417,8 +417,9 @@ spec:
417417

418418
Entry claims come exclusively from the annotation — source-level claims are
419419
**not** inherited. Entries without the annotation have no claims, which means
420-
they are visible in anonymous mode but invisible when authorization is
421-
configured.
420+
they are visible in anonymous mode and
421+
[auth-only mode](./authorization.mdx#auth-only-mode) but invisible when full
422+
authorization is configured.
422423

423424
If the annotation contains invalid JSON or unsupported claim value types
424425
(anything other than strings or arrays of strings), the entry is **skipped
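Review bot: New lines 420-422 say "invisible when full authorization is configured", while the matching sentence in authorization.mdx says "when full authorization is enabled"; pick one verb so readers do not infer two different states. "Full authorization" is also introduced here without a definition or link, whereas auth-only mode is linked. Suggest linking the term to the section of authorization.mdx that defines it. Because the preceding sentence says source-level claims are not inherited, consider adding that an entry missing the annotation is visible in auth-only mode even when its source carries claims.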
