Regenerate client credential handling

Author: gjtorikian

src/workos/_client.py

@@ -17,6 +17,7 @@
 
 from ._errors import (
     BaseRequestException,
+    ConfigurationException,
     RateLimitExceededException,
     ServerException,
     WorkOSConnectionException,
@@ -401,16 +402,12 @@ def __init__(
         max_retries: int = MAX_RETRIES,
     ) -> None:
         self._api_key = api_key or os.environ.get("WORKOS_API_KEY")
-        if not self._api_key:
-            raise ValueError(
-                "WorkOS API key must be provided when instantiating the client "
-                "or via the WORKOS_API_KEY environment variable."
-            )
         self.client_id = client_id or os.environ.get("WORKOS_CLIENT_ID")
-        if not self.client_id:
+        if not self._api_key and not self.client_id:
             raise ValueError(
-                "WorkOS client ID must be provided when instantiating the client "
-                "or via the WORKOS_CLIENT_ID environment variable."
+                "WorkOS requires either an API key or a client ID. "
+                "Provide api_key / WORKOS_API_KEY for authenticated server-side usage, "
+                "or client_id / WORKOS_CLIENT_ID for flows that require a client ID."
             )
         resolved_base_url = base_url or os.environ.get(
             "WORKOS_BASE_URL", "https://api.workos.com"
@@ -493,17 +490,34 @@ def _resolve_max_retries(self, request_options: Optional[RequestOptions]) -> int
                 return retries
         return self._max_retries
 
+    def _require_api_key(self) -> str:
+        if not self._api_key:
+            raise ConfigurationException(
+                "This operation requires a WorkOS API key. Provide api_key when instantiating the client "
+                "or via the WORKOS_API_KEY environment variable."
+            )
+        return self._api_key
+
+    def _require_client_id(self) -> str:
+        if not self.client_id:
+            raise ConfigurationException(
+                "This operation requires a WorkOS client ID. Provide client_id when instantiating the client "
+                "or via the WORKOS_CLIENT_ID environment variable."
+            )
+        return self.client_id
+
     def _build_headers(
         self,
         method: str,
         idempotency_key: Optional[str],
         request_options: Optional[RequestOptions],
     ) -> Dict[str, str]:
         headers: Dict[str, str] = {
-            "Authorization": f"Bearer {self._api_key}",
             "Content-Type": "application/json",
             "User-Agent": f"workos-python/{VERSION} python/{platform.python_version()}",
         }
+        if self._api_key:
+            headers["Authorization"] = f"Bearer {self._api_key}"
         effective_idempotency_key = idempotency_key
         if effective_idempotency_key is None and request_options:
             request_option_idempotency_key = request_options.get("idempotency_key")
@@ -652,7 +666,7 @@ def __init__(
             max_retries: Maximum number of retries for failed requests. Defaults to 3.
 
         Raises:
-            ValueError: If api_key is not provided and WORKOS_API_KEY is not set.
+            ValueError: If neither api_key nor client_id is provided, directly or via environment variables.
         """
         super().__init__(
             api_key=api_key,
@@ -931,7 +945,7 @@ def __init__(
             max_retries: Maximum number of retries for failed requests. Defaults to 3.
 
         Raises:
-            ValueError: If api_key is not provided and WORKOS_API_KEY is not set.
+            ValueError: If neither api_key nor client_id is provided, directly or via environment variables.
         """
         super().__init__(
             api_key=api_key,

src/workos/sso/_resource.py

@@ -91,7 +91,9 @@ def authorize(
             }.items()
             if v is not None
         }
-        params["client_id"] = params.get("client_id") or self._client.client_id
+        params["client_id"] = (
+            params.get("client_id") or self._client._require_client_id()
+        )
         return self._client.build_url("sso/authorize", params)
 
     def logout(
@@ -238,8 +240,10 @@ def token(
             "code": code,
             "grant_type": grant_type,
         }
-        body["client_id"] = body.get("client_id") or self._client.client_id
-        body["client_secret"] = body.get("client_secret") or self._client._api_key
+        body["client_id"] = body.get("client_id") or self._client._require_client_id()
+        body["client_secret"] = (
+            body.get("client_secret") or self._client._require_api_key()
+        )
         return self._client.request(
             method="post",
             path="sso/token",
@@ -407,7 +411,9 @@ async def authorize(
             }.items()
             if v is not None
         }
-        params["client_id"] = params.get("client_id") or self._client.client_id
+        params["client_id"] = (
+            params.get("client_id") or self._client._require_client_id()
+        )
         return self._client.build_url("sso/authorize", params)
 
     async def logout(
@@ -554,8 +560,10 @@ async def token(
             "code": code,
             "grant_type": grant_type,
         }
-        body["client_id"] = body.get("client_id") or self._client.client_id
-        body["client_secret"] = body.get("client_secret") or self._client._api_key
+        body["client_id"] = body.get("client_id") or self._client._require_client_id()
+        body["client_secret"] = (
+            body.get("client_secret") or self._client._require_api_key()
+        )
         return await self._client.request(
             method="post",
             path="sso/token",

tests/test_generated_client.py

@@ -20,17 +20,24 @@
 
 
 class TestWorkOSClient:
-    def test_missing_api_key_raises(self):
+    def test_missing_credentials_raise(self):
         with pytest.raises(ValueError):
-            WorkOS(client_id="client_test")
+            WorkOS()
 
     def test_context_manager(self):
         with WorkOS(api_key="sk_test_123", client_id="client_test") as client:
             assert client._api_key == "sk_test_123"
 
+    def test_api_key_only_initializes(self):
+        client = WorkOS(api_key="sk_test_123")
+        assert client._api_key == "sk_test_123"
+        assert client.client_id is None
+        client.close()
+
     def test_client_id_from_constructor(self):
-        client = WorkOS(api_key="sk_test_123", client_id="client_test_456")
+        client = WorkOS(client_id="client_test_456")
         assert client.client_id == "client_test_456"
+        assert client._api_key is None
         client.close()
 
     def test_raises_400(self, httpx_mock):
@@ -129,6 +136,14 @@ def test_no_idempotency_key_on_get(self, httpx_mock):
         assert "Idempotency-Key" not in request.headers
         client.close()
 
+    def test_no_authorization_header_without_api_key(self, httpx_mock):
+        httpx_mock.add_response(json={})
+        client = WorkOS(client_id="client_test")
+        client.request("GET", "test")
+        request = httpx_mock.get_request()
+        assert "Authorization" not in request.headers
+        client.close()
+
     def test_empty_body_sends_json(self, httpx_mock):
         httpx_mock.add_response(json={})
         client = WorkOS(api_key="sk_test_123", client_id="client_test")