Skip to content

fix(client): auto-retry agent requests with Bearer when API key is rejected#64

Merged
xergioalex merged 4 commits into
mainfrom
fix/agent-auth-bearer-fallback
Jul 13, 2026
Merged

fix(client): auto-retry agent requests with Bearer when API key is rejected#64
xergioalex merged 4 commits into
mainfrom
fix/agent-auth-bearer-fallback

Conversation

@xergioalex

Copy link
Copy Markdown
Member

Summary

  • When a profile's API key is stale/revoked and the server returns 401, agent commands now automatically retry with the login session Bearer token instead of failing with "API Key Not Valid"
  • Adds _agent_request() wrapper that centralizes all 11 agent endpoint calls through a single retry path: try X-API-KEY first, on 401 fall back to Bearer if available
  • No retry when already using Bearer or when the error is not 401 (403, 429, etc. are passed through as-is)

Root cause

When agents.json has a default profile with an expired API key, the CLI sends X-API-KEY → gets 401 → fails. Even though the user has a valid login session (Bearer token from dailybot login), the CLI never tried it because the profile explicitly declared an API key.

Test plan

  • 5 new test cases in TestAgentBearerFallback:
    • API key rejected → Bearer retry succeeds
    • API key rejected, no Bearer available → 401 propagates
    • Non-401 errors (403) → no retry
    • Already using Bearer → no retry (avoids loops)
    • Fallback works across different agent methods (health, report)
  • All 905 existing tests pass
  • No linter errors

Made with Cursor

xergioalex and others added 4 commits July 13, 2026 01:55
…jected

When a profile's API key is stale/revoked and the server returns 401,
agent commands now automatically retry with the login session token
instead of failing with "API Key Not Valid". This prevents users who
have a valid login session from being blocked by an expired API key
in their agents.json profile.

The new _agent_request() wrapper centralizes all 11 agent endpoint
calls through a single retry path: try X-API-KEY first, and on 401
fall back to Bearer if available. No retry occurs when already using
Bearer or when the error is not 401.

Co-authored-by: Cursor <cursoragent@cursor.com>
All endpoints now use Bearer-first, API-key-second priority, matching
the behavior of _headers(). The _agent_request() retry is now
bidirectional: Bearer rejected → retry with API key, and API key
rejected → retry with Bearer. This eliminates the confusing
inconsistency where user commands preferred Bearer but agent commands
preferred API key.

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@xergioalex xergioalex merged commit ff23b9e into main Jul 13, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant