feat: support SENTRY_AUTH_TOKEN and SENTRY_TOKEN env vars for headless auth #356
Merged
…s auth
Add environment variable authentication for headless/agent workflows.
SENTRY_AUTH_TOKEN takes priority over SENTRY_TOKEN, and both take
priority over stored OAuth tokens.
Core changes:
- Add getEnvToken() private helper in db/auth.ts that reads and trims
env vars, returning the token and its source
- Add AuthSource type ('env:SENTRY_AUTH_TOKEN' | 'env:SENTRY_TOKEN' | 'oauth')
and required source field on AuthConfig
- Add isEnvTokenActive() exported helper for commands and sentry-client
- Modify getAuthToken(), getAuthConfig(), refreshToken() to check env
vars first, short-circuiting all SQLite and OAuth refresh logic
- Modify handleUnauthorized() in sentry-client.ts to skip token refresh
for env tokens (let 401 propagate)
Command updates:
- auth status: shows 'Authenticated via <ENV_VAR> environment variable',
skips config path and auto-refresh display for env tokens
- auth refresh: errors with clear message for env tokens
- auth login: warns that env var provides auth, suggests removing it
- auth logout: clears stored auth but warns env var still active
- auth token: works as-is (getAuthToken returns env token)
- auth whoami: works as-is (just needs valid token)
Tests:
- New test/lib/db/auth.test.ts: 22 unit tests for env var priority,
source tracking, trimming, empty values, refresh bypass
- New test/lib/db/auth.property.test.ts: 9 property-based tests with
fast-check verifying priority invariants for any valid token values
- Extended test/lib/db/model-based.test.ts: env var commands in model
(SetEnvAuthToken, ClearEnvAuthToken, SetEnvSentryToken,
ClearEnvSentryToken, IsEnvTokenActive) with save/restore in finally
- test/preload.ts: added SENTRY_TOKEN cleanup alongside SENTRY_AUTH_TOKEN
Contributor
Semver Impact of This PR: 🟡 Minor (new features)
Contributor
Codecov Results 📊
✅ 101 passed | Total: 101 | Pass Rate: 100% | Execution Time: 0ms
📊 Comparison with Base Branch
✨ No test changes detected
All tests are passing successfully.
✅ Patch coverage is 93.18%. Project has 3553 uncovered lines.
Files with missing lines (5)
Coverage diff
@@ Coverage Diff @@
## main #PR +/-##
==========================================
+ Coverage 80.80% 81.50% +0.7%
==========================================
Files 127 127 —
Lines 19146 19205 +59
Branches 0 0 —
==========================================
+ Hits 15470 15652 +182
- Misses 3676 3553 -123
- Partials 0 0 —
Generated by Codecov Action
BYK
commented
Mar 5, 2026
- Logout no longer clears stored auth when env var is active; just informs user to unset the env var
- Extract ENV_SOURCE_PREFIX constant, use .length instead of magic 4
- Keep getEnvToken/isEnvTokenActive in db/auth.ts (tightly coupled with getAuthToken/getAuthConfig/refreshToken in the same file)
Cover the env-token-aware branches in status, logout, refresh, and login commands to push patch coverage above 80%.
- status: 14 tests (env source display, hidden config path, no expiry/refresh for env tokens, credential verification, defaults)
- logout: 5 tests (env token blocks clear, correct env var name, fallback to SENTRY_AUTH_TOKEN)
- refresh: 6 tests (env token throws, no-refresh-token, success, still-valid, --json output)
- login: 1 new test (env token active → remove env var message)
Login and refresh now dynamically extract the active env var name (SENTRY_AUTH_TOKEN or SENTRY_TOKEN) from getAuthConfig().source, matching the behavior of logout and status commands. Addresses BugBot feedback about inconsistent generic env var references.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Replace the duplicated 3-line env var name extraction pattern in login, logout, and refresh commands with a single getActiveEnvVarName() helper exported from db/auth.ts. Addresses BugBot feedback about code duplication across commands.
Summary
Support SENTRY_AUTH_TOKEN and SENTRY_TOKEN environment variables for authentication, bypassing the OAuth device flow and SQLite token storage. This enables headless environments (CI, Docker, agent sandboxes) to authenticate without interactive login.
Closes #348
Changes
Core auth layer (src/lib/db/auth.ts)
- AuthSource type: "env:SENTRY_AUTH_TOKEN" | "env:SENTRY_TOKEN" | "oauth"
- getAuthToken() and getAuthConfig() check env vars first, then fall back to SQLite
- refreshToken() short-circuits for env tokens (no refresh/expiry logic)
- isEnvTokenActive() helper for commands that need to branch on auth source
HTTP layer (src/lib/sentry-client.ts)
- handleUnauthorized() skips token refresh when env token is active (401s propagate as-is)
Commands
- auth status — Shows "Authenticated via SENTRY_AUTH_TOKEN environment variable ✓"; skips config path, expiry, and auto-refresh display for env tokens
- auth refresh — Errors early with clear message when env token is active
- auth login — Tells user to remove env var instead of re-authenticating
- auth logout — Clears stored auth but warns env var still provides authentication
Tests
SENTRY_TOKEN alongside existing SENTRY_AUTH_TOKEN
Design decisions
- SENTRY_AUTH_TOKEN takes priority over SENTRY_TOKEN (matches legacy sentry-cli and Sentry SDK convention)
- AuthConfig.source is required on every config object (not optional) so consumers can't forget to handle it
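Added example, not code from this PR or the project: a TypeScript sketch of the resolution order described above (SENTRY_AUTH_TOKEN, then SENTRY_TOKEN, then the stored OAuth token), with source tracking and the skip-refresh decision for env tokens. The function names, the "Authenticated via stored OAuth token" string and the sample values are assumptions, as is treating a whitespace-only variable as unset.

```typescript
// Added illustration; not the code in src/lib/db/auth.ts.
type AuthSource = "env:SENTRY_AUTH_TOKEN" | "env:SENTRY_TOKEN" | "oauth";
type ResolvedAuth = { token: string; source: AuthSource };
type Env = Record<string, string | undefined>;

const ENV_PREFIX = "env:";
// Checked in priority order: SENTRY_AUTH_TOKEN before SENTRY_TOKEN.
const ENV_SOURCES: AuthSource[] = ["env:SENTRY_AUTH_TOKEN", "env:SENTRY_TOKEN"];

// First env var holding a non-blank value wins; the value is trimmed.
// Assumption: a blank or whitespace-only variable counts as unset.
function envToken(env: Env): ResolvedAuth | undefined {
  for (const source of ENV_SOURCES) {
    const value = env[source.slice(ENV_PREFIX.length)]?.trim();
    if (value) return { token: value, source };
  }
  return undefined;
}

// Env tokens override the stored OAuth token; storage is only the fallback.
function resolveAuth(env: Env, storedOAuthToken?: string): ResolvedAuth | undefined {
  const fromEnv = envToken(env);
  if (fromEnv) return fromEnv;
  return storedOAuthToken ? { token: storedOAuthToken, source: "oauth" } : undefined;
}

// Only OAuth credentials can be refreshed; with an env token the 401 propagates.
function shouldRefreshOn401(auth: ResolvedAuth): boolean {
  return auth.source === "oauth";
}

// Names the credential source for status output without printing the token.
function describeAuth(auth: ResolvedAuth | undefined): string {
  if (!auth) return "Not authenticated";
  if (auth.source.startsWith(ENV_PREFIX)) {
    const name = auth.source.slice(ENV_PREFIX.length);
    return `Authenticated via ${name} environment variable`;
  }
  return "Authenticated via stored OAuth token";
}

// Constructed sample: blank SENTRY_AUTH_TOKEN, padded SENTRY_TOKEN, stored OAuth token.
const sampleEnv: Env = { SENTRY_AUTH_TOKEN: "   ", SENTRY_TOKEN: " constructed-env-token\n" };
const sampleAuth = resolveAuth(sampleEnv, "constructed-oauth-token");
console.log(describeAuth(sampleAuth)); // Authenticated via SENTRY_TOKEN environment variable
```

Because an exported variable silently outranks the stored login, reporting the source in status output is what lets an operator see which credential a CI job or container is actually using.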