CRED-2146: Add PAT auth support to Python API client

tausman · tausman · commit fe5c4e44372c · 2026-03-04T22:51:29.000Z
diff --git a/.generator/src/generator/templates/api_client.j2 b/.generator/src/generator/templates/api_client.j2
@@ -893,7 +893,16 @@ class Endpoint:
             self.api_client.configuration.delegated_auth_org_uuid is not None
         )
 
-        if has_app_key_auth and has_delegated_auth:
+        # Check if bearer token (PAT) auth is configured
+        has_bearer_token = self.api_client.configuration.access_token is not None and "bearerAuth" in self.settings["auth"]
+
+        if has_bearer_token:
+            # Bearer token authentication: send ONLY Authorization: Bearer header.
+            # This is a separate auth path — no API key or app key headers.
+            bearer_setting = self.api_client.configuration.auth_settings().get("bearerAuth")
+            if bearer_setting:
+                headers[bearer_setting["key"]] = bearer_setting["value"]
+        elif has_app_key_auth and has_delegated_auth:
             # Use delegated token authentication
             self.api_client.use_delegated_token_auth(headers)
         else:
diff --git a/.generator/src/generator/templates/configuration.j2 b/.generator/src/generator/templates/configuration.j2
@@ -269,6 +269,8 @@ class Configuration:
             self.api_key["apiKeyAuth"] = os.environ["DD_API_KEY"]
         if "DD_APP_KEY" in os.environ and not self.api_key.get("appKeyAuth"):
             self.api_key["appKeyAuth"] = os.environ["DD_APP_KEY"]
+        if "DD_BEARER_TOKEN" in os.environ and not self.access_token:
+            self.access_token = os.environ["DD_BEARER_TOKEN"]
 
     def __deepcopy__(self, memo):
         cls = self.__class__
@@ -535,7 +537,7 @@ class Configuration:
                 "key": "Authorization",
                 "value": self.get_basic_auth_token()
             }
-{# {%- elif schema.type == "http" and schema.scheme == "bearer" %}
+{%- elif schema.type == "http" and schema.scheme == "bearer" %}
         if self.access_token is not None:
             auth["{{name}}"] = {
                 "type": "bearer",
@@ -546,7 +548,6 @@ class Configuration:
                 "key": "Authorization",
                 "value": "Bearer " + self.access_token
             }
-#}
 {%- elif schema.type == "oauth2" %}
         if self.access_token is not None:
             auth["AuthZ"] = {
diff --git a/src/datadog_api_client/api_client.py b/src/datadog_api_client/api_client.py
@@ -902,7 +902,16 @@ def update_params_for_auth(self, headers, queries) -> None:
             and self.api_client.configuration.delegated_auth_org_uuid is not None
         )
 
-        if has_app_key_auth and has_delegated_auth:
+        # Check if bearer token (PAT) auth is configured
+        has_bearer_token = self.api_client.configuration.access_token is not None and "bearerAuth" in self.settings["auth"]
+
+        if has_bearer_token:
+            # Bearer token authentication: send ONLY Authorization: Bearer header.
+            # This is a separate auth path — no API key or app key headers.
+            bearer_setting = self.api_client.configuration.auth_settings().get("bearerAuth")
+            if bearer_setting:
+                headers[bearer_setting["key"]] = bearer_setting["value"]
+        elif has_app_key_auth and has_delegated_auth:
             # Use delegated token authentication
             self.api_client.use_delegated_token_auth(headers)
         else:
diff --git a/src/datadog_api_client/configuration.py b/src/datadog_api_client/configuration.py
@@ -478,6 +478,8 @@ def __init__(
             self.api_key["apiKeyAuth"] = os.environ["DD_API_KEY"]
         if "DD_APP_KEY" in os.environ and not self.api_key.get("appKeyAuth"):
             self.api_key["appKeyAuth"] = os.environ["DD_APP_KEY"]
+        if "DD_BEARER_TOKEN" in os.environ and not self.access_token:
+            self.access_token = os.environ["DD_BEARER_TOKEN"]
 
     def __deepcopy__(self, memo):
         cls = self.__class__
@@ -777,4 +779,11 @@ def auth_settings(self):
                     "appKeyAuth",
                 ),
             }
+        if self.access_token is not None:
+            auth["bearerAuth"] = {
+                "type": "bearer",
+                "in": "header",
+                "key": "Authorization",
+                "value": "Bearer " + self.access_token,
+            }
         return auth
diff --git a/tests/test_pat_auth.py b/tests/test_pat_auth.py
@@ -0,0 +1,156 @@
+"""Tests for Personal Access Token (PAT) authentication support."""
+
+import pytest
+from datetime import datetime, timedelta
+from unittest.mock import patch
+
+from datadog_api_client.api_client import ApiClient, Endpoint as _Endpoint
+from datadog_api_client.configuration import Configuration
+from datadog_api_client.delegated_auth import (
+    DelegatedTokenCredentials,
+    DelegatedTokenConfig,
+    DelegatedTokenProvider,
+)
+
+
+class TestBearerTokenConfiguration:
+    """Test access_token field on Configuration for bearer auth."""
+
+    def test_bearer_token_stored(self):
+        config = Configuration(access_token="ddpat_test123")
+        assert config.access_token == "ddpat_test123"
+
+    def test_bearer_token_default_none(self):
+        config = Configuration()
+        assert config.access_token is None
+
+    @patch.dict("os.environ", {"DD_BEARER_TOKEN": "ddpat_from_env"})
+    def test_bearer_token_env_var(self):
+        config = Configuration()
+        assert config.access_token == "ddpat_from_env"
+
+    @patch.dict("os.environ", {"DD_BEARER_TOKEN": "ddpat_from_env"})
+    def test_bearer_token_env_var_no_override(self):
+        config = Configuration(access_token="ddpat_explicit")
+        assert config.access_token == "ddpat_explicit"
+
+
+class TestAuthSettingsWithBearerToken:
+    """Test auth_settings() with access_token configured."""
+
+    def test_auth_settings_includes_bearer(self):
+        config = Configuration(access_token="ddpat_test123")
+        auth = config.auth_settings()
+        assert "bearerAuth" in auth
+        assert auth["bearerAuth"]["type"] == "bearer"
+        assert auth["bearerAuth"]["in"] == "header"
+        assert auth["bearerAuth"]["key"] == "Authorization"
+        assert auth["bearerAuth"]["value"] == "Bearer ddpat_test123"
+
+    def test_auth_settings_without_bearer(self):
+        config = Configuration()
+        auth = config.auth_settings()
+        assert "bearerAuth" not in auth
+
+
+class TestUpdateParamsForAuthWithBearerToken:
+    """Test that update_params_for_auth uses bearer token correctly."""
+
+    def _make_endpoint(self, config, auth_schemes):
+        """Helper to create an Endpoint with given auth schemes."""
+        api_client = ApiClient(config)
+        return _Endpoint(
+            settings={
+                "response_type": None,
+                "auth": auth_schemes,
+                "endpoint_path": "/api/v2/test",
+                "operation_id": "test_op",
+                "http_method": "GET",
+                "version": "v2",
+            },
+            params_map={},
+            headers_map={"accept": ["application/json"]},
+            api_client=api_client,
+        )
+
+    def test_bearer_sends_only_authorization_header(self):
+        """When access_token is set and bearerAuth is in auth, only Authorization: Bearer is sent."""
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+            access_token="ddpat_test_pat",
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth", "bearerAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["Authorization"] == "Bearer ddpat_test_pat"
+        assert "DD-API-KEY" not in headers
+        assert "DD-APPLICATION-KEY" not in headers
+
+    def test_bearer_without_api_keys(self):
+        """Bearer token works even without any API keys configured."""
+        config = Configuration(access_token="ddpat_test_pat")
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth", "bearerAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["Authorization"] == "Bearer ddpat_test_pat"
+        assert "DD-API-KEY" not in headers
+        assert "DD-APPLICATION-KEY" not in headers
+
+    def test_no_bearer_when_not_in_endpoint_auth(self):
+        """access_token set but endpoint doesn't declare bearerAuth — uses regular auth."""
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+            access_token="ddpat_test_pat",
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["DD-API-KEY"] == "test-api-key"
+        assert headers["DD-APPLICATION-KEY"] == "test-app-key"
+
+    def test_regular_auth_without_bearer(self):
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth", "bearerAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        assert headers["DD-API-KEY"] == "test-api-key"
+        assert headers["DD-APPLICATION-KEY"] == "test-app-key"
+        assert "Authorization" not in headers
+
+    def test_bearer_takes_priority_over_delegated_auth(self):
+        """When both bearer token and delegated auth are configured, bearer wins."""
+
+        class MockProvider(DelegatedTokenProvider):
+            def authenticate(self, config, api_config):
+                return DelegatedTokenCredentials(
+                    org_uuid="test-org",
+                    delegated_token="delegated-token-123",
+                    delegated_proof="proof",
+                    expiration=datetime.now() + timedelta(minutes=10),
+                )
+
+        config = Configuration(
+            api_key={"apiKeyAuth": "test-api-key", "appKeyAuth": "test-app-key"},
+            access_token="ddpat_test_pat",
+            delegated_auth_provider=MockProvider(),
+            delegated_auth_org_uuid="test-org",
+        )
+        endpoint = self._make_endpoint(config, ["apiKeyAuth", "appKeyAuth", "bearerAuth"])
+        headers = {}
+        queries = []
+        endpoint.update_params_for_auth(headers, queries)
+
+        # Bearer token takes priority
+        assert headers["Authorization"] == "Bearer ddpat_test_pat"
+        assert "DD-API-KEY" not in headers
+        assert "DD-APPLICATION-KEY" not in headers
