{{ message }}
Rename gateway “API key” surface to Agent ID with compat aliases and X-Agent-ID routing#7114
Merged
Merged
Conversation
Copilot
AI
changed the title
[WIP] Rename 'API key' to 'Agent ID' to reduce security testing confusion
Rename gateway “API key” surface to Agent ID with compat aliases and X-Agent-ID routing
Jun 6, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates MCP Gateway’s terminology and interfaces to treat the session-routing identifier as an Agent ID (primary) rather than an “API key”, while maintaining backward-compatible aliases and introducing explicit X-Agent-ID-based session routing.
Changes:
- Migrates gateway configuration surface to
agent_id/agentIdas the primary identifier, with legacyapi_key/apiKeykept as deprecated aliases (including env var + Go accessors). - Adds header-based session routing precedence:
X-Agent-IDfirst, thenAuthorizationfallback. - Aligns schema, docs, examples, and integration/unit tests with the new terminology and compatibility behavior.
Show a summary per file
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 37/37 changed files
- Comments generated: 6
Comment on lines
+123
to
130
| agentIDHeader := r.Header.Get("X-Agent-ID") | ||
| authHeader := r.Header.Get("Authorization") | ||
| sessionID := auth.ExtractSessionID(authHeader) | ||
| sessionID := auth.ExtractSessionIDFromHeaders(agentIDHeader, authHeader) | ||
|
|
||
| if sessionID == "" { | ||
| logSession.Printf("Session extraction failed: missing or invalid Authorization header, remote=%s", r.RemoteAddr) | ||
| logger.LogError("client", "Rejected MCP client connection: missing or invalid Authorization header, remote=%s, path=%s", r.RemoteAddr, r.URL.Path) | ||
| logSession.Printf("Session extraction failed: missing or invalid X-Agent-ID/Authorization header, remote=%s", r.RemoteAddr) | ||
| logger.LogError("client", "Rejected MCP client connection: missing or invalid X-Agent-ID/Authorization header, remote=%s, path=%s", r.RemoteAddr, r.URL.Path) | ||
| return "" |
Comment on lines
301
to
315
| @@ -282,14 +310,14 @@ func TestValidateExecutionEnvironment(t *testing.T) { | |||
| os.Setenv("MCP_GATEWAY_DOMAIN", origDomain) | |||
| } | |||
| if origAPIKey != "" { | |||
| os.Setenv("MCP_GATEWAY_API_KEY", origAPIKey) | |||
| os.Setenv("MCP_GATEWAY_AGENT_ID", origAPIKey) | |||
| } | |||
| }() | |||
Comment on lines
328
to
332
| t.Run("with missing env vars", func(t *testing.T) { | ||
| os.Unsetenv("MCP_GATEWAY_PORT") | ||
| os.Unsetenv("MCP_GATEWAY_DOMAIN") | ||
| os.Unsetenv("MCP_GATEWAY_API_KEY") | ||
| os.Unsetenv("MCP_GATEWAY_AGENT_ID") | ||
|
|
| require.NotNil(t, stdinCfg.Gateway.Port, "Gateway port is nil") | ||
| assert.Equal(t, port, *stdinCfg.Gateway.Port, "Gateway port not correct") | ||
| assert.Equal(t, "test-key", stdinCfg.Gateway.APIKey, "Gateway API key not correct") | ||
| assert.Equal(t, "test-key", stdinCfg.Gateway.AgentID, "Gateway API key not correct") |
Comment on lines
+1544
to
1547
| t.Run("Legacy APIKey still maps to agent ID", func(t *testing.T) { | ||
| cfg := &Config{Gateway: &GatewayConfig{AgentID: "legacy-id"}} | ||
| assert.Equal(t, "legacy-id", cfg.GetAgentID()) | ||
| }) |
Comment on lines
+460
to
+463
| // TestGetAgentID_LegacyAPIKeyFallback verifies that GetAgentID falls back to APIKey alias. | ||
| func TestGetAgentID_LegacyAPIKeyFallback(t *testing.T) { | ||
| cfg := &Config{Gateway: &GatewayConfig{AgentID: "legacy-id"}} | ||
| assert.Equal(t, "legacy-id", cfg.GetAgentID()) |
Collaborator
|
@copilot address review feedback |
Contributor
Author
Add pre-agent-steps to all smoke test workflows that build a Docker image from the current checkout and tag it as :local. This ensures smoke tests validate the actual code on the branch rather than the latest published container image from main. Changes: - Add pre-agent-steps with docker build to all 9 smoke workflows - Change sandbox.mcp.version from 'latest' to 'local' - Recompile all affected lock files Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The Docker build requires guards/github-guard/github-guard-rust.wasm which is gitignored and must be built from source. Add Rust toolchain setup with wasm32-wasip1 target and run make -C guards/github-guard build before docker build. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Revert smoke .md files to use sandbox.mcp.version: 'latest' (so gh aw compile produces valid lock files), and add a post-compilation script that patches the .lock.yml files to build from source. The script injects a build step AFTER 'Download container images' so the locally-built image overwrites the pulled registry image. This ensures smoke tests validate the actual code on the branch. Usage: gh aw compile smoke-copilot && scripts/patch-smoke-local-build.sh # To revert: gh aw compile Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Extract Python injection logic into scripts/_inject_local_build.py to avoid shell escaping issues that broke YAML indentation and dollar-sign handling. Recompile and re-patch all smoke lock files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Rename user-facing log messages and error strings to use 'agent ID' terminology instead of 'API key', reflecting the true purpose of this identifier as a session routing value rather than a secret. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Jun 7, 2026
github-actions Bot
added a commit
that referenced
this pull request
Jun 7, 2026
The Agent ID rename (PR #7114) introduced four deprecated one-liner wrapper functions that forward calls to the new AgentID-named functions. These create a maintenance burden and IDE confusion (autocomplete suggests the old names). All callers have been migrated: - Remove ValidateAPIKey(): no non-test callers; remove TestValidateAPIKeyAlias - Remove GetAPIKey() on Config: no callers outside its own definition - Remove GetGatewayAPIKeyFromEnv(): no callers outside its own definition - Rename GenerateRandomAPIKey() → GenerateRandomAgentID(): update the single production caller in internal/cmd/root.go and rename all tests in internal/auth/apikey_test.go Also update the stale ValidateAPIKey() reference in the authMiddleware doc comment in internal/server/middleware.go. Closes #7136 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lpcox
added a commit
that referenced
this pull request
Jun 7, 2026
) 🤖 *This PR was created by Repo Assist, an automated AI assistant.* ## Summary PR #7114 renamed the gateway's "API key" surface to "Agent ID" but left four deprecated one-liner wrapper functions in place as backwards-compat aliases. These create IDE confusion (autocomplete surfaces the old names) and an ongoing maintenance burden. This PR removes them. ## Changes | Location | Change | |---|---| | `internal/auth/header.go` | Remove `ValidateAPIKey()` deprecated alias; rename `GenerateRandomAPIKey()` → `GenerateRandomAgentID()` | | `internal/auth/header_test.go` | Remove `TestValidateAPIKeyAlias` (tests a now-deleted function) | | `internal/auth/apikey_test.go` | Rename all test functions and call sites to `GenerateRandomAgentID` | | `internal/cmd/root.go` | Update the single production caller to use `GenerateRandomAgentID()` | | `internal/config/config_core.go` | Remove `GetAPIKey()` deprecated alias (no non-definition callers) | | `internal/config/config_env.go` | Remove `GetGatewayAPIKeyFromEnv()` deprecated alias (no non-definition callers) | | `internal/server/middleware.go` | Update stale `ValidateAPIKey()` reference in doc comment | ## Verification Confirmed no remaining references to the removed/renamed symbols via `grep` across the full source tree. ## Test Status Build and tests could not be run — `proxy.golang.org` is blocked in this environment (pre-existing infrastructure limitation). The changes are syntactically verified by inspection: - All callers of removed functions have been updated or removed - No remaining references to deprecated names in production code or tests - The rename is a mechanical sed-replace with no logic changes Closes #7136 > [!WARNING] > <details> > <summary>Firewall blocked 2 domains</summary> > > The following domains were blocked by the firewall during workflow execution: > > - `proxy.golang.org` > - `releaseassets.githubusercontent.com` >> To allow these domains, add them to the `network.allowed` list in your workflow frontmatter: > > ```yaml > network: > allowed: > - defaults > - "proxy.golang.org" > - "releaseassets.githubusercontent.com" > ``` > > See [Network Configuration](https://github.github.com/gh-aw/reference/network/) for more information. > > </details> > Generated by [Repo Assist](https://github.com/github/gh-aw-mcpg/actions/runs/27093463357) · sonnet46 8M · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-mcpg+%22gh-aw-workflow-id%3A+repo-assist%22&type=pullrequests) > <details> <summary>Add this agentic workflows to your repo</summary> To install this agentic workflow, run ``` gh aw add githubnext/agentics@851905c ``` </details> <!-- gh-aw-agentic-workflow: Repo Assist, engine: copilot, version: 1.0.52, model: claude-sonnet-4.6, id: 27093463357, workflow_id: repo-assist, run: https://github.com/github/gh-aw-mcpg/actions/runs/27093463357 --> <!-- gh-aw-workflow-id: repo-assist -->
This was referenced Jun 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

The gateway currently labels a session-routing identifier as an “API key,” which creates security-review confusion and blurs auth vs identity semantics. This change promotes Agent ID terminology as primary, keeps legacy names as deprecated aliases, and adds explicit header-based session routing via
X-Agent-ID.Config/API terminology migration (non-breaking)
gateway.agent_idgateway.agentIdMCP_GATEWAY_AGENT_IDGetAgentID(),ValidateAgentID()api_key,apiKey,MCP_GATEWAY_API_KEY,GetAPIKey(),ValidateAPIKey()Session identity routing behavior
ExtractSessionIDFromHeaders(xAgentID, authorization)and wired server session extraction to:X-Agent-IDfor session routingAuthorizationfor legacy/current behaviorAuthorizationsemantics; routing and auth are no longer implicitly conflated in naming.Schema/docs/examples alignment
agentIdas primary andapiKeyas deprecated alias.X-Agent-IDas preferred routing header with Authorization fallback.Test updates
agentId/agent_idpaths.X-Agent-IDprecedence coverage in session extraction and auto-init header forwarding.