Skip to content

Library share token does not authorize linked shared doc via agent API #35

Open
Open
Library share token does not authorize linked shared doc via agent API#35
@vitalyis

Description

@vitalyis
vitalyis
opened on Mar 25, 2026

Summary

A tokenized Proof library document can be accessed via the agent API, but the same token does not authorize access to a linked shared document listed inside that library. From the user perspective this is surprising because the library exposes the linked document, yet an external agent still cannot join the linked doc or show presence there.

Reproduction

  1. Use a tokenized library URL:
    https://www.proofeditor.ai/d/w0pyqpl4?token=<library-token>
  2. Call:
    POST /api/agent/w0pyqpl4/presence
  3. Call:
    GET /api/agent/w0pyqpl4/state
  4. Observe the library content lists a linked shared doc:
    /open/dkib5ilz (QuickCal 1-Day Tactical Sprint Plan)
  5. Reuse the same token against the linked doc with each of these forms:
    • Authorization: Bearer <library-token>
    • x-share-token: <library-token>
    • ?token=<library-token>
  6. Call both:
    • GET /api/agent/dkib5ilz/state
    • POST /api/agent/dkib5ilz/presence

Expected

One of these should be true:

  • the library token should authorize agent access to the linked shared doc surfaced from that library, or
  • Proof should expose a clear way to exchange or resolve the per-doc token for linked shared docs, or
  • the library should not present the linked doc in a way that suggests agents can open it directly.

Actual

The library token works for w0pyqpl4, but every attempt to use that same token on dkib5ilz returns:

{"success":false,"error":"Missing or invalid share token","code":"UNAUTHORIZED"}

This blocks agent presence and state reads on the linked doc.

Verified Evidence

Successful library presence:

  • POST https://www.proofeditor.ai/api/agent/w0pyqpl4/presence
  • Status: 200
  • Response excerpt:
{"success":true,"slug":"w0pyqpl4","collabApplied":true}

Successful library state:

  • GET https://www.proofeditor.ai/api/agent/w0pyqpl4/state
  • Status: 200
  • Response included:
    • QuickCal 1-Day Tactical Sprint Plan as /open/dkib5ilz

Failed linked-doc state:

  • GET https://www.proofeditor.ai/api/agent/dkib5ilz/state
  • Status: 401
  • Response:
{"success":false,"error":"Missing or invalid share token","code":"UNAUTHORIZED"}

Failed linked-doc presence:

  • POST https://www.proofeditor.ai/api/agent/dkib5ilz/presence
  • Status: 401
  • Response:
{"success":false,"error":"Missing or invalid share token","code":"UNAUTHORIZED"}

Also tested the same token via:

  • Authorization: Bearer <token>
  • x-share-token: <token>
  • query parameter ?token=<token>

All produced the same 401 for dkib5ilz.

Notes

A plain non-tokenized URL for dkib5ilz also returns the same 401, which is expected. The surprising behavior is specifically that a valid token for the library doc does not help an agent access the linked shared doc that the library exposes.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions