From 8e551e47265d8560f3de675c4b88bb6b97392549 Mon Sep 17 00:00:00 2001 From: Patrick Nikoletich Date: Sat, 7 Feb 2026 14:45:55 -0800 Subject: [PATCH] Clarify BYOK token usage and limitations --- docs/auth/byok.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/auth/byok.md b/docs/auth/byok.md index 6c836743..b244c453 100644 --- a/docs/auth/byok.md +++ b/docs/auth/byok.md @@ -272,19 +272,23 @@ provider: { } ``` +> **Note:** The `bearerToken` option accepts a **static token string** only. The SDK does not refresh this token automatically. If your token expires, requests will fail and you'll need to create a new session with a fresh token. + ## Limitations When using BYOK, be aware of these limitations: ### Identity Limitations -BYOK authentication is **key-based only**. The following identity providers are NOT supported: +BYOK authentication uses **static credentials only**. The following identity providers are NOT supported: - ❌ **Microsoft Entra ID (Azure AD)** - No support for Entra managed identities or service principals - ❌ **Third-party identity providers** - No OIDC, SAML, or other federated identity - ❌ **Managed identities** - Azure Managed Identity is not supported -You must use an API key or bearer token that you manage yourself. +You must use an API key or static bearer token that you manage yourself. + +**Why not Entra ID?** While Entra ID does issue bearer tokens, these tokens are short-lived (typically 1 hour) and require automatic refresh via the Azure Identity SDK. The `bearerToken` option only accepts a static string—there is no callback mechanism for the SDK to request fresh tokens. For long-running workloads requiring Entra authentication, you would need to implement your own token refresh logic and create new sessions with updated tokens. ### Feature Limitations
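Review bot: The added "Why not Entra ID?" paragraph at the end of Identity Limitations says an Entra-issued bearer token can be passed as long as the caller refreshes it and creates new sessions, which reads as a contradiction of the unchanged bullets just above it that list Entra ID service principals and managed identities as "NOT supported". Suggest rewording the list intro along the lines of "The SDK has no built-in integration for the following identity providers" so the bullets and the new paragraph agree. The new Note after the provider example says "requests will fail" when the token expires but does not say how that failure surfaces; stating the error or status a caller should watch for would let them detect expiry and recreate the session with a fresh token. Because the text now directs users to a static credential "that you manage yourself", a sentence on loading the token from a secret store rather than source, keeping it out of logs, and rotating it would fit in the same section.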