fix: use Bearer auth when key comes from ANTHROPIC_AUTH_TOKEN

[worldofgeese]

Problem

When ANTHROPIC_AUTH_TOKEN is used (instead of ANTHROPIC_API_KEY), the request still sends the key via the x-api-key header. Most proxy endpoints expect Authorization: Bearer <token> instead — this is how Claude Code handles it when ANTHROPIC_AUTH_TOKEN is set.

This causes 403 errors when using corporate/custom Anthropic-compatible proxies (LiteLLM, Azure AI Gateway, etc.), as reported in #135.

Solution

Adds a ProxyBearer auth path variant alongside the existing ApiKey and OAuthToken paths:

• ApiKey → x-api-key: <key> (native Anthropic, unchanged)
• OAuthToken → Authorization: Bearer + Claude Code identity headers (unchanged)
• ProxyBearer (new) → Authorization: Bearer only, no identity headers

Auth source tracking via use_bearer_auth on ProviderConfig, set automatically when the key originates from ANTHROPIC_AUTH_TOKEN in both load_from_env and from_toml code paths.

This aligns with Claude Code's third-party integrations behavior.

Changes

• src/llm/anthropic/auth.rs — ProxyBearer variant, updated detect_auth_path(token, force_bearer), updated apply_auth_headers, new tests
• src/config.rs — use_bearer_auth field on ProviderConfig, auth source detection in both loading paths
• src/llm/anthropic/params.rs — threads force_bearer through build_anthropic_request
• src/llm/model.rs — passes use_bearer_auth from provider config
• src/api/providers.rs, src/llm/manager.rs — use_bearer_auth: false on all other provider constructions

Testing

• Added 4 new unit tests for ProxyBearer path (bearer header, no identity headers, correct beta flags)
• Updated existing tests for new detect_auth_path signature
• No behavioral change for existing ANTHROPIC_API_KEY users

Closes the auth header issue reported in #135 (comment)

Note

Automated Summary

This PR implements Bearer token authentication for proxy-compatible Anthropic endpoints when ANTHROPIC_AUTH_TOKEN is used. The core changes add a new ProxyBearer auth path that sends Authorization: Bearer headers without Claude Code identity headers, allowing seamless integration with corporate proxies and Anthropic-compatible services. Configuration detection automatically sets the use_bearer_auth flag when the token originates from the ANTHROPIC_AUTH_TOKEN environment variable (prioritizing it over ANTHROPIC_API_KEY). The implementation is backward compatible—existing API key users are unaffected—and includes 4 new unit tests validating the Bearer auth flow.

_{Written by Tembo for commit 313c6f6}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 313c6f6 and 78e0418.

📒 Files selected for processing (1)

• src/config.rs

🚧 Files skipped from review as they are similar to previous changes (1)

• src/config.rs

---

Walkthrough

Adds a new public boolean field use_bearer_auth to ProviderConfig, detects proxy-style Anthropic auth from ANTHROPIC_AUTH_TOKEN / TOML sources, and threads this flag through config loading, auth selection, and Anthropic request construction to enable Proxy Bearer authentication.

Changes

Cohort / File(s)	Summary
Configuration & Provider Setup src/config.rs, src/api/providers.rs	Add pub use_bearer_auth: bool to ProviderConfig. Detect proxy-style Anthropic auth in env/TOML loaders and set the flag for Anthropic; initialize flag (false) at provider construction sites; update Debug output.
Anthropic Authentication Handler src/llm/anthropic/auth.rs	Add AnthropicAuthPath::ProxyBearer. Change detect_auth_path(token, force_bearer) and apply_auth_headers(..., force_bearer) signatures. Implement ProxyBearer header handling (Bearer Authorization, omit Claude identity headers, streaming beta handling); add tests for force_bearer behavior.
Request Building & Orchestration src/llm/anthropic/params.rs, src/llm/model.rs, src/llm/manager.rs	Extend build_anthropic_request(...) signature with force_bearer/use_bearer_auth bool and propagate it to auth functions. Thread provider use_bearer_auth into request construction; add explicit use_bearer_auth: false initializers in manager where applicable.

Sequence Diagram

sequenceDiagram
    participant Config as Config Loader
    participant Provider as ProviderConfig
    participant Model as SpacebotModel
    participant Builder as Request Builder
    participant Auth as Auth Handler
    Config->>Config: load_from_env / from_toml
    Config->>Provider: set use_bearer_auth (anthropic detection)
    Model->>Provider: read provider_config.use_bearer_auth
    Model->>Builder: build_anthropic_request(..., force_bearer)
    Builder->>Auth: detect_auth_path(token, force_bearer)
    alt ProxyBearer chosen
        Auth->>Auth: return ProxyBearer
        Auth->>Builder: apply Bearer Authorization header (no Claude identity)
    else Standard path
        Auth->>Auth: return OAuth/APIKey variant
        Auth->>Builder: apply standard Anthropic headers (with identity)
    end
    Builder->>Model: return configured RequestBuilder

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I found a flag that hops and gleams,
It tells requests to bear the beams.
Through config, headers, paths it flies,
A proxy bearer in disguise.
Hooray—auth hops to new routines! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: enabling Bearer authentication for tokens from ANTHROPIC_AUTH_TOKEN, which is the core purpose of this PR.
Description check	✅ Passed	The description provides comprehensive context about the problem, solution, changes made, and testing approach, all directly related to the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/llm/manager.rs (1)

178-189: ⚠️ Potential issue | 🟠 Major

Clear use_bearer_auth when swapping in Anthropic OAuth tokens.

When OAuth credentials are present, this branch overwrites provider.api_key but retains use_bearer_auth. If the static provider was sourced from ANTHROPIC_AUTH_TOKEN, that flag will force ProxyBearer and drop OAuth identity headers/tool normalization. Reset the flag when you replace the key with an OAuth token.

Proposed fix

-            (Some(mut provider), Some(token)) => {
-                provider.api_key = token;
-                Ok(provider)
-            }
+            (Some(mut provider), Some(token)) => {
+                provider.api_key = token;
+                provider.use_bearer_auth = false;
+                Ok(provider)
+            }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/llm/manager.rs` around lines 178 - 189, In the (Some(mut provider),
Some(token)) branch where you replace provider.api_key with an OAuth token, also
clear provider.use_bearer_auth (set it to false) so the swapped-in OAuth
identity is used instead of ProxyBearer; ensure ProviderConfig creation for the
(None, Some(token)) branch remains with use_bearer_auth = false (ProviderConfig
and ApiType::Anthropic are the relevant symbols to check).

src/config.rs (1)

2541-2705: ⚠️ Potential issue | 🟠 Major

Handle env:ANTHROPIC_AUTH_TOKEN sources in TOML configs.

Line 2541 and Line 2668: when TOML uses anthropic_key = "env:ANTHROPIC_AUTH_TOKEN" or an explicit [llm.provider.*] entry with api_key = "env:ANTHROPIC_AUTH_TOKEN", use_bearer_auth stays false. That yields x-api-key headers and breaks proxy auth. You should treat env-referenced AUTH_TOKEN as a bearer source in both the shorthand and provider-table paths.

💡 Suggested fix

-        let toml_llm_anthropic_key_was_none = toml
-            .llm
-            .anthropic_key
-            .as_deref()
-            .and_then(resolve_env_value)
-            .is_none();
+        let toml_anthropic_key_raw = toml.llm.anthropic_key.as_deref();
+        let toml_anthropic_key_is_auth_token = toml_anthropic_key_raw
+            .and_then(|value| value.strip_prefix("env:"))
+            .is_some_and(|name| name.eq_ignore_ascii_case("ANTHROPIC_AUTH_TOKEN"));
+        let toml_llm_anthropic_key_was_none = toml_anthropic_key_raw
+            .and_then(resolve_env_value)
+            .is_none();

@@
-        let anthropic_from_auth_token = toml_llm_anthropic_key_was_none
-            && std::env::var("ANTHROPIC_API_KEY").is_err()
-            && std::env::var("ANTHROPIC_AUTH_TOKEN").is_ok();
+        let anthropic_from_auth_token = toml_anthropic_key_is_auth_token
+            || (toml_llm_anthropic_key_was_none
+                && std::env::var("ANTHROPIC_API_KEY").is_err()
+                && std::env::var("ANTHROPIC_AUTH_TOKEN").is_ok());

@@
-                    Ok((
-                        provider_id.to_lowercase(),
-                        ProviderConfig {
-                            api_type: config.api_type,
-                            base_url: config.base_url,
-                            api_key,
-                            name: config.name,
-                            use_bearer_auth: false,
-                        },
-                    ))
+                    let use_bearer_auth = config.api_type == ApiType::Anthropic
+                        && config
+                            .api_key
+                            .strip_prefix("env:")
+                            .is_some_and(|name| name.eq_ignore_ascii_case("ANTHROPIC_AUTH_TOKEN"));
+                    Ok((
+                        provider_id.to_lowercase(),
+                        ProviderConfig {
+                            api_type: config.api_type,
+                            base_url: config.base_url,
+                            api_key,
+                            name: config.name,
+                            use_bearer_auth,
+                        },
+                    ))

Also applies to: 2668-2680

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/config.rs` around lines 2541 - 2705, The Anthropic auth token sourced via
env reference isn't being marked as bearer, causing x-api-key headers; update
the logic that builds LlmConfig (the llm.anthropic_key branch and the providers
map created in from_toml) to detect when an API key came from the
ANTHROPIC_AUTH_TOKEN env var (i.e., when resolve_env_value or the provider
config's api_key reference resolves to the ANTHROPIC_AUTH_TOKEN variable) and
set ProviderConfig.use_bearer_auth = true for the "anthropic" provider; reuse
toml_llm_anthropic_key_was_none and anthropic_from_auth_token checks for the
shorthand path and add equivalent detection when mapping toml.llm.providers
(inside the providers .map closure) so any provider entry whose resolved api_key
originates from ANTHROPIC_AUTH_TOKEN toggles use_bearer_auth.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@src/config.rs`:
- Around line 2541-2705: The Anthropic auth token sourced via env reference
isn't being marked as bearer, causing x-api-key headers; update the logic that
builds LlmConfig (the llm.anthropic_key branch and the providers map created in
from_toml) to detect when an API key came from the ANTHROPIC_AUTH_TOKEN env var
(i.e., when resolve_env_value or the provider config's api_key reference
resolves to the ANTHROPIC_AUTH_TOKEN variable) and set
ProviderConfig.use_bearer_auth = true for the "anthropic" provider; reuse
toml_llm_anthropic_key_was_none and anthropic_from_auth_token checks for the
shorthand path and add equivalent detection when mapping toml.llm.providers
(inside the providers .map closure) so any provider entry whose resolved api_key
originates from ANTHROPIC_AUTH_TOKEN toggles use_bearer_auth.

In `@src/llm/manager.rs`:
- Around line 178-189: In the (Some(mut provider), Some(token)) branch where you
replace provider.api_key with an OAuth token, also clear
provider.use_bearer_auth (set it to false) so the swapped-in OAuth identity is
used instead of ProxyBearer; ensure ProviderConfig creation for the (None,
Some(token)) branch remains with use_bearer_auth = false (ProviderConfig and
ApiType::Anthropic are the relevant symbols to check).

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7170ca0 and 313c6f6.

📒 Files selected for processing (6)

• src/api/providers.rs
• src/config.rs
• src/llm/anthropic/auth.rs
• src/llm/anthropic/params.rs
• src/llm/manager.rs
• src/llm/model.rs

[tembo]

Looks like anthropic_from_auth_token only flips on when [llm].anthropic_key is absent and the env fallback picks ANTHROPIC_AUTH_TOKEN. If TOML sets anthropic_key = "env:ANTHROPIC_AUTH_TOKEN", this stays false and we’d still send x-api-key.

Suggested change

	let anthropic_from_auth_token = toml_llm_anthropic_key_was_none
	let anthropic_from_auth_token =
	matches!(toml.llm.anthropic_key.as_deref(), Some("env:ANTHROPIC_AUTH_TOKEN"))
	|| (toml_llm_anthropic_key_was_none
	&& std::env::var("ANTHROPIC_API_KEY").is_err()
	&& std::env::var("ANTHROPIC_AUTH_TOKEN").is_ok());

[tembo]

Minor test hardening: avoid to_str().unwrap() here (panics on non-UTF8 header values).

Suggested change

	let ua = request.headers().get("user-agent").map(|v| v.to_str().unwrap().to_string());
	let ua = request
	.headers()
	.get("user-agent")
	.and_then(|value| value.to_str().ok());
	assert!(ua.map_or(true, |ua| !ua.contains("claude-code")));