Updated by Jan Sandbrink about 16 hours ago
**As** a user
**I want to** use API keys as bearer tokens,
**so that** I can easily copy & paste them into tools that ask me to specify an HTTP header.
**Acceptance criteria**
* API Keys (personal access tokens) can be passed as Bearer tokens and are accepted
* Passing API Keys via HTTP Basic auth is still possible
* Any API keys generated in the past must at least work via HTTP Basic auth
**Context**
Some MCP clients, such as Claude Code, don't properly support registering themselves as static OAuth clients. They would support dynamic client registration, but that's rather complex for us to implement and brings additional risks.
On the other hand, those clients usually support adding simple keys/tokens that are valid for a longer period of time. This is what OpenProject offers through API keys. The only problem is that these can so far only be passed via HTTP Basic auth, which makes copy & pasting them harder (or for clients only supporting Bearer tokens: impossible).
**QA Notes**
* This can be tested on any APIv3 endpoint (choose your favorite one, e.g. `/api/v3/users/me`)
* Create a new API token and use it in Postman (or any other tool) as a "Bearer token"
* HTTP header would be: `Authorization: Bearer <your-token>`
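An added Ruby example (not OpenProject's own code) of the header handling this story asks for: one function pulls the API key out of either `Bearer <token>` or `Basic base64(apikey:<token>)`, and a second verifies it against a store of hashed tokens, so old and new keys work through both schemes. The `apikey` Basic-auth username, the SHA-256 token store and the sample token are assumptions made for this example.

```ruby
require 'base64'
require 'digest'

# Extracts the candidate API key from an Authorization header value.
# Accepts both forms the story describes:
#   Authorization: Bearer <token>
#   Authorization: Basic base64("apikey:<token>")
# Returns nil when the header is absent, malformed, or uses another scheme,
# so the caller falls through to "not authenticated" rather than raising.
def extract_api_key(header, basic_user: 'apikey')
  return nil if header.nil?
  scheme, credentials = header.strip.split(/\s+/, 2)
  return nil if scheme.nil? || credentials.nil? || credentials.empty?

  case scheme.downcase # the auth-scheme name is case-insensitive (RFC 7235)
  when 'bearer'
    # Only accept the token68 character set defined for Bearer (RFC 6750)
    credentials.match?(%r{\A[A-Za-z0-9._~+/-]+=*\z}) ? credentials : nil
  when 'basic'
    decoded = begin
      Base64.strict_decode64(credentials) # strict: reject padding/charset junk
    rescue ArgumentError
      return nil
    end
    user, pass = decoded.split(':', 2)
    # Assumed convention: fixed username "apikey", the key is the password
    user == basic_user && pass && !pass.empty? ? pass : nil
  end
end

# Constructed sample store: SHA-256 digest of the key => owning user login.
# Storing only digests means a database leak does not hand out usable keys,
# and looking up by digest avoids a timing side channel on the secret itself.
STORED_TOKENS = {
  Digest::SHA256.hexdigest('example-token-123') => 'alice'
}.freeze

# Returns the login of the key owner, or nil if the header does not carry a
# valid key in either scheme.
def authenticate(header)
  key = extract_api_key(header)
  return nil if key.nil?
  STORED_TOKENS[Digest::SHA256.hexdigest(key)]
end
```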