docs: add bearer token authentication to profiles documentation

- Add nifi_bearer_token to configuration structure and keys
- Document bearer as highest priority NiFi auth method
- Add bearer-token profile example in profiles.yml
- Add NIFI_BEARER_TOKEN environment variable mapping

Author: Chaffelson

docs/profiles.rst

@@ -37,6 +37,7 @@ Quick Start
 - ``secure-ldap`` - LDAP authentication over TLS
 - ``secure-mtls`` - Mutual TLS certificate authentication
 - ``secure-oidc`` - OpenID Connect (OAuth2) authentication
+- ``bearer-token`` - Pre-obtained JWT bearer token
 - ``env`` - Pure environment variable configuration (no profiles file required)
 
 Why Use Profiles?
@@ -88,6 +89,7 @@ Default profiles are defined in ``examples/profiles.yml`` (JSON is also supporte
       # Authentication credentials
       nifi_user: "einstein"
       nifi_pass: "password1234"
+      nifi_bearer_token: null
       registry_user: "einstein"
       registry_pass: "password1234"
 
@@ -133,6 +135,7 @@ Core connection settings:
 
 Authentication credentials:
   - ``nifi_user`` / ``nifi_pass`` - NiFi Basic authentication credentials
+  - ``nifi_bearer_token`` - Pre-obtained JWT bearer token for NiFi
   - ``registry_user`` / ``registry_pass`` - Registry Basic authentication credentials
 
 Shared SSL/TLS certificates (simple PKI - convenience options where both NiFi and Registry share configuration):
@@ -155,7 +158,7 @@ Advanced settings:
   - ``nifi_proxy_identity`` - Identity for NiFi → Registry proxied requests
 
 Authentication method control:
-  - ``nifi_auth_method`` - Explicit authentication method for NiFi (overrides auto-detection). Valid values: ``oidc``, ``mtls``, ``basic``
+  - ``nifi_auth_method`` - Explicit authentication method for NiFi (overrides auto-detection). Valid values: ``bearer``, ``oidc``, ``mtls``, ``basic``
   - ``registry_auth_method`` - Explicit authentication method for Registry (overrides auto-detection). Valid values: ``mtls``, ``basic``, ``unauthenticated``
 
 OIDC authentication:
@@ -170,7 +173,7 @@ Profile Switching Behavior
 1. **Explicit method specification** (highest priority): If ``nifi_auth_method`` or ``registry_auth_method`` are set, that method is used regardless of other available credentials.
 2. **Auto-detection** (fallback): When no explicit method is specified, the system auto-detects based on available credentials. Detection order varies by service:
 
-   - **NiFi**: **1) OIDC** (``oidc_token_endpoint``), **2) mTLS** (``client_cert`` + ``client_key``), **3) Basic Auth** (``nifi_user`` + ``nifi_pass``)
+   - **NiFi**: **1) Bearer Token** (``nifi_bearer_token``), **2) OIDC** (``oidc_token_endpoint``), **3) mTLS** (``client_cert`` + ``client_key``), **4) Basic Auth** (``nifi_user`` + ``nifi_pass``)
    - **Registry**: **1) mTLS** (``client_cert`` + ``client_key``), **2) Basic Auth** (``registry_user`` + ``registry_pass``), **3) Unauthenticated** (no credentials required)
 
 For predictable behavior, either use explicit method specification or design profiles with only one authentication method per environment.
@@ -318,6 +321,37 @@ OpenID Connect (OAuth2) authentication:
 
 **Use case**: Modern OAuth2 integration, external identity providers
 
+bearer-token (Simplest Configuration)
+--------------------------------------
+
+Pre-obtained JWT bearer token authentication - the simplest possible configuration:
+
+.. code-block:: python
+
+    nipyapi.profiles.switch('bearer-token')
+
+**Authentication method**: Bearer Token (detected by presence of ``nifi_bearer_token``)
+
+**Required properties**:
+  - ``nifi_bearer_token: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."`` (your JWT token)
+
+**Additional properties used**:
+  - ``nifi_url: https://nifi.example.com/nifi-api``
+  - ``nifi_verify_ssl: true`` (or false for self-signed certificates)
+
+**Use case**: CI/CD pipelines, GitHub Actions, Kubernetes jobs, or any scenario where you have a pre-obtained JWT token from your identity provider. This is the simplest authentication method - just a URL and a token.
+
+**Example using environment variables only**:
+
+.. code-block:: shell
+
+    # Set environment variables
+    export NIFI_API_ENDPOINT=https://nifi.production.example.com/nifi-api
+    export NIFI_BEARER_TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
+
+    # Use the 'env' profile to load from environment
+    python -c "import nipyapi; nipyapi.profiles.switch('env')"
+
 cli-properties
 --------------
 
@@ -410,6 +444,7 @@ URLs and credentials:
   - ``REGISTRY_API_ENDPOINT`` → ``registry_url``
   - ``NIFI_USERNAME`` → ``nifi_user``
   - ``NIFI_PASSWORD`` → ``nifi_pass``
+  - ``NIFI_BEARER_TOKEN`` → ``nifi_bearer_token``
   - ``REGISTRY_USERNAME`` → ``registry_user``
   - ``REGISTRY_PASSWORD`` → ``registry_pass``
 

examples/profiles.yml

@@ -85,6 +85,14 @@ secure-oidc:
   oidc_client_id: "nipyapi-client"
   oidc_client_secret: "nipyapi-secret"
 
+# Bearer token profile - simplest possible configuration
+# Use when you have a pre-obtained JWT token (e.g., from CI/CD, identity provider)
+# This is ideal for GitHub Actions, Kubernetes jobs, or any environment with injected tokens
+bearer-token:
+  nifi_url: https://nifi.example.com/nifi-api
+  nifi_bearer_token: null  # Set via NIFI_BEARER_TOKEN environment variable
+  nifi_verify_ssl: true
+
 # GitHub CI/CD profile - NiFi only, for testing Git-based registry workflows
 # Uses GitHub Registry Client instead of NiFi Registry
 # GitHub registry configuration is handled by nipyapi-actions, not nipyapi profiles

nipyapi/profiles.py

@@ -16,6 +16,7 @@
     "registry_internal_url": None,
     "nifi_user": None,
     "nifi_pass": None,
+    "nifi_bearer_token": None,
     "registry_user": None,
     "registry_pass": None,
     "ca_path": None,
@@ -51,6 +52,7 @@
     ("registry_url", "REGISTRY_API_ENDPOINT"),
     ("nifi_user", "NIFI_USERNAME"),
     ("nifi_pass", "NIFI_PASSWORD"),
+    ("nifi_bearer_token", "NIFI_BEARER_TOKEN"),
     ("registry_user", "REGISTRY_USERNAME"),
     ("registry_pass", "REGISTRY_PASSWORD"),
     # Basic certificate paths and security config
@@ -109,6 +111,11 @@
 
 # Authentication method definitions - data-driven approach for extensibility
 NIFI_AUTH_METHODS = {
+    "bearer": {
+        "detection_keys": ["nifi_bearer_token"],
+        "required_keys": ["nifi_bearer_token"],
+        "optional_keys": [],
+    },
     "oidc": {
         "detection_keys": ["oidc_token_endpoint"],
         "required_keys": [
@@ -554,6 +561,16 @@ def switch(profile_name, profiles_file=None, login=True):
                 log.debug("OIDC authentication completed")
             else:
                 log.debug("OIDC configuration completed (no login attempted)")
+        elif nifi_auth_method == "bearer":
+            log.debug("Configuring bearer token authentication for NiFi...")
+            if login:
+                security.set_service_auth_token(
+                    token=nifi_auth_params["nifi_bearer_token"],
+                    service="nifi",
+                )
+                log.debug("Bearer token authentication completed")
+            else:
+                log.debug("Bearer token configuration completed (no login attempted)")
         elif nifi_auth_method == "mtls":
             log.debug("Configuring mTLS authentication for NiFi...")
             # Apply client certificates for mTLS