feat(middleware): Add AI agent friendly responses for unauthenticated requests

[dcramer]

Add middleware that returns helpful markdown guidance when AI agents (Claude Code, Cursor, Copilot, etc.) make unauthenticated requests to frontend UI routes.

When an anonymous request with Accept: text/markdown or text/x-markdown hits a non-API route, the middleware returns a friendly response explaining how to properly access Sentry:

• MCP Server - Pre-configured URL with org/project context extracted from the request path
• REST API - Authentication instructions and documentation links

Example response for /organizations/my-org/projects/my-project/:

# Hey, you've hit the Sentry web UI

This URL serves HTML for humans in browsers. You probably want one of these instead:

## MCP Server (recommended for AI agents)

Add to your MCP client config:

{
  "mcpServers": {
    "sentry": {
      "url": "https://mcp.sentry.dev/mcp/my-org/my-project",
    }
  }
}

More info: https://mcp.sentry.dev

## REST API (for scripts and integrations)

curl https://sentry.io/api/0/projects/ \
  -H "Authorization: Bearer <token>"

Docs: https://docs.sentry.io/api/

Fixes #106334

[evanpurkhiser]

should it say like "Your user can get a token from" so the agent doesn't try and hit this URL to get a token like a dum dum

[dcramer]

tbqh this is wrong, stupid bot

[evanpurkhiser]

@cursoragent can u check if there's a better way to do this in the codebase, i thought there was

[evanpurkhiser]

does this work can I just tag it

[cursor]

Based on my search of the codebase, there's a cleaner pattern used throughout Sentry. The current implementation can be simplified to match the established pattern.

Here's what I found:

Current implementation:

def _is_anonymous_request(request: HttpRequest) -> bool:
    """Check if the request is anonymous (no authenticated user, no auth token)."""
    if getattr(request, "auth", None) is not None:
        return False

    user = getattr(request, "user", None)
    return user is None or user.is_anonymous

Better pattern (used throughout the codebase):

The codebase consistently uses request.user.is_authenticated rather than checking for None or is_anonymous. I found this exact pattern in src/sentry/auth/access.py:942:

    if request.auth is not None and not request.user.is_authenticated:
        return from_rpc_auth(request.auth, rpc_user_org_context)

Recommended change:

def _is_anonymous_request(request: HttpRequest) -> bool:
    """Check if the request is anonymous (no authenticated user, no auth token)."""
    return request.auth is None and not request.user.is_authenticated

This is:

• ✅ More concise
• ✅ Matches the established pattern used in 166+ places in the codebase
• ✅ Doesn't need getattr() since Django middleware guarantees request.user and request.auth are set by the AuthenticationMiddleware (which runs before this middleware)

 

[dcramer]

yeah tho it will likely fuck it up all because it lacks useful context ("do what")

[dcramer]

damn

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[BYK]

Only major concern is the auth endpoints bypass.

[BYK]

Would be ideal if these patterns were shared with the main route patterns

[dcramer]

too overkill

[BYK]

Would also add text/html test, just in case

[BYK]

Shall we also explicitly exclude our auth endpoints? Or maybe we can add a property on the views themselves in the future: has_markdown and only allow those?

[dcramer]

you mean the oauth stuff? i think its fine as no one should be sending a user agent that would hit this that would also hit those

the only reason we do /api/ is because it actually is machines sending those requests

[BYK]

Some of the new ones from #105675 might be worth it:

• /oauth/device_authorization
• /oauth/token
• /oauth/device