feat: add --token flag to kagent invoke for API key passthrough (#1465)

EItanya · claude · web-flow · commit 0575dff65fe2 · 2026-03-09T16:04:52.000-04:00
## Summary - Add `--token` flag to `kagent invoke` that injects an `Authorization: Bearer` header into A2A requests - Enables using the API key passthrough feature (#1327) from the CLI, where the Bearer token is forwarded directly to LLM providers - Uses a custom `http.RoundTripper` to inject the header on every request made by the A2A client ## Test plan - [x] Tested with valid OpenAI API key as Bearer token — agent responds normally - [x] Tested without token — fails with "api_key client option must be set" - [x] Tested with invalid token — fails with 401 auth error - [x] Tested streaming mode with token — works correctly - [x] Verified mutual exclusion CRD validation (apiKeyPassthrough + apiKeySecret rejected) 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/go/core/cli/cmd/kagent/main.go b/go/core/cli/cmd/kagent/main.go
@@ -95,6 +95,7 @@ func main() {
 	invokeCmd.Flags().StringVarP(&invokeCfg.File, "file", "f", "", "File to read the task from")
 	invokeCmd.Flags().StringVarP(&invokeCfg.URLOverride, "url-override", "u", "", "URL override")
 	invokeCmd.Flags().MarkHidden("url-override") //nolint:errcheck
+	invokeCmd.Flags().StringVar(&invokeCfg.Token, "token", "", "Bearer token to include in A2A requests (for API key passthrough)")
 
 	bugReportCmd := &cobra.Command{
 		Use:   "bug-report",
diff --git a/go/core/cli/internal/cli/agent/invoke.go b/go/core/cli/internal/cli/agent/invoke.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net/http"
 	"os"
 	"strings"
 	"time"
@@ -21,6 +22,19 @@ type InvokeCfg struct {
 	Agent       string
 	Stream      bool
 	URLOverride string
+	Token       string
+}
+
+// bearerTokenTransport is an http.RoundTripper that injects an Authorization: Bearer header.
+type bearerTokenTransport struct {
+	base  http.RoundTripper
+	token string
+}
+
+func (t *bearerTokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	req = req.Clone(req.Context())
+	req.Header.Set("Authorization", "Bearer "+t.token)
+	return t.base.RoundTrip(req)
 }
 
 func InvokeCmd(ctx context.Context, cfg *InvokeCfg) {
@@ -64,10 +78,22 @@ func InvokeCmd(ctx context.Context, cfg *InvokeCfg) {
 		return
 	}
 
+	var a2aClientOpts []a2aclient.Option
+	a2aClientOpts = append(a2aClientOpts, a2aclient.WithTimeout(cfg.Config.Timeout))
+
+	if cfg.Token != "" {
+		a2aClientOpts = append(a2aClientOpts, a2aclient.WithHTTPClient(&http.Client{
+			Transport: &bearerTokenTransport{
+				base:  http.DefaultTransport,
+				token: cfg.Token,
+			},
+		}))
+	}
+
 	var a2aClient *a2aclient.A2AClient
 	var err error
 	if cfg.URLOverride != "" {
-		a2aClient, err = a2aclient.NewA2AClient(cfg.URLOverride, a2aclient.WithTimeout(cfg.Config.Timeout))
+		a2aClient, err = a2aclient.NewA2AClient(cfg.URLOverride, a2aClientOpts...)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Error creating A2A client: %v\n", err)
 			return
@@ -85,7 +111,7 @@ func InvokeCmd(ctx context.Context, cfg *InvokeCfg) {
 		}
 
 		a2aURL := fmt.Sprintf("%s/api/a2a/%s/%s", cfg.Config.KAgentURL, cfg.Config.Namespace, cfg.Agent)
-		a2aClient, err = a2aclient.NewA2AClient(a2aURL, a2aclient.WithTimeout(cfg.Config.Timeout))
+		a2aClient, err = a2aclient.NewA2AClient(a2aURL, a2aClientOpts...)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Error creating A2A client: %v\n", err)
 			return
