feat-use-api-key-first (#39)

mateoCuervo · web-flow · commit cfa1f71e174d · 2025-11-26T13:29:07.000-05:00
Ticket: https://linear.app/onkernel/issue/KERNEL-487/cli-set-api-key-auth-priority-higher-than-oauth ## Tested ### Current state ```sh # Using KERNEL_API_KEY it uses my current org I called it Nov 25 ORG notice last browser name ➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list Browser ID | Created At | Persisten... | Profile | CDP WS URL | Live View URL ca3u5hijj15ifurm3ujxztml | 2025-11-25... | 9878979987 | - | httof idle browser in... | https://apterygial-mu... jo2n7c4zgl70zzlnzgmy3t8h | 2025-11-25... | 1223132213 | - | httof idle browser in... | https://apterygial-mu... hj5tjjncxfkewvor5fsprck0 | 2025-11-25... | Nov25-Org... | - | httof idle browser in... | https://apterygial-mu... # Log in with and select org "Mateos org" ➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel login INFO Starting Kernel authentication... INFO This will open your browser to complete the OAuth flow INFO Authentication URL: http://localhost:3002/authorize?client_id=J7i8BKwyFBoyPQN3&code_challenge=XPFk4ct2f3mLWg85mgKPZ01yeFdqQnSlR98Ew2pK87g&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A58432%2Fcallback&response_type=code&scope=openid+email&state=eyJjc3JmIjoiSGk0dWg0c0VBMTRFVzUwY3c1NjltUnZpZkx1S0tnSUsifQ%3D%3D SUCCESS Authentication successful! SUCCESS ✓ Successfully authenticated with Kernel! INFO You can now use other Kernel CLI commands without setting KERNEL_API_KEY # Now it should browsers from my other org "Mateos org" ➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list [DEBUG] Using OAuth token authentication (token length: 918 chars) [DEBUG] Token preview: eyJhbGciOiJSUzI1NiIs...C87PgKujVC4nYMU8zDGA Browser ID | Created At | Persisten... | Profile | CDP WS URL | Live View URL tmww8k86b170jh8kqxjtzhqu | 2025-11-25... | mateos-Or... | - | httof idle browser in... | https://apterygial-mu... ``` ### After changes ```sh # Using KERNEL_API_KEY it uses my current org I called it Nov 25 ORG notice last browser name ➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list Browser ID | Created At | Persistent ID | Profile | CDP WS URL | Live View URL ca3u5hijj15ifurm3ujxztml | 2025-11-25 13:... | 9878979987 | - | httof idle browser instances in... | https://apterygial-multiflorous... jo2n7c4zgl70zzlnzgmy3t8h | 2025-11-25 14:... | 1223132213 | - | httof idle browser instances in... | https://apterygial-multiflorous... hj5tjjncxfkewvor5fsprck0 | 2025-11-25 14:... | Nov25-OrgPer... | - | httof idle browser instances in... | https://apterygial-multiflorous... # Log in with and select org "Mateos org" ➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel login INFO Starting Kernel authentication... INFO This will open your browser to complete the OAuth flow INFO Authentication URL: http://localhost:3002/authorize?client_id=J7i8BKwyFBoyPQN3&code_challenge=qaTOaQ1yIwkNnde8QHJ2sBT4IKqjBly0EfXQ4Gqoe2c&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A58432%2Fcallback&response_type=code&scope=openid+email&state=eyJjc3JmIjoiaW8xVTluSzh5a0xXR0lkSXFjdnBvb20tc09nelEyZU4ifQ%3D%3D SUCCESS Authentication successful! SUCCESS ✓ Successfully authenticated with Kernel! INFO You can now use other Kernel CLI commands without setting KERNEL_API_KEY # Now it should browsers from my other org "Mateos org" ➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list [DEBUG] Using OAuth token authentication (token length: 918 chars) [DEBUG] Token preview: eyJhbGciOiJSUzI1NiIs...pm2ig2L1X7nM9EASXU7Q Browser ID | Created At | Persistent ID | Profile | CDP WS URL | Live View URL tmww8k86b170jh8kqxjtzhqu | 2025-11-25 14:... | mateos-OrgPe... | - | httof idle browser instances in... | https://apterygial-multiflorous... # Now I trigger re build with my latest changes ➜ cli git:(feat-use-api-key-first) ✗ make build go build -o bin/kernel ./cmd/kernel # It gives precedence to API KEY ➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list Browser ID | Created At | Persistent ID | Profile | CDP WS URL | Live View URL ca3u5hijj15ifurm3ujxztml | 2025-11-25 13:... | 9878979987 | - | httof idle browser instances in... | https://apterygial-multiflorous... jo2n7c4zgl70zzlnzgmy3t8h | 2025-11-25 14:... | 1223132213 | - | httof idle browser instances in... | https://apterygial-multiflorous... hj5tjjncxfkewvor5fsprck0 | 2025-11-25 14:... | Nov25-OrgPer... | - | httof idle browser instances in... | https://apterygial-multiflorous... # I do logout ➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel logout INFO Logging out... SUCCESS ✓ Successfully logged out INFO Run 'kernel login' to authenticate again # Now login again to "Mateos org" ➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel login INFO Starting Kernel authentication... INFO This will open your browser to complete the OAuth flow INFO Authentication URL: http://localhost:3002/authorize?client_id=J7i8BKwyFBoyPQN3&code_challenge=jQg_U5OE4av1FtB1dBwjibFnSLvSrM1jqXsl8DLa70E&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A58432%2Fcallback&response_type=code&scope=openid+email&state=eyJjc3JmIjoidEEwckg5UWh3cktILWFKNWpNaXctRUlWdFFyTE1ncEMifQ%3D%3D SUCCESS Authentication successful! SUCCESS ✓ Successfully authenticated with Kernel! INFO You can now use other Kernel CLI commands without setting KERNEL_API_KEY # It still gives precedence to my org named "Nov 25" this is the one in API_KEY ➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list Browser ID | Created At | Persistent ID | Profile | CDP WS URL | Live View URL ca3u5hijj15ifurm3ujxztml | 2025-11-25 13:58:01 EST | 9878979987 | - | httof idle browser instances in the pops://apte... | https://apterygial-multiflorous-magaly.ngrok-fr... jo2n7c4zgl70zzlnzgmy3t8h | 2025-11-25 14:05:16 EST | 1223132213 | - | httof idle browser instances in the pops://apte... | https://apterygial-multiflorous-magaly.ngrok-fr... hj5tjjncxfkewvor5fsprck0 | 2025-11-25 14:08:57 EST | Nov25-OrgPersistent | - | httof idle browser instances in the pops://apte... | https://apterygial-multiflorous-magaly.ngrok-fr... ```
diff --git a/pkg/auth/client.go b/pkg/auth/client.go
@@ -12,7 +12,17 @@ import (
 
 // GetAuthenticatedClient returns a Kernel client with appropriate authentication
 func GetAuthenticatedClient(opts ...option.RequestOption) (*kernel.Client, error) {
-	// Try to use stored OAuth tokens first
+	// Try to use API key first if available
+	apiKey := os.Getenv("KERNEL_API_KEY")
+	if apiKey != "" {
+		pterm.Debug.Println("Using API key authentication")
+
+		authOpts := append(opts, option.WithHeader("Authorization", "Bearer "+apiKey))
+		client := kernel.NewClient(authOpts...)
+		return &client, nil
+	}
+
+	// Fallback to OAuth tokens if no API key is available
 	tokens, err := LoadTokens()
 	if err == nil {
 		// Check if access token is expired and refresh if needed
@@ -41,15 +51,6 @@ func GetAuthenticatedClient(opts ...option.RequestOption) (*kernel.Client, error
 		return &client, nil
 	}
 
-	// Fallback to API key if no OAuth tokens are available
-	apiKey := os.Getenv("KERNEL_API_KEY")
-	if apiKey == "" {
-		return nil, fmt.Errorf("no authentication available. Please run 'kernel login' or set KERNEL_API_KEY environment variable")
-	}
-
-	pterm.Debug.Println("Using API key authentication (fallback)")
-
-	authOpts := append(opts, option.WithHeader("Authorization", "Bearer "+apiKey))
-	client := kernel.NewClient(authOpts...)
-	return &client, nil
+	// No authentication available
+	return nil, fmt.Errorf("no authentication available. Please run 'kernel login' or set KERNEL_API_KEY environment variable")
 }
diff --git a/pkg/auth/oauth.go b/pkg/auth/oauth.go
@@ -25,11 +25,22 @@ var successHTML string
 
 const (
 	// MCP Server OAuth endpoints (which proxy to Clerk)
+	// Production
 	AuthURL  = "https://auth.onkernel.com/authorize"
 	TokenURL = "https://auth.onkernel.com/token"
+	
+	// Staging
+	// AuthURL  = "https://auth.dev.onkernel.com/authorize"
+	// TokenURL = "https://auth.dev.onkernel.com/token"
+	
+	// Local
+	// AuthURL  = "http://localhost:3002/authorize"
+	// TokenURL = "http://localhost:3002/token"
 
 	// OAuth client configuration
 	ClientID    = "hmFrJn9hKDV2N02M" // Prod Kernel CLI OAuth Client ID
+	// ClientID    = "gkUVbm11p6EqKd7r" // Staging Kernel CLI OAuth Client ID
+	// ClientID    = "J7i8BKwyFBoyPQN3" // Local Kernel CLI OAuth Client ID
 	RedirectURI = "http://localhost"
 
 	// OAuth scopes - openid for the MCP server flow
