feat(gateway): auth middleware — Better Auth session + API key validation #8

@Shanvit7

Description

Add authentication middleware to all /api/v1/* routes. The middleware supports two auth schemes:

  1. Better Auth session cookie — for browser-based clients (dashboard). Calls Better Auth's session resolution to get the authenticated user.
  2. API key (Authorization: Bearer ozk_) — for programmatic clients (SDK, A2A). Hashes the provided key with SHA-256 and looks it up via apiKeyQueries.getApiKeyByHash. Updates last_used_at on successful validation.

Routes that must remain public (no auth): /health, /.well-known/agent.json, /api/auth/ (Better Auth's own sign-in/sign-up routes).

Motivation

Every gateway route is currently unprotected. The API key management endpoints we just shipped can create and list keys, but nothing validates them on incoming requests. The dashboard cannot implement user sessions, and the SDK cannot authenticate with API keys. Auth is the prerequisite for rate limiting, usage tracking, and every downstream feature that needs to know who is making a request.

Affected package(s)

No response

Alternatives considered

No response
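
The request flow described in this issue, as an added sketch that is not the project's code: public-route allowlist first, then the `ozk_` bearer key (SHA-256 hash lookup, `last_used_at` update), then the session fallback. Assumptions: `makeKeyStore`, `touchLastUsed`, the `revoked_at` column, the row field names and the synchronous `resolveSession` callback are hypothetical stand-ins for `apiKeyQueries` and Better Auth's session resolution.

```javascript
const { createHash } = require("node:crypto");

// Public routes from the issue. Exact paths and the one prefix are kept apart so
// that "/healthz" or "/api/authx" cannot ride on a naive startsWith("/health").
const PUBLIC_EXACT = new Set(["/health", "/.well-known/agent.json"]);
const PUBLIC_PREFIX = "/api/auth/";

function isPublicPath(path) {
  // Refuse dot segments instead of resolving them: "/api/auth/../v1/keys"
  // must not inherit the public prefix.
  if (path.split("/").includes("..")) return false;
  return PUBLIC_EXACT.has(path) || path.startsWith(PUBLIC_PREFIX);
}

const sha256Hex = (s) => createHash("sha256").update(s, "utf8").digest("hex");

// Constructed in-memory stand-in for apiKeyQueries (hypothetical row shape).
function makeKeyStore(rows) {
  const byHash = new Map(rows.map((r) => [r.key_hash, r]));
  return {
    getApiKeyByHash: (hash) => byHash.get(hash) ?? null,
    touchLastUsed: (row, now) => { row.last_used_at = now; }, // hypothetical helper
  };
}

// Returns { ok, status, principal }. resolveSession stands in for Better Auth's
// session resolution (async in a real gateway; synchronous in this sketch).
function authenticate(req, store, resolveSession, now = new Date()) {
  if (isPublicPath(req.path)) return { ok: true, status: 200, principal: null };
  const header = req.headers.authorization ?? "";
  if (header.startsWith("Bearer ")) {
    const key = header.slice(7).trim();
    // Cheap format check before hashing. A presented bearer token that fails
    // is rejected outright and never falls back to the session cookie.
    if (!key.startsWith("ozk_")) return { ok: false, status: 401, principal: null };
    const row = store.getApiKeyByHash(sha256Hex(key));
    // revoked_at is a hypothetical column, not named in the issue.
    if (!row || row.revoked_at) return { ok: false, status: 401, principal: null };
    store.touchLastUsed(row, now); // only after successful validation
    return { ok: true, status: 200, principal: { type: "api_key", userId: row.user_id } };
  }
  const session = resolveSession(req.headers);
  if (!session) return { ok: false, status: 401, principal: null };
  return { ok: true, status: 200, principal: { type: "session", userId: session.userId } };
}
```

Only the SHA-256 digest of a key is stored and compared, so the lookup is an indexed equality match on the hash and the plaintext key never needs to be persisted.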

Labels: enhancement (New feature or request)