[Feature] Add OAuth2 authentication and profile management system #12
+1,689
−35
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implements a comprehensive authentication system with OAuth2 PKCE flow and multi-profile support: Authentication Features: - OAuth2 login with PKCE (Proof Key for Code Exchange) flow using Braintrust MCP endpoints - API key authentication fallback for headless/CI environments - Automatic token refresh for expired OAuth2 tokens - Profile-based credential storage in ~/.config/bt/config.json - Support for multiple named profiles with --profile flag (default: "DEFAULT") Profile Management: - Store API URL, access token, refresh token, expiry, org_name, and default project per profile - bt auth login - OAuth2 or API key login - bt auth token - Display current token and TTL - bt auth logout - Remove profile Credential Resolution: - Priority: --api-key flag > profile auth > SDK fallback - OAuth2 tokens work without org_name (JWT contains identity) - API keys require org_name for x-bt-org-name header - Project resolution: --project flag > BRAINTRUST_DEFAULT_PROJECT env > profile.project Projects API Updates: - Conditional org_name handling for OAuth2 vs API key authentication - list_projects, create_project, get_project_by_name support both auth methods Test Coverage: - 20 new tests for auth.rs covering PKCE generation, token refresh, OAuth parsing - 10 new tests for config.rs covering profile CRUD operations - All 51 unit tests passing Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
ankrgyl
reviewed
Feb 9, 2026
Comment on lines
+23
to
+24
| // OAuth2 tokens don't need org_name filtering | ||
| "/v1/project".to_string() |
Contributor
There was a problem hiding this comment.
they do, actually. in fact, oauth tokens are not scoped to orgs, but api keys are.
in general, this code should be not any different based on what type of token you use.
Comment on lines
+14
to
+17
| /// Auth profile to use | ||
| #[arg(long, env = "BRAINTRUST_PROFILE", default_value = "DEFAULT")] | ||
| pub profile: String, | ||
|
|
Contributor
There was a problem hiding this comment.
what is an auth profile in the context of braintrust?
Comment on lines
+29
to
+45
| pub struct LoginArgs { | ||
| /// Profile name to use | ||
| #[arg(long, default_value = "DEFAULT")] | ||
| pub profile: String, | ||
|
|
||
| /// API URL (defaults to https://api.braintrust.dev) | ||
| #[arg(long)] | ||
| pub api_url: Option<String>, | ||
|
|
||
| /// Use API key instead of OAuth2 (for headless/CI) | ||
| #[arg(long)] | ||
| pub api_key: bool, | ||
|
|
||
| /// Optional default project for this profile | ||
| #[arg(long)] | ||
| pub project: Option<String>, | ||
| } |
Contributor
There was a problem hiding this comment.
these arguments should not be duplicated from the base
| return Ok(orgs[selection].clone()); | ||
| } | ||
|
|
||
| // Fallback: prompt user for org name with helpful guidance |
Contributor
There was a problem hiding this comment.
these fallbacks are usually bugs
| .context("failed to parse OAuth discovery response") | ||
| } | ||
|
|
||
| fn generate_code_verifier() -> String { |
Contributor
There was a problem hiding this comment.
would rather use an oauth library
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Implements a comprehensive authentication system with OAuth2 PKCE flow and multi-profile support:
Authentication Features:
~/.config/bt/config.json--profileflag (default: "DEFAULT")Profile Management:
bt auth login- OAuth2 or API key loginbt auth token- Display current token and TTLbt auth logout- Remove profileCredential Resolution:
--api-keyflag > profile auth > SDK fallbackorg_name(JWT contains identity)org_nameforx-bt-org-nameheader--projectflag >BRAINTRUST_DEFAULT_PROJECTenv >profile.projectProjects API Updates:
org_namehandling for OAuth2 vs API key authenticationlist_projects,create_project,get_project_by_namesupport both auth methodsTest Coverage:
Recording
cli_update.mov