Skip to content

fix(mcp): send Org-Id/Workspace-Id tenancy headers on platform token requests#334

Merged
initializ-mk merged 2 commits into
mainfrom
fix/platform-token-tenancy-headers
Jul 18, 2026
Merged

fix(mcp): send Org-Id/Workspace-Id tenancy headers on platform token requests#334
initializ-mk merged 2 commits into
mainfrom
fix/platform-token-tenancy-headers

Conversation

@initializ-mk

Copy link
Copy Markdown
Contributor

What

The MCP platform-token resolver (forge-core/mcp/platform_token.go) fetched short-lived agent-principal tokens from agent-builder POST /api/v1/mcp/token sending only Authorization: Bearer ${FORGE_PLATFORM_TOKEN} — no tenancy headers. The platform verifies a per-org HS256 token and needs Org-Id to select the signing secret before it can validate the bearer, so the call failed with 401 "missing org-id header" (hit live on the FanDuel test env).

Change

  • Send Org-Id + Workspace-Id from FORGE_ORG_ID / FORGE_WORKSPACE_ID on every platform-token request, matching the pattern already used by admission_loader.go / remote_session_store.go.
  • Record the platform-integration contracts in CLAUDE.md (tenancy headers, MCP auth types, DEFER keying <server>__<op>, RFC 9728→8414→7591 path-qualified issuer well-known insertion).

Test

  • cd forge-core && go test ./... green.
  • Refresh token / client secret never leave the platform (access token only in the response).

🤖 Generated with Claude Code

initializ-mk and others added 2 commits July 17, 2026 09:48
…aders

A deployed agent's auth.type=platform read failed at startup with
'platform token endpoint returned 401: missing org-id header'. The
platform verifies a PER-ORG HS256 token, so it needs Org-Id to select
the signing secret BEFORE it can validate the bearer — and Workspace-Id
to authorize the request against the registry entry (entitlement). The
token request sent only the bearer.

Now sends both from the standard FORGE_ORG_ID / FORGE_WORKSPACE_ID env
the platform injects (omitted when empty), exactly as the admission and
remote-session-store clients already do. Test asserts the resolver
receives them.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…th types, DEFER, OAuth discovery)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@initializ-mk
initializ-mk merged commit 1a6d886 into main Jul 18, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant