Bind tenant/project into anonymous session JWTs for global apps (#2924)

amikofalvy · claude · web-flow · commit 704026c89543 · 2026-03-31T03:02:39.000Z
For global apps, embed the tenant/project from request headers into the
anonymous session JWT at creation time. On refresh, preserve the original
JWT's tenant binding instead of re-reading from headers. In the run auth
middleware, extract tid/pid from the anonymous JWT payload and use them
for scope resolution instead of falling back to request headers.

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.changeset/then-gold-deer.md b/.changeset/then-gold-deer.md
@@ -0,0 +1,5 @@
+---
+"@inkeep/agents-api": patch
+---
+
+Bind tenant/project into anonymous session JWTs for global apps
diff --git a/agents-api/src/domains/run/routes/auth.ts b/agents-api/src/domains/run/routes/auth.ts
@@ -180,6 +180,8 @@ app.openapi(
 
     const secret = getAnonJwtSecret();
     let anonUserId: string | undefined;
+    let refreshTenantId: string | null | undefined;
+    let refreshProjectId: string | null | undefined;
 
     const authHeader = c.req.header('Authorization');
     if (authHeader?.startsWith('Bearer ')) {
@@ -196,6 +198,8 @@ app.openapi(
           payload.sub.startsWith('anon_')
         ) {
           anonUserId = payload.sub;
+          refreshTenantId = typeof payload.tid === 'string' ? payload.tid : null;
+          refreshProjectId = typeof payload.pid === 'string' ? payload.pid : null;
         } else {
           logger.debug(
             { appId, tokenApp: payload.app, tokenType: payload.type },
@@ -222,14 +226,21 @@ app.openapi(
       anonUserId = `anon_${crypto.randomUUID()}`;
     }
 
+    const tenantId = isRefresh
+      ? (refreshTenantId ?? appRecord.tenantId)
+      : appRecord.tenantId || c.req.header('x-inkeep-tenant-id') || null;
+    const projectId = isRefresh
+      ? (refreshProjectId ?? appRecord.projectId)
+      : appRecord.projectId || c.req.header('x-inkeep-project-id') || null;
+
     const lifetimeSeconds = env.INKEEP_ANON_SESSION_LIFETIME_SECONDS;
     const now = Math.floor(Date.now() / 1000);
     const exp = now + lifetimeSeconds;
     const expiresAt = new Date(exp * 1000).toISOString();
 
     const token = await new SignJWT({
-      tid: appRecord.tenantId,
-      pid: appRecord.projectId,
+      tid: tenantId,
+      pid: projectId,
       app: appId,
       type: 'anonymous',
     })

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@inkeep/agents-api": patch
 +---
++
 +Bind tenant/project into anonymous session JWTs for global apps