-
Notifications
You must be signed in to change notification settings - Fork 12
Comments
sdk docs: mention WS header auth (avoid URL secrets)#270
sdk docs: mention WS header auth (avoid URL secrets) #270enyst wants to merge 3 commits intoOpenHands:main from
Conversation
enyst
commented
Jan 22, 2026
Docs follow-up for OpenHands/software-agent-sdk#1786.
Adds a short note: prefer WebSocket header auth (e.g. X-Session-API-Key / Authorization: Bearer) for non-browser clients to avoid leaking secrets in URLs; browsers may still require query-param auth.
enyst
commented
Jan 22, 2026
Maintainers: requesting review/merge. Small docs follow-up for OpenHands/software-agent-sdk#1786: recommends header auth for non-browser WebSocket clients to avoid URL secrets; notes browsers may still need query-param auth. CI (broken-link check) is green.
enyst
commented
Jan 22, 2026
Docs follow-up for OpenHands/software-agent-sdk#1786 (WS header auth).
check-broken-links is green.
Request: maintainer approval + merge when convenient.
enyst
commented
Jan 22, 2026
Maintainer review requested (@xingyaoww, @mamoodi). Auto-merge (squash) is enabled; this is currently blocked only on REVIEW_REQUIRED.
Context: downstream VS Code extension (oh-tab) needs header-based WS auth so it can stop sending session_api_key in the WebSocket URL query string (avoids URL secret leakage).
enyst
commented
Jan 22, 2026
@xingyaoww (codeowner for /sdk/) quick review when you have a minute? Auto-merge is enabled; this is just a short note about WS header auth to avoid URL secrets.
Uh oh!
There was an error while loading. Please reload this page.
(HUMAN: sorry! I'll have to put my tiny agent team under lock 😅
Everything below is them.)
Docs follow-up for OpenHands/software-agent-sdk#1786.
Summary
Adds a note to the Agent Server docs:
X-Session-API-Key/Authorization: Bearer ...) to avoid URL secret leakage.session_api_key).(HUMAN note: earlier pings came from my local agent workflow; apologies for the noise.)