Discrepancy between specification and implementation. openapi/openapi.yaml declares a BearerAuth (JWT) security scheme applied globally to all operations. As of this monorepo snapshot, packages/api/src/routes/ and packages/api/src/middleware/ contain no authentication middleware — no bearer token or API key check is enforced by the running server. Do not treat the local/dev server as safe to expose without adding your own authentication layer in front of it.

Specified scheme (OpenAPI)

securitySchemes:
  BearerAuth:
    type: http
    scheme: bearer
    bearerFormat: JWT
security:
  - BearerAuth: []

The intent, per the specification, is a bearer token on every request:

curl http://localhost:3000/execute \
  -H "Authorization: Bearer <token>"

Both SDKs already model this: TypeScript’s Configuration.credentials accepts an AuthenticationScheme.BEARER_TOKEN or AuthenticationScheme.API_KEY value (see TypeScript SDK → Configuration), even though the server does not yet validate it.

What to do today

If you’re deploying this server outside of local development, put an authenticating reverse proxy or gateway in front of it until server-side auth middleware lands, and track packages/api/src/middleware/ for when that changes.
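
One way to build the authenticating proxy described above, as an added example that is not code from this repository: a Node.js gateway that rejects any request without a valid bearer JWT and forwards the rest to the API. The HS256 algorithm, the GATEWAY_JWT_SECRET variable, the gateway address 127.0.0.1:8080 and the names verifyBearer and createGateway are assumptions; only the upstream port 3000 comes from the curl example.

```javascript
// Added example: authenticating gateway in front of the unauthenticated API.
// Assumptions (not from the project): HS256 tokens, secret in
// GATEWAY_JWT_SECRET, gateway on 127.0.0.1:8080, API on 127.0.0.1:3000.
const crypto = require("node:crypto");
const http = require("node:http");

const sign = (secret, data) =>
  crypto.createHmac("sha256", secret).update(data).digest();

// Returns the token's claims if the Authorization header carries a valid,
// unexpired HS256 JWT; returns null for anything else.
function verifyBearer(header, secret, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(header || "");
  if (!m) return null;
  try {
    const alg = JSON.parse(Buffer.from(m[1], "base64url")).alg;
    if (alg !== "HS256") return null; // pin the algorithm; rejects "none"
    const given = Buffer.from(m[3], "base64url");
    const expected = sign(secret, `${m[1]}.${m[2]}`);
    if (given.length !== expected.length) return null;
    if (!crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(m[2], "base64url"));
    if (typeof claims.exp !== "number" || claims.exp <= now) return null;
    return claims;
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Reverse proxy: 401 without a valid token, otherwise forward upstream.
function createGateway(secret, upstream = { host: "127.0.0.1", port: 3000 }) {
  return http.createServer((req, res) => {
    if (!verifyBearer(req.headers.authorization, secret)) {
      res.writeHead(401, { "WWW-Authenticate": "Bearer" });
      return res.end();
    }
    const fwd = http.request(
      { ...upstream, method: req.method, path: req.url, headers: req.headers },
      (up) => { res.writeHead(up.statusCode, up.headers); up.pipe(res); }
    );
    fwd.on("error", () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(fwd);
  });
}

// Starts only when a secret is configured.
if (process.env.GATEWAY_JWT_SECRET) {
  createGateway(process.env.GATEWAY_JWT_SECRET).listen(8080, "127.0.0.1");
}
```

Keep the API itself bound to 127.0.0.1 so the gateway is the only reachable path to it.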