Skip to content

[BUG]: JWT token creation divergence between CLI and API #2261

Closed
Bug
#2263
Closed
[BUG]: JWT token creation divergence between CLI and API#2261
Bug
#2263
Assignees
madhav165
Labels
SHOULDP2: Important but not vital; high-value items that are not crucial for the immediate releasebugSomething isn't working
Milestone
Release 1.0.0-RC1
@madhav165

Description

@madhav165
madhav165
opened on Jan 21, 2026

🐞 Bug Summary

There are two different JWT token creation paths that produce incompatible token formats:

CLI Tokens (create_jwt_token.py)

  • Minimal claims: sub, iat, iss, aud, jti, exp, env
  • Missing: user, teams, namespaces, scopes
  • Usage: README.md, api-usage.md examples

API Tokens (/tokens endpoint via token_catalog_service.py)

  • Rich claims: sub, iat, iss, aud, jti, exp, user, teams, namespaces, scopes
  • Created via: /tokens API endpoint with full validation

Impact

  1. CLI tokens lack admin support - No user.is_admin flag → admins can't use CLI tokens for admin operations
  2. CLI tokens are public-only - No teams field → non-admins always get public-only access
  3. Documentation misleads users - Suggests using CLI tokens for API testing but they have limited capabilities
  4. Code duplication - Token creation logic duplicated between CLI and API paths

Expected Behavior

  • CLI and API should produce identical token formats when given the same parameters
  • CLI tokens should support admin, team, and scope claims for development/testing
  • Token creation logic should be unified in a single location
  • Documentation should clearly explain security implications of CLI token generation

Proposed Solution

  1. Enhance _create_jwt_token() to accept optional rich claims (user_data, teams, namespaces, scopes)
  2. Update token_catalog_service._generate_token() to delegate to enhanced utility
  3. Add CLI flags: --admin, --teams, --scopes, --full-name
  4. Display security warnings when creating tokens with elevated claims
  5. Update documentation with clear security guidance

Security Considerations

The CLI tool has access to JWT_SECRET_KEY and can create tokens with any claims, bypassing all API security controls:

  • User authentication/authorization
  • Team membership validation
  • Permission scope containment
  • Audit logging

This is by design for development/testing. Production token management should use the /tokens API endpoint which enforces all security controls.

🧩 Affected Component

Select the area of the project impacted:

  • mcpgateway - API
  • mcpgateway - UI (admin panel)
  • mcpgateway.wrapper - stdio wrapper
  • Federation or Transports
  • CLI, Makefiles, or shell scripts
  • Container setup (Docker/Podman/Compose)
  • Other (explain below)

Metadata

Metadata

Assignees

Labels

SHOULDP2: Important but not vital; high-value items that are not crucial for the immediate releasebugSomething isn't working

Type

Bug

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions