Skip to content

Authentication adjustments for JB integration#350

Merged
benbrandt merged 8 commits intozed-industries:mainfrom
AlexandrSuhinin:gateway-authorization
Mar 3, 2026
Merged

Authentication adjustments for JB integration#350
benbrandt merged 8 commits intozed-industries:mainfrom
AlexandrSuhinin:gateway-authorization

Conversation

@AlexandrSuhinin
Copy link
Contributor

@AlexandrSuhinin AlexandrSuhinin commented Feb 26, 2026

Updated authentication methods for IDEA compatibility and SDK compliance

New authentication type: gateway (url + custom headers)

  • Required to support native IDEA authentication flows

Process argument to hide Claude Code authentication

  • Ensures compliance with Anthropic’s third-party authentication policies.

https://platform.claude.com/docs/en/agent-sdk/overview

Unless previously approved, Anthropic does not allow third party developers to offer claude.ai login or rate limits for their products, including agents built on the Claude Agent SDK. Please use the API key authentication methods described in this document instead.

@cla-bot
Copy link

cla-bot bot commented Feb 26, 2026

We require contributors to sign our Contributor License Agreement, and we don't have @AlexandrSuhinin on file. You can sign our CLA at https://zed.dev/cla. Once you've signed, post a comment here that says '@cla-bot check'.

@AlexandrSuhinin
Copy link
Contributor Author

AlexandrSuhinin commented Feb 26, 2026

@cla-bot check

@cla-bot cla-bot bot added the cla-signed label Feb 26, 2026
@cla-bot
Copy link

cla-bot bot commented Feb 26, 2026

The cla-bot has been summoned, and re-checked this pull request!

@josevalim
Copy link
Contributor

josevalim commented Feb 26, 2026

@AlexandrSuhinin is there a RFD that discusses the gateway approach? Or is this a one-off solution specific to Claude Agent SDK? If so, what would be the best place for it to be documented then?

benbrandt
benbrandt reviewed Feb 26, 2026
View reviewed changes
Copy link
Member

@benbrandt benbrandt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall the approach seems pretty good, however, I feel like this gateway needs to be opt-in. I can also play around with it tomorrow

benbrandt added 4 commits March 3, 2026 16:04
@benbrandt
Gate gateway auth on client capability flag
212c286 
Only include the gateway auth method when the client advertises
`auth._meta.gateway`. Add a temporary extended capabilities type
until the ACP SDK schema includes `auth`, and update authorization
tests to cover both offered and hidden gateway behavior.
@benbrandt
Merge branch 'main' into gateway-authorization
521c732
@benbrandt
Merge branch 'main' into gateway-authorization
923d603
@benbrandt
Block claude.ai subscriptions if that auth method is disabled too
6ef4c32
@benbrandt
Copy link
Member

benbrandt commented Mar 3, 2026
edited
Loading

@AlexandrSuhinin I pushed some changes

  1. I have the gateway auth behind an auth._meta capability
  2. If you don't want claude auth, we also block sessions if you are currently logged in with claude auth

Basically it is more opt-in if we show the gateway, and also actually blocks usage if you are worried about it

Let me know what you think

cc @anna239

@benbrandt benbrandt merged commit edf6486 into zed-industries:main Mar 3, 2026
2 checks passed
femto added a commit to femto/claude-agent-acp that referenced this pull request Mar 4, 2026
@femto @claude
fix: allow Foundry/Bedrock/API key auth when subscriptionType exists
e9b624d 
The authentication check introduced in zed-industries#350 blocks users who have
previously logged into claude.ai but are now using alternative
authentication methods (Foundry, Bedrock, or API key).

This fix adds a check for alternative auth methods before throwing
the "Authentication Required" error.

Fixes zed-industries#376

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@femto femto mentioned this pull request Mar 4, 2026
Closed
3 tasks
@AlexandrSuhinin
Copy link
Contributor Author

AlexandrSuhinin commented Mar 4, 2026
edited
Loading

@benbrandt , can we drop the commit 'Block claude.ai subscriptions if that auth method is disabled too'?
As far as I understand, we are restricted from advertising the Claude login, but it's fine to reuse existing authentication. I would like to let clients use whatever authentication they have already configured globally.

Can we move the auth capability into _meta, since it's not part of the official protocol and would require a binary update of the library?

I can open a new PR if you fine with these suggestion.

@AlexandrSuhinin
Copy link
Contributor Author

AlexandrSuhinin commented Mar 4, 2026

@josevalim There is no official RFD for this yet; the plan is to check first if it works reasonably well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benbrandt benbrandt benbrandt left review comments

Assignees

No one assigned

Labels

cla-signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AlexandrSuhinin @josevalim @benbrandt