Description
Every outgoing request must carry an `Authorization: Bearer <secret_key>` header derived from the active config. This logic must live in the HTTP client, not scattered across resource methods, so it is impossible to accidentally omit it.
Proposed Steps
- In `_SyncHTTPClient` and `_AsyncHTTPClient`, accept `api_key` in the constructor.
- Merge `{"Authorization": f"Bearer {api_key}"}` into the default headers on every request.
- Never log or include the full key in debug output; mask to `sk_live_****xxxx`.
- Ensure public key (`pk_`) cannot be used for mutating requests (POST/PATCH/DELETE); raise `AuthenticationError`.
Acceptance Criteria
- Every request carries an `Authorization` header with the correct bearer token.
- Debug logs show a masked key, never the full secret.
- Using a public key for a write request raises `AuthenticationError` before the network call.
- Changing `api_key` on the client causes subsequent requests to use the new key.
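
A sketch of the sync client meeting the four acceptance criteria above, added here as an example and not the project's own code. The `transport` callable, the `mask_key` helper, the logger name and the 12-character threshold for revealing a key tail are assumptions; `_AsyncHTTPClient` would mirror the same checks.

```python
import logging
from typing import Callable, Dict, Optional

__all__ = ["AuthenticationError", "mask_key", "_SyncHTTPClient"]
log = logging.getLogger("sdk.http")      # hypothetical logger name
MUTATING = {"POST", "PATCH", "DELETE"}   # write methods named in the issue

class AuthenticationError(Exception):
    """Raised before any network I/O when the key may not be used."""

def mask_key(key: str) -> str:
    """sk_live_<secret> -> sk_live_****<last 4>; reveal no tail for short keys."""
    parts = key.split("_", 2)            # split only the two prefix fields off
    prefix = "_".join(parts[:2]) + "_" if len(parts) == 3 else ""
    secret = parts[-1]
    tail = secret[-4:] if len(secret) >= 12 else ""   # assumed threshold
    return f"{prefix}****{tail}"

class _SyncHTTPClient:
    def __init__(self, api_key: str,
                 transport: Callable[[str, str, Dict[str, str]], object]):
        self.api_key = api_key        # read on every request, so reassignment takes effect
        self._transport = transport   # hypothetical stand-in for the real HTTP library

    def __repr__(self) -> str:        # repr() often ends up in logs and tracebacks
        return f"_SyncHTTPClient(api_key={mask_key(self.api_key)!r})"

    def request(self, method: str, url: str,
                headers: Optional[Dict[str, str]] = None):
        method = method.upper()
        # Reject pk_ keys on writes before the transport is ever called.
        if self.api_key.startswith("pk_") and method in MUTATING:
            raise AuthenticationError(
                f"public key {mask_key(self.api_key)} cannot be used for {method}")
        # Drop any caller-supplied Authorization (header names are
        # case-insensitive), then set ours so it cannot be overridden.
        merged = {k: v for k, v in (headers or {}).items()
                  if k.lower() != "authorization"}
        merged["Authorization"] = f"Bearer {self.api_key}"
        log.debug("%s %s auth=%s", method, url, mask_key(self.api_key))
        return self._transport(method, url, merged)
```

Splitting on the first two underscores only keeps a secret that itself contains `_` from leaking into the visible prefix.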