feat-use-api-key-first #39
Mesa Description
TL;DR
Refactored authentication logic to prioritize the
Why we made these changes
To ensure that when
What changed?
Validation
Current state
# Using KERNEL_API_KEY it uses my current org I called it Nov 25 ORG notice last browser name
➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list
Browser ID | Created At | Persisten... | Profile | CDP WS URL | Live View URL
ca3u5hijj15ifurm3ujxztml | 2025-11-25... | 9878979987 | - | httof idle browser in... | https://apterygial-mu...
jo2n7c4zgl70zzlnzgmy3t8h | 2025-11-25... | 1223132213 | - | httof idle browser in... | https://apterygial-mu...
hj5tjjncxfkewvor5fsprck0 | 2025-11-25... | Nov25-Org... | - | httof idle browser in... | https://apterygial-mu...
# Log in with and select org "Mateos org"
➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel login
INFO Starting Kernel authentication...
INFO This will open your browser to complete the OAuth flow
INFO Authentication URL:
http://localhost:3002/authorize?client_id=J7i8BKwyFBoyPQN3&code_challenge=XPFk4ct2f3mLWg85mgKPZ01yeFdqQnSlR98Ew2pK87g&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A58432%2Fcallback&response_type=code&scope=openid+email&state=eyJjc3JmIjoiSGk0dWg0c0VBMTRFVzUwY3c1NjltUnZpZkx1S0tnSUsifQ%3D%3D
SUCCESS Authentication successful!
SUCCESS ✓ Successfully authenticated with Kernel!
INFO You can now use other Kernel CLI commands without setting KERNEL_API_KEY
# Now it should browsers from my other org "Mateos org"
➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list
[DEBUG] Using OAuth token authentication (token length: 918 chars)
[DEBUG] Token preview: eyJhbGciOiJSUzI1NiIs...C87PgKujVC4nYMU8zDGA
Browser ID | Created At | Persisten... | Profile | CDP WS URL | Live View URL
tmww8k86b170jh8kqxjtzhqu | 2025-11-25... | mateos-Or... | - | httof idle browser in... | https://apterygial-mu...
After changes
# Using KERNEL_API_KEY it uses my current org I called it Nov 25 ORG notice last browser name
➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list
Browser ID | Created At | Persistent ID | Profile | CDP WS URL | Live View URL
ca3u5hijj15ifurm3ujxztml | 2025-11-25 13:... | 9878979987 | - | httof idle browser instances in... | https://apterygial-multiflorous...
jo2n7c4zgl70zzlnzgmy3t8h | 2025-11-25 14:... | 1223132213 | - | httof idle browser instances in... | https://apterygial-multiflorous...
hj5tjjncxfkewvor5fsprck0 | 2025-11-25 14:... | Nov25-OrgPer... | - | httof idle browser instances in... | https://apterygial-multiflorous...
# Log in with and select org "Mateos org"
➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel login
INFO Starting Kernel authentication...
INFO This will open your browser to complete the OAuth flow
INFO Authentication URL:
http://localhost:3002/authorize?client_id=J7i8BKwyFBoyPQN3&code_challenge=qaTOaQ1yIwkNnde8QHJ2sBT4IKqjBly0EfXQ4Gqoe2c&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A58432%2Fcallback&response_type=code&scope=openid+email&state=eyJjc3JmIjoiaW8xVTluSzh5a0xXR0lkSXFjdnBvb20tc09nelEyZU4ifQ%3D%3D
SUCCESS Authentication successful!
SUCCESS ✓ Successfully authenticated with Kernel!
INFO You can now use other Kernel CLI commands without setting KERNEL_API_KEY
# Now it should browsers from my other org "Mateos org"
➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list
[DEBUG] Using OAuth token authentication (token length: 918 chars)
[DEBUG] Token preview: eyJhbGciOiJSUzI1NiIs...pm2ig2L1X7nM9EASXU7Q
Browser ID | Created At | Persistent ID | Profile | CDP WS URL | Live View URL
tmww8k86b170jh8kqxjtzhqu | 2025-11-25 14:... | mateos-OrgPe... | - | httof idle browser instances in... | https://apterygial-multiflorous...
# Now I trigger a rebuild with my latest changes
➜ cli git:(feat-use-api-key-first) ✗ make build
go build -o bin/kernel ./cmd/kernel
# It gives precedence to API KEY
➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list
Browser ID | Created At | Persistent ID | Profile | CDP WS URL | Live View URL
ca3u5hijj15ifurm3ujxztml | 2025-11-25 13:... | 9878979987 | - | httof idle browser instances in... | https://apterygial-multiflorous...
jo2n7c4zgl70zzlnzgmy3t8h | 2025-11-25 14:... | 1223132213 | - | httof idle browser instances in... | https://apterygial-multiflorous...
hj5tjjncxfkewvor5fsprck0 | 2025-11-25 14:... | Nov25-OrgPer... | - | httof idle browser instances in... | https://apterygial-multiflorous...
# I do logout
➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel logout
INFO Logging out...
SUCCESS ✓ Successfully logged out
INFO Run 'kernel login' to authenticate again
# Now login again to "Mateos org"
➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel login
INFO Starting Kernel authentication...
INFO This will open your browser to complete the OAuth flow
INFO Authentication URL:
http://localhost:3002/authorize?client_id=J7i8BKwyFBoyPQN3&code_challenge=jQg_U5OE4av1FtB1dBwjibFnSLvSrM1jqXsl8DLa70E&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A58432%2Fcallback&response_type=code&scope=openid+email&state=eyJjc3JmIjoidEEwckg5UWh3cktILWFKNWpNaXctRUlWdFFyTE1ncEMifQ%3D%3D
SUCCESS Authentication successful!
SUCCESS ✓ Successfully authenticated with Kernel!
INFO You can now use other Kernel CLI commands without setting KERNEL_API_KEY
# It still gives precedence to my org named "Nov 25" this is the one in API_KEY
➜ cli git:(feat-use-api-key-first) ✗ ./bin/kernel browsers list
Browser ID | Created At | Persistent ID | Profile | CDP WS URL | Live View URL
ca3u5hijj15ifurm3ujxztml | 2025-11-25 13:58:01 EST | 9878979987 | - | httof idle browser instances in the pops://apte... | https://apterygial-multiflorous-magaly.ngrok-fr...
jo2n7c4zgl70zzlnzgmy3t8h | 2025-11-25 14:05:16 EST | 1223132213 | - | httof idle browser instances in the pops://apte... | https://apterygial-multiflorous-magaly.ngrok-fr...
hj5tjjncxfkewvor5fsprck0 | 2025-11-25 14:08:57 EST | Nov25-OrgPersistent | - | httof idle browser instances in the pops://apte... | https://apterygial-multiflorous-magaly.ngrok-fr...
Description generated by Mesa.
Performed full review of 01dc4cd...f17b89f
Analysis
- Authentication priority inversion from OAuth-first to API-key-first fundamentally changes security model, with environment variables now taking precedence over user login sessions.
- Potential for unexpected authentication behavior where users with both OAuth login and environment variables set will silently use API keys instead of their OAuth credentials.
- Documentation update required to communicate this significant change to users, particularly for developers who work in both local development and CI/CD environments.
1 files reviewed | 0 comments
Performed full review of 01dc4cd...f17b89f
Analysis
- The PR reverses authentication priority, making KERNEL_API_KEY the primary method over OAuth tokens, which could silently change behavior for users with both configured.
- By prioritizing stateless API keys over stateful OAuth tokens, the system will bypass OAuth's automatic refresh mechanism when both are present, potentially leading to unexpected authentication failures when API keys expire.
- This authentication strategy change lacks explicit configuration options, forcing environment-based priority that may not align with all user expectations or workflows.
- The change lacks sufficient documentation or user notifications to alert users about this potentially breaking change in authentication behavior.
1 files reviewed | 0 comments
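Both reviews above flag that API-key-first precedence silently overrides an existing login session. The sketch below is an added example, not code from this PR or from the Kernel CLI: it resolves credentials in the order the PR describes and records when a stored OAuth session was shadowed, so the caller can surface it. `Credential`, `resolveCredential` and the injected `loadOAuthToken` are hypothetical names; only `KERNEL_API_KEY` and `kernel login` come from the page.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Credential is what this hypothetical resolver hands to the HTTP client.
type Credential struct {
	Source string // "api_key" or "oauth"
	Secret string
	Notice string // non-empty when another credential was present but ignored
}

// resolveCredential applies API-key-first precedence. getenv and loadOAuthToken
// are injected so the logic is testable without a real environment or keychain.
func resolveCredential(getenv func(string) string, loadOAuthToken func() (string, error)) (Credential, error) {
	apiKey := strings.TrimSpace(getenv("KERNEL_API_KEY"))
	token, err := loadOAuthToken()
	hasToken := err == nil && token != ""
	switch {
	case apiKey != "":
		c := Credential{Source: "api_key", Secret: apiKey}
		if hasToken {
			// Make the override visible instead of silent.
			c.Notice = "KERNEL_API_KEY is set; the stored OAuth session is ignored"
		}
		return c, nil
	case hasToken:
		return Credential{Source: "oauth", Secret: token}, nil
	}
	return Credential{}, fmt.Errorf("no credentials: set KERNEL_API_KEY or run 'kernel login'")
}

func main() {
	// Constructed sample: pretend a login session is stored on disk.
	stored := func() (string, error) { return "constructed-oauth-token", nil }
	c, err := resolveCredential(os.Getenv, stored)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if c.Notice != "" {
		fmt.Fprintln(os.Stderr, "WARN", c.Notice)
	}
	fmt.Println("auth source:", c.Source) // report the source, never the secret
}
```

Reporting only the credential source, rather than a token length or preview, keeps secret material out of debug output.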
Ticket: https://linear.app/onkernel/issue/KERNEL-487/cli-set-api-key-auth-priority-higher-than-oauth
Tested
Current state
After changes