The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agents-api	Ready	Preview, Comment	Mar 30, 2026 8:51pm
agents-docs	Ready	Preview, Comment	Mar 30, 2026 8:51pm
agents-manage-ui	Ready	Preview, Comment	Mar 30, 2026 8:51pm

🦋 Changeset detected

Latest commit: 28f89b2

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

TL;DR — Origin validation failures for web_client apps now return a 403 Forbidden with an actionable error message instead of a misleading 401 Invalid Token that surfaced as an internal_server_error.

Key changes

• Return 403 Forbidden for origin mismatch in tryAppCredentialAuth — throws createApiError({ code: 'forbidden' }) directly instead of returning a failure result that was later wrapped as a generic 401, aligning with the existing pattern used in the anonymous session route.
• Update test assertions and mock setup for the new error shape — the "should reject when origin is not allowed" test now asserts status 403, code forbidden, and the correct detail message; the mock uses vi.importActual to pass through the real createApiError.
• Add changeset — patch bump for @inkeep/agents-api describing the fix.

_{Summary ｜ 3 files ｜ 3 commits ｜ base: main ← worktree-spec+better-401-error-messages}

Before: A disallowed origin returned { code: "internal_server_error", status: 401, detail: "Error processing request: Invalid Token" } — unhelpful for debugging and semantically wrong (the token was valid; the origin was not).
After: Returns { code: "forbidden", status: 403, detail: "Origin not allowed for this app" } — correctly identifies the issue as an authorization failure, not an authentication one.

In tryAppCredentialAuth, when validateOrigin fails the function previously returned { authResult: null, failureMessage }. The caller treated this the same as a missing or invalid token, producing a 401. Now it throws via createApiError with a forbidden code, which the framework maps to a 403 response — matching how the anonymous session route already handles this case.

Why change the mock setup in the test?

The test previously mocked the entire @inkeep/agents-core module with stubs. Since the middleware now calls the real createApiError to throw a structured error, the mock needs to pass through the actual implementation via vi.importActual so the error shape is preserved in the test environment.

runAuth.ts · app-credential-auth.test.ts · better-origin-error.md

  ^{｜ View workflow run ｜ Triggered by Pullfrog ｜ Using Claude Opus ｜ 𝕏}

Claude encountered an error —— View job

Invalid branch name: "worktree-spec+better-401-error-messages". Branch names must start with an alphanumeric character and contain only alphanumeric characters, forward slashes, hyphens, underscores, or periods.

I'll analyze this and get back to you.

No documentation updates needed for this fix. The existing App Credentials docs describe the domain allowlist feature without specifying error codes, and this improvement aligns the API behavior with standard HTTP semantics (403 for origin restrictions).

Ito Test Report ✅

14 test cases ran. 14 passed.

All 14 origin-validation and app-credential tests passed (14/14) in local verification, confirming that allowed-origin anonymous session minting works and legitimate wildcard subdomains (for example, *.example.com) are correctly accepted on protected Run endpoints. The run also verified strong deny behavior and stability: disallowed or missing Origin headers consistently returned explicit 403 forbidden with the expected origin-denied contract across chat and conversation routes (including burst and mobile attempts), while spoofed/lookalike origins, cross-origin token replay, cross-app token/app-id mismatch, and disallowed deep-link conversation reads were blocked with no data leakage, port matching remained strict, and requests without x-inkeep-app-id stayed on the non-app auth path.

✅ Passed (14)

Category	Summary	Screenshot
Adversarial	Spoofed lookalike origin was denied with 403 forbidden and no data exposure.
Adversarial	Same token succeeded on allowed origin and was denied on disallowed origin replay.
Adversarial	Cross-app token/app-id mismatch was denied on re-check and did not grant app B access.
Adversarial	Repeated disallowed-origin deep-link conversation reads returned 403 with no leakage.
Adversarial	Under mobile viewport emulation, rapid disallowed-origin /run/api/chat attempts all returned consistent explicit 403 forbidden responses with identical origin-denied detail and no mobile-specific bypass.
Edge	When Origin header was omitted, endpoint still returned explicit 403 forbidden with origin-not-allowed detail and no 401 regression.
Edge	Wildcard allowedDomains accepted https://docs.example.com on /run/api/chat with HTTP 200 after fixture seeding.
Edge	Port-sensitive origin handling is correct: matching host+port is accepted while mismatched port is rejected with 403 forbidden.
Edge	Requests without x-inkeep-app-id stayed on the non-app auth path and did not misclassify as origin-forbidden.
Edge	Two immediate 10-request parallel bursts to /run/v1/chat/completions from disallowed origin consistently returned explicit 403 forbidden responses with identical code/detail and no 401/500/timeout.
Happy-path	Allowed-origin anonymous session request returned 200 with token/expiresAt and valid anon JWT claims.
Happy-path	Disallowed origin request returned deterministic HTTP 403 with forbidden code and exact origin-denied detail.
Happy-path	Disallowed origin on /run/api/chat produced the same explicit 403 forbidden contract and detail string as /run/v1/chat/completions.
Happy-path	Conversation list endpoint rejected disallowed origin with 403 forbidden and did not expose conversation list data.

Commit: 28f89b2

View Full Run

Tell us how we did: Give Ito Feedback