
Fix auth on EU workspaces: preserve Authorization across regional redirect #13

Open
kevduc wants to merge 2 commits into segment-integrations:master from kevduc:fix/eu-redirect-auth

@kevduc kevduc commented May 1, 2026

Summary

EU-region Segment workspaces could not authenticate via segmentcli: auth and every subsequent command returned Supplied token is not authorized. (or Authorization header is required). Root cause is that api.segmentapis.com 30x's to a regional host (e.g. eu1.api.segmentapis.com) for EU workspaces, and Apple's URLSession strips the Authorization header on redirect by default — the followed request arrives unauthenticated.

This PR adds a URLSessionTaskDelegate that re-attaches Authorization (and Accept) on redirect, exposes a shared PAPI.session built with that delegate, and routes every PAPI endpoint (/, /sources, /sources/<id>/edge-functions/...) through it instead of URLSession.shared.

Also adds a Claude Code skill (.claude/skills/segmentcli/SKILL.md) documenting the CLI's commands, auth/profile model, and read-only vs side-effecting operations.

Commits

  1. Preserve Authorization across regional redirects in PAPI session — adds PAPIRedirectDelegate, PAPI.session, and Accept: application/vnd.segment.v1+json; routes the auth probe, sources, and edge-functions through the redirect-aware session.
  2. Add Claude Code skill for segmentcli — repo-shipped skill auto-loaded by Claude Code.

Test plan

Tested against an EU workspace:

  • segmentcli auth <Profile> <Token> — succeeds (previously failed with Supplied token is not authorized.)
  • segmentcli profile list — shows the saved workspace
  • segmentcli sources list — returns the full source list (previously failed with 401)
  • segmentcli liveplugins latest <sourceId> — authenticates, server reports per-source state
  • Build passes (sudo make install, release config)

No public-facing API or flag changes — --staging still works, no new --eu flag (Public API is single-host; the redirect is server-driven).

@kevduc kevduc marked this pull request as ready for review May 1, 2026 01:07
kevduc and others added 2 commits May 1, 2026 03:09
Segment Public API redirects api.segmentapis.com to a regional host
(e.g. eu1.api.segmentapis.com) for EU workspaces. URLSession strips
Authorization on redirect by default, so the followed request arrives
unauthenticated and Segment responds with 401 "Authorization header is
required" — surfaced by the CLI as "Supplied token is not authorized."

Fix:
- Add a URLSessionTaskDelegate that re-attaches Authorization (and
  Accept) on redirect.
- Expose a shared PAPI.session built with that delegate.
- Route every PAPI endpoint (auth probe, sources, edge-functions)
  through PAPI.session instead of URLSession.shared.
- Set Accept: application/vnd.segment.v1+json on the auth probe.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Documents the CLI's commands, auth/profile model, EU-workspace behavior
(redirect-aware), read-only vs side-effecting commands, and common
workflows. Loaded automatically by Claude Code when working in this repo.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@kevduc kevduc force-pushed the fix/eu-redirect-auth branch from 6b2b226 to f786dad Compare May 1, 2026 01:10
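
The redirect handling described in this PR, as an added example that is not the PR's own code (the diff is not shown on this page): a URLSessionTaskDelegate that re-attaches Authorization and Accept only when the redirect target is an HTTPS host under segmentapis.com, so the token cannot follow a redirect to an unrelated host. The names ScopedRedirectDelegate, isTrusted and makeScopedSession, and the choice of segmentapis.com as the trusted parent domain, are assumptions of this sketch.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking  // URLSession on Linux
#endif

// Added example; not the PR's PAPIRedirectDelegate.
final class ScopedRedirectDelegate: NSObject, URLSessionTaskDelegate {
    // Headers the API needs on the followed request.
    private let forwardedHeaders = ["Authorization", "Accept"]
    // Assumption: credentials may only follow redirects inside this domain.
    private let trustedDomain = "segmentapis.com"

    // True only for HTTPS URLs on the trusted domain or one of its subdomains.
    func isTrusted(_ url: URL?) -> Bool {
        guard let url = url,
              url.scheme?.lowercased() == "https",
              let host = url.host?.lowercased() else { return false }
        // The leading dot keeps look-alikes such as "notsegmentapis.com" out.
        return host == trustedDomain || host.hasSuffix("." + trustedDomain)
    }

    func urlSession(_ session: URLSession,
                    task: URLSessionTask,
                    willPerformHTTPRedirection response: HTTPURLResponse,
                    newRequest request: URLRequest,
                    completionHandler: @escaping (URLRequest?) -> Void) {
        var redirected = request
        if isTrusted(redirected.url), let original = task.originalRequest {
            // Copy from the original request: after one hop the current
            // request may already have lost Authorization.
            for name in forwardedHeaders {
                if let value = original.value(forHTTPHeaderField: name) {
                    redirected.setValue(value, forHTTPHeaderField: name)
                }
            }
        } else {
            // Untrusted target: follow the redirect without the token.
            redirected.setValue(nil, forHTTPHeaderField: "Authorization")
        }
        completionHandler(redirected)
    }
}

// One shared session so every API call goes through the delegate.
func makeScopedSession() -> URLSession {
    return URLSession(configuration: .ephemeral,
                      delegate: ScopedRedirectDelegate(),
                      delegateQueue: nil)
}
```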