Highlights
Bug fix — OIDC JWTs now authenticate on /v1/*. Previously the inbound auth chain held only the API-key and static-bearer authenticators; the OIDC validator was built but only wired into the portal browser-session flow. Any Authorization: Bearer <jwt> from the configured IdP was rejected with 401 {"error":"invalid credential"}, even when the JWT carried the correct issuer and audience. This was the only auth mode the config advertised as production-ready, so deployments with oidc.enabled: true, auth.allow_anonymous: false were effectively unable to authenticate API clients.
The chain is now ordered apikey → oidc → bearer:
- A real JWT from the configured IdP authenticates as the JWT subject.
- A foreign-issuer JWT 401s without falling through to the static bearer list.
- A static dev bearer token still works — the OIDC adapter returns "no credential" for non-JWT bearers so the chain falls through.
Fixes #10. The OIDC validator is constructed once at startup and shared with the portal's BrowserAuth, so discovery + JWKS fetch only runs once.
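The fall-through rule above, as an added sketch in Go; it is not code from the api-test repository. All names (oidc, staticBearer, Authenticate, FakeJWT, errNone, ErrInvalid), the issuer URL and the dev token are hypothetical or constructed. Assumptions: the API-key step is left out, signature, audience and expiry checks are omitted, and a malformed three-segment token is rejected rather than passed on.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical names. errNone: not my credential type, try the next one. ErrInvalid: hard 401.
var errNone, ErrInvalid = errors.New("no credential"), errors.New("invalid credential")
const issuer = "https://idp.example" // constructed IdP

// oidc models only the routing decision; signature, audience and expiry checks are omitted.
func oidc(tok string) (string, error) {
	var claims struct{ Iss, Sub string }
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", errNone // opaque bearer: leave it to the static list
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil || claims.Iss != issuer {
		return "", ErrInvalid // JWT-shaped but malformed or foreign: reject, no fall-through
	}
	return claims.Sub, nil
}

func staticBearer(tok string) (string, error) {
	if tok == "dev-token" { // constructed token; real code compares in constant time
		return "dev", nil
	}
	return "", ErrInvalid
}

func Authenticate(tok string) (string, error) { // oidc, then static list; API-key step left out
	for _, a := range []func(string) (string, error){oidc, staticBearer} {
		if sub, err := a(tok); !errors.Is(err, errNone) {
			return sub, err
		}
	}
	return "", ErrInvalid
}

func FakeJWT(iss, sub string) string { // unsigned, constructed demo token
	p, _ := json.Marshal(map[string]string{"iss": iss, "sub": sub})
	return "e30." + base64.RawURLEncoding.EncodeToString(p) + ".sig"
}

func main() { fmt.Println(Authenticate(FakeJWT(issuer, "alice"))) }
```

The distinction that matters is between errNone and ErrInvalid: if the OIDC step returned errNone for a foreign-issuer JWT, that token would be compared against the static bearer list instead of being rejected outright.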
Changelog
Upgrade notes
No config changes required. Deployments already running with oidc.enabled: true will start accepting OIDC JWTs on /v1/* immediately after upgrade. Static bearer tokens, API keys, and portal session login continue to work unchanged.
Installation
Container
docker pull ghcr.io/plexara/api-test:v1.1.2
Binary (macOS / Linux)
curl -L -o api-test.tar.gz \
https://github.com/plexara/api-test/releases/download/v1.1.2/api-test_1.1.2_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz
tar -xzf api-test.tar.gz
./api-test --version
Documentation
Full docs at https://api-test.plexara.io.
Open source by Plexara, the commercial MCP + API gateway with configurable enrichment built in.