Implementation: Admin Auth JWT Only

Overview

This document summarizes the changes made to completely phase out the deprecated ADMIN_API_KEY and X-Admin-Key header, making Supabase JWT roles the sole source of truth for administrative operations in the BacMR backend.

Changes Made

  1. Configuration: Removed ADMIN_API_KEY from app/core/config.py, render.yaml, .env.example, and test environment setup.
  2. Postman Collections: Removed all adminKey variables and headers from the local, staging, and production environments. Updated the Postman collection to no longer pass the X-Admin-Key header. Updated postman/README.md to reflect these changes.
  3. Documentation Updates:
    • docs/10_current_state/overview.md: Removed mentions of legacy settings.
    • docs/10_current_state/runtime-config.md: Removed ADMIN_API_KEY from the config table.
    • docs/20_architecture/target-state-overview.md: Removed notes about the deprecated admin key warning.
    • docs/30_decisions/adr-0001-auth-admin-jwt-role.md: Updated the consequences/decisions to indicate complete removal.
    • docs/50_data_model/access-control.md: Removed the secondary authorization mechanism.
    • docs/70_runbooks/postman-and-api-testing.md & postman-and-api-testing-legacy.md: Removed legacy testing runbooks relying on X-Admin-Key.
    • docs/70_runbooks/rls-verification.md: Removed test scenarios validating X-Admin-Key.
    • docs/80_deployment/release-verification.md: Removed backward compatibility notices for ADMIN_API_KEY.

Verification Steps

  • Run pytest to ensure all existing tests pass and correctly reject unauthenticated users on admin endpoints.
  • Check Render environment variable requirements to ensure deployments won't break when ADMIN_API_KEY is omitted.
  • Confirm JWT roles are being successfully enforced via app/core/auth.py.
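The enforcement the last step asks you to confirm, shown as an added, self-contained example that is not the project's app/core/auth.py: a request is authorized only when it carries a validly signed, unexpired HS256 JWT whose role claim is admin, and the legacy X-Admin-Key header is never consulted. It assumes an HS256 shared secret (a constructed one here), that the admin role lives in an app_metadata.role claim, and that headers arrive as a plain dict; adjust the claim path to the project's own convention.

```python
import base64, hashlib, hmac, json, time

JWT_SECRET = b"example-secret-not-for-production"  # constructed; real value is the Supabase JWT secret
ADMIN_ROLE = "admin"  # assumed claim value for administrators

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_jwt(token: str, now=None) -> dict:
    """Verify an HS256 JWT and return its claims; raise ValueError on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(JWT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # A missing exp is treated as expired, so tokens without a lifetime are rejected.
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims

def authorize_admin(headers: dict) -> tuple:
    """Return (status, reason) for an admin request. Only the bearer JWT is examined;
    X-Admin-Key, if present, has no effect."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_jwt(auth[len("Bearer "):])
    except ValueError as e:
        return 401, str(e)
    if claims.get("app_metadata", {}).get("role") != ADMIN_ROLE:
        return 403, "admin role required"
    return 200, "ok"

def make_token(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """Mint an HS256 token for constructed test fixtures (not a production code path)."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

Running authorize_admin against a request that sends only X-Admin-Key yields 401, which is the behaviour the pytest step above should now observe on every admin endpoint.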