HOTFIX: AuthenticationError blocks API key auth fallback (OPE-91 root cause)

DevanshuNEU · DevanshuNEU · commit 2a072c5ab70c · 2026-03-07T14:01:45.000-05:00
_validate_jwt caught AuthenticationError and raised HTTPException 401
immediately, preventing _validate_api_key from ever running.

ci_ API keys hit verify_jwt -&gt; fail local decode -&gt; fall back to
Supabase API call -&gt; also fails -&gt; raises AuthenticationError.
The middleware treated this as a hard failure instead of allowing
the API key path to try next.

Fix: catch AuthenticationError and return None (same as InvalidTokenError).
Root cause of all MCP 401 errors since day one.
diff --git a/backend/middleware/auth.py b/backend/middleware/auth.py
@@ -88,8 +88,9 @@ def _validate_jwt(token: str) -> Optional[AuthContext]:
     except InvalidTokenError:
         # Could be a non-JWT token (API key) -- allow fallback
         return None
-    except AuthenticationError as e:
-        raise HTTPException(status_code=401, detail=str(e))
+    except AuthenticationError:
+        # Could be a non-JWT token (API key) -- allow fallback
+        return None
     except Exception:
         return None
 
