HOTFIX: AuthenticationError blocks API key auth fallback (OPE-91 root cause)

DevanshuNEU · DevanshuNEU · commit db699459ef63 · 2026-03-07T13:57:03.000-05:00
_validate_jwt catches InvalidTokenError and returns None to allow the
API key path to run. But AuthenticationError (raised when Supabase API
verification also fails) was caught separately and raised HTTPException
401 immediately -- preventing _validate_api_key from ever executing.

Non-JWT tokens like ci_ API keys hit verify_jwt, fail local decode,
fall back to Supabase API call, which also fails and raises
AuthenticationError. The middleware treated this as a hard auth failure
instead of allowing the API key code path.

Fix: catch AuthenticationError and return None, same as InvalidTokenError.

This was the root cause of all MCP server 401 errors since day one.
diff --git a/backend/middleware/auth.py b/backend/middleware/auth.py
@@ -88,8 +88,9 @@ def _validate_jwt(token: str) -> Optional[AuthContext]:
     except InvalidTokenError:
         # Could be a non-JWT token (API key) -- allow fallback
         return None
-    except AuthenticationError as e:
-        raise HTTPException(status_code=401, detail=str(e))
+    except AuthenticationError:
+        # Could be a non-JWT token (API key) -- allow fallback
+        return None
     except Exception:
         return None
 
