Skip to content

Channels: Sink authentication #4404

New issue
New issue
Open
Open
Channels: Sink authentication#4404
Labels
channels
@stuartc

Description

@stuartc
stuartc
opened on Feb 9, 2026

User story

We need to inject outbound authentication headers when forwarding requests to the sink, using the channel's configured sink credential.

Details

Design discussion needed. Same credential association questions as #4403 (source auth) apply here. The supported credential types for sink auth may differ from source auth — see open questions.

Inject authentication headers on outbound requests to the sink. The channel's sink credential (a project_credential reference) determines the auth scheme. For MVP, the two concrete methods are:

  • Bearer token (Authorization: Bearer <token>)
  • HTTP Basic Auth (Authorization: Basic <base64>)

As with source auth, the design should account for credential type diversity — only credential types that map to outbound HTTP authentication should be usable as sink credentials.

Implementation notes

Dependencies: #4399 (credential associations), #4401 (proxy pipeline)

Can run in parallel with: #4403 (source auth)

Key technical considerations:

  • Credentials decrypted at request time via existing Lightning credential infrastructure
  • Outbound Authorization header must be redacted in any logged/observed data (replaced with [REDACTED])
  • Credential decryption failure should return 502 to client and log error

Open questions (shared with #4403):

  • Which credential types are valid for sink auth? Likely overlaps with but may differ from source auth types.
  • Is the same facade/abstraction from source auth reusable here, or does outbound auth need its own interface?

Release notes

N/A — internal authentication layer, not directly user-facing.

User acceptance criteria

  • Bearer token: credential body's token value injected as Authorization: Bearer <token> on outbound request
  • Basic Auth: credential body's username/password injected as Authorization: Basic <base64> on outbound request
  • Credentials decrypted at request time via existing Lightning credential infrastructure
  • Outbound Authorization header redacted in any logged/observed data (replaced with [REDACTED])
  • Channel with no sink credential configured sends request without auth headers
  • Credential decryption failure returns 502 to client and logs error
  • Unsupported credential types rejected at channel configuration time

Metadata

Metadata

Assignees

No one assigned

    Labels

    channels

    Type

    No type

    Projects

    v2

    Status

    Ready

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions