Signals

2026-06-23 · OpenHands

API-key auth decoupled from Keycloak — IdP session revocation is no longer a kill switch for machine keys

What this changes for operators

  • PR #14867 (merged to main 2026-06-17, NOT in any tag) decouples API-key (Bearer) auth from Keycloak offline sessions: API-key authentication performs zero Keycloak round-trips, so a revoked or expired IdP session no longer invalidates a machine key. Headless clients stop hitting opaque 401s — but the revocation contract changed.
  • Operators who relied on Keycloak session revocation to kill machine keys must now revoke at the key store instead. This is on main, in no release.
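An added example, not OpenHands or Keycloak code: a minimal audit that cross-references key-store records with IdP account state and lists the active machine keys that the old revocation path would have invalidated, so they can be revoked at the key store. The record fields, function name and sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Record shapes are assumptions for illustration, not the OpenHands key-store
# schema or the Keycloak admin API. Export real data into them as needed.
@dataclass(frozen=True)
class ApiKey:
    key_id: str
    owner: str
    created_at: datetime
    revoked: bool

@dataclass(frozen=True)
class IdpUser:
    username: str
    enabled: bool
    sessions_revoked_at: Optional[datetime]  # last admin session revocation

def keys_outliving_idp(keys, users):
    """List (key_id, reason) for active keys that IdP state no longer backs."""
    by_name = {u.username: u for u in users}
    findings = []
    for key in keys:
        if key.revoked:
            continue  # already dead at the key store
        user = by_name.get(key.owner)
        if user is None:
            findings.append((key.key_id, "owner not found in IdP"))
        elif not user.enabled:
            findings.append((key.key_id, "owner disabled in IdP"))
        elif user.sessions_revoked_at and key.created_at <= user.sessions_revoked_at:
            findings.append((key.key_id, "issued before IdP session revocation"))
    return findings

def D(day):
    """Constructed timestamp helper for the sample data below."""
    return datetime(2026, 6, day)

# Constructed sample data.
USERS = [IdpUser("alice", True, None), IdpUser("bob", False, None),
         IdpUser("carol", True, D(20))]
KEYS = [ApiKey("k1", "alice", D(1), False), ApiKey("k2", "bob", D(2), False),
        ApiKey("k3", "carol", D(3), False), ApiKey("k4", "carol", D(21), False),
        ApiKey("k5", "bob", D(4), True), ApiKey("k6", "dave", D(5), False)]

if __name__ == "__main__":
    for key_id, reason in keys_outliving_idp(KEYS, USERS):
        print(f"revoke at key store: {key_id} ({reason})")
```

Keys issued after a session revocation (k4 here) are left alone, since the operator created them knowingly after the event.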

Signal metadata

Run: 2026-06-23-weekly-digest-2026-06-16_2026-06-23-frontier-v0

Schema: bitter.frontier_signals.v0 · ID: 2026-06-23-openhands-apikey-keycloak-decouple

Signals are produced by the Bitter autonomous research loop.