Security, Agent-ready

Spoofable x-user-id header removed from the API

Every API route now derives the caller from the verified bearer token. The legacy x-user-id request header fallback has been removed across components, bucket-key paths, and the OpenAPI spec.

Previously a small number of internal routes would accept an x-user-id header as a fallback when no bearer token was present. That fallback is gone. If your integration was relying on it (it should not have been), switch to the standard Authorization: Bearer <token> flow and you are set.

  • Header fallback removed from all API routes
  • OpenAPI spec scrubbed of x-user-id references
  • Bucket-key paths now key strictly off the authenticated identity
  • Components that previously read the header now read from the auth context

If you are unsure whether you were depending on the old behavior, the fastest check is to issue a request without the header and make sure it still succeeds.
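The removed fallback and its replacement, side by side, as an added example that is not the project's own code. The HMAC-signed token format, the function names, the lowercase header keys and the bucket-key layout are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: stands in for the real token scheme

class AuthError(Exception):
    """Raised when no verified identity can be derived from the request."""

def issue_token(user_id: str) -> str:
    """Constructed token format: base64url(user_id) + "." + hex HMAC-SHA256."""
    body = base64.urlsafe_b64encode(user_id.encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_bearer(headers: dict) -> str:
    """Return the user id from a valid Authorization: Bearer header, else raise."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    valid = hmac.compare_digest(sig.encode(), expected.encode())
    if scheme.lower() != "bearer" or not body or not valid:
        raise AuthError("missing or invalid bearer token")
    return base64.urlsafe_b64decode(body).decode()

def caller_legacy(headers: dict) -> str:
    """Old behaviour: with no bearer token present, trust x-user-id."""
    if "authorization" not in headers and "x-user-id" in headers:
        return headers["x-user-id"]  # unverified: any client can set this
    return verify_bearer(headers)

def caller_current(headers: dict) -> str:
    """New behaviour: identity comes only from the verified token."""
    return verify_bearer(headers)

def bucket_key(headers: dict, name: str, resolve=caller_current) -> str:
    """Hypothetical bucket-key layout, keyed off the resolved identity."""
    return f"users/{resolve(headers)}/{name}"
```

A request carrying only the bearer token resolves to the token's subject under both functions. A request carrying only x-user-id resolves under caller_legacy and raises AuthError under caller_current.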