Summary
The gRPC server currently has no authentication: anyone who can reach
the port can call any RPC. Add an API key middleware so the server can
be exposed on a network without every caller getting full access. A
bearer key is only as secret as the transport it travels over, so an
exposed listener still needs TLS alongside this check.
Design
- API key passed in gRPC metadata: `authorization: Bearer <key>`
- Keys configured via env var `NEXUS_API_KEYS` (comma-separated) or a keys file
- Unary + streaming interceptors check the key before forwarding
- `HealthCheck` RPC is exempt (used by load balancers)
- Invalid key → `codes.Unauthenticated` with a clear message
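The core of the check described above, as an added example rather than the project's own code, in Go using only the standard library: keys loaded from `NEXUS_API_KEYS` or a keys file, bearer extraction from the `authorization` metadata, constant-time comparison against every configured key, a `HealthCheck` exemption by full method name, and fail-closed behaviour when no keys are configured. The `Keyring` type, the method names `/nexus.v1.Nexus/HealthCheck` and `/nexus.v1.Nexus/Run`, and the sample keys are assumptions; the wiring into `grpc.ChainUnaryInterceptor` / `grpc.ChainStreamInterceptor` is shown in a comment so the block compiles without the grpc module.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// ErrUnauthenticated is what the interceptor maps to
// status.Error(codes.Unauthenticated, ...). The message is deliberately the
// same for "no header", "wrong scheme" and "wrong key".
var ErrUnauthenticated = errors.New("missing or invalid API key")

// Keyring holds the configured keys as SHA-256 digests (example type, not the
// project's). Hashing gives every comparison a fixed length and keeps raw keys
// out of the process heap.
type Keyring struct {
	digests [][sha256.Size]byte
	exempt  map[string]bool // full method names that bypass auth
}

// NewKeyring drops blank entries. With no usable keys it denies everything
// (fail closed) instead of letting the server come up open.
func NewKeyring(keys []string, exemptMethods ...string) *Keyring {
	kr := &Keyring{exempt: make(map[string]bool)}
	for _, k := range keys {
		if k = strings.TrimSpace(k); k != "" {
			kr.digests = append(kr.digests, sha256.Sum256([]byte(k)))
		}
	}
	for _, m := range exemptMethods {
		kr.exempt[m] = true
	}
	return kr
}

// KeysFromEnv parses the comma-separated NEXUS_API_KEYS value.
func KeysFromEnv(value string) []string { return strings.Split(value, ",") }

// KeysFromFile reads one key per line; blank lines and # comments are skipped.
func KeysFromFile(r io.Reader) ([]string, error) {
	var keys []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if line := strings.TrimSpace(sc.Text()); line != "" && !strings.HasPrefix(line, "#") {
			keys = append(keys, line)
		}
	}
	return keys, sc.Err()
}

// Authorize is the transport-independent core shared by both interceptors.
// fullMethod is UnaryServerInfo/StreamServerInfo.FullMethod; md has the shape
// of metadata.MD (lowercase keys, repeated values allowed).
func (kr *Keyring) Authorize(fullMethod string, md map[string][]string) error {
	if kr.exempt[fullMethod] {
		return nil
	}
	for _, v := range md["authorization"] {
		if key, ok := bearerToken(v); ok && kr.valid(key) {
			return nil
		}
	}
	return ErrUnauthenticated
}

// bearerToken accepts "Bearer <key>" with a case-insensitive scheme.
func bearerToken(header string) (string, bool) {
	const prefix = "bearer "
	if len(header) <= len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return "", false
	}
	return strings.TrimSpace(header[len(prefix):]), true
}

// valid checks against every configured key without early exit, so response
// time does not reveal which key (if any) matched.
func (kr *Keyring) valid(key string) bool {
	sum := sha256.Sum256([]byte(key))
	matched := 0
	for i := range kr.digests {
		matched |= subtle.ConstantTimeCompare(sum[:], kr.digests[i][:])
	}
	return matched == 1
}

// gRPC wiring (left out of the compiled block; ctx is the handler context,
// or ss.Context() in the stream interceptor):
//
//	md, _ := metadata.FromIncomingContext(ctx)
//	if err := kr.Authorize(info.FullMethod, md); err != nil {
//		return status.Error(codes.Unauthenticated, err.Error())
//	}

func main() {
	keys := KeysFromEnv(os.Getenv("NEXUS_API_KEYS"))
	if len(keys) == 1 && keys[0] == "" { // constructed fallback for a stand-alone run
		keys = []string{"dev-key-1", "dev-key-2"}
	}
	kr := NewKeyring(keys, "/nexus.v1.Nexus/HealthCheck") // method name is an assumption
	for _, md := range []map[string][]string{
		{"authorization": {"Bearer dev-key-2"}},
		{"authorization": {"Basic dev-key-2"}},
		{},
	} {
		fmt.Println(md, kr.Authorize("/nexus.v1.Nexus/Run", md))
	}
	fmt.Println("health:", kr.Authorize("/nexus.v1.Nexus/HealthCheck", nil))
}
```

Hashing before comparison is what makes the constant-time loop meaningful: `subtle.ConstantTimeCompare` returns early on a length mismatch, so comparing raw keys of different lengths would leak length information.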
Acceptance criteria
- `internal/grpc/auth/interceptor.go` — unary + streaming interceptors
- `NEXUS_API_KEYS` env var or `--api-keys-file` flag
- `HealthCheck` skipped by auth interceptor
- `docs/transports.md` updated with auth setup instructions