pcli/openspec/changes/archive/2026-02-11-replace-auth-with-api-key/proposal.md

Why

Planka now supports user-level API key authentication. The current pcli authentication uses session-based JWT tokens (via Authorization: Bearer <token>) with an optional OIDC httpOnlyToken cookie path. API keys are simpler, long-lived, and eliminate the need for multiple auth modes. Replacing the current auth with API key auth simplifies both the codebase and the user experience.

What Changes

• BREAKING: Replace Authorization: Bearer <token> header with x-api-key: <key> header on all API requests
• BREAKING: Rename environment variable PLANKA_TOKEN → PLANKA_API_KEY
• BREAKING: Rename CLI flag --token → --api-key
• Remove PLANKA_HTTP_TOKEN environment variable support
• Remove --http-token CLI flag
• Remove HttpOnlyToken field from the Client struct and all OIDC cookie logic
• Simplify NewClient constructor to accept only base URL, API key, and logger

Capabilities

New Capabilities

(none)

Modified Capabilities

• api-client: Authentication header changes from Authorization: Bearer to x-api-key. Client struct drops HttpOnlyToken field. NewClient signature simplifies. OIDC cookie logic removed.
• cli-commands: Root command global flags change: --token → --api-key, --http-token removed. Environment variable changes: PLANKA_TOKEN → PLANKA_API_KEY, PLANKA_HTTP_TOKEN removed.

Impact

• Code: client/client.go (struct, constructor, Do() method), cmd/root.go (flags, env vars, client init)
• Users: All existing users must update their environment variables and any scripts from PLANKA_TOKEN to PLANKA_API_KEY and generate an API key in Planka
• Dependencies: No dependency changes
• API: No Planka API endpoint changes — only the authentication mechanism used by pcli changes