v1.24.0 — Two-Token Auth

Released 2026-03-07. GitHub release.

v1.24.0 replaces the single-token auth architecture with a two-token architecture in which a long-lived external bearer token is exchanged for a short-lived internal access token. It also includes major improvements to agent rules, agent skills and documentation.

What’s New

  • Bearer token issuer replacing the token issuer for long-lived external tokens
  • New access token issuer for short-lived internal tokens
  • Coalescing of calls to Refresh in the configurator
  • HTTP ingress proxy no longer respects an inbound Request-Timeout header
  • Time budget defaults to 20 sec and is capped at 15 min universally
  • OnStartup, OnShutdown, OnObserveMetrics and OnConfigChanged callbacks on the Connector were simplified to a single callback
  • Agent skill for architectural review
  • The project init agent skill sets up auth
  • Upgrade agent skills moved to a dedicated subdirectory

Breaking Changes

  • SetActor only works in TESTING. Use SetToken instead.
  • The signature of the validator function passed to the Authorization middleware changed from func(ctx context.Context, token string) (actor any, valid bool, err error) to func(ctx context.Context, bearerToken string) (accessToken string, err error).
  • The new bearer token issuer replaces the now deprecated token issuer.
  • Bearer and access token issuers need to be added to the main app instead of the deprecated token issuer.
  • The connector’s OnStartup, OnShutdown, OnConfigChanged and OnObserveMetrics were simplified to a single callback.
  • Tracing: span.Log("xxx", ...) was changed to span.LogXXX(...).
  • act.Of signature extended to return an error.
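
The bearer-to-access exchange behind the new validator signature, sketched with the standard library only. This is an added example, not the project's own code: the "subject.expiry.mac" token format, HMAC-SHA256, the keys, the 5-minute lifetime and the helper names sign, verify and validate are all assumptions made for illustration.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed demo keys. Distinct keys stop an access token from being replayed as a bearer token.
var bearerKey, accessKey = []byte("constructed-bearer-key"), []byte("constructed-access-key")

// sign builds a hypothetical "subject.expiry.mac" token (an assumed format, not the framework's).
func sign(key []byte, sub string, exp time.Time) string {
	payload := sub + "." + strconv.FormatInt(exp.Unix(), 10)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return payload + "." + hex.EncodeToString(mac.Sum(nil))
}

// verify checks the MAC in constant time, then the expiry, and returns the subject.
func verify(key []byte, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	expiry := time.Unix(exp, 0)
	if err != nil || !hmac.Equal([]byte(sign(key, parts[0], expiry)), []byte(token)) || !now.Before(expiry) {
		return "", fmt.Errorf("invalid or expired token")
	}
	return parts[0], nil
}

// validate has the new validator shape: long-lived bearer token in, short-lived access token out.
func validate(ctx context.Context, bearerToken string) (accessToken string, err error) {
	sub, err := verify(bearerKey, bearerToken, time.Now())
	if err != nil {
		return "", err // rejected: no access token is minted
	}
	return sign(accessKey, sub, time.Now().Add(5*time.Minute)), nil // assumed 5-minute lifetime
}

func main() {
	fmt.Println(validate(context.Background(), sign(bearerKey, "alice", time.Now().Add(24*time.Hour))))
}
```

Because the two token types are signed with different keys, an access token presented where a bearer token is expected fails verification, so a leaked internal token cannot be used to mint fresh ones.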