chore(cli-auth): publishable key no longer required for cli auth (#1590)

## Summary by cubic CLI authentication no longer requires a publishable client key. Login works with only a project ID; pass `publishable_client_key` only if the project has `requirePublishableClientKey` enabled. - **New Features** - In `stack-auth-cli-template.py`, `publishable_client_key` is optional; requests send `x-hexclave-project-id` and `x-hexclave-access-type: client`, and include `x-hexclave-publishable-client-key` only when provided. - Updated docs and generated prompts to remove the key from examples and explain when it’s needed. - **Migration** - No changes required; existing calls that pass `publishable_client_key` still work. - You can remove the argument from `prompt_cli_login(...)` unless your project requires it. <sup>Written for commit 1f0e66ee74. Summary will update on new commits.</sup> <a href="https://cubic.dev/pr/hexclave/hexclave/pull/1590?utm_source=github" target="_blank" rel="noopener noreferrer" data-no-image-dialog="true"><picture><source media="(prefers-color-scheme: dark)" srcset="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://www.cubic.dev/buttons/review-in-cubic-light.svg"><img alt="Review in cubic" src="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a>
2026-06-19 21:00:40 +08:00 · 2026-06-12 10:12:27 -07:00 · 2026-06-12 10:12:27 -07:00 · 21c5198255
commit 21c5198255
parent 64eeedce9f
7 changed files with 20 additions and 23 deletions
--- a/docs-mintlify/guides/apps/authentication/cli-authentication.mdx
+++ b/docs-mintlify/guides/apps/authentication/cli-authentication.mdx
@ -18,7 +18,7 @@ To do so, we provide a Python template that you can use as a starting point. [Do
   └─ stack_auth_cli_template.py  # <- the file you just downloaded (rename to use underscores for Python import)
 ```

-Then, you can import the `prompt_cli_login` function:
+Then, you can import the `prompt_cli_login` function. The project ID is enough for most projects; only pass `publishable_client_key` if the project has `requirePublishableClientKey` enabled.

 ```py
 from stack_auth_cli_template import prompt_cli_login
@ -27,7 +27,6 @@ from stack_auth_cli_template import prompt_cli_login
 refresh_token = prompt_cli_login(
  app_url="https://your-app-url.example.com",
  project_id="your-project-id-here",
-  publishable_client_key="your-publishable-client-key-here",
 )

 if refresh_token is None:
@ -46,7 +45,7 @@ def get_access_token(refresh_token):
    'post',
    '/api/v1/auth/sessions/current/refresh',
    headers={
-      'x-stack-refresh-token': refresh_token,
+      'x-hexclave-refresh-token': refresh_token,
    }
  )

@ -57,7 +56,7 @@ def get_user_object(access_token):
    'get',
    '/api/v1/users/me',
    headers={
-      'x-stack-access-token': access_token,
+      'x-hexclave-access-token': access_token,
    }
  )

--- a/docs-mintlify/guides/getting-started/setup.mdx
+++ b/docs-mintlify/guides/getting-started/setup.mdx
--- a/docs-mintlify/llms-full.txt
+++ b/docs-mintlify/llms-full.txt
@ -1047,7 +1047,7 @@ Follow these instructions to authenticate users in a command line application wi
  </Step>

  <Step title="Prompt the user to log in">
-    Import and call `prompt_cli_login`. It opens the browser, lets the user authenticate, and returns a refresh token.
+    Import and call `prompt_cli_login`. It opens the browser, lets the user authenticate, and returns a refresh token. The project ID is enough for most projects; only pass `publishable_client_key` if the project has `requirePublishableClientKey` enabled.

    ```py main.py
    from hexclave_cli_template import prompt_cli_login
@ -1055,7 +1055,6 @@ Follow these instructions to authenticate users in a command line application wi
    refresh_token = prompt_cli_login(
      app_url="https://your-app-url.example.com",
      project_id="your-project-id-here",
-      publishable_client_key="your-publishable-client-key-here",
    )

    if refresh_token is None:
--- a/docs-mintlify/snippets/home-prompt-island.jsx
+++ b/docs-mintlify/snippets/home-prompt-island.jsx
--- a/docs/content/docs/(guides)/others/cli-authentication.mdx
+++ b/docs/content/docs/(guides)/others/cli-authentication.mdx
@ -13,7 +13,7 @@ To do so, we provide a Python template that you can use as a starting point. [Do
   └─ stack_auth_cli_template.py  # <- the file you just downloaded (rename to use underscores for Python import)
 ```

-Then, you can import the `prompt_cli_login` function:
+Then, you can import the `prompt_cli_login` function. The project ID is enough for most projects; only pass `publishable_client_key` if the project has `requirePublishableClientKey` enabled.

 ```py
 from stack_auth_cli_template import prompt_cli_login
@ -22,7 +22,6 @@ from stack_auth_cli_template import prompt_cli_login
 refresh_token = prompt_cli_login(
  app_url="https://your-app-url.example.com",
  project_id="your-project-id-here",
-  publishable_client_key="your-publishable-client-key-here",
 )

 if refresh_token is None:
--- a/docs/public/stack-auth-cli-template.py
+++ b/docs/public/stack-auth-cli-template.py
@ -2,31 +2,33 @@ import time
 import requests
 import webbrowser
 import urllib.parse
+from typing import Optional

 def prompt_cli_login(
  *,
  base_url: str = "https://api.stack-auth.com",
  app_url: str,
  project_id: str,
-  publishable_client_key: str,
+  publishable_client_key: Optional[str] = None,
 ):
  if not app_url:
    raise Exception("app_url is required and must be set to the URL of the app you're authenticating with")
  if not project_id:
    raise Exception("project_id is required")
-  if not publishable_client_key:
-    raise Exception("publishable_client_key is required")

  def post(endpoint, json):
+    headers = {
+      'Content-Type': 'application/json',
+      'x-hexclave-project-id': project_id,
+      'x-hexclave-access-type': 'client',
+    }
+    if publishable_client_key is not None:
+      headers['x-hexclave-publishable-client-key'] = publishable_client_key
+
    return requests.request(
      'POST',
      f'{base_url}{endpoint}',
-      headers={
-        'Content-Type': 'application/json',
-        'x-stack-project-id': project_id,
-        'x-stack-access-type': 'client',
-        'x-stack-publishable-client-key': publishable_client_key,
-      },
+      headers=headers,
      json=json,
    )

--- a/packages/shared/src/ai/unified-prompts/skill-site-prompt-parts/ai-setup-prompt.ts
+++ b/packages/shared/src/ai/unified-prompts/skill-site-prompt-parts/ai-setup-prompt.ts
@ -275,7 +275,7 @@ export const cliSetupPrompt = deindent`
    </Step>

    <Step title="Prompt the user to log in">
-      Import and call \`prompt_cli_login\`. It opens the browser, lets the user authenticate, and returns a refresh token.
+      Import and call \`prompt_cli_login\`. It opens the browser, lets the user authenticate, and returns a refresh token. The project ID is enough for most projects; only pass \`publishable_client_key\` if the project has \`requirePublishableClientKey\` enabled.

      \`\`\`py main.py
      from hexclave_cli_template import prompt_cli_login
@ -283,7 +283,6 @@ export const cliSetupPrompt = deindent`
      refresh_token = prompt_cli_login(
        app_url="https://your-app-url.example.com",
        project_id="your-project-id-here",
-        publishable_client_key="your-publishable-client-key-here",
      )

      if refresh_token is None: