Jody Roberts / artifacts / OAuth smoke test — safe to delete

OAuth smoke test — safe to delete

Created 2026-04-13 via CLI end-to-end smoke test of the new Supabase-JWT OAuth flow (PR #22). Apr 14, 2026 markdown

OAuth smoke test — PR #22

This artifact was created end-to-end via:

  1. Claude Desktop-style OAuth 2.1 flow → /authorize with PKCE
  2. Login via Supabase password
  3. Consent screen → Approve
  4. /token exchange returned a real Supabase JWT (ES256, iss tdjyqykkngyflqkjuzai.supabase.co/auth/v1)
  5. MCP server validated the JWT via supabase.auth.getUser()
  6. Tool handler pulled the JWT from extra.authInfo.token and passed it as authToken to odFetch
  7. Main app's requireAuth validated the same JWT, identified the caller as 74ef4da3-... (me)
  8. Owner check passed, artifact inserted

The whole chain works. Same JWT flows through both hops. One auth realm. No custom token store. No AsyncLocalStorage forwarding magic.

Safe to delete — this was a smoke test.

← all artifacts