Update remoting.md with bearer auth, API keys, and error handling #46
Open
Description
Context
SPE 9.0 adds bearer token authentication with JWT scope claims, API Key support, and structured error responses for restriction violations (#1426 in Console repo). The remoting.md page needs updating.
Changes Needed
Bearer Token Authentication Section (New)
Add a section covering:
- JWT bearer tokens as an alternative to SOAP-based `New-ScriptSession`
- Scope claim mapping to restriction profiles
- Example:

```powershell
$token = New-Jwt -Algorithm HS256 -Issuer "SPE Remoting" `
    -Audience "https://spe.dev.local" `
    -Name "sitecore\api-user" `
    -SecretKey $sharedSecret `
    -Scope "read-only"
```

API Key Usage Section (New)
- How to use API Key shared secrets from the client side
- Difference between API Key auth and legacy shared secret auth
Handling Restriction Responses (New)
Document the new error responses clients may encounter:
- 403 Forbidden with `X-SPE-BlockedCommand` header when a command is restricted
- 429 Too Many Requests with `Retry-After` header when throttled
- `Invoke-RemoteScript` automatic handling of these responses
Response Headers Reference
| Header | When | Purpose |
|---|---|---|
| `X-SPE-Restriction` | Always (when profile active) | Active profile name |
| `X-SPE-BlockedCommand` | On 403 | Blocked command name |
| `X-SPE-Profile` | Always (when profile active) | Resolved profile name |
| `X-RateLimit-Limit` | When throttled key | Total request limit |
| `X-RateLimit-Remaining` | When throttled key | Remaining requests |
| `X-RateLimit-Reset` | When throttled key | Window reset timestamp |
| `Retry-After` | On 429 | Seconds to wait |
Cross-References
- Link to security/restriction-profiles.md
- Link to security/api-keys.md
Related
- Depends on Console repo feature/clm branch (#1426)
- Depends on: Add Restriction Profiles page (security/restriction-profiles.md) #41, Add API Keys page (security/api-keys.md) #42
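
A sketch of how a client could interpret the 403 and 429 responses and headers listed above. This is an added example, not code from the issue or from SPE; the function name `Get-SpeRestrictionAction`, its parameters, the delay defaults and the sample header values are all hypothetical.

```powershell
# Added example: interprets the restriction headers listed in this issue.
# Function name, parameters and sample values are hypothetical.
function Get-SpeRestrictionAction {
    param(
        [Parameter(Mandatory)] [int] $StatusCode,
        [Parameter(Mandatory)] [hashtable] $Headers,
        [int] $DefaultDelaySeconds = 5,
        [int] $MaxDelaySeconds = 60
    )

    $result = [ordered]@{
        Action         = 'Continue'
        Profile        = $Headers['X-SPE-Profile']          # set only when a profile is active
        BlockedCommand = $null
        DelaySeconds   = 0
        Remaining      = $Headers['X-RateLimit-Remaining']  # set only for throttled keys
    }

    switch ($StatusCode) {
        403 {
            # A restricted command will not succeed on retry: report it and stop.
            $result.Action = 'Fail'
            $result.BlockedCommand = $Headers['X-SPE-BlockedCommand']
        }
        429 {
            # Retry-After is listed above as seconds. Fall back when it is absent
            # or malformed, and cap it so a bad value cannot stall the client.
            $seconds = 0
            if (-not [int]::TryParse([string]$Headers['Retry-After'], [ref]$seconds) -or $seconds -lt 0) {
                $seconds = $DefaultDelaySeconds
            }
            $result.Action = 'Retry'
            $result.DelaySeconds = [Math]::Min($seconds, $MaxDelaySeconds)
        }
    }
    [pscustomobject]$result
}

# Constructed sample responses (not captured from a real server).
$samples = @(
    @{ StatusCode = 403; Headers = @{ 'X-SPE-Profile' = 'read-only'; 'X-SPE-BlockedCommand' = 'Remove-Item' } },
    @{ StatusCode = 429; Headers = @{ 'Retry-After' = '12'; 'X-RateLimit-Remaining' = '0' } },
    @{ StatusCode = 429; Headers = @{ 'Retry-After' = 'soon' } }   # malformed value, uses the default delay
)
foreach ($s in $samples) { Get-SpeRestrictionAction @s }
```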