[DX] GAP-24: IXP DU API auth fails on Orchestrator — functions have no env config tab, robot token scopes undocumented, dotenv truncates secrets with # #1513

@AlexBizon

Summary

Three related issues affecting the IXP Document Understanding Public API when called from a functions package on Orchestrator: (1) functions processes have no Environment Configuration tab, making it impossible to inject secrets via env vars; (2) the robot token on Orchestrator already carries DU scopes, making a separate External App credential unnecessary but undocumented; (3) .env secret values containing # are silently truncated by python-dotenv.

Root Cause

Part 1 — Functions processes have no Environment Configuration tab

On Orchestrator, agent processes expose an Environment Configuration tab for injecting env vars at runtime. Functions processes (type: "function") do not. So IXP_APP_ID and IXP_APP_SECRET (credentials for a DU-scoped External App) effectively cannot be injected into functions packages via env var on Orchestrator — they must be hardcoded (bad) or sourced from Orchestrator Assets (workaround).

Part 2 — Robot token already has DU scopes (undocumented)

On Orchestrator, the runtime automatically injects UIPATH_ACCESS_TOKEN as a robot bearer token. That token already includes Du.Digitization.Api and Du.Extraction.Api scopes. A separate External Application is redundant on Orchestrator. This is not documented anywhere — the DU docs imply a separate External App is always required.

Part 3 — python-dotenv truncates secrets containing #

python-dotenv treats # as a comment delimiter in unquoted values. A rotated secret containing # (common in auto-generated secrets) is silently truncated at that character locally.

# .env
IXP_APP_SECRET=abc123#xyz  # python-dotenv reads this as "abc123", not "abc123#xyz"
IXP_APP_SECRET="abc123#xyz"  # correct: quoted value

Recommended Pattern

import httpx


def _get_du_token() -> str:
    """Return a bearer token that carries the DU scopes."""
    # get_settings() is the application's own settings loader (not shown here)
    settings = get_settings()
    if settings.ixp_app_id and settings.ixp_app_secret:
        # Local dev: exchange External App credentials for a DU-scoped token
        resp = httpx.post(
            f"{settings.uipath_identity_url}/connect/token",
            data={
                "grant_type": "client_credentials",
                "client_id": settings.ixp_app_id,
                "client_secret": settings.ixp_app_secret,
                "scope": "Du.Digitization.Api Du.Extraction.Api",
            },
        )
        # Surface an HTTP error instead of a KeyError on the error body
        resp.raise_for_status()
        return resp.json()["access_token"]
    # Orchestrator: robot token already carries DU scopes
    return settings.uipath_access_token

Suggested Fix

  1. Document that UIPATH_ACCESS_TOKEN on Orchestrator already carries DU scopes — no External App is needed for functions calling the IXP DU Public API from within an Orchestrator job.
  2. Expose an Environment Configuration tab (or equivalent secrets injection) for functions processes, not just agent processes.
  3. Warn during uipath pack if .env contains values not declared in bindings or a supported injection mechanism (they will be absent on Orchestrator).
  4. Document that .env values containing # must be quoted.

Impact

  • Severity: High
  • Functions that call the IXP DU API fail on Orchestrator even when they work perfectly locally
  • Three separate root causes compound the issue, making it very hard to diagnose
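
An added example, not part of the original issue or the project's code: a pre-commit style check for the quoting rule in Part 3 and Suggested Fix item 4. It reports every unquoted value containing # by key and line number only, so the secret itself never reaches logs; the name find_unquoted_hash and the sample file are constructed for illustration.

```python
import re
import sys

# KEY=VALUE with an optional "export " prefix; the value is captured raw.
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed sample file; the values are placeholders, not real credentials.
SAMPLE_ENV = '''\
# .env (constructed sample)
IXP_APP_ID=11111111-2222-3333-4444-555555555555
IXP_APP_SECRET=abc123#xyz
IXP_APP_SECRET_QUOTED="abc123#xyz"  # quoted, so the '#' is kept
UIPATH_URL=https://example.invalid/org/tenant
'''


def find_unquoted_hash(env_text: str) -> list[tuple[int, str]]:
    """Return (line_number, key) for each unquoted value that contains '#'.

    A trailing '# comment' after an unquoted value is flagged as well: from
    the file alone it cannot be told apart from a '#' that belongs to a secret.
    """
    findings = []
    for lineno, line in enumerate(env_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        match = _LINE.match(line)
        if not match:
            continue  # blank line or something that is not KEY=VALUE
        key, raw = match.group(1), match.group(2).strip()
        quote = raw[:1]
        # A properly closed quoted value protects any '#' inside it.
        if quote in ('"', "'") and raw.find(quote, 1) != -1:
            continue
        if "#" in raw:
            findings.append((lineno, key))
    return findings


if __name__ == "__main__":
    # Check the file given on the command line, or the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ENV
    hits = find_unquoted_hash(text)
    for lineno, key in hits:
        print(f"line {lineno}: {key} has an unquoted value containing '#'; quote it")
    sys.exit(1 if hits else 0)
```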
