descope · itaihanski · Jan 15, 2026 · Copilot · Jan 15, 2026 · Copilot
diff --git a/src/main/java/com/descope/client/Config.java b/src/main/java/com/descope/client/Config.java
@@ -30,6 +30,13 @@ public class Config {
   // fail.
   private String managementKey;
 
+  // AuthManagementKey (optional, "") - used to provide a management key to use
+  // with Authentication APIs whose public access has been disabled.
+  // If empty, this value is retrieved from the DESCOPE_AUTH_MANAGEMENT_KEY
+  // environment variable instead. If neither values are set then any disabled
+  // authentication methods API calls will fail.
+  private String authManagementKey;
+
   // PublicKey (optional, "") - used to override or implicitly use a dedicated public key in order
   // to decrypt and validate the JWT tokens during ValidateSessionRequest().
   // If empty, will attempt to fetch all public keys from the specified project id.
@@ -73,4 +80,11 @@ public String initializeManagementKey() {
     }
     return this.managementKey;
   }
+
+  public String initializeAuthManagementKey() {
+    if (StringUtils.isBlank(this.authManagementKey)) {
+      this.authManagementKey = EnvironmentUtils.getAuthManagementKey();
+    }
+    return this.authManagementKey;
+  }
 }
diff --git a/src/main/java/com/descope/client/DescopeClient.java b/src/main/java/com/descope/client/DescopeClient.java
@@ -49,6 +49,7 @@ public DescopeClient(Config config) throws DescopeException {
       log.debug("Provided public key is set, forcing only provided public key validation");
     }
     config.initializeManagementKey();
+    config.initializeAuthManagementKey();
     config.initializeBaseURL();
 
     Client client = getClient(config);
@@ -69,6 +70,7 @@ private static Client getClient(Config config) {
         .uri(StringUtils.isBlank(config.getDescopeBaseUrl()) ? baseUrl : config.getDescopeBaseUrl())
         .projectId(projectId)
         .managementKey(config.getManagementKey())
+        .authManagementKey(config.getAuthManagementKey())
         .headers(
             Collections.isEmpty(config.getCustomDefaultHeaders())
               ? new HashMap<>() : new HashMap<>(config.getCustomDefaultHeaders()))

diff --git a/src/main/java/com/descope/literals/AppConstants.java b/src/main/java/com/descope/literals/AppConstants.java
@@ -7,6 +7,7 @@ public class AppConstants {
   public static final String PROJECT_ID_ENV_VAR = "DESCOPE_PROJECT_ID";
   public static final String PUBLIC_KEY_ENV_VAR = "DESCOPE_PUBLIC_KEY";
   public static final String MANAGEMENT_KEY_ENV_VAR = "DESCOPE_MANAGEMENT_KEY";
+  public static final String AUTH_MANAGEMENT_KEY_ENV_VAR = "DESCOPE_AUTH_MANAGEMENT_KEY";
   public static final String BASE_URL_ENV_VAR = "DESCOPE_BASE_URL";
   public static final String AUTHORIZATION_HEADER_NAME = "Authorization";
   public static final String BEARER_AUTHORIZATION_PREFIX = "Bearer ";

diff --git a/src/main/java/com/descope/model/client/Client.java b/src/main/java/com/descope/model/client/Client.java
@@ -18,6 +18,7 @@ public class Client {
   private String uri;
   private String projectId;
   private String managementKey;
+  private String authManagementKey;
   private Map<String, String> headers;
   private SdkInfo sdkInfo;
   private Key providedKey;

diff --git a/src/main/java/com/descope/sdk/auth/impl/AuthenticationsBase.java b/src/main/java/com/descope/sdk/auth/impl/AuthenticationsBase.java
@@ -37,7 +37,11 @@ abstract class AuthenticationsBase extends SdkServicesBase implements Authentica
 
   ApiProxy getApiProxy() {
     String projectId = client.getProjectId();
+    String authManagementKey = client.getAuthManagementKey();
     if (StringUtils.isNotBlank(projectId)) {
+      if (StringUtils.isNotBlank(authManagementKey)) {
+        return ApiProxyBuilder.buildProxy(() -> String.format("Bearer %s:%s", projectId, authManagementKey), client);
+      }
       return ApiProxyBuilder.buildProxy(() -> "Bearer " + projectId, client);
     }
     return ApiProxyBuilder.buildProxy(client.getSdkInfo());
@@ -49,7 +53,13 @@ ApiProxy getApiProxy(String refreshToken) {
       return getApiProxy();
     }
 
-    String token = String.format("Bearer %s:%s", projectId, refreshToken);
+    String authManagementKey = client.getAuthManagementKey();
+    String token;
+    if (StringUtils.isNotBlank(authManagementKey)) {
+      token = String.format("Bearer %s:%s:%s", projectId, refreshToken, authManagementKey);
+    } else {
+      token = String.format("Bearer %s:%s", projectId, refreshToken);
+    }
     return ApiProxyBuilder.buildProxy(() -> token, client);
   }
 

diff --git a/src/main/java/com/descope/utils/EnvironmentUtils.java b/src/main/java/com/descope/utils/EnvironmentUtils.java
@@ -1,5 +1,6 @@
 package com.descope.utils;
 
+import static com.descope.literals.AppConstants.AUTH_MANAGEMENT_KEY_ENV_VAR;
 import static com.descope.literals.AppConstants.BASE_URL_ENV_VAR;
 import static com.descope.literals.AppConstants.MANAGEMENT_KEY_ENV_VAR;
 import static com.descope.literals.AppConstants.PROJECT_ID_ENV_VAR;
@@ -27,4 +28,8 @@ public static String getPublicKey() {
   public static String getManagementKey() {
     return dotenv.get(MANAGEMENT_KEY_ENV_VAR);
   }
+
+  public static String getAuthManagementKey() {
+    return dotenv.get(AUTH_MANAGEMENT_KEY_ENV_VAR);
+  }
 }