PTHMINT-116: Add scoped credential resolver and client support#55
Merged
danielcivit merged 3 commits intomasterfrom Apr 27, 2026
Merged
PTHMINT-116: Add scoped credential resolver and client support#55danielcivit merged 3 commits intomasterfrom
danielcivit merged 3 commits intomasterfrom
Conversation
Introduce a CredentialResolver protocol, AuthScope dataclass and a default ScopedCredentialResolver to support resolving API keys by auth scope (default_account, partner_affiliate, terminal_group). Update Client and Sdk to accept an optional credential_resolver (and make api_key optional when a resolver is provided), add Client._resolve_api_key and auth_scope plumbing for request creation, and export ScopedCredentialResolver from the package. Add validation to require at least one credential source and improve error messages for missing/unknown scoped keys. Update and add unit tests to cover resolver behavior, header wiring, and SDK initialization with resolver-only configuration.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #55 +/- ##
==========================================
+ Coverage 90.94% 91.82% +0.87%
==========================================
Files 147 148 +1
Lines 2607 2655 +48
==========================================
+ Hits 2371 2438 +67
+ Misses 236 217 -19 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a scoped credential resolution mechanism to the MultiSafepay SDK so API keys can be resolved dynamically per request based on an authentication scope, while keeping existing API-key usage working.
Changes:
- Introduces
CredentialResolver+ScopedCredentialResolverand anAuthScopepayload to support default, partner-affiliate, and terminal-group authentication. - Updates
ClientandSdkto accept an optional credential resolver and to resolve the Authorization header per request (with optionalauth_scopeper request). - Extends unit tests to cover resolver behavior and resolver-based SDK/client initialization and header wiring.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/multisafepay/unit/test_unit_sdk.py | Adds SDK tests for resolver-only initialization and resolver + transport header wiring. |
| tests/multisafepay/unit/client/test_unit_credential_resolver.py | New unit tests for ScopedCredentialResolver scope selection and error cases. |
| tests/multisafepay/unit/client/test_unit_client.py | Adds unit tests that Authorization headers are sent and that resolver-based auth is preferred. |
| src/multisafepay/sdk.py | Makes api_key optional when a resolver is provided and wires resolver into Client. |
| src/multisafepay/client/credential_resolver.py | New resolver protocol + default scoped resolver implementation. |
| src/multisafepay/client/client.py | Adds resolver support, per-request auth_scope, and API key resolution logic for Authorization header. |
| src/multisafepay/client/init.py | Exports ScopedCredentialResolver for from multisafepay.client import ScopedCredentialResolver. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
danielcivit
approved these changes
Apr 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces a new flexible credential resolution system to the MultiSafepay SDK, allowing API keys to be resolved dynamically based on authentication scope. The changes add the
CredentialResolverprotocol and a defaultScopedCredentialResolverimplementation, update theClientandSdkclasses to support this new mechanism, and extend tests to cover resolver-based authentication. This enables more advanced use cases, such as partner and group-based authentication, while maintaining backward compatibility.The most important changes are:
Credential Resolution System:
credential_resolver.pycontaining theCredentialResolverprotocol,AuthScopedataclass, and theScopedCredentialResolverimplementation for resolving API keys by scope and group. This supports default, partner affiliate, and terminal group authentication scenarios.Clientto accept either anapi_keyor acredential_resolver(or both), and to resolve the API key per request using the new resolver logic. The client now supports anauth_scopeparameter for each request method, and exposes constants for supported scopes. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]SDK and API Surface Updates:
Sdkclass to accept acredential_resolverand pass it to theClient, allowing SDK users to leverage the new credential resolution mechanism. [1] [2] [3]ScopedCredentialResolverfrom the package's__init__.pyfor easier imports.Testing Enhancements: