feat(seer): Add signed viewer context header to Seer API requests#109626
Merged
feat(seer): Add signed viewer context header to Seer API requests#109626
Conversation
Add optional viewer_context parameter to make_signed_seer_api_request that writes organization_id and user_id as a signed X-Viewer-Context header. The context is HMAC-SHA256 signed with the shared secret, allowing Seer to verify the caller's identity for access control. Co-Authored-By: Claude <noreply@anthropic.com>
github-actions
bot
added
the
Scope: Backend
![sentry-warden[bot]](https://avatars.githubusercontent.com/in/2755838?s=60&v=4){kind=small}
Match the existing pattern in sign_with_seer_secret by checking that SEER_API_SHARED_SECRET is set before attempting to sign the viewer context. Log a warning instead of crashing with AttributeError. Co-Authored-By: Claude <noreply@anthropic.com>
gricha
approved these changes
Feb 28, 2026
jan-auer
added a commit
that referenced
this pull request
Mar 2, 2026
…ept-encoding * origin/master: (63 commits) fix(api): Add missing cursor query parameter to paginated endpoint OpenAPI schemas (#109642) docs(sentry-apps): Add sentryAppId to sentry-app-installations API schema (#109628) feat(occurrences on eap): Implement double reads from EAP in organization events trace API endpoint (#109391) feat(occurrences on eap): Implement double reads from EAP for reprocessing2 flow (#109345) feat(ci): report backend test fails (#109543) feat(seer): Add signed viewer context header to Seer API requests (#109626) devenv: cleanup devenv-managed uv (#109617) feat(seer): Iterate on the instructions at the top of seer settings pages (#109586) ref(seer): Add typed wrappers for remaining Seer API callsites (#109607) feat(preprod): Make snapshots endpoint org scoped (#109575) chore: capture exception (#109620) fix(formatting): run ruff format (#109618) feat(preprod): Create admin gated recompare snapshots endpoint (#109546) feat(cells): expand locality/cell distinction (#109538) feat(cells): add db migration for synapse (#109615) feat(preprod): Add public install-details endpoint and shared utilities (#109583) fix(tests): Fix flaky test_cross_trace_query_with_spans_and_logs (#109572) fix(grouping): Resolve mypy possibly-undefined errors in grouphash caching (#109602) fix(dashboards): Default axisRange to auto for existing widgets in builder (#109598) fix(billing): Fix category display names in pending changes (#109612) ...
azulus
added a commit
that referenced
this pull request
Mar 2, 2026
…109697) ## Summary - Propagates the optional `viewer_context: SeerViewerContext | None` kwarg through all 51 wrapper functions across 15 files that call `make_signed_seer_api_request()` - Enables callers to pass organization and user context which gets HMAC-signed into `X-Viewer-Context` / `X-Viewer-Context-Signature` headers for Seer access control - All new params default to `None` — no call sites are changed yet Builds on #109626 which added `viewer_context` support to `make_signed_seer_api_request()`. ## Test plan - All changes are additive (new optional param defaulting to `None`), so existing behavior is unchanged - Pre-commit passes on all 15 modified files - CI should validate no regressions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add an optional
viewer_contextparameter tomake_signed_seer_api_requestthat allows callers to passorganization_idand/oruser_id. When provided, these are serialized as JSON into anX-Viewer-Contextheader and HMAC-SHA256 signed into a companionX-Viewer-Context-Signatureheader using the shared Seer secret.This gives Seer a verified way to know which organization and user originated a request, enabling access control and audit logging on their side. No callers pass this yet — this just adds the plumbing.