From c0b41ee200c1d328d8675d357cf94cddb12df8f1 Mon Sep 17 00:00:00 2001
From: Vojtech Vitek
Date: Tue, 15 Apr 2025 12:21:36 +0200
Subject: [PATCH 1/2] Support AccessKeys in S2S client

---
 s2s.go | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/s2s.go b/s2s.go
index 14dd3fe..4187105 100644
--- a/s2s.go
+++ b/s2s.go
@@ -1,6 +1,7 @@
 package authcontrol
 
 import (
+	"fmt"
 	"maps"
 	"net/http"
 	"time"
@@ -12,6 +13,7 @@ import (
 type S2SClientConfig struct {
 	Service       string
 	JWTSecret     string
+	AccessKey     string
 	DebugRequests bool
 }
 
@@ -20,17 +22,24 @@ func S2SClient(cfg *S2SClientConfig) *http.Client {
 	httpClient := &http.Client{
 		Transport: transport.Chain(http.DefaultTransport,
 			traceid.Transport,
-			transport.SetHeaderFunc("Authorization", func(req *http.Request) string {
-				return "BEARER " + S2SToken(cfg.JWTSecret, map[string]any{"service": cfg.Service})
-			}),
-			transport.If(cfg.DebugRequests, transport.LogRequests(transport.LogOptions{Concise: true, CURL: true})),
+			transport.SetHeader("User-Agent", fmt.Sprintf("sequence/%s", cfg.Service)),
+			transport.If(cfg.JWTSecret != "",
+				transport.SetHeaderFunc("Authorization", func(req *http.Request) string {
+					return "BEARER " + S2SToken(cfg.JWTSecret, map[string]any{"service": cfg.Service})
+				}),
+			),
+			transport.If(cfg.AccessKey != "",
+				transport.SetHeader("X-Access-Key", cfg.AccessKey),
+			),
+			transport.If(cfg.DebugRequests,
+				transport.LogRequests(transport.LogOptions{Concise: true, CURL: true}),
+			),
 		),
 	}
-
 	return httpClient
 }
 
-// Create short-lived service-to-service JWT token for internal communication between Sequence services.
+// Create a short-lived service-to-service JWT token for internal communication between Sequence services.
 func S2SToken(jwtSecret string, claims map[string]any) string {
 	jwtAuth, _ := NewAuth(jwtSecret).GetVerifier(nil)
 	now := time.Now().UTC()

From b39f7ab89eed6661abc1166afae10f11b7e8e306 Mon Sep 17 00:00:00 2001
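Review bot: The new AccessKey field in S2SClientConfig carries no doc comment, so a caller cannot tell from the type which header it becomes or that it is sent in addition to the JWT when both are configured. I would add `// AccessKey, when non-empty, is sent as the X-Access-Key header on every request; it may be combined with JWTSecret.` above the field, and ideally give JWTSecret a matching line so the two credential options read as alternatives.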
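Review bot: In S2SClient's transport chain, guarding both credential transports with `transport.If(cfg.JWTSecret != "", …)` and `transport.If(cfg.AccessKey != "", …)` means a config with neither value set now yields a client that sends every request unauthenticated with no signal that this happened, whereas the old chain always attached a bearer token; I would make the misconfiguration explicit at the top of the function, e.g. `if cfg.JWTSecret == "" && cfg.AccessKey == "" { panic("authcontrol: S2SClient requires JWTSecret or AccessKey") }`, or a logged warning if the package prefers not to panic on bad config. When both are set, both Authorization and X-Access-Key are sent on the same request; if that is intended, a one-line comment on the chain saying so would save the next reader from guessing. The X-Access-Key header is also added in the same chain as the CURL-style logger enabled by DebugRequests, so unless LogRequests redacts headers (not visible here) the key will be echoed verbatim into debug output alongside the bearer token; worth confirming and noting on DebugRequests. The body of S2SToken continues outside the hunk.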
From: Vojtech Vitek
Date: Tue, 15 Apr 2025 12:48:46 +0200
Subject: [PATCH 2/2] Set default service name (binary), if not provided

---
 s2s.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/s2s.go b/s2s.go
index 4187105..49deae7 100644
--- a/s2s.go
+++ b/s2s.go
@@ -1,9 +1,12 @@
 package authcontrol
 
 import (
+	"cmp"
 	"fmt"
 	"maps"
 	"net/http"
+	"os"
+	"path/filepath"
 	"time"
 
 	"github.com/go-chi/traceid"
@@ -19,13 +22,15 @@ type S2SClientConfig struct {
 // Service-to-service HTTP client for internal communication between Sequence services.
 func S2SClient(cfg *S2SClientConfig) *http.Client {
+	serviceName := cmp.Or(cfg.Service, filepath.Base(os.Args[0]))
+
 	httpClient := &http.Client{
 		Transport: transport.Chain(http.DefaultTransport,
 			traceid.Transport,
-			transport.SetHeader("User-Agent", fmt.Sprintf("sequence/%s", cfg.Service)),
+			transport.SetHeader("User-Agent", fmt.Sprintf("sequence/%s", serviceName)),
 			transport.If(cfg.JWTSecret != "",
 				transport.SetHeaderFunc("Authorization", func(req *http.Request) string {
-					return "BEARER " + S2SToken(cfg.JWTSecret, map[string]any{"service": cfg.Service})
+					return "BEARER " + S2SToken(cfg.JWTSecret, map[string]any{"service": serviceName})
 				}),
 			),
 			transport.If(cfg.AccessKey != "",