From 8af4a3f9d55b72e7d7e59d7b8e04a78d196a3b10 Mon Sep 17 00:00:00 2001
From: Anish Sarkar <104695310+AnishSarkar22@users.noreply.github.com>
Date: Fri, 19 Jun 2026 20:29:30 +0530
Subject: [PATCH] feat: update extension clients for PAT auth

---
 .../routes/pages/ApiKeyForm.tsx                  | 16 ++++++++--------
 surfsense_obsidian/README.md                     |  7 +------
 surfsense_obsidian/src/api-client.ts             |  4 ++--
 surfsense_obsidian/src/main.ts                   |  2 +-
 surfsense_obsidian/src/settings.ts               |  2 +-
 5 files changed, 13 insertions(+), 18 deletions(-)

diff --git a/surfsense_browser_extension/routes/pages/ApiKeyForm.tsx b/surfsense_browser_extension/routes/pages/ApiKeyForm.tsx
index 537eba3da..d045d8129 100644
--- a/surfsense_browser_extension/routes/pages/ApiKeyForm.tsx
+++ b/surfsense_browser_extension/routes/pages/ApiKeyForm.tsx
@@ -16,7 +16,7 @@ const ApiKeyForm = () => {
 
 	const validateForm = () => {
 		if (!apiKey) {
-			setError("API key is required");
+			setError("Personal access token is required");
 			return false;
 		}
 		setError("");
@@ -39,11 +39,11 @@ const ApiKeyForm = () => {
 			setLoading(false);
 
 			if (response.ok) {
-				// Store the API key as the token
+				// Store the PAT as the bearer token for existing background handlers.
 				await storage.set("token", apiKey);
 				navigation("/");
 			} else {
-				setError("Invalid API key. Please check and try again.");
+				setError("Invalid personal access token. Please check and try again.");
 			}
 		} catch (error) {
 			setLoading(false);
@@ -67,15 +67,15 @@ const ApiKeyForm = () => {
 
 				<div className="bg-gray-800/70 backdrop-blur-sm rounded-xl shadow-xl border border-gray-700 p-6">
 					<div className="space-y-6">
-						<h2 className="text-xl font-medium text-white">Enter your API Key</h2>
+						<h2 className="text-xl font-medium text-white">Enter your personal access token</h2>
 						<p className="text-gray-400 text-sm">
-							Your API key connects this extension to the SurfSense.
+							Your personal access token connects this extension to SurfSense.
 						</p>
 
 						<form onSubmit={handleSubmit} className="space-y-4">
 							<div className="space-y-2">
 								<label htmlFor="apiKey" className="text-sm font-medium text-gray-300">
-									API Key
+									Personal access token
 								</label>
 								<input
 									type="text"
@@ -83,7 +83,7 @@ const ApiKeyForm = () => {
 									value={apiKey}
 									onChange={(e) => setApiKey(e.target.value)}
 									className="w-full px-3 py-2 bg-gray-900/50 border border-gray-700 rounded-md focus:outline-none focus:ring-2 focus:ring-teal-500 text-white placeholder:text-gray-500"
-									placeholder="Enter your API key"
+									placeholder="Enter your personal access token"
 								/>
 								{error && <p className="text-red-400 text-sm mt-1">{error}</p>}
 							</div>
@@ -106,7 +106,7 @@ const ApiKeyForm = () => {
 
 						<div className="text-center mt-4">
 							<p className="text-sm text-gray-400">
-								Need an API key?{" "}
+								Need a personal access token?{" "}
 								<a
 									href="https://www.surfsense.com"
 									target="_blank"
diff --git a/surfsense_obsidian/README.md b/surfsense_obsidian/README.md
index 71cb8566e..6c4befcc9 100644
--- a/surfsense_obsidian/README.md
+++ b/surfsense_obsidian/README.md
@@ -51,7 +51,7 @@ Open **Settings → SurfSense** in Obsidian and fill in:
 | Setting | Value |
 | --- | --- |
 | Server URL | `https://surfsense.com` for SurfSense Cloud, or your self-hosted URL |
-| API token | Copy from the *Connectors → Obsidian* dialog in the SurfSense web app |
+| API token | Create a personal access token from the *Connectors → Obsidian* dialog or *User settings → API access* in the SurfSense web app |
 | Search space | Pick the search space this vault should sync into |
 | Vault name | Defaults to your Obsidian vault name; rename if you have multiple vaults |
 | Sync mode | *Auto* (recommended) or *Manual* |
@@ -62,11 +62,6 @@ The connector row appears automatically inside SurfSense the first time the
 plugin successfully calls `/obsidian/connect`. You can manage or delete it
 from *Connectors → Obsidian* in the web app.
 
-> **Token lifetime.** The web app currently issues 24-hour JWTs. If you see
-> *"token expired"* in the plugin status bar, paste a fresh token from the
-> SurfSense web app. Long-lived personal access tokens are coming in a future
-> release.
-
 ## Mobile
 
 The plugin works on Obsidian for iOS and Android. Sync runs whenever the
diff --git a/surfsense_obsidian/src/api-client.ts b/surfsense_obsidian/src/api-client.ts
index 37f5ebb65..114e531f7 100644
--- a/surfsense_obsidian/src/api-client.ts
+++ b/surfsense_obsidian/src/api-client.ts
@@ -22,11 +22,11 @@ import type {
  *
  * Auth + wire contract:
  *   - Every request carries `Authorization: Bearer <token>` only. No
- *     custom headers — the backend identifies the caller from the JWT
+ *     custom headers — the backend identifies the caller from the PAT
  *     and feature-detects the API via the `capabilities` array on
  *     `/health` and `/connect`.
  *   - 401 surfaces as `AuthError` so the orchestrator can show the
- *     "token expired, paste a fresh one" UX.
+ *     "token invalid or expired" UX.
  *   - HealthResponse / ConnectResponse use index signatures so any
  *     additive backend field (e.g. new capabilities) parses without
  *     breaking the decoder. This mirrors `ConfigDict(extra='ignore')`
diff --git a/surfsense_obsidian/src/main.ts b/surfsense_obsidian/src/main.ts
index 1dea47b95..6600b7145 100644
--- a/surfsense_obsidian/src/main.ts
+++ b/surfsense_obsidian/src/main.ts
@@ -248,7 +248,7 @@ export default class SurfSensePlugin extends Plugin {
 		const now = Date.now();
 		if (now - this.lastAuthToastAt < 10_000) return;
 		this.lastAuthToastAt = now;
-		new Notice("Surfsense: API token expired or invalid. Paste a fresh token in settings.", 8000);
+		new Notice("Surfsense: API token is invalid or expired. Check your token in settings.", 8000);
 	}
 
 	async loadSettings() {
diff --git a/surfsense_obsidian/src/settings.ts b/surfsense_obsidian/src/settings.ts
index 6a01f2fd1..7f404fc97 100644
--- a/surfsense_obsidian/src/settings.ts
+++ b/surfsense_obsidian/src/settings.ts
@@ -67,7 +67,7 @@ export class SurfSenseSettingTab extends PluginSettingTab {
 		new Setting(containerEl)
 			.setName("API token")
 			.setDesc(
-				"Paste your Surfsense API token (expires after 24 hours; re-paste when you see an auth error).",
+				"Paste your Surfsense personal access token from the web app.",
 			)
 			.addText((text) => {
 				text.inputEl.type = "password";