feat: add selectedTenant to AccessKeyLoginOptions for access key exchange (#768)

itamartal · Itamar Tal · ampcode-com · web-flow · commit 0f601835bad4 · 2026-02-23T14:51:32.000+02:00
Amp-Thread-ID: https://ampcode.com/threads/T-019c7af6-3c5a-709c-886e-e51681bc3d8a Co-authored-by: Itamar Tal <itamar.tal4@hotmail.com> Co-authored-by: Amp <amp@ampcode.com> Co-authored-by: Aviad Lichtenstadt <aviad@descope.com>
diff --git a/descope/auth.py b/descope/auth.py
@@ -251,7 +251,11 @@ def exchange_access_key(
     ) -> dict:
         uri = EndpointsV1.exchange_auth_access_key_path
         body = {
-            "loginOptions": login_options.__dict__ if login_options else {},
+            "loginOptions": {
+                k: v for k, v in login_options.__dict__.items() if v is not None
+            }
+            if login_options
+            else {},
         }
         server_response = self._http.post(uri, body=body, pswd=access_key)
         json_body = server_response.json()
diff --git a/descope/common.py b/descope/common.py
@@ -135,8 +135,10 @@ class AccessKeyLoginOptions:
     def __init__(
         self,
         custom_claims: Optional[dict] = None,
+        selected_tenant: Optional[str] = None,
     ):
         self.customClaims = custom_claims
+        self.selectedTenant = selected_tenant
 
 
 def validate_refresh_token_provided(
diff --git a/tests/test_auth.py b/tests/test_auth.py
@@ -451,6 +451,40 @@ def test_exchange_access_key(self):
                 timeout=DEFAULT_TIMEOUT_SECONDS,
             )
 
+        # Test success flow with selected tenant
+        with patch("requests.post") as mock_post:
+            my_mock_response = mock.Mock()
+            my_mock_response.ok = True
+            data = {"sessionJwt": valid_jwt_token}
+            my_mock_response.json.return_value = data
+            mock_post.return_value = my_mock_response
+            jwt_response = auth.exchange_access_key(
+                access_key=dummy_access_key,
+                login_options=AccessKeyLoginOptions(
+                    custom_claims={"k1": "v1"}, selected_tenant="t1"
+                ),
+            )
+            self.assertEqual(jwt_response["keyId"], "U2Cu0j0WPw3YOiPISJb52L0wUVMg")
+
+            mock_post.assert_called_with(
+                f"{common.DEFAULT_BASE_URL}{EndpointsV1.exchange_auth_access_key_path}",
+                headers={
+                    **common.default_headers,
+                    "Authorization": f"Bearer {self.dummy_project_id}:dummy access key",
+                    "x-descope-project-id": self.dummy_project_id,
+                },
+                params=None,
+                json={
+                    "loginOptions": {
+                        "customClaims": {"k1": "v1"},
+                        "selectedTenant": "t1",
+                    }
+                },
+                allow_redirects=False,
+                verify=True,
+                timeout=DEFAULT_TIMEOUT_SECONDS,
+            )
+
     def test_exchange_token_success_and_empty_code(self):
         auth = Auth(
             self.dummy_project_id,
