# Secure Modal Klein Endpoint ## Why The Modal Klein worker exposes `POST /generate` without an app-level token. Modal URLs are not meant to be treated as secrets, and image generation can consume paid compute. The endpoint should support a simple shared-token guard while keeping local fallback behavior unchanged. ## What Changes - Add optional `KLEIN_MODAL_TOKEN` configuration. - Send the token from Tiny Narrator to the Modal worker when configured. - Require the token in the Modal worker when configured there. - Keep unauthenticated behavior only when no token is configured, so local tests and demos remain simple. - Ensure runtime setup/status never exposes the token value. ## Capabilities - `modal-klein-token-auth`: protect live Klein generation with bearer or app token headers. - `safe-modal-status`: perform health checks with auth when required. - `secret-redaction`: document and verify that token values are never leaked. ## Non-Goals - Do not add user accounts or browser login. - Do not require auth for local fallback generation. - Do not change the `/api/generate-image` browser-facing contract. - Do not hard-code secrets in code, docs, or verifier fixtures. ## Impact - `app.py` will read `KLEIN_MODAL_TOKEN` and attach it to Modal worker requests. - `modal_workers/klein_image.py` will validate the incoming token when configured. - `.env.example`, README, and runtime setup text will document the token. - `scripts/verify.py` will check auth wiring and secret redaction.