Summary
A tokenized Proof library document can be accessed via the agent API, but the same token does not authorize access to a linked shared document listed inside that library. From the user perspective this is surprising because the library exposes the linked document, yet an external agent still cannot join the linked doc or show presence there.
Reproduction
- Use a tokenized library URL:
https://www.proofeditor.ai/d/w0pyqpl4?token=<library-token>
- Call:
POST /api/agent/w0pyqpl4/presence
- Call:
GET /api/agent/w0pyqpl4/state
- Observe the library content lists a linked shared doc:
/open/dkib5ilz (QuickCal 1-Day Tactical Sprint Plan)
- Reuse the same token against the linked doc with each of these forms:
Authorization: Bearer <library-token>x-share-token: <library-token>?token=<library-token>
- Call both:
GET /api/agent/dkib5ilz/statePOST /api/agent/dkib5ilz/presence
Expected
One of these should be true:
- the library token should authorize agent access to the linked shared doc surfaced from that library, or
- Proof should expose a clear way to exchange or resolve the per-doc token for linked shared docs, or
- the library should not present the linked doc in a way that suggests agents can open it directly.
Actual
The library token works for w0pyqpl4, but every attempt to use that same token on dkib5ilz returns:
{"success":false,"error":"Missing or invalid share token","code":"UNAUTHORIZED"}This blocks agent presence and state reads on the linked doc.
Verified Evidence
Successful library presence:
POST https://www.proofeditor.ai/api/agent/w0pyqpl4/presence- Status:
200
- Response excerpt:
{"success":true,"slug":"w0pyqpl4","collabApplied":true}Successful library state:
GET https://www.proofeditor.ai/api/agent/w0pyqpl4/state- Status:
200
- Response included:
QuickCal 1-Day Tactical Sprint Plan as /open/dkib5ilz
Failed linked-doc state:
GET https://www.proofeditor.ai/api/agent/dkib5ilz/state- Status:
401
- Response:
{"success":false,"error":"Missing or invalid share token","code":"UNAUTHORIZED"}Failed linked-doc presence:
POST https://www.proofeditor.ai/api/agent/dkib5ilz/presence- Status:
401
- Response:
{"success":false,"error":"Missing or invalid share token","code":"UNAUTHORIZED"}Also tested the same token via:
Authorization: Bearer <token>x-share-token: <token>- query parameter
?token=<token>
All produced the same 401 for dkib5ilz.
Notes
A plain non-tokenized URL for dkib5ilz also returns the same 401, which is expected. The surprising behavior is specifically that a valid token for the library doc does not help an agent access the linked shared doc that the library exposes.
Summary
A tokenized Proof library document can be accessed via the agent API, but the same token does not authorize access to a linked shared document listed inside that library. From the user perspective this is surprising because the library exposes the linked document, yet an external agent still cannot join the linked doc or show presence there.
Reproduction
https://www.proofeditor.ai/d/w0pyqpl4?token=<library-token>POST /api/agent/w0pyqpl4/presenceGET /api/agent/w0pyqpl4/state/open/dkib5ilz(QuickCal 1-Day Tactical Sprint Plan)Authorization: Bearer <library-token>x-share-token: <library-token>?token=<library-token>GET /api/agent/dkib5ilz/statePOST /api/agent/dkib5ilz/presenceExpected
One of these should be true:
Actual
The library token works for
w0pyqpl4, but every attempt to use that same token ondkib5ilzreturns:{"success":false,"error":"Missing or invalid share token","code":"UNAUTHORIZED"}This blocks agent presence and state reads on the linked doc.
Verified Evidence
Successful library presence:
POST https://www.proofeditor.ai/api/agent/w0pyqpl4/presence200{"success":true,"slug":"w0pyqpl4","collabApplied":true}Successful library state:
GET https://www.proofeditor.ai/api/agent/w0pyqpl4/state200QuickCal 1-Day Tactical Sprint Planas/open/dkib5ilzFailed linked-doc state:
GET https://www.proofeditor.ai/api/agent/dkib5ilz/state401{"success":false,"error":"Missing or invalid share token","code":"UNAUTHORIZED"}Failed linked-doc presence:
POST https://www.proofeditor.ai/api/agent/dkib5ilz/presence401{"success":false,"error":"Missing or invalid share token","code":"UNAUTHORIZED"}Also tested the same token via:
Authorization: Bearer <token>x-share-token: <token>?token=<token>All produced the same
401fordkib5ilz.Notes
A plain non-tokenized URL for
dkib5ilzalso returns the same401, which is expected. The surprising behavior is specifically that a valid token for the library doc does not help an agent access the linked shared doc that the library exposes.