fix: rename http response headers key to http_headers to avoid collision#192
Merged
fix: rename http response headers key to http_headers to avoid collision#192
Conversation
…ion with email headers Fixes a regression introduced in v2.23.0 where injecting HTTP response headers under the 'headers' key would overwrite the email MIME headers field present in ReceivedEmail responses. - Rename injected key from 'headers' to 'http_headers' in request.py - Update BaseResponse TypedDict field accordingly - Add regression test that mocks at HTTP client level (not make_request) to ensure the injection code is exercised - Add test for SendParams['headers'] custom email headers - Update examples to document all three header types
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
3 issues found across 8 files
Confidence score: 3/5
- There is a concrete user-facing risk in
examples/with_headers.py:Emails.Receiving.get()may fail with a standardRESEND_API_KEYbecause it needs broader key permissions thanEmails.send(). - Both example header-handling paths (
examples/receiving_email.pyandexamples/with_headers.py) use incorrect rate-limit header keys, so real responses will returnNoneand rate-limit reporting/tracking in the examples will not work. - Given the high-confidence, medium-to-high severity example issues, this carries some merge risk even if impact is likely scoped to example behavior rather than core SDK internals.
- Pay close attention to
examples/with_headers.py,examples/receiving_email.py- API-key permission assumptions andx-ratelimit-*header name mismatches can cause misleading or failing example flows.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="examples/with_headers.py">
<violation number="1" location="examples/with_headers.py:39">
P2: These `http_headers` lookups use the wrong header names; the SDK still exposes `x-ratelimit-*`, so this example will print `None` and skip rate-limit tracking.</violation>
<violation number="2" location="examples/with_headers.py:49">
P1: Custom agent: **API Key Permission Check SDK Methods**
`Emails.Receiving.get()` is a new Resend SDK operation that needs broader API-key permissions than `Emails.send()`, but this example still reuses `RESEND_API_KEY` without calling out the full-access requirement. Under the API Key Permission Check SDK Methods rule, document that permission here so send-only production keys do not fail on this new path.</violation>
</file>
<file name="examples/receiving_email.py">
<violation number="1" location="examples/receiving_email.py:56">
P2: Use the actual `x-ratelimit-*` header names here; the current keys will always print `None` for real SDK responses.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| received_email_id = os.environ.get("RECEIVED_EMAIL_ID", "") | ||
|
|
||
| if received_email_id: | ||
| received: resend.ReceivedEmail = resend.Emails.Receiving.get( |
Contributor
There was a problem hiding this comment.
P1: Custom agent: API Key Permission Check SDK Methods
Emails.Receiving.get() is a new Resend SDK operation that needs broader API-key permissions than Emails.send(), but this example still reuses RESEND_API_KEY without calling out the full-access requirement. Under the API Key Permission Check SDK Methods rule, document that permission here so send-only production keys do not fail on this new path.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At examples/with_headers.py, line 49:
<comment>`Emails.Receiving.get()` is a new Resend SDK operation that needs broader API-key permissions than `Emails.send()`, but this example still reuses `RESEND_API_KEY` without calling out the full-access requirement. Under the API Key Permission Check SDK Methods rule, document that permission here so send-only production keys do not fail on this new path.</comment>
<file context>
@@ -1,44 +1,78 @@
+received_email_id = os.environ.get("RECEIVED_EMAIL_ID", "")
+
+if received_email_id:
+ received: resend.ReceivedEmail = resend.Emails.Receiving.get(
+ email_id=received_email_id
+ )
</file context>
Suggested change
| received: resend.ReceivedEmail = resend.Emails.Receiving.get( | |
| # `Emails.Receiving.get()` uses Resend's receiving/read API and requires a full-access API key, not a send-only key. | |
| received: resend.ReceivedEmail = resend.Emails.Receiving.get( |
gabrielmfern
approved these changes
Mar 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fixes: #191