Skip to content

posthog.com spec: hardcoded US host breaks EU accounts with a misleading 401 — servers should use a {region} variable (fix tested end-to-end) #21886

Description

@ash-jentic

Problem

The PostHog spec (apis/openapi/posthog.com/posthog-api/1.0/openapi.json) hardcodes a single server:

"servers": [{ "url": "https://app.posthog.com" }]

PostHog is region-split: US and EU cloud projects live on different hosts (us.posthog.com / eu.posthog.com; app.posthog.com is a legacy US alias). A valid EU personal API key sent to the US host fails with upstream 401 "Personal API key found in request Authorization header is invalid." — an error that misattributes a host/region problem to the credential. An EU user following this spec can never succeed, and the error text sends them to debug the wrong thing (we lost significant time to exactly this).

Proposed fix (content change — hence an issue per AGENTS.md)

Express the region as an OpenAPI server variable so one catalogue entry serves both regions:

"servers": [
  {
    "url": "https://{region}.posthog.com",
    "variables": {
      "region": {
        "default": "us",
        "enum": ["us", "eu"],
        "description": "PostHog data region (US or EU) - must match your project's region; the wrong region returns 401 invalid key."
      }
    }
  }
]
  • default: "us" preserves today's behaviour for existing US users (backward-compatible).
  • The description matters: it surfaces in tooling as inline guidance for the exact failure mode.
  • One entry, no separate us/eu spec duplicates.

Verified working

We tested this exact change end-to-end on a self-hosted Jentic One instance (2026-07-14): the credential UI auto-renders a Region dropdown from the variable, the broker substitutes it into the upstream URL, and a previously always-401 EU key returned 200 with real project data the moment requests hit eu.posthog.com. (TLS-level confirmation: server_hostname='eu.posthog.com'.)

Notes

  • Same pattern already used correctly elsewhere in the catalogue: sentry.io ({region}.sentry.io), mailchimp.com ({dc}.api.mailchimp.com), atlassian.com ({your-domain}.atlassian.net) — PostHog just needs the same treatment.
  • This is one instance of a general class (region-split SaaS: Mixpanel, Amplitude, Segment, Braze, SendGrid, PagerDuty, Intercom, …). Happy to follow up with the broader list if useful.
  • Separately (not this issue): the spec declares only bearerAuth; PostHog also supports OAuth, which the spec omits — noting for completeness.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions