stellar · philipliu · Feb 6, 2026 · Dec 16, 2025 · Dec 20, 2025 · Dec 22, 2025
diff --git a/.github/workflows/on_pull_request.yml b/.github/workflows/on_pull_request.yml
@@ -27,7 +27,7 @@ jobs:
   complete:
     if: always()
     needs: [ gradle_build, essential_tests, extended_tests, rust_build ]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
         run: exit 1
diff --git a/.github/workflows/sub_extended_tests.yml b/.github/workflows/sub_extended_tests.yml
@@ -157,7 +157,7 @@ jobs:
         uses: mydea/action-wait-for-api@v1
         with:
           url: "http://localhost:8085/health"
-          expected-status: "403"
+          expected-status: "200"
           interval: "1"
           timeout: "600"
 
@@ -183,7 +183,7 @@ jobs:
         uses: mydea/action-wait-for-api@v1
         with:
           url: "http://localhost:8085/health"
-          expected-status: "403"
+          expected-status: "200"
           interval: "1"
           timeout: "600"
 

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 [![License](https://badgen.net/badge/license/Apache%202/blue?icon=github&label=License)](https://github.com/stellar/anchor-platform/blob/develop/LICENSE)
 [![GitHub Version](https://badgen.net/github/release/stellar/anchor-platform?icon=github&label=Latest%20release)](https://github.com/stellar/anchor-platform/releases)
-[![Docker](https://badgen.net/badge/Latest%20Release/v4.1.6/blue?icon=docker)](https://hub.docker.com/r/stellar/anchor-platform/tags?page=1&name=4.1.6)
+[![Docker](https://badgen.net/badge/Latest%20Release/v4.1.7/blue?icon=docker)](https://hub.docker.com/r/stellar/anchor-platform/tags?page=1&name=4.1.7)
 ![Develop Branch](https://github.com/stellar/anchor-platform/actions/workflows/on_push_to_develop.yml/badge.svg?branch=develop)
 
 <div style="text-align: center">

diff --git a/build.gradle.kts b/build.gradle.kts
@@ -213,7 +213,7 @@ subprojects {
 
 allprojects {
   group = "org.stellar.anchor-sdk"
-  version = "4.1.6"
+  version = "4.1.7"
 
   tasks.jar {
     manifest {

diff --git a/core/src/main/java/org/stellar/anchor/filter/AbstractJwtFilter.java b/core/src/main/java/org/stellar/anchor/filter/AbstractJwtFilter.java
@@ -49,6 +49,11 @@ public void doFilter(
         request.getRequestURL().toString(),
         request.getQueryString());
 
+    if (shouldSkip(request)) {
+      filterChain.doFilter(servletRequest, servletResponse);
+      return;
+    }
+
     if (request.getMethod().equals("OPTIONS")) {
       filterChain.doFilter(servletRequest, servletResponse);
       return;
@@ -88,6 +93,10 @@ public abstract void check(
       String jwtCipher, HttpServletRequest request, ServletResponse servletResponse)
       throws Exception;
 
+  protected boolean shouldSkip(HttpServletRequest request) {
+    return false;
+  }
+
   private static void sendForbiddenError(HttpServletResponse response) throws IOException {
     error("Forbidden: JwtTokenFilter failed to authenticate the request.");
     response.setStatus(HttpStatus.SC_FORBIDDEN);

diff --git a/core/src/main/java/org/stellar/anchor/filter/ApiKeyFilter.java b/core/src/main/java/org/stellar/anchor/filter/ApiKeyFilter.java
@@ -47,6 +47,11 @@ public void doFilter(
         request.getRequestURL().toString(),
         request.getQueryString());
 
+    if (shouldSkip(request)) {
+      filterChain.doFilter(servletRequest, servletResponse);
+      return;
+    }
+
     if (request.getMethod().equals(OPTIONS)) {
       filterChain.doFilter(servletRequest, servletResponse);
       return;
@@ -63,6 +68,10 @@ public void doFilter(
     filterChain.doFilter(servletRequest, servletResponse);
   }
 
+  protected boolean shouldSkip(HttpServletRequest request) {
+    return "/health".equals(FilterUtils.getRequestPath(request));
+  }
+
   private static void sendForbiddenError(HttpServletResponse response) throws IOException {
     error("Forbidden: ApiKeyFilter failed to authenticate the request.");
     response.setStatus(HttpStatus.SC_FORBIDDEN);

diff --git a/core/src/main/java/org/stellar/anchor/filter/FilterUtils.java b/core/src/main/java/org/stellar/anchor/filter/FilterUtils.java
@@ -0,0 +1,31 @@
+package org.stellar.anchor.filter;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+final class FilterUtils {
+  static String getRequestPath(HttpServletRequest request) {
+    String servletPath = request.getServletPath();
+    if (servletPath != null && !servletPath.isEmpty()) {
+      return servletPath;
+    }
+
+    String pathInfo = request.getPathInfo();
+    if (pathInfo != null && !pathInfo.isEmpty()) {
+      return pathInfo;
+    }
+
+    String requestUri = request.getRequestURI();
+    if (requestUri == null) {
+      return "";
+    }
+
+    String contextPath = request.getContextPath();
+    if (contextPath != null && !contextPath.isEmpty() && requestUri.startsWith(contextPath)) {
+      return requestUri.substring(contextPath.length());
+    }
+
+    return requestUri;
+  }
+
+  private FilterUtils() {}
+}
diff --git a/core/src/main/java/org/stellar/anchor/filter/PlatformAuthJwtFilter.java b/core/src/main/java/org/stellar/anchor/filter/PlatformAuthJwtFilter.java
@@ -12,6 +12,11 @@ public PlatformAuthJwtFilter(JwtService jwtService, String authorizationHeader)
     super(jwtService, authorizationHeader);
   }
 
+  @Override
+  protected boolean shouldSkip(HttpServletRequest request) {
+    return "/health".equals(FilterUtils.getRequestPath(request));
+  }
+
   @Override
   public void check(String jwtCipher, HttpServletRequest request, ServletResponse servletResponse)
       throws Exception {

diff --git a/core/src/main/java/org/stellar/anchor/sep12/Sep12Service.java b/core/src/main/java/org/stellar/anchor/sep12/Sep12Service.java
@@ -70,7 +70,7 @@ public Sep12GetCustomerResponse getCustomer(WebAuthJwt token, Sep12GetCustomerRe
     populateRequestFromTransactionId(request);
 
     validateGetOrPutRequest(request, token);
-    if (request.getId() == null && request.getAccount() == null && token.getAccount() != null) {
+    if (request.getAccount() == null && token.getAccount() != null) {
       request.setAccount(token.getAccount());
     }
 

diff --git a/core/src/test/kotlin/org/stellar/anchor/filter/ApiKeyFilterTest.kt b/core/src/test/kotlin/org/stellar/anchor/filter/ApiKeyFilterTest.kt
@@ -111,6 +111,18 @@ internal class ApiKeyFilterTest {
     verify { mockFilterChain.doFilter(request, response) }
   }
 
+  @Test
+  fun `health endpoint bypasses api key auth`() {
+    every { request.method } returns "GET"
+    every { request.servletPath } returns "/health"
+    every { request.getHeader("X-Api-Key") } returns null
+
+    apiKeyFilter.doFilter(request, response, mockFilterChain)
+
+    verify { mockFilterChain.doFilter(request, response) }
+    verify(exactly = 0) { response.setStatus(HttpStatus.SC_FORBIDDEN) }
+  }
+
   @ParameterizedTest
   @ValueSource(strings = ["GET", "PUT", "POST", "DELETE"])
   fun `make sure FORBIDDEN is returned when the filter requires header names other than X-Api-Key`(

diff --git a/core/src/test/kotlin/org/stellar/anchor/filter/PlatformAuthJwtFilterTest.kt b/core/src/test/kotlin/org/stellar/anchor/filter/PlatformAuthJwtFilterTest.kt
@@ -0,0 +1,42 @@
+package org.stellar.anchor.filter
+
+import io.mockk.every
+import io.mockk.mockk
+import io.mockk.spyk
+import io.mockk.verify
+import jakarta.servlet.FilterChain
+import jakarta.servlet.http.HttpServletRequest
+import jakarta.servlet.http.HttpServletResponse
+import org.apache.hc.core5.http.HttpStatus
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Test
+import org.stellar.anchor.auth.JwtService
+
+internal class PlatformAuthJwtFilterTest {
+  private lateinit var jwtService: JwtService
+  private lateinit var request: HttpServletRequest
+  private lateinit var response: HttpServletResponse
+  private lateinit var mockFilterChain: FilterChain
+
+  @BeforeEach
+  fun setup() {
+    this.jwtService = mockk(relaxed = true)
+    this.request = mockk(relaxed = true)
+    this.response = mockk(relaxed = true)
+    this.mockFilterChain = mockk(relaxed = true)
+  }
+
+  @Test
+  fun `health endpoint bypasses jwt auth`() {
+    every { request.method } returns "GET"
+    every { request.servletPath } returns "/health"
+    every { request.getHeader("Authorization") } returns null
+    val filter = spyk(PlatformAuthJwtFilter(jwtService, "Authorization"))
+
+    filter.doFilter(request, response, mockFilterChain)
+
+    verify { mockFilterChain.doFilter(request, response) }
+    verify(exactly = 0) { response.setStatus(HttpStatus.SC_FORBIDDEN) }
+    verify(exactly = 0) { filter.check(any(), any(), any()) }
+  }
+}
diff --git a/core/src/test/kotlin/org/stellar/anchor/sep12/Sep12ServiceTest.kt b/core/src/test/kotlin/org/stellar/anchor/sep12/Sep12ServiceTest.kt
@@ -516,6 +516,43 @@ class Sep12ServiceTest {
     assertEquals(TEST_ACCOUNT, mockGetRequest.account)
   }
 
+  @Test
+  fun `Test get customer request with id injects account`() {
+    val callbackApiGetRequestSlot = slot<GetCustomerRequest>()
+    val mockCallbackApiGetCustomerResponse = GetCustomerResponse()
+    mockCallbackApiGetCustomerResponse.id = "customer-id"
+    every { customerIntegration.getCustomer(capture(callbackApiGetRequestSlot)) } returns
+      mockCallbackApiGetCustomerResponse
+
+    val mockGetRequest = Sep12GetCustomerRequest.builder().id("customer-id").build()
+    val jwtToken = createJwtToken(TEST_ACCOUNT)
+
+    assertDoesNotThrow { sep12Service.getCustomer(jwtToken, mockGetRequest) }
+
+    val wantCallbackApiGetRequest =
+      GetCustomerRequest.builder().id("customer-id").account(TEST_ACCOUNT).build()
+    assertEquals(wantCallbackApiGetRequest, callbackApiGetRequestSlot.captured)
+    assertEquals(TEST_ACCOUNT, mockGetRequest.account)
+  }
+
+  @Test
+  fun `Test put customer request with id injects account`() {
+    val callbackApiPutRequestSlot = slot<PutCustomerRequest>()
+    val mockCallbackApiPutCustomerResponse = PutCustomerResponse.builder().id("customer-id").build()
+    every { customerIntegration.putCustomer(capture(callbackApiPutRequestSlot)) } returns
+      mockCallbackApiPutCustomerResponse
+
+    val mockPutRequest = Sep12PutCustomerRequest.builder().id("customer-id").build()
+    val jwtToken = createJwtToken(TEST_ACCOUNT)
+
+    assertDoesNotThrow { sep12Service.putCustomer(jwtToken, mockPutRequest) }
+
+    val wantCallbackApiPutRequest =
+      PutCustomerRequest.builder().id("customer-id").account(TEST_ACCOUNT).build()
+    assertEquals(wantCallbackApiPutRequest, callbackApiPutRequestSlot.captured)
+    assertEquals(TEST_ACCOUNT, mockPutRequest.account)
+  }
+
   @Test
   fun `test delete customer validation`() {
     every { customerIntegration.deleteCustomer(any()) } just Runs

diff --git a/docs/resources/deployment-examples/example-fargate/Dockerfile b/docs/resources/deployment-examples/example-fargate/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:24.04
 RUN mkdir /config_files
 ENV STELLAR_ANCHOR_CONFIG=file:/config/anchor-config.yaml
 ENV REFERENCE_SERVER_CONFIG_ENV=file:/config/reference-config.yaml

diff --git a/helm-charts/reference-server/templates/configmap.yaml b/helm-charts/reference-server/templates/configmap.yaml
@@ -16,7 +16,7 @@ data:
       custodyEnabled: false
 
     auth:
-      type: NONE
+      type: {{ .Values.config.auth.type | default "NONE" }}
 
     data:
-      database: postgres
+      database: postgres
diff --git a/helm-charts/reference-server/values.yaml b/helm-charts/reference-server/values.yaml
@@ -13,6 +13,8 @@ config:
     rpcEndpoint: https://soroban-testnet.stellar.org
     platformApiEndpoint: http://anchor-platform-svc-platform:8085
     rpcEnabled: false
+  auth:
+    type: NONE
   data:
     url: postgresql-ref:5432
 
@@ -37,4 +39,4 @@ ingress:
     host: reference-server.local
   className: nginx
   annotations:
-    nginx.ingress.kubernetes.io/rewrite-target: /
+    nginx.ingress.kubernetes.io/rewrite-target: /
diff --git a/helm-charts/secret-store/templates/secretstore.yaml b/helm-charts/secret-store/templates/secretstore.yaml
@@ -21,8 +21,10 @@ spec:
               "SEP10_SIGNING_SEED": "{{ .Values.sep10_signing_seed }}",
               "EVENTS_QUEUE_KAFKA_USERNAME": "user1",
               "EVENTS_QUEUE_KAFKA_PASSWORD": "123456789",
-              "SENTRY_AUTH_TOKEN": {{ default "\"\"" .Values.sentry_auth_token }}
-              "SEP45_JWT_SECRET": "1e5ba4a1da18dc6462b21bb720a5aceddb34a421e732e0f6615ad30b4a4aa50f"
+              "SENTRY_AUTH_TOKEN": {{ default "\"\"" .Values.sentry_auth_token }},
+              "SEP45_JWT_SECRET": "1e5ba4a1da18dc6462b21bb720a5aceddb34a421e732e0f6615ad30b4a4aa50f",
+              "CALLBACK_API_AUTH_SECRET": "myPlatformToAnchorSecret",
+              "PLATFORM_API_AUTH_SECRET": "myAnchorToPlatformSecret"
             }
         - key: {{ .Values.namespace }}/reference-server-secrets
           value: |
@@ -32,5 +34,5 @@ spec:
               "PAYMENT_SIGNING_SEED": "{{ .Values.payment_signing_seed }}",
               "SEP24_INTERACTIVE_JWT_KEY": "c5457e3a349df9002117543efa7e316dd89e666a5ce6f33a0deb13e90f3f1e9d",
               "PLATFORM_ANCHOR_SECRET": "myPlatformToAnchorSecret",
-              "ANCHOR_PLATFORM_SECRET": "myAnchorToPlatformSecret",
-            }
+              "ANCHOR_PLATFORM_SECRET": "myAnchorToPlatformSecret"
+            }
diff --git a/helm-charts/sep-service/templates/eventprocessor-deployment.yaml b/helm-charts/sep-service/templates/eventprocessor-deployment.yaml
@@ -68,6 +68,16 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.fullName }}-secrets
                   key: SEP6_MORE_INFO_URL_JWT_SECRET
+            - name: SECRET_CALLBACK_API_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.fullName }}-secrets
+                  key: CALLBACK_API_AUTH_SECRET
+            - name: SECRET_PLATFORM_API_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.fullName }}-secrets
+                  key: PLATFORM_API_AUTH_SECRET
             - name: SECRET_EVENTS_QUEUE_KAFKA_USERNAME
               valueFrom:
                 secretKeyRef:

diff --git a/helm-charts/sep-service/templates/externalsecrets.yaml b/helm-charts/sep-service/templates/externalsecrets.yaml
@@ -54,3 +54,11 @@ spec:
       remoteRef:
         key: {{ .Values.namespace }}/{{ .Values.fullName }}-secrets
         property: SEP45_JWT_SECRET
+    - secretKey: CALLBACK_API_AUTH_SECRET
+      remoteRef:
+        key: {{ .Values.namespace }}/{{ .Values.fullName }}-secrets
+        property: CALLBACK_API_AUTH_SECRET
+    - secretKey: PLATFORM_API_AUTH_SECRET
+      remoteRef:
+        key: {{ .Values.namespace }}/{{ .Values.fullName }}-secrets
+        property: PLATFORM_API_AUTH_SECRET
diff --git a/helm-charts/sep-service/templates/observer-deployment.yaml b/helm-charts/sep-service/templates/observer-deployment.yaml
@@ -88,6 +88,16 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.fullName }}-secrets
                   key: SEP6_MORE_INFO_URL_JWT_SECRET
+            - name: SECRET_CALLBACK_API_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.fullName }}-secrets
+                  key: CALLBACK_API_AUTH_SECRET
+            - name: SECRET_PLATFORM_API_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.fullName }}-secrets
+                  key: PLATFORM_API_AUTH_SECRET
             - name: SENTRY_AUTH_TOKEN
               valueFrom:
                 secretKeyRef:
@@ -103,4 +113,4 @@ spec:
       volumes:
         - name: config-volume
           configMap:
-            name: anchor-config
+            name: anchor-config
diff --git a/helm-charts/sep-service/templates/platform-deployment.yaml b/helm-charts/sep-service/templates/platform-deployment.yaml
@@ -118,6 +118,16 @@ spec:
                   name: {{ .Values.fullName }}-secrets
                   key: SEP45_JWT_SECRET
                   optional: true
+            - name: SECRET_CALLBACK_API_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.fullName }}-secrets
+                  key: CALLBACK_API_AUTH_SECRET
+            - name: SECRET_PLATFORM_API_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.fullName }}-secrets
+                  key: PLATFORM_API_AUTH_SECRET
           resources:
             requests:
               memory: {{ .Values.services.platform.deployment.resources.requests.memory }}

diff --git a/helm-charts/sep-service/templates/sepserver-deployment.yaml b/helm-charts/sep-service/templates/sepserver-deployment.yaml
@@ -119,6 +119,16 @@ spec:
                   name: {{ .Values.fullName }}-secrets
                   key: SEP45_JWT_SECRET
                   optional: true
+            - name: SECRET_CALLBACK_API_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.fullName }}-secrets
+                  key: CALLBACK_API_AUTH_SECRET
+            - name: SECRET_PLATFORM_API_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.fullName }}-secrets
+                  key: PLATFORM_API_AUTH_SECRET
           resources:
             requests:
               memory: {{ .Values.services.sep.deployment.resources.requests.memory }}