feat: Add optional JWT token authentication to multi-chain accounts API (#7165)

## Explanation

### What is the current state and why does it need to change?

Currently, the multi-chain accounts API calls in
`TokenDetectionController` and `TokenBalancesController` are made
without authentication. This limits the ability to provide user-specific
data and secure API endpoints that require authenticated requests.

### What is the solution and how does it work?

This PR adds optional JWT token authentication and timeout protection to
the accounts API calls:

1. **API Layer Changes** (`multi-chain-accounts.ts`):
- Added optional `jwtToken` parameter to `fetchMultiChainBalances` and
`fetchMultiChainBalancesV4`
- When a JWT token is provided, it's included in the `Authorization:
Bearer <token>` header
   - The token is optional to maintain backward compatibility

2. **Controller Integration**:
   - **TokenDetectionController**: 
- Fetches JWT token from `AuthenticationController:getBearerToken` and
passes it to `fetchMultiChainBalances` when detecting tokens via
Accounts API
- **TokenBalancesController**: Fetches JWT token and passes it through
the balance fetcher chain to `fetchMultiChainBalancesV4`

3. **Balance Fetcher Updates** (`api-balance-fetcher.ts`):
- Updated `AccountsApiBalanceFetcher` to accept and pass JWT token
through the fetch chain
- Token flows from `updateBalances` → `fetch` → `#fetchBalances` → API
calls

### Key Design Decisions

- **Optional Parameter**: The JWT token is optional throughout the call
chain, ensuring backward compatibility for environments where
authentication is not available or required
- **Graceful Degradation**: If no token is provided, API calls proceed
without authentication, allowing the system to work in both
authenticated and unauthenticated scenarios
- **No Breaking Changes**: Existing callers continue to work without
modification

## References

<!-- Add any related issue numbers here, for example:
- Related to #XXXXX (if there's a tracking issue for JWT authentication)
-->

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- Added tests in `TokenDetectionController.test.ts` to verify JWT token
is passed correctly
- Added test in `TokenDetectionController.test.ts` to verify 30-second
timeout triggers RPC fallback
- Added tests in `TokenBalancesController.test.ts` to verify JWT token
flows through balance fetcher
- Added tests in `multi-chain-accounts.test.ts` to verify Authorization
header is set correctly
  - Added tests for both scenarios: with and without JWT token
- Verified timeout behavior using fake timers (sinon) and the
`advanceTime` helper
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or
updated code as appropriate
- Updated JSDoc comments for `fetchMultiChainBalances` and
`fetchMultiChainBalancesV4`
  - Updated JSDoc for controller methods that now handle JWT tokens
- Added inline comments explaining timeout logic and fallback mechanism
- [ ] I've communicated my changes to consumers by updating changelogs
for packages I've changed, highlighting breaking changes as necessary
- **Note**: No breaking changes - all JWT token parameters are optional
and timeout is an internal improvement
- [ ] I've prepared draft pull requests for clients and consumer
packages to resolve any breaking changes
  - **Note**: Not required - no breaking changes introduced


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds optional JWT bearer authentication to multi‑chain Accounts API
calls and wires token retrieval through controllers, while lowering
timeouts to 10s and reducing API batch size to 20.
> 
> - **API/Services**:
> - Add optional `jwtToken` to
`fetchMultiChainBalances`/`fetchMultiChainBalancesV4`; include
`Authorization: Bearer <token>` header when provided.
> - Reduce Accounts API request timeout to `10s`; reduce V4 batch size
from `50` to `20`.
> - **Controllers**:
> - `TokenDetectionController` and `TokenBalancesController` fetch JWT
via `AuthenticationController:getBearerToken` and pass it through
balance/token detection flows.
>   - `TokenDetectionController` Accounts API timeout lowered to `10s`.
> - **Balance Fetcher**:
> - `AccountsApiBalanceFetcher` accepts/forwards `jwtToken`; applies 10s
timeout and 20-size batching.
> - **Tests**:
> - Add coverage for JWT header behavior (with/without token) and
updated batching/timeout.
> - Test scaffolding updated to mock
`AuthenticationController:getBearerToken` and token list state
injection.
> - **Dependencies/Meta**:
>   - Add `@metamask/profile-sync-controller` as dev/peer dep.
>   - Update `CHANGELOG.md` to document the new optional auth.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d645dcf. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: salimtb

packages/assets-controllers/CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- **BREAKING:** Add optional JWT token authentication to multi-chain accounts API calls ([#7165](https://github.com/MetaMask/core/pull/7165))
+  - `fetchMultiChainBalances` and `fetchMultiChainBalancesV4` now accept an optional `jwtToken` parameter
+  - `TokenDetectionController` fetches and passes JWT token from `AuthenticationController` when using Accounts API
+  - `TokenBalancesController` fetches and passes JWT token through balance fetcher chain
+  - JWT token is included in `Authorization: Bearer <token>` header when provided
+  - Backward compatible: token parameter is optional and APIs work without authentication
+
 ## [91.0.0]
 
 ### Changed

packages/assets-controllers/package.json

@@ -96,6 +96,7 @@
     "@metamask/permission-controller": "^12.1.1",
     "@metamask/phishing-controller": "^16.1.0",
     "@metamask/preferences-controller": "^22.0.0",
+    "@metamask/profile-sync-controller": "^27.0.0",
     "@metamask/providers": "^22.1.0",
     "@metamask/snaps-controllers": "^14.0.1",
     "@metamask/transaction-controller": "^62.1.0",
@@ -124,6 +125,7 @@
     "@metamask/permission-controller": "^12.0.0",
     "@metamask/phishing-controller": "^16.0.0",
     "@metamask/preferences-controller": "^22.0.0",
+    "@metamask/profile-sync-controller": "^27.0.0",
     "@metamask/providers": "^22.0.0",
     "@metamask/snaps-controllers": "^14.0.0",
     "@metamask/transaction-controller": "^62.0.0",

packages/assets-controllers/src/TokenBalancesController.test.ts

@@ -95,6 +95,7 @@ const setupController = ({
       'AccountTrackerController:getState',
       'AccountTrackerController:updateNativeBalances',
       'AccountTrackerController:updateStakedBalances',
+      'AuthenticationController:getBearerToken',
     ],
     events: [
       'NetworkController:stateChange',

packages/assets-controllers/src/TokenBalancesController.ts

@@ -11,6 +11,7 @@ import type {
 import {
   BNToHex,
   isValidHexAddress,
+  safelyExecuteWithTimeout,
   toChecksumHexAddress,
   toHex,
 } from '@metamask/controller-utils';
@@ -32,6 +33,7 @@ import type {
   PreferencesControllerGetStateAction,
   PreferencesControllerStateChangeEvent,
 } from '@metamask/preferences-controller';
+import type { AuthenticationController } from '@metamask/profile-sync-controller';
 import type { Hex } from '@metamask/utils';
 import {
   isCaipAssetType,
@@ -130,7 +132,8 @@ export type AllowedActions =
   | AccountsControllerListAccountsAction
   | AccountTrackerControllerGetStateAction
   | AccountTrackerUpdateNativeBalancesAction
-  | AccountTrackerUpdateStakedBalancesAction;
+  | AccountTrackerUpdateStakedBalancesAction
+  | AuthenticationController.AuthenticationControllerGetBearerToken;
 
 export type AllowedEvents =
   | TokensControllerStateChangeEvent
@@ -640,6 +643,14 @@ export class TokenBalancesController extends StaticIntervalPollingController<{
     );
     const allAccounts = this.messenger.call('AccountsController:listAccounts');
 
+    const jwtToken = await safelyExecuteWithTimeout<string | undefined>(
+      () => {
+        return this.messenger.call('AuthenticationController:getBearerToken');
+      },
+      false,
+      5000,
+    );
+
     const aggregated: ProcessedBalance[] = [];
     let remainingChains = [...targetChains];
 
@@ -658,6 +669,7 @@ export class TokenBalancesController extends StaticIntervalPollingController<{
           queryAllAccounts: queryAllAccounts ?? this.#queryAllAccounts,
           selectedAccount: selected as ChecksumAddress,
           allAccounts,
+          jwtToken,
         });
 
         if (result.balances && result.balances.length > 0) {

packages/assets-controllers/src/TokenDetectionController.test.ts

@@ -204,6 +204,7 @@ function buildTokenDetectionControllerMessenger(
       'PreferencesController:getState',
       'TokensController:addTokens',
       'NetworkController:findNetworkClientIdByChainId',
+      'AuthenticationController:getBearerToken',
     ],
     events: [
       'AccountsController:selectedEvmAccountChange',
@@ -3748,15 +3749,7 @@ describe('TokenDetectionController', () => {
           options: {
             disabled: false,
           },
-        },
-        async ({
-          controller,
-          mockTokenListGetState,
-          callActionSpy,
-          triggerTokenListStateChange,
-        }) => {
-          const tokenListState = {
-            ...getDefaultTokenListState(),
+          mockTokenListState: {
             tokensChainsCache: {
               [chainId]: {
                 timestamp: 0,
@@ -3773,11 +3766,9 @@ describe('TokenDetectionController', () => {
                 },
               },
             },
-          };
-
-          mockTokenListGetState(tokenListState);
-          triggerTokenListStateChange(tokenListState);
-
+          },
+        },
+        async ({ controller, callActionSpy }) => {
           await controller.addDetectedTokensViaWs({
             tokensSlice: [mockTokenAddress],
             chainId: chainId as Hex,
@@ -3813,27 +3804,16 @@ describe('TokenDetectionController', () => {
           options: {
             disabled: false,
           },
-        },
-        async ({
-          controller,
-          mockTokenListGetState,
-          callActionSpy,
-          triggerTokenListStateChange,
-        }) => {
-          // Empty token cache - token not found
-          const tokenListState = {
-            ...getDefaultTokenListState(),
+          mockTokenListState: {
             tokensChainsCache: {
               [chainId]: {
                 timestamp: 0,
                 data: {},
               },
             },
-          };
-
-          mockTokenListGetState(tokenListState);
-          triggerTokenListStateChange(tokenListState);
-
+          },
+        },
+        async ({ controller, callActionSpy }) => {
           await controller.addDetectedTokensViaWs({
             tokensSlice: [mockTokenAddress],
             chainId: chainId as Hex,
@@ -3877,16 +3857,7 @@ describe('TokenDetectionController', () => {
             getSelectedAccount: selectedAccount,
             getAccount: selectedAccount,
           },
-        },
-        async ({
-          controller,
-          mockTokenListGetState,
-          callActionSpy,
-          triggerTokenListStateChange,
-        }) => {
-          // Set up token list with both tokens
-          const tokenListState = {
-            ...getDefaultTokenListState(),
+          mockTokenListState: {
             tokensChainsCache: {
               [chainId]: {
                 timestamp: 0,
@@ -3912,11 +3883,9 @@ describe('TokenDetectionController', () => {
                 },
               },
             },
-          };
-
-          mockTokenListGetState(tokenListState);
-          triggerTokenListStateChange(tokenListState);
-
+          },
+        },
+        async ({ controller, callActionSpy }) => {
           // Add both tokens via websocket
           await controller.addDetectedTokensViaWs({
             tokensSlice: [mockTokenAddress, secondTokenAddress],
@@ -3965,15 +3934,7 @@ describe('TokenDetectionController', () => {
             disabled: false,
             trackMetaMetricsEvent: mockTrackMetricsEvent,
           },
-        },
-        async ({
-          controller,
-          mockTokenListGetState,
-          callActionSpy,
-          triggerTokenListStateChange,
-        }) => {
-          const tokenListState = {
-            ...getDefaultTokenListState(),
+          mockTokenListState: {
             tokensChainsCache: {
               [chainId]: {
                 timestamp: 0,
@@ -3990,11 +3951,9 @@ describe('TokenDetectionController', () => {
                 },
               },
             },
-          };
-
-          mockTokenListGetState(tokenListState);
-          triggerTokenListStateChange(tokenListState);
-
+          },
+        },
+        async ({ controller, callActionSpy }) => {
           await controller.addDetectedTokensViaWs({
             tokensSlice: [mockTokenAddress],
             chainId: chainId as Hex,
@@ -4031,15 +3990,7 @@ describe('TokenDetectionController', () => {
           options: {
             disabled: false,
           },
-        },
-        async ({
-          controller,
-          mockTokenListGetState,
-          callActionSpy,
-          triggerTokenListStateChange,
-        }) => {
-          const tokenListState = {
-            ...getDefaultTokenListState(),
+          mockTokenListState: {
             tokensChainsCache: {
               [chainId]: {
                 timestamp: 0,
@@ -4056,11 +4007,9 @@ describe('TokenDetectionController', () => {
                 },
               },
             },
-          };
-
-          mockTokenListGetState(tokenListState);
-          triggerTokenListStateChange(tokenListState);
-
+          },
+        },
+        async ({ controller, callActionSpy }) => {
           // Call the public method directly on the controller instance
           await controller.addDetectedTokensViaWs({
             tokensSlice: [mockTokenAddress],
@@ -4157,7 +4106,9 @@ type WithControllerOptions = {
   mocks?: {
     getAccount?: InternalAccount;
     getSelectedAccount?: InternalAccount;
+    getBearerToken?: string;
   };
+  mockTokenListState?: Partial<TokenListState>;
 };
 
 type WithControllerArgs<ReturnValue> =
@@ -4177,7 +4128,7 @@ async function withController<ReturnValue>(
   ...args: WithControllerArgs<ReturnValue>
 ): Promise<ReturnValue> {
   const [{ ...rest }, fn] = args.length === 2 ? args : [{}, args[0]];
-  const { options, isKeyringUnlocked, mocks } = rest;
+  const { options, isKeyringUnlocked, mocks, mockTokenListState } = rest;
   const messenger = buildRootMessenger();
 
   const mockGetAccount = jest.fn<InternalAccount, []>();
@@ -4240,10 +4191,13 @@ async function withController<ReturnValue>(
     'TokensController:getState',
     mockTokensState.mockReturnValue({ ...getDefaultTokensState() }),
   );
-  const mockTokenListState = jest.fn<TokenListState, []>();
+  const mockTokenListStateFunc = jest.fn<TokenListState, []>();
   messenger.registerActionHandler(
     'TokenListController:getState',
-    mockTokenListState.mockReturnValue({ ...getDefaultTokenListState() }),
+    mockTokenListStateFunc.mockReturnValue({
+      ...getDefaultTokenListState(),
+      ...mockTokenListState,
+    }),
   );
   const mockPreferencesState = jest.fn<PreferencesState, []>();
   messenger.registerActionHandler(
@@ -4253,6 +4207,14 @@ async function withController<ReturnValue>(
     }),
   );
 
+  const mockGetBearerToken = jest.fn<Promise<string>, []>();
+  messenger.registerActionHandler(
+    'AuthenticationController:getBearerToken',
+    mockGetBearerToken.mockResolvedValue(
+      mocks?.getBearerToken ?? 'mock-jwt-token',
+    ),
+  );
+
   const mockFindNetworkClientIdByChainId = jest.fn<NetworkClientId, [Hex]>();
   messenger.registerActionHandler(
     'NetworkController:findNetworkClientIdByChainId',
@@ -4312,7 +4274,7 @@ async function withController<ReturnValue>(
         mockPreferencesState.mockReturnValue(state);
       },
       mockTokenListGetState: (state: TokenListState) => {
-        mockTokenListState.mockReturnValue(state);
+        mockTokenListStateFunc.mockReturnValue(state);
       },
       mockGetNetworkClientById: (
         handler: (