onekey-sec · qkaiser · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026
diff --git a/onekey_client/__init__.py b/onekey_client/__init__.py
@@ -1,3 +1,5 @@
+from .client import APP_NAME as APP_NAME
+from .client import APP_VERSION as APP_VERSION
 from .client import Client as Client
 from .models import FirmwareMetadata as FirmwareMetadata
 from .models import Tenant as Tenant
diff --git a/onekey_client/cli/cli.py b/onekey_client/cli/cli.py
@@ -3,14 +3,15 @@
 import click
 import httpx
 
-from onekey_client import Client
+from onekey_client import APP_NAME, APP_VERSION, Client
 
 from .ci import ci_result
 from .firmware_upload import upload_firmware
 from .misc import get_tenant_token, list_tenants
 
 
 @click.group()
+@click.version_option(version=APP_VERSION, prog_name=APP_NAME)
 @click.option(
     "--api-url",
     default="https://app.eu.onekey.com/api",

diff --git a/onekey_client/client.py b/onekey_client/client.py
@@ -3,20 +3,23 @@
 import secrets
 import time
 from importlib import resources
+from importlib.metadata import version
 from pathlib import Path
 
 import httpx
 from authlib.jose import jwt
 from authlib.oidc.core import IDToken
 from httpx import URL
-from pydantic import parse_obj_as
+from pydantic import TypeAdapter
 
 from . import errors, keys
 from . import models as m
 from .queries import load_query
 
 CLIENT_ID = "ONEKEY Python SDK"
 TOKEN_NAMESPACE = "https://www.onekey.com/"  # noqa: S105 (hardcoded credential)
+APP_NAME = "onekey_client"
+APP_VERSION = version(APP_NAME)
 
 
 def _login_required(func):
@@ -63,17 +66,18 @@ def _setup_httpx_client(
         ca_bundle: Path | None = None,
         disable_tls_verify: bool | None = False,
     ):
+        headers = {"User-Agent": f"{APP_NAME}/{APP_VERSION}"}
         if disable_tls_verify:
-            return httpx.Client(base_url=api_url, verify=False)  # noqa: S501 (TLS certificate validation disabled)
+            return httpx.Client(base_url=api_url, headers=headers, verify=False)  # noqa: S501 (TLS certificate validation disabled)
 
         if ca_bundle is not None:
             ca = ca_bundle.expanduser()
             if not ca.exists():
                 raise errors.InvalidCABundle
 
-            return httpx.Client(base_url=api_url, verify=str(ca))
+            return httpx.Client(base_url=api_url, headers=headers, verify=str(ca))
         with resources.path(keys, "ca.pem") as ca:
-            return httpx.Client(base_url=api_url, verify=str(ca))
+            return httpx.Client(base_url=api_url, headers=headers, verify=str(ca))
 
     def _load_key(self, key_name: str, path: Path | None = None):
         if path is not None:
@@ -103,7 +107,7 @@ def login(self, email: str, password: str):
             claims_cls=IDToken,
         )
         tenants = id_token[TOKEN_NAMESPACE + "tenants"]
-        tenants = parse_obj_as(list[m.Tenant], tenants)
+        tenants = TypeAdapter(list[m.Tenant]).validate_python(tenants)
         self._state.tenants = {e.name: e for e in tenants}
         self._state.email = email
         self._state.raw_id_token = json_res["id_token"]