Skip to main content

Crate aa_auth

Crate aa_auth 

Source
Expand description

Shared HTTP authentication and authorization framework for Agent Assembly.

This leaf crate holds the transport-agnostic auth primitives that the API presentation layer (aa-api) — and, in a follow-up, the gateway — build on: API-key and JWT credential validation, scope levels, per-key rate limiting, and the deny-by-default authentication gate. It depends only on axum, http, serde, and the credential primitives, never on aa-core, aa-gateway, aa-runtime, or aa-api, so it stays a true leaf.

Auth is handled via Axum FromRequestParts extractors, not middleware layers. The AuthenticatedCaller extractor validates API keys or JWTs and enforces per-key rate limits. scope::RequireScope checks scope levels.

Modules§

api_key
API key generation, validation, and storage.
config
Authentication configuration from environment variables.
gate
Router-level authentication gate (AAASM-3125).
jwt
JWT signing and verification using HMAC-SHA256.
rate_limit
In-memory per-key rate limiter using token bucket algorithm.
scope
Authorization scope levels for API operations.

Structs§

AuthenticatedCaller
Populated by the FromRequestParts implementation, which validates either an API key (aa_…) or a JWT bearer token.
ProblemDetail
RFC 7807 Problem Details JSON body.
Tenant
The authenticated identity of a request caller.

Enums§

AuthError
Authentication / authorization errors returned by extractors.