Expand description
Shared HTTP authentication and authorization framework for Agent Assembly.
This leaf crate holds the transport-agnostic auth primitives that the API
presentation layer (aa-api) — and, in a follow-up, the gateway — build on:
API-key and JWT credential validation, scope levels, per-key rate limiting,
and the deny-by-default authentication gate. It depends only on axum,
http, serde, and the credential primitives, never on aa-core,
aa-gateway, aa-runtime, or aa-api, so it stays a true leaf.
Auth is handled via Axum FromRequestParts extractors, not middleware
layers. The AuthenticatedCaller extractor validates API keys or JWTs
and enforces per-key rate limits. scope::RequireScope checks scope levels.
Modules§
- api_key
- API key generation, validation, and storage.
- config
- Authentication configuration from environment variables.
- gate
- Router-level authentication gate (AAASM-3125).
- jwt
- JWT signing and verification using HMAC-SHA256.
- rate_
limit - In-memory per-key rate limiter using token bucket algorithm.
- scope
- Authorization scope levels for API operations.
Structs§
- Authenticated
Caller - Populated by the
FromRequestPartsimplementation, which validates either an API key (aa_…) or a JWT bearer token. - Problem
Detail - RFC 7807 Problem Details JSON body.
- Tenant
- The authenticated identity of a request caller.
Enums§
- Auth
Error - Authentication / authorization errors returned by extractors.