Scope-based access control for tools.
Scopes provide a declarative security model where tools declare what scopes they require, and the framework automatically enforces them before execution.
§Overview
Unlike role-based access control (which maps users → roles → permissions), scope-based access works at the tool level:
- Tools declare required scopes via `Tool::required_scopes()`
- User scopes are resolved from session state, JWT claims, or a custom provider
- The `ScopeGuard` checks that the user has all required scopes
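
The all-required-scopes rule described above, as an added stand-alone sketch (not adk_auth's own code): the handler runs only when nothing is missing, and a denial reports which scopes were absent. `Denied`, `missing_scopes`, `guarded_call` and `grants` are hypothetical names, and exact string matching of scopes is an assumption.

```rust
use std::collections::HashSet;

/// Hypothetical stand-in for a denial error: names the tool and what was missing.
#[derive(Debug, PartialEq)]
pub struct Denied {
    pub tool: String,
    pub missing: Vec<String>,
}

/// Returns the required scopes the user does not hold, in declaration order.
/// Assumption: scopes match by exact string equality (no wildcards or prefixes).
pub fn missing_scopes(required: &[&str], granted: &HashSet<String>) -> Vec<String> {
    required
        .iter()
        .filter(|s| !granted.contains(**s))
        .map(|s| s.to_string())
        .collect()
}

/// Runs `handler` only if every required scope is granted; otherwise the
/// handler is never invoked and the caller gets the missing scopes back.
pub fn guarded_call<T>(
    tool: &str,
    required: &[&str],
    granted: &HashSet<String>,
    handler: impl FnOnce() -> T,
) -> Result<T, Denied> {
    let missing = missing_scopes(required, granted);
    if missing.is_empty() {
        Ok(handler())
    } else {
        Err(Denied { tool: tool.to_string(), missing })
    }
}

/// Builds a granted-scope set from literals (constructed sample data).
pub fn grants(scopes: &[&str]) -> HashSet<String> {
    scopes.iter().map(|s| s.to_string()).collect()
}

fn main() {
    let required = ["finance:write", "verified"];
    // Constructed user: holds only one of the two required scopes.
    let partial = grants(&["finance:write", "finance:read"]);
    let mut ran = false;
    let res = guarded_call("transfer", &required, &partial, || ran = true);
    println!("{:?}, handler ran: {}", res, ran);
}
```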
§Example
use adk_auth::{ScopeGuard, ContextScopeResolver};

// Tools declare their requirements
let transfer = FunctionTool::new("transfer", "Transfer funds", handler)
    .with_scopes(&["finance:write", "verified"]);

// Guard enforces scopes automatically
let guard = ScopeGuard::new(ContextScopeResolver);
let protected = guard.protect(transfer);

Structs§
- `ContextScopeResolver` - Resolves user scopes from the `user_scopes()` method on `ToolContext`.
- `ScopeDenied` - Error returned when a user lacks required scopes.
- `ScopeGuard` - Declarative scope enforcement for tools.
- `ScopedTool` - A tool wrapper that enforces scope requirements before execution.
- `ScopedToolDyn` - Dynamic version of `ScopedTool` for `Arc<dyn Tool>`.
- `StaticScopeResolver` - A static resolver that always returns a fixed set of scopes.
Traits§
- `ScopeResolver` - Resolves the set of scopes granted to the current user.
- `ScopeToolExt` - Extension trait for easily wrapping tools with scope enforcement.
Functions§
- `check_scopes` - Checks whether a user’s scopes satisfy a tool’s requirements.