pub struct AuthCache { /* private fields */ }
TTL-based credential cache, keyed by (provider_name, agent_sub, token_fingerprint).
The token fingerprint is the SHA-256 of the raw inbound bearer truncated
to 16 hex chars (or the empty string when no bearer was presented). The
third dimension exists because a per-sandbox JWT (which rotates per request
in some deployments) would otherwise either (a) let one sandbox's generated
credential be cached and served to another sandbox with the same sub, or
(b) force every consumer to set cache_ttl_secs = 0. With the fingerprint
in the key, legitimate same-sandbox reuse hits the cache and cross-sandbox
reuse misses, even when sub happens to collide. See issue #115.
The fingerprint is a one-way hash, so the cache map never carries raw bearer bytes. Truncating to 16 hex chars (64 bits) is enough collision resistance at this cache's scale: provider and sub already partition the keyspace, and the token dimension only has to distinguish the tokens concurrently live for one agent, so a birthday collision would need on the order of 2^32 distinct live tokens under a single (provider, sub) pair. Note that the fingerprint only partitions the cache; it is not an authentication check. The inbound bearer must still be verified before the lookup, and any caller that presents the same bearer is served the same cached credential.