pub async fn auth_middleware<S: WorkflowStore>(
    __arg0: State<Arc<AppState<S>>>,
    request: Request,
    next: Next,
) -> Response
Axum middleware that enforces authentication based on the configured mode.
When both JWT and API-key auth are enabled, dispatch is based on token shape: if the Bearer token parses as a JWS header it takes the JWT path, otherwise the API-key path. A semantically-invalid JWT (expired, forged signature, wrong audience) is rejected and is not retried as an API key — a token that looks like a JWT is treated as a JWT.
Bootstrap window: POST /api/v1/api-keys is accepted without a Bearer
token iff the api_keys table is empty. This is the only way a freshly
deployed server running in API-key or combined mode can receive its first
credential without operator shell access. The window closes the moment any
key exists.