pub enum Auth {
ClientCredentials {
client_id: String,
client_secret: String,
},
Bearer {
token: String,
},
Password {
user: String,
pass: String,
},
RefreshToken {
refresh_token: String,
client_id: String,
},
}Expand description
How the SDK authenticates. Configure once when building the client.
The Debug impl redacts the secret-bearing fields (client_secret, pass,
token, refresh_token) so a stray {:?} in logs or an error report can’t leak credentials.
Variants§
ClientCredentials
Server-to-server OAuth2 client_credentials grant against /oauth/token, resolved once at
connect into a bearer token. Requires an OAuth2 application (client id/secret); see the
Authentication guide for the current availability caveat.
Fields
Bearer
A bearer token you already hold (e.g. the access token from a PKCE flow).
Password
OAuth2 password grant against /oauth/token (resolved once at connect).
RefreshToken
A refresh token from the Authorization Code + PKCE flow, exchanged once at connect into a bearer token.
Unlike the TypeScript/Go SDKs there is no transparent background refresh — the resolved
access token is used for the client’s lifetime. Because refresh tokens are rotated on every
use, the token passed here is consumed at connect and the newly issued one is discarded;
callers that need long-lived rotation should drive it manually via
mgr.auth.token("refresh_token", …) and rebuild the client (or use Auth::Bearer).