pub enum Auth {
ClientCredentials {
client_id: String,
client_secret: String,
},
Bearer {
token: String,
},
Password {
user: String,
pass: String,
client_id: Option<String>,
},
RefreshToken {
refresh_token: String,
client_id: String,
client_secret: Option<String>,
},
}Expand description
How the SDK authenticates. Configure once when building the client.
The Debug impl redacts the secret-bearing fields (client_secret, pass,
token, refresh_token) so a stray {:?} in logs or an error report can’t leak credentials.
Variants§
ClientCredentials
Server-to-server OAuth2 client_credentials grant against /oauth/token, resolved at
connect into a bearer token and transparently re-granted shortly before it expires.
Requires an OAuth2 application (client id/secret); see the Authentication guide for the
current availability caveat.
Fields
Bearer
A bearer token you already hold (e.g. the access token from a PKCE flow). Used as-is for the client’s lifetime — the SDK cannot renew a token it didn’t obtain itself.
Password
OAuth2 password grant against /oauth/token, resolved at connect and transparently
re-granted shortly before the token expires.
Fields
RefreshToken
A refresh token from the Authorization Code + PKCE flow, exchanged at connect into a bearer token and transparently re-exchanged shortly before that token expires — matching the TypeScript/Go SDKs. Refresh tokens are rotated on every use: the SDK captures the newly issued refresh token from each grant response and uses it for the next exchange.