aa-auth
Authentication primitives for Agent Assembly — API-key and JWT verification, credential-token checks, and the fail-closed auth posture the gateway enforces.
Owns the shared authentication types and verification logic so the gateway can
guard privileged surfaces (e.g. /admin/status) without pulling the full
gateway into its dependency graph. Deliberately a leaf crate: it holds the
auth mode (AuthMode), the API-key/JWT verifiers, and the request-extractor
contracts, and its bypass-default (AuthMode::Off unless auth is explicitly
configured) preserves the zero-config developer experience while failing closed
the moment auth is turned on.
Extracted from aa-gateway (AAASM-3898) so authentication is independently
testable and reusable across the HTTP (aa-api) and gRPC surfaces.
Part of Agent Assembly — documentation · monorepo.