Authentication module for the Blueprint SDK.
This module provides a three-tier token authentication system:
- API Keys (ak_xxxxx.yyyyy) - Long-lived credentials for service authentication
- Access Tokens (v4.local.xxxxx) - Short-lived Paseto tokens for authorization
- Legacy Tokens (id|token) - Deprecated format for backward compatibility
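The three credential shapes listed above can be told apart strictly by prefix before any cryptographic check runs. The sketch below is an added example, not code from the Blueprint SDK: `Credential`, `ParseError`, `classify` and the `head`/`tail` field names are hypothetical, and the rule that an API key may not contain `|` is an assumption of the example.

```rust
// Added illustration: `Credential`, `ParseError` and `classify` are hypothetical
// names, not blueprint_auth API. Only the three shapes listed above are assumed.
#[derive(Debug, PartialEq)]
pub enum Credential<'a> {
    ApiKey { head: &'a str, tail: &'a str }, // ak_<head>.<tail>
    AccessToken { body: &'a str },           // v4.local.<body>
    Legacy { id: &'a str, token: &'a str },  // <id>|<token>, deprecated
}

#[derive(Debug, PartialEq)]
pub enum ParseError { Empty, UnsafeChar, Malformed }

// Split on the first `sep`, requiring both halves to be non-empty.
fn pair(s: &str, sep: char) -> Option<(&str, &str)> {
    s.split_once(sep).filter(|(a, b)| !a.is_empty() && !b.is_empty())
}

pub fn classify(raw: &str) -> Result<Credential<'_>, ParseError> {
    if raw.is_empty() { return Err(ParseError::Empty); }
    // CR, LF, spaces and control characters never belong in a credential
    // that will be copied into an HTTP header.
    if raw.chars().any(|c| c.is_whitespace() || c.is_control()) {
        return Err(ParseError::UnsafeChar);
    }
    // A recognised prefix decides the format. There is no fallback to the
    // legacy parser, so a malformed current token is rejected outright.
    if let Some(body) = raw.strip_prefix("v4.local.") {
        // Paseto bodies are base64url; '.' separates an optional footer.
        let ok = !body.is_empty()
            && body.chars().all(|c| c.is_ascii_alphanumeric() || "-_.".contains(c));
        return if ok { Ok(Credential::AccessToken { body }) } else { Err(ParseError::Malformed) };
    }
    if let Some(rest) = raw.strip_prefix("ak_") {
        // Assumption of this example: '|' is not valid inside an API key.
        return match pair(rest, '.') {
            Some((head, tail)) if !rest.contains('|') => Ok(Credential::ApiKey { head, tail }),
            _ => Err(ParseError::Malformed),
        };
    }
    pair(raw, '|')
        .map(|(id, token)| Credential::Legacy { id, token })
        .ok_or(ParseError::Malformed)
}

fn main() {
    // Constructed sample values, not real credentials.
    for s in ["ak_demo.secretpart", "v4.local.AAAA", "42|legacytoken", "ak_demo|x"] {
        println!("{s:?} -> {:?}", classify(s));
    }
}
```

Classifying first lets a service log or meter use of the deprecated legacy format separately and reject ambiguous input before it reaches token verification.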
Architecture
The authentication flow follows these steps:
- Client authenticates with API key
- API key is exchanged for a short-lived access token
- Access token is used for subsequent requests
- Token refresh happens automatically before expiration
Security Features
- Cryptographic tenant binding prevents impersonation
- Header re-validation prevents injection attacks
- Persistent key storage with secure permissions
- Automatic token rotation and refresh
Example
use blueprint_auth::proxy::AuthenticatedProxy;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize proxy with persistent storage
    let proxy = AuthenticatedProxy::new("/var/lib/auth/db")?;

    // Start the proxy server
    let router = proxy.router();

    Ok(())
}