delegated-redis

Redis-backed TrustStateStore
and TrustStateAdmin
for multi-instance delegated deployments.
Install
[dependencies]
delegated = "0.2"
delegated-redis = "0.2"
Usage
use chrono::Utc;
use delegated::{Evaluator, OperationContext, PinnedIssuerKeys};
use delegated_redis::RedisTrustState;
# fn authorize(request: &[u8]) -> Result<bool, Box<dyn std::error::Error>> {
let keys = PinnedIssuerKeys::new();
let state = RedisTrustState::new("redis://127.0.0.1/")?;
let operation = OperationContext::new("calendar-api", "calendar.create")
.with_resource("calendar:alice");
let (decision, _audit) =
Evaluator::new(&keys, &state).evaluate(request, &operation, Utc::now());
# Ok(decision.allowed)
# }
Administrative mutations:
use delegated::TrustStateAdmin;
use delegated_redis::RedisTrustState;
# fn suspend_agent() -> Result<(), delegated::TrustStateError> {
let state = RedisTrustState::with_prefix("redis://127.0.0.1/", "prod-api")?;
state.revoke_token("https://issuer.example", "token-123")?;
state.deny_agent("https://issuer.example", "agent:compromised")?;
# Ok(())
# }
Nonce consumption uses SET key NX EX ttl so concurrent evaluators share replay
protection. Revocation and emergency-deny entries persist until operators remove
them.
Documentation
Requirements
- Redis 6+ reachable from every evaluator instance
- A unique key prefix per environment when multiple services share one cluster
- The core
delegated crate for evaluation