OAuth2 library for resource servers.
A resource server has two jobs: validate the access token presented with a request, and decide whether that token authorizes the request.
This crate does the first. A validator verifies the token
(signature/introspection, expiry, audience, and any sender-constraint
binding) and returns a ValidatedRequest
carrying its claims — from which your application makes the second decision.
When validation fails, rejection turns the failure into the matching
response: status code, WWW-Authenticate challenges, and DPoP-Nonce.
The huskarl ecosystem
This crate is one of three that fit together. Each carries its own how-to
guides and explanation in a _docs module:
huskarl—OAuth2clients: grants, token caching, and the request authorizer.huskarl-resource-server(this crate) — resource servers: access-token validation and request authorization.huskarl-core— the shared foundation the other two build on.
Example with RFC 9068 token validation:
use Arc;
use ;
let validator = builder
.issuer
.audience
.jws_verifier_factory
.build
.await?;
Guides and explanation
The API items here are the reference docs. For task-oriented how-to guides
(validating RFC 9068, custom, introspection, and multi-issuer tokens, plus
DPoP enforcement) and design explanation (choosing a validator, how
multi-issuer routing stays safe), see the _docs module.