# reauth-types
Shared types and crypto primitives for [Reauth](https://reauth.dev) authentication.
## Overview
This crate provides core types used by the Reauth SDK:
- **JWT Claims** - `DomainEndUserClaims`, `SubscriptionClaims`
- **Subscription Status** - `SubscriptionStatus` enum
- **API Response Types** - `UserDetails`
- **Crypto Primitives** - HKDF key derivation and JWT verification
## Installation
```bash
cargo add reauth-types
```
## Usage
```rust
use reauth_types::{
DomainEndUserClaims,
SubscriptionClaims,
SubscriptionStatus,
derive_jwt_secret,
verify_jwt,
};
// Derive JWT secret from API key
let secret = derive_jwt_secret("sk_live_...", "domain-id")?;
// Verify and decode a JWT
let claims: DomainEndUserClaims = verify_jwt(&token, &secret, 60)?;
// Check subscription status
match claims.subscription.status {
SubscriptionStatus::Active => println!("Active subscription"),
SubscriptionStatus::Trialing => println!("Trial period"),
SubscriptionStatus::PastDue => println!("Payment overdue"),
_ => println!("Other status"),
}
```
## Types
### DomainEndUserClaims
JWT claims for authenticated end users:
```rust
pub struct DomainEndUserClaims {
pub sub: Uuid, // User ID
pub aud: String, // Domain
pub roles: Vec<String>, // User roles
pub subscription: SubscriptionClaims,
pub exp: i64, // Expiration timestamp
pub iat: i64, // Issued at timestamp
}
```
### SubscriptionStatus
```rust
pub enum SubscriptionStatus {
Active,
PastDue,
Canceled,
Trialing,
Incomplete,
IncompleteExpired,
Unpaid,
Paused,
None,
Unknown, // Forward compatibility: any unrecognized status deserializes here
}
```
The `Unknown` variant uses `#[serde(other)]` so that unrecognized status strings from newer server versions deserialize gracefully instead of failing. Helper methods (`is_active()`, `has_access()`, `is_grace_period()`) return `false` for `Unknown`.
## License
MIT