reauth-types 0.3.0

Shared types and crypto primitives for Reauth authentication

Overview

This crate provides core types used by the Reauth SDK:

  • JWT Claims - DomainEndUserClaims, SubscriptionClaims
  • Subscription Status - SubscriptionStatus enum
  • API Response Types - UserDetails
  • Crypto Primitives - HKDF key derivation and JWT verification

Installation

cargo add reauth-types

Usage

use reauth_types::{
    DomainEndUserClaims,
    SubscriptionClaims,
    SubscriptionStatus,
    derive_jwt_secret,
    verify_jwt,
};

// Derive JWT secret from API key
let secret = derive_jwt_secret("sk_live_...", "domain-id")?;

// Verify and decode a JWT
let claims: DomainEndUserClaims = verify_jwt(&token, &secret, 60)?;

// Check subscription status
match claims.subscription.status {
    SubscriptionStatus::Active => println!("Active subscription"),
    SubscriptionStatus::Trialing => println!("Trial period"),
    SubscriptionStatus::PastDue => println!("Payment overdue"),
    _ => println!("Other status"),
}

Types

DomainEndUserClaims

JWT claims for authenticated end users:

pub struct DomainEndUserClaims {
    pub sub: Uuid,           // User ID
    pub aud: String,         // Domain
    pub roles: Vec<String>,  // User roles
    pub subscription: SubscriptionClaims,
    pub exp: i64,            // Expiration timestamp
    pub iat: i64,            // Issued at timestamp
}

SubscriptionStatus

pub enum SubscriptionStatus {
    Active,
    PastDue,
    Canceled,
    Trialing,
    Incomplete,
    IncompleteExpired,
    Unpaid,
    Paused,
    None,
    Unknown,  // Forward compatibility: any unrecognized status deserializes here
}

The Unknown variant uses #[serde(other)] so that unrecognized status strings from newer server versions deserialize gracefully instead of failing. Helper methods (is_active(), has_access(), is_grace_period()) return false for Unknown.
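
The fail-closed behaviour described above, as an added example that is not code from reauth-types: local stand-in types use a hand-written parser in place of #[serde(other)] so the block runs with std alone. The wire strings, the access policy in has_access, and the authorize gate are assumptions made for illustration.

```rust
// Added example: local stand-in types, NOT the reauth-types definitions.
// Wire strings ("past_due", ...) and the access policy are assumptions.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Status { Active, Trialing, PastDue, Canceled, Unknown }

impl Status {
    // Stand-in for #[serde(other)]: an unrecognized string becomes Unknown
    // instead of a parse error. Matching is exact, so "Active" is Unknown.
    fn parse(s: &str) -> Status {
        match s {
            "active" => Status::Active,
            "trialing" => Status::Trialing,
            "past_due" => Status::PastDue,
            "canceled" => Status::Canceled,
            _ => Status::Unknown,
        }
    }
    // Assumed policy. The match is exhaustive with no wildcard arm, so a new
    // variant forces an explicit decision instead of silently granting access.
    fn has_access(self) -> bool {
        match self {
            Status::Active | Status::Trialing => true,
            Status::PastDue | Status::Canceled | Status::Unknown => false,
        }
    }
}

#[derive(Debug, PartialEq)]
enum Deny { WrongAudience, MissingRole, NoSubscription }

// Hypothetical gate, run only after signature and expiry checks have passed.
fn authorize(aud: &str, roles: &[&str], status: &str,
             domain: &str, need_role: &str) -> Result<(), Deny> {
    if aud != domain { return Err(Deny::WrongAudience); }
    if !roles.iter().any(|r| *r == need_role) { return Err(Deny::MissingRole); }
    if !Status::parse(status).has_access() { return Err(Deny::NoSubscription); }
    Ok(())
}

fn main() {
    // Constructed inputs; "comped" stands for a status this client predates.
    let d = "example.com";
    println!("{:?}", authorize(d, &["member"], "active", d, "member"));
    println!("{:?}", authorize(d, &["member"], "comped", d, "member"));
}
```

The trade-off of this design is that a status introduced by a newer server is denied until the client is updated, which is the safe direction for an access decision.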

License

MIT