stoat-core 0.1.0

Core logic for stoat (sans-IO) — config types, PKCE, request transformation
Documentation

stoat

CI crates.io License

Streaming OAuth Transformer

A config-driven local reverse proxy that manages OAuth token lifecycle and transforms requests so downstream clients can talk to OAuth-protected APIs using simple authentication.

What It Does

stoat sits between a client and an upstream API. The client sends requests with a simple API key (or no auth). stoat replaces the auth headers with OAuth bearer tokens, applies configurable request mutations (headers, query params), and streams the response back. The client never knows OAuth is involved.

graph LR
    Client -->|x-api-key| stoat -->|Bearer token| Upstream[Upstream API]
    Upstream -->|response| stoat -->|response| Client

Status

Early release (0.1.0). Core functionality is implemented: OAuth PKCE login flow, token storage and refresh, and streaming reverse proxy with configurable request transformation. See the implementation roadmap for details.

Installation

Pre-built binaries

Download from GitHub Releases. Binaries are available for:

  • Linux (x86_64, aarch64) -- statically linked
  • macOS (x86_64, Apple Silicon)
  • Windows (x86_64)

From source

cargo install stoat

Requires Rust 1.89 or later.

Usage

# One-time: complete the OAuth flow and store tokens
stoat login --config config.toml

# Start the proxy (prints port to stdout, logs to stderr)
stoat serve --config config.toml
# port=54321

# In another terminal, point your client at the proxy
SOME_API_BASE=http://127.0.0.1:54321 \
SOME_API_KEY=ignored \
some-client do-something

All provider-specific details (OAuth endpoints, client IDs, header rewrites) live in the user-supplied config file. The stoat binary itself contains no provider-specific code.

Documentation

Full project documentation is in docs/src/project/, covering:

License

Licensed under either of:

at your option.