Production infrastructure for AI agents
systemprompt-oauth
OAuth 2.0 / OIDC with PKCE, token introspection, and audience/issuer validation for systemprompt.io AI governance infrastructure. WebAuthn and JWT auth for the MCP governance pipeline with dynamic client registration, token revocation, and passwordless authentication.
Layer: Domain — business-logic modules that implement systemprompt.io features. Part of the systemprompt-core workspace.
Overview
This crate implements a complete OAuth 2.0 authorization server with:
- Authorization Code Grant with PKCE
- Client Credentials Grant
- Refresh Token Grant
- Dynamic Client Registration (RFC 7591)
- Token Introspection (RFC 7662)
- Token Revocation (RFC 7009)
- WebAuthn/FIDO2 Passwordless Authentication
- OpenID Connect Discovery
Usage
Add the crate to `Cargo.toml`:

```toml
[dependencies]
systemprompt-oauth = "0.9.2"
```

Then import the types you need:

```rust
use ;
use ;
```
File Structure
```
src/
├── lib.rs                      # Crate root, public exports
├── constants.rs                # Shared constants (TTLs, claims, headers)
├── error.rs                    # OauthError / OauthResult
├── extension.rs                # OauthExtension (schemas + migrations)
├── state.rs                    # OAuthState handle
├── models/                     # Data structures
│   ├── mod.rs                  # Model exports
│   ├── analytics.rs            # Session / login analytics types
│   ├── cimd.rs                 # Client-Initiated Metadata Discovery types
│   ├── clients/                # OAuth client models
│   │   ├── mod.rs              # OAuthClient, OAuthClientRow, ClientRelations
│   │   └── api.rs              # Create/Update/Response DTOs
│   └── oauth/                  # OAuth protocol models
│       ├── mod.rs              # GrantType, PkceMethod, JwtClaims, ResponseType...
│       ├── api.rs              # Pagination types
│       └── dynamic_registration.rs # RFC 7591 request / response
├── queries/                    # SQL query layer
│   ├── mod.rs
│   └── postgres/
│       └── mod.rs              # PostgreSQL query implementations
├── repository/                 # Data access layer
│   ├── mod.rs                  # Repository exports
│   ├── bridge_host_prefs.rs    # Per-host bridge enable/disable
│   ├── bridge_session.rs       # Bridge heartbeat sessions
│   ├── exchange_code.rs        # Bridge exchange-code persistence
│   ├── setup_token.rs          # Bootstrap / admin setup tokens
│   ├── webauthn.rs             # WebAuthn credential storage
│   ├── client/                 # Client repository
│   │   ├── mod.rs              # ClientRepository
│   │   ├── queries.rs          # Read operations
│   │   ├── mutations.rs        # Write operations
│   │   ├── inserts.rs          # Bulk insert helpers
│   │   ├── relations.rs        # Load client relations
│   │   └── cleanup.rs          # Stale client cleanup
│   └── oauth/                  # OAuth repository
│       ├── mod.rs              # OAuthRepository
│       ├── auth_code.rs        # Authorization codes
│       ├── refresh_token.rs    # Refresh tokens
│       ├── scopes.rs           # Scope validation
│       ├── user.rs             # User retrieval
│       └── cleanup.rs          # Expired-record cleanup
└── services/                   # Business logic
    ├── mod.rs                  # Service exports
    ├── bridge.rs               # Bridge access tokens + exchange codes
    ├── generation.rs           # Token / JWT / secret generation
    ├── http.rs                 # HTTP utilities (bearer / cookie extraction)
    ├── providers.rs            # JwtValidationProviderImpl
    ├── templating.rs           # HTML template rendering
    ├── cimd/                   # Client metadata validation
    │   ├── mod.rs
    │   ├── fetcher.rs          # Metadata URL fetching
    │   └── validator.rs        # Metadata validation
    ├── jwt/                    # JWT handling
    │   ├── mod.rs              # TokenValidator trait, AuthService
    │   ├── authentication.rs   # Token authentication
    │   └── authorization.rs    # Permission authorization
    ├── session/                # Session management
    │   ├── mod.rs              # SessionCreationService
    │   ├── lookup.rs           # Session lookup / reuse
    │   └── creation.rs         # New session creation
    ├── validation/             # Request validation
    │   ├── mod.rs
    │   ├── audience.rs         # JWT audience validation
    │   ├── client_credentials.rs # Client secret validation
    │   ├── jwt.rs              # JWT token validation
    │   ├── oauth_params.rs     # OAuth parameter validation
    │   └── redirect_uri.rs     # Redirect URI validation
    └── webauthn/               # WebAuthn / FIDO2 service
        ├── mod.rs
        ├── config.rs           # WebAuthnConfig
        ├── jwt.rs              # JwtTokenValidator for WebAuthn
        ├── registry.rs         # Credential registry
        ├── token.rs            # WebAuthn token helpers
        ├── user_service.rs     # UserCreationService
        └── service/            # WebAuthn operations
            ├── mod.rs          # WebAuthnService
            ├── authentication.rs # Authentication flow
            ├── credentials.rs  # Credential operations
            ├── link.rs         # Account linking
            └── registration.rs # Registration flow
```
Module Descriptions
models/
Data structures for OAuth clients, tokens, JWT claims, CIMD metadata, and analytics. Includes typed enums for grant types, response types, and PKCE methods.
queries/
PostgreSQL query implementations using compile-time-verified sqlx macros.
repository/
Data access layer with separate repositories for clients (ClientRepository), OAuth protocol records (OAuthRepository), bridge sessions (BridgeSessionRepository), bridge host preferences (BridgeHostPrefsRepository), exchange codes, setup tokens, and WebAuthn credentials.
services/
Business logic including:
- bridge: Bridge access-token issuance and short-lived exchange codes for the desktop bridge.
- cimd: Client-Initiated Metadata Discovery fetcher and validator.
- generation: Secure token, JWT, and client-secret generation.
- jwt: `TokenValidator` and `AuthService` for token authentication and authorisation.
- providers: `JwtValidationProviderImpl`, implementing the `JwtValidationProvider` trait.
- session: Anonymous and authenticated session creation and lookup.
- templating: HTML template rendering for the OAuth consent / login pages.
- validation: Audience, client-credential, JWT, redirect-URI, and OAuth-parameter validation.
- webauthn: FIDO2 passwordless authentication, registration, and account linking.
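The audience and issuer checks that the `validation` service performs on an access token are the part of JWT validation most often got wrong: `aud` may be a string or an array (RFC 7519 §4.1.3), a token with no audience must not be accepted by a resource server, and `exp`/`nbf` need a small clock-skew allowance. The following is an added, stand-alone illustration of those rules, not the crate's code: the `Claims`, `Aud` and `Expect` types and the `validate_claims` function are assumptions for this example, and signature verification is assumed to have happened before these checks run.

```rust
// Added example: claim checks on an already signature-verified access token.
// Types and function names are illustrative, not the crate's own API.

/// RFC 7519 §4.1.3: the `aud` claim is either a single string or an array.
#[derive(Debug, Clone, PartialEq)]
pub enum Aud {
    One(String),
    Many(Vec<String>),
}

#[derive(Debug, Clone)]
pub struct Claims {
    pub iss: String,
    pub aud: Option<Aud>,
    pub exp: u64,         // seconds since the Unix epoch
    pub nbf: Option<u64>,
}

#[derive(Debug, PartialEq)]
pub enum ClaimError {
    WrongIssuer,
    MissingAudience,
    WrongAudience,
    Expired,
    NotYetValid,
}

/// What this resource server expects to see in every token it accepts.
pub struct Expect<'a> {
    pub issuer: &'a str,
    pub audience: &'a str,
    pub leeway_secs: u64, // tolerated clock skew between issuer and verifier
}

pub fn validate_claims(c: &Claims, want: &Expect, now: u64) -> Result<(), ClaimError> {
    // Exact match on the issuer string: no prefix or host-only comparison, so
    // "https://auth.example" does not accept "https://auth.example.evil".
    if c.iss != want.issuer {
        return Err(ClaimError::WrongIssuer);
    }
    // A token without an audience is refused: it could otherwise be replayed
    // against every service that trusts the same signing key.
    let auds: Vec<&str> = match &c.aud {
        None => return Err(ClaimError::MissingAudience),
        Some(Aud::One(a)) => vec![a.as_str()],
        Some(Aud::Many(v)) => v.iter().map(String::as_str).collect(),
    };
    if !auds.iter().any(|a| *a == want.audience) {
        return Err(ClaimError::WrongAudience);
    }
    // Time window with leeway applied in the token's favour on both edges.
    if now >= c.exp.saturating_add(want.leeway_secs) {
        return Err(ClaimError::Expired);
    }
    if let Some(nbf) = c.nbf {
        if now.saturating_add(want.leeway_secs) < nbf {
            return Err(ClaimError::NotYetValid);
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample token claims for the demonstration.
    let want = Expect { issuer: "https://auth.example", audience: "mcp-api", leeway_secs: 60 };
    let claims = Claims {
        iss: "https://auth.example".into(),
        aud: Some(Aud::Many(vec!["other-service".into(), "mcp-api".into()])),
        exp: 2_000,
        nbf: Some(1_000),
    };
    println!("{:?}", validate_claims(&claims, &want, 1_500));
}
```

Keep the leeway small (tens of seconds): every second of leeway on `exp` extends the usable life of a stolen token by the same amount.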
Database Tables
| Table | Purpose |
|---|---|
| `oauth_clients` | Registered OAuth clients |
| `oauth_client_redirect_uris` | Allowed redirect URIs per client |
| `oauth_client_grant_types` | Supported grant types per client |
| `oauth_client_response_types` | Supported response types per client |
| `oauth_client_scopes` | Allowed scopes per client |
| `oauth_client_contacts` | Contact emails per client |
| `oauth_auth_codes` | Authorization codes (600 s TTL) |
| `oauth_refresh_tokens` | Refresh tokens |
| `bridge_exchange_codes` | Short-lived bridge session exchange codes |
| `bridge_sessions` | Bridge heartbeat / active-session records |
| `setup_tokens` | Bootstrap and admin setup tokens |
| `webauthn_credentials` | FIDO2 / WebAuthn credentials |
| `webauthn_challenges` | WebAuthn challenge storage |
Trait Implementations
Implements traits from systemprompt-traits:
| Trait | Implementation | Purpose |
|---|---|---|
| `JwtValidationProvider` | `JwtValidationProviderImpl` | Token validation |
| `UserProvider` | Consumed via `Arc<dyn UserProvider>` | User lookup |
Dependencies
Internal Crates
- `systemprompt-config`: Profile and config loading
- `systemprompt-database`: `DbPool` and SQLx abstraction
- `systemprompt-extension`: Extension framework
- `systemprompt-logging`: Tracing setup
- `systemprompt-security`: Crypto and auth primitives
Shared Crates
- `systemprompt-traits`: Auth and provider traits
- `systemprompt-models`: Shared domain types
- `systemprompt-identifiers`: Typed identifiers (with the `sqlx` feature)
External
- `jsonwebtoken`: JWT encoding / decoding
- `bcrypt`: Password and secret hashing
- `webauthn-rs`: FIDO2 / WebAuthn
- `axum`, `http`, `reqwest`: HTTP server and client types
- `sqlx`: Compile-time-verified PostgreSQL queries
- `validator`, `rand`, `base64`, `sha2`: Validation and crypto helpers
Security Features
- PKCE required for authorization code flow
- S256 challenge method enforced (plain disallowed)
- Entropy validation for code challenges
- Constant-time client secret comparison
- Secure cookie attributes (HttpOnly, Secure, SameSite)
- Token revocation support
- WebAuthn for passwordless authentication
License
BSL-1.1 (Business Source License). Source-available for evaluation, testing, and non-production use. Production use requires a commercial license. Each version converts to Apache 2.0 four years after publication. See LICENSE.