systemprompt-oauth 0.21.1

OAuth 2.0 / OIDC with PKCE, token introspection, and audience/issuer validation for systemprompt.io AI governance infrastructure. WebAuthn and JWT auth for the MCP governance pipeline.
Documentation

Production infrastructure for AI agents

Website · Documentation · Guides · Core · Template · Discord


systemprompt-oauth

Crates.io Docs.rs License: BSL-1.1 codecov

Your own authorization server, not a rented identity provider. OAuth 2.0 and OIDC with PKCE, dynamic client registration, token introspection and revocation, and WebAuthn passwordless login, all running in your binary against your PostgreSQL.

Layer: Domain — business-logic modules that implement systemprompt.io features. Part of the systemprompt-core workspace.

Overview

Capabilities · Compliance

This crate implements a complete OAuth 2.0 authorization server with:

  • Authorization Code Grant with PKCE
  • Client Credentials Grant
  • Refresh Token Grant
  • Dynamic Client Registration (RFC 7591)
  • Token Introspection (RFC 7662)
  • Token Revocation (RFC 7009)
  • WebAuthn/FIDO2 Passwordless Authentication
  • OpenID Connect Discovery

Usage

[dependencies]
systemprompt-oauth = "0.21"
use systemprompt_oauth::{
    OAuthRepository, OAuthState, OauthError, OauthExtension, OauthResult,
    SessionCreationService, TokenValidator, validate_jwt_token,
};
use systemprompt_oauth::services::{
    issue_bridge_access, issue_bridge_exchange_code, exchange_bridge_session_code,
};

Module Layout

Module Purpose
models/ OAuth client, token, and JWT-claim types, CIMD metadata, analytics, and typed grant/response/PKCE enums.
queries/ Compile-time-verified sqlx query layer: postgres/ analytics queries and seed/ WebAuthn client seeds.
repository/ Data access for clients, OAuth protocol records, bridge sessions and host prefs, exchange codes, setup tokens, and WebAuthn credentials.
services/ OAuth business logic: bridge, cimd, generation, jwt, session, validation, webauthn, plugin_token, providers, templating, and HTTP helpers.

models/

Data structures for OAuth clients, tokens, JWT claims, CIMD metadata, and analytics. Includes typed enums for grant types, response types, and PKCE methods.

queries/

PostgreSQL query implementations using compile-time-verified sqlx macros, plus queries/seed/ SQL for seeding the WebAuthn client and its scopes.

repository/

Data access layer with separate repositories for clients (ClientRepository), OAuth protocol records (OAuthRepository), bridge sessions (BridgeSessionRepository), bridge host preferences (BridgeHostPrefsRepository), exchange codes, setup tokens, and WebAuthn credentials.

services/

Business logic including:

  • bridge: Bridge access-token issuance and short-lived exchange codes for the desktop bridge.
  • cimd: Client-Initiated Metadata Discovery fetcher and validator.
  • generation: Secure token, JWT, and client-secret generation.
  • jwt: TokenValidator and AuthService for token authentication and authorisation.
  • plugin_token: PluginTokenService mints long-lived plugin-scoped JWTs (aud=hook) for hook/governance plugin credentials.
  • providers: JwtValidationProviderImpl implementing the JwtValidationProvider trait.
  • session: Anonymous and authenticated session creation and lookup.
  • templating: HTML template rendering for the OAuth consent / login pages.
  • validation: Audience, client-credential, JWT, redirect-URI, and OAuth-parameter validation.
  • webauthn: FIDO2 passwordless authentication, registration, and account linking.

Database Tables

Table Purpose
oauth_clients Registered OAuth clients
oauth_client_redirect_uris Allowed redirect URIs per client
oauth_client_grant_types Supported grant types per client
oauth_client_response_types Supported response types per client
oauth_client_scopes Allowed scopes per client
oauth_client_contacts Contact emails per client
oauth_auth_codes Authorization codes (600s TTL)
oauth_refresh_tokens Refresh tokens
oauth_state_bindings OAuth state-to-session bindings
oauth_jti_revocations Revoked JWT identifiers
bridge_exchange_codes Short-lived bridge session exchange codes
bridge_sessions Bridge heartbeat / active-session records
bridge_user_host_prefs Per-user, per-host bridge enable/disable preferences
bridge_user_host_model_prefs Per-user, per-host model preferences
id_jag_replay ID-JAG token replay protection
webauthn_setup_tokens Bootstrap and admin setup tokens
webauthn_credentials FIDO2 / WebAuthn credentials
webauthn_challenges WebAuthn challenge storage

Trait Implementations

Implements traits from systemprompt-traits:

Trait Implementation Purpose
JwtValidationProvider JwtValidationProviderImpl Token validation
UserProvider Consumed via Arc<dyn UserProvider> User lookup

Dependencies

Internal Crates

  • systemprompt-config — Profile and config loading
  • systemprompt-databaseDbPool and SQLx abstraction
  • systemprompt-extension — Extension framework
  • systemprompt-logging — Tracing setup
  • systemprompt-security — Crypto and auth primitives

Shared Crates

  • systemprompt-traits — Auth and provider traits
  • systemprompt-models — Shared domain types
  • systemprompt-identifiers — Typed identifiers (with sqlx feature)

External

  • jsonwebtoken — JWT encoding / decoding
  • bcrypt — Password and secret hashing
  • webauthn-rs — FIDO2 / WebAuthn
  • axum, http, reqwest — HTTP server and client types
  • sqlx — Compile-time-verified PostgreSQL queries
  • validator, rand, base64, sha2 — Validation and crypto helpers

Security Features

  • PKCE required for authorization code flow
  • S256 challenge method enforced (plain disallowed)
  • Entropy validation for code challenges
  • Constant-time client secret comparison
  • Secure cookie attributes (HttpOnly, Secure, SameSite)
  • Token revocation support
  • WebAuthn for passwordless authentication

License

BSL-1.1 (Business Source License). Source-available for evaluation, testing, and non-production use. Production use requires a commercial license. Each version converts to Apache 2.0 four years after publication. See LICENSE.


systemprompt.io · Documentation · Guides · Live Demo · Template · crates.io · docs.rs · Discord

Domain layer · Own how your organization uses AI.