Production infrastructure for AI agents
Website · Documentation · Guides · Core · Template · Discord
systemprompt-oauth
Your own authorization server, not a rented identity provider. OAuth 2.0 and OIDC with PKCE, dynamic client registration, token introspection and revocation, and WebAuthn passwordless login, all running in your binary against your PostgreSQL.
Layer: Domain — business-logic modules that implement systemprompt.io features. Part of the systemprompt-core workspace.
Overview
Capabilities · Compliance
This crate implements a complete OAuth 2.0 authorization server with:
- Authorization Code Grant with PKCE
- Client Credentials Grant
- Refresh Token Grant
- Dynamic Client Registration (RFC 7591)
- Token Introspection (RFC 7662)
- Token Revocation (RFC 7009)
- WebAuthn/FIDO2 Passwordless Authentication
- OpenID Connect Discovery
Usage
[]
= "0.21"
use ;
use ;
Module Layout
| Module | Purpose |
|---|---|
models/ |
OAuth client, token, and JWT-claim types, CIMD metadata, analytics, and typed grant/response/PKCE enums. |
queries/ |
Compile-time-verified sqlx query layer: postgres/ analytics queries and seed/ WebAuthn client seeds. |
repository/ |
Data access for clients, OAuth protocol records, bridge sessions and host prefs, exchange codes, setup tokens, and WebAuthn credentials. |
services/ |
OAuth business logic: bridge, cimd, generation, jwt, session, validation, webauthn, plugin_token, providers, templating, and HTTP helpers. |
models/
Data structures for OAuth clients, tokens, JWT claims, CIMD metadata, and analytics. Includes typed enums for grant types, response types, and PKCE methods.
queries/
PostgreSQL query implementations using compile-time-verified sqlx macros, plus queries/seed/ SQL for seeding the WebAuthn client and its scopes.
repository/
Data access layer with separate repositories for clients (ClientRepository), OAuth protocol records (OAuthRepository), bridge sessions (BridgeSessionRepository), bridge host preferences (BridgeHostPrefsRepository), exchange codes, setup tokens, and WebAuthn credentials.
services/
Business logic including:
- bridge: Bridge access-token issuance and short-lived exchange codes for the desktop bridge.
- cimd: Client-Initiated Metadata Discovery fetcher and validator.
- generation: Secure token, JWT, and client-secret generation.
- jwt:
TokenValidatorandAuthServicefor token authentication and authorisation. - plugin_token:
PluginTokenServicemints long-lived plugin-scoped JWTs (aud=hook) for hook/governance plugin credentials. - providers:
JwtValidationProviderImplimplementing theJwtValidationProvidertrait. - session: Anonymous and authenticated session creation and lookup.
- templating: HTML template rendering for the OAuth consent / login pages.
- validation: Audience, client-credential, JWT, redirect-URI, and OAuth-parameter validation.
- webauthn: FIDO2 passwordless authentication, registration, and account linking.
Database Tables
| Table | Purpose |
|---|---|
oauth_clients |
Registered OAuth clients |
oauth_client_redirect_uris |
Allowed redirect URIs per client |
oauth_client_grant_types |
Supported grant types per client |
oauth_client_response_types |
Supported response types per client |
oauth_client_scopes |
Allowed scopes per client |
oauth_client_contacts |
Contact emails per client |
oauth_auth_codes |
Authorization codes (600s TTL) |
oauth_refresh_tokens |
Refresh tokens |
oauth_state_bindings |
OAuth state-to-session bindings |
oauth_jti_revocations |
Revoked JWT identifiers |
bridge_exchange_codes |
Short-lived bridge session exchange codes |
bridge_sessions |
Bridge heartbeat / active-session records |
bridge_user_host_prefs |
Per-user, per-host bridge enable/disable preferences |
bridge_user_host_model_prefs |
Per-user, per-host model preferences |
id_jag_replay |
ID-JAG token replay protection |
webauthn_setup_tokens |
Bootstrap and admin setup tokens |
webauthn_credentials |
FIDO2 / WebAuthn credentials |
webauthn_challenges |
WebAuthn challenge storage |
Trait Implementations
Implements traits from systemprompt-traits:
| Trait | Implementation | Purpose |
|---|---|---|
JwtValidationProvider |
JwtValidationProviderImpl |
Token validation |
UserProvider |
Consumed via Arc<dyn UserProvider> |
User lookup |
Dependencies
Internal Crates
systemprompt-config— Profile and config loadingsystemprompt-database—DbPooland SQLx abstractionsystemprompt-extension— Extension frameworksystemprompt-logging— Tracing setupsystemprompt-security— Crypto and auth primitives
Shared Crates
systemprompt-traits— Auth and provider traitssystemprompt-models— Shared domain typessystemprompt-identifiers— Typed identifiers (withsqlxfeature)
External
jsonwebtoken— JWT encoding / decodingbcrypt— Password and secret hashingwebauthn-rs— FIDO2 / WebAuthnaxum,http,reqwest— HTTP server and client typessqlx— Compile-time-verified PostgreSQL queriesvalidator,rand,base64,sha2— Validation and crypto helpers
Security Features
- PKCE required for authorization code flow
- S256 challenge method enforced (plain disallowed)
- Entropy validation for code challenges
- Constant-time client secret comparison
- Secure cookie attributes (HttpOnly, Secure, SameSite)
- Token revocation support
- WebAuthn for passwordless authentication
License
BSL-1.1 (Business Source License). Source-available for evaluation, testing, and non-production use. Production use requires a commercial license. Each version converts to Apache 2.0 four years after publication. See LICENSE.
systemprompt.io · Documentation · Guides · Live Demo · Template · crates.io · docs.rs · Discord
Domain layer · Own how your organization uses AI.