Struct AuthConfig 

pub struct AuthConfig {

    pub enabled: bool,
    pub issuer: String,
    pub audience: String,
    pub read_scopes: Vec<String>,
    pub reload_scopes: Vec<String>,
    pub anonymous_read: bool,
    pub start_degraded: bool,
    pub algorithms: Vec<String>,
    pub leeway_secs: u64,
    pub jwks_refresh_secs: u64,
    pub tenant_claim: String,
    pub allowed_tenants: Vec<String>,
    pub admin_token_fallback: bool,
}

OIDC bearer-token enforcement for the HTTP API ([auth] block).

Disabled by default. When enabled = true, the server validates every request’s Authorization: Bearer … JWT against the JWKS discovered from the issuer’s OIDC metadata (<issuer>/.well-known/openid-configuration → jwks_uri), then enforces the configured scope requirements per route.

Only compiled in when the binary was built with the auth cargo feature. Without the feature, enabled = true is rejected at startup so a misconfigured production deployment can’t silently fall back to “no auth”.

The Swagger UI’s SSO support ([swagger.oauth2]) is independent of this block — [swagger.oauth2] only drives the UI’s login dialog; [auth] is what enforces tokens on the API.

Fields

enabled: bool

Master switch. false (default) skips all auth processing.

issuer: String

OIDC issuer URL — must match the iss claim of every accepted token. Required when enabled = true.

audience: String

Expected aud claim. When empty, audience validation is skipped (not recommended in production).

read_scopes: Vec<String>

Scopes a caller must hold to read datasets (GET endpoints + POST …/query and …/count). Empty list means “no scope check, just a valid token is enough”.

reload_scopes: Vec<String>

Scopes required for admin/mutation endpoints (POST …/reload). Empty list means “no scope check, just a valid token is enough”.

anonymous_read: bool

Allow unauthenticated GETs through. Useful for public datasets and demo deployments. Defaults to false.

start_degraded: bool

Continue serving even if the JWKS fetch fails at startup. When true (default), the server starts in a degraded mode that rejects every auth’d request with 503 until JWKS becomes reachable. When false, startup fails outright.

algorithms: Vec<String>

Allowed signing algorithms. Pinned to RS256 by default; never include HS* or none here unless you really know what you’re doing.

leeway_secs: u64

Clock-skew leeway for exp/nbf checks, in seconds.

jwks_refresh_secs: u64

How often (in seconds) the background refresher re-fetches the JWKS. On a kid cache miss the JWKS is also refreshed out-of-band.

tenant_claim: String

Optional JSON-pointer into the JWT claims that extracts a tenant identifier — attached to the principal and logged on every request. Example: "/tid" (Azure AD), "/org_id". When empty, no tenant is extracted.

allowed_tenants: Vec<String>

If non-empty, requests whose extracted tenant ID is not in this list are rejected with 403. Has no effect when tenant_claim is empty.

admin_token_fallback: bool

If true, POST …/reload accepts either a valid token with reload_scopes or the legacy X-Admin-Token header. Defaults to true for one-release backwards compatibility — flip to false once your automation has migrated to OIDC.

Trait Implementations

impl Clone for AuthConfig

fn clone(&self) -> AuthConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for AuthConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for AuthConfig

fn default() -> Self

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for AuthConfig

where AuthConfig: Default,

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.