§Hessra SDK
A Rust client library for interacting with Hessra authentication and authorization services.
The Hessra SDK provides a robust and flexible way to request and verify both identity tokens and authorization tokens for protected resources. Authentication can be done via mutual TLS (mTLS) or using identity tokens for most operations.
This crate combines functionality from:
- hessra-token: Authorization token verification and attestation
- hessra-token-identity: Identity token creation, verification, and delegation
- hessra-config: Configuration management
- hessra-api: HTTP client for the Hessra service
§Features
- Flexible configuration: Load configuration from various sources (environment variables, files, etc.)
- Protocol support: HTTP/1.1 support with optional HTTP/3 via feature flag
- Dual authentication: Support for both mTLS and identity token authentication
- Identity tokens: Hierarchical, delegatable identity tokens for authentication
- Authorization tokens: Request and verify authorization tokens for resources
- Local verification: Retrieve and store public keys for offline token verification
- Service chains: Support for service chain attestation and verification
§Feature Flags
- http3: Enables HTTP/3 protocol support
- toml: Enables configuration loading from TOML files
- wasm: Enables WebAssembly support for token verification
Structs§
- AuthorizationVerifier - Builder for verifying Hessra authorization tokens with flexible configuration.
- Biscuit - This structure represents a valid Biscuit token
- Hessra - Unified SDK for Hessra authentication services
- HessraBuilder - Builder for Hessra SDK instances
- HessraClientBuilder - Builder for creating Hessra clients
- HessraConfig - Configuration for Hessra SDK client
- IdentityTokenRequest - Request for minting a new identity token
- IdentityTokenResponse - Response from identity token operations
- MintIdentityTokenRequest - Request for minting a new domain-restricted identity token
- MintIdentityTokenResponse - Response from minting a domain-restricted identity token
- PublicKeyResponse - Response from a public key request
- RefreshIdentityTokenRequest - Request for refreshing an existing identity token
- ServiceChain - A chain of service nodes
- ServiceChainBuilder - Builder for a service chain
- ServiceNode
- SignTokenRequest - Request structure for token signing operations
- SignTokenResponse - Response structure for token signing operations
- SignoffInfo - Information about required signoffs for multi-party tokens
- StubTokenRequest - Request to mint a stub token that requires prefix attestation before use.
- StubTokenResponse - Response from minting a stub token.
- TokenRequest - Request payload for requesting an authorization token
- TokenResponse - Enhanced token response that may include pending signoffs
- VerifyServiceChainTokenRequest - Request payload for verifying a service chain token
- VerifyTokenRequest - Request payload for verifying an authorization token
- VerifyTokenResponse - Response from a token verification operation
Enums§
- ApiError
- ConfigError - Errors that can occur when working with Hessra configuration
- HessraClient - The main Hessra client type providing token request and verification
- KeyPair - pair of cryptographic keys used to sign a token’s block
- Protocol - Protocol options for Hessra client communication
- PublicKey - the public part of a KeyPair
- SdkError - Errors that can occur in the Hessra SDK
- TokenError - Detailed error type for hessra-token operations with specific failure information
Functions§
- add_identity_attenuation_to_token
- add_prefix_restriction - Add a prefix restriction to a token
- add_prefix_restriction_to_token - Add a prefix restriction to a base64-encoded token string
- add_service_node_attestation - Add a service node attestation to a token
- create_identity_token - Creates a basic realm identity token (delegatable).
- create_short_lived_identity_token - Create a short-lived version of an identity token for just-in-time use
- decode_token - Decode a URL-safe base64 encoded token string to binary
- encode_token - Encode binary token data to URL-safe base64 string
- fetch_ca_cert - Fetch a CA certificate from the Hessra service
- fetch_public_key - Fetch a public key from the Hessra service
- parse_server_address - Parse a server address string into (host, port) components.
- verify_biscuit_local - Verifies a Biscuit authorization token locally without contacting the authorization server.
- verify_identity_token - Verifies the token as an identity token. This validates the expiration, the signature of the token, and the identity of the token.
- verify_service_chain_biscuit_local