Skip to main content

Module auth

hotdata

Module auth 

Source
Expand description

Transparent API-token -> JWT exchange for the Hotdata Rust SDK.

Hotdata authenticates API requests with short-lived JWTs. Users still configure the SDK with their long-lived hd_ API token, but every request should carry a fresh JWT instead. This module is the hand-written, regeneration-immune piece that makes that happen behind the scenes: TokenManager exchanges the API token for a JWT at POST {host}/v1/auth/jwt and keeps it fresh, mirroring the CLI’s jwt.rs and the Python SDK’s hotdata/_auth.py so the CLI and SDKs behave identically.

OpenAPI Generator only rewrites the files it emits, so this hand-added module survives regeneration (precedent: the Python SDK’s _auth.py). It is additionally listed in .openapi-generator-ignore as belt-and-suspenders.

Key behaviors:

  • Pass-through – a credential that already looks like a JWT (eyJ prefix, matching the Gateway’s own ^Bearer eyJ.* detection) is returned unchanged and never exchanged. Every other (opaque) credential is treated as an API token and exchanged. (Hotdata API tokens are bare hex; the hd_ prefix seen in docs is cosmetic and not enforced by the server, so we must not gate on it.)
  • Opt-out – if HOTDATA_DISABLE_JWT_EXCHANGE is set to an affirmative value (1/true/yes/on, trimmed + lowercased), the credential is always returned as-is (hard escape hatch for rollout / local dev). Other values (incl. 0/false/empty) do NOT opt out.
  • In-memory cache only – no disk writes. The server already de-duplicates mints (keyed by sha256(api_token)), so per-process caching is sufficient.
  • Thread-safe single-flight – a tokio::sync::Mutex held across the mint request ensures concurrent first-requests perform exactly one mint.
  • Refresh, then re-mint – prefer the refresh token when available; on any refresh failure, drop it and re-mint from the held API token (always possible since the SDK holds it). Matches the CLI.
  • TLS/proxy reuse – the exchange reuses the SDK’s configured reqwest::Client (cloned in by the crate::client::Client builder), so it honors the same TLS / proxy / timeout settings as every other request, with a bounded per-request timeout so a stalled token endpoint fails fast instead of hanging every call.

Structs§

TokenManager
Exchanges an API token for short-lived JWTs and keeps them fresh.
TokenManagerOptions
Tuning for TokenManager::with_options.

Enums§

TokenExchangeError
Raised when an API token cannot be exchanged for a JWT.

Constants§

CLIENT_ID
client_id sent with every token-exchange request. Distinct from the CLI’s hotdata-cli and the Python SDK’s hotdata-python-sdk so server-side logs can attribute mints to the Rust SDK.
LEEWAY_SECS
Refresh early so callers don’t race an expiring token (seconds).
TIMEOUT_SECS
Bounded timeout for the exchange request – never let a stalled token endpoint hang every request (seconds).

Traits§

BearerTokenProvider
A pluggable async source of bearer tokens.

Type Aliases§

PersistCallback
Callback fired after a successful mint so a host (e.g. the CLI) can persist the rotated tokens across process invocations.