Bearer-token authentication for the generic tool proxy.
§Design
SessionToken wraps a 64-character hex string (32 random bytes). A fresh
token is minted at proxy startup and embedded into every generated client
artifact. Stale artifacts from previous sessions simply fail to
authenticate.
Token verification uses a constant-time comparison (a byte-wise XOR fold that
visits every byte, whether or not an earlier byte already differs), so the time
taken does not reveal how much of a guess matched. This mirrors the behaviour
of Python's hmac.compare_digest.
§Wire format
Clients must send Authorization: Bearer <token> in every POST /exec
request. The verify method accepts the raw header value, i.e. everything
after the colon-space, scheme included ("Bearer <token>"), and rejects a value
that lacks the Bearer scheme or whose token does not match.
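The following is an added example, not the proxy's own code, sketching what the design and wire-format sections above describe: a SessionToken holding 64 hex characters, a verify method that takes the raw Authorization header value, and a constant-time XOR-fold comparison. The real proxy mints the 32 bytes from the OS RNG at startup; this example takes the bytes as a parameter (from_bytes is a hypothetical constructor) so it runs offline with constructed input.

```rust
// Added example (not the proxy's own code): SessionToken with constant-time
// verification of a "Bearer <token>" header value.

/// A session-scoped bearer token: 32 random bytes rendered as 64 hex chars.
#[derive(Clone, Debug)]
pub struct SessionToken {
    hex: String,
}

impl SessionToken {
    /// Build a token from 32 raw bytes. The proxy itself draws these from the
    /// OS RNG at startup (assumption); taking them as input keeps the example
    /// deterministic and offline.
    pub fn from_bytes(bytes: &[u8; 32]) -> Self {
        let mut hex = String::with_capacity(64);
        for b in bytes {
            hex.push_str(&format!("{:02x}", b));
        }
        SessionToken { hex }
    }

    /// The value embedded into every generated client artifact.
    pub fn as_str(&self) -> &str {
        &self.hex
    }

    /// Verify the raw `Authorization` header value (everything after the
    /// colon-space), e.g. "Bearer 0123...". Returns false when the Bearer
    /// scheme is missing, the length is wrong, or the token differs.
    pub fn verify(&self, header_value: &str) -> bool {
        let candidate = match header_value.strip_prefix("Bearer ") {
            Some(rest) => rest,
            None => return false,
        };
        constant_time_eq(candidate.as_bytes(), self.hex.as_bytes())
    }
}

/// Constant-time byte comparison (XOR fold), mirroring Python's
/// hmac.compare_digest: every byte pair is visited and the differences are
/// OR-ed together, so the loop never exits early on a mismatch. The length
/// check is the only early return; token length is fixed at 64 characters
/// and therefore public, so it reveals nothing about the secret.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

fn main() {
    // Constructed sample key material, not a real session token.
    let token = SessionToken::from_bytes(&[0xab; 32]);
    let good = format!("Bearer {}", token.as_str());
    // A token from an earlier session: same shape, different bytes.
    let stale = format!("Bearer {}", "cd".repeat(32));
    println!("valid header   -> {}", token.verify(&good));
    println!("stale token    -> {}", token.verify(&stale));
    println!("missing scheme -> {}", token.verify(token.as_str()));
}
```

The stale-token case is exactly the "artifacts from previous sessions simply fail to authenticate" behaviour: the header is well formed, but the 64 bytes differ, so the fold yields a non-zero value. A hand-written XOR fold like this one is what the module describes; production code often reaches for a vetted crate such as `subtle` instead, which additionally guards against the optimizer rewriting the loop.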
Structs§
- SessionToken - A session-scoped bearer token.