mcp_kit/auth/credentials.rs
1/// Raw credentials extracted from a request before validation.
2///
3/// This enum is transport-agnostic — it represents the normalized form of
4/// whatever the client sent, regardless of whether the transport is HTTP/SSE,
5/// stdio, or something else entirely.
6#[derive(Debug, Clone)]
7#[non_exhaustive]
8pub enum Credentials {
9 /// `Authorization: Bearer <token>` header.
10 Bearer { token: String },
11
12 /// `X-Api-Key: <key>` header, or `?api_key=<key>` query parameter.
13 ApiKey { key: String },
14
15 /// `Authorization: Basic <base64(username:password)>` header.
16 Basic { username: String, password: String },
17
18 /// A custom single-header credential.
19 /// The header name is normalized to lowercase.
20 CustomHeader { header_name: String, value: String },
21
22 /// Verified TLS peer certificate (mTLS).
23 /// Contains the DER-encoded bytes of the leaf certificate.
24 ClientCertificate { der: Vec<u8> },
25
26 /// No credentials were present in the request.
27 /// Used to distinguish "unauthenticated request" from "invalid credentials".
28 None,
29}
30
31impl Credentials {
32 /// Returns `true` if no credentials were provided.
33 pub fn is_none(&self) -> bool {
34 matches!(self, Self::None)
35 }
36
37 /// Returns a short label for logging/metrics (does not include secret values).
38 pub fn kind(&self) -> &'static str {
39 match self {
40 Self::Bearer { .. } => "bearer",
41 Self::ApiKey { .. } => "api_key",
42 Self::Basic { .. } => "basic",
43 Self::CustomHeader { .. } => "custom_header",
44 Self::ClientCertificate { .. } => "client_certificate",
45 Self::None => "none",
46 }
47 }
48}