Token passthrough middleware for forwarding client credentials to backends.
When a backend has forward_auth = true, the client’s inbound bearer token
is extracted from RouterRequest.extensions and stored as a ClientToken
for downstream middleware and backend services to consume.
§Configuration
[[backends]]
name = "github"
transport = "http"
url = "http://github-mcp.internal:8080"
forward_auth = true # forward client's token to this backend
[[backends]]
name = "db"
transport = "http"
url = "http://db-mcp.internal:8080"
bearer_token = "${DB_API_KEY}" # static token for this backend
§How it works
- The proxy’s auth layer (JWT/bearer) validates the inbound token and stores TokenClaims in request extensions.
- This middleware reads the TokenClaims and stores the subject (sub claim) and any available identity info as a ClientToken in extensions.
- Backend-specific middleware or future transport enhancements can read ClientToken to forward credentials.
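A self-contained model of the steps above, added here as an illustration and not the crate's own code. The `Extensions` map, the `Backend` struct, the `passthrough` function and all field names are simplified stand-ins (assumptions) built on the standard library only. It shows that a ClientToken appears only when the backend opts in and the auth layer has already stored validated claims.

```rust
use std::any::{Any, TypeId};
use std::collections::HashMap;

// Simplified stand-ins for the crate's types; the fields are assumptions.
#[derive(Clone)]
pub struct TokenClaims { pub sub: Option<String> }
#[derive(Clone, Debug, PartialEq)]
pub struct ClientToken { pub subject: Option<String> }
pub struct Backend { pub name: &'static str, pub forward_auth: bool }

// Minimal type-keyed map modelling request extensions (hypothetical).
#[derive(Default)]
pub struct Extensions(HashMap<TypeId, Box<dyn Any>>);
impl Extensions {
    pub fn insert<T: Any>(&mut self, v: T) {
        self.0.insert(TypeId::of::<T>(), Box::new(v));
    }
    pub fn get<T: Any>(&self) -> Option<&T> {
        self.0.get(&TypeId::of::<T>()).and_then(|b| b.downcast_ref::<T>())
    }
}

// Passthrough step: a ClientToken is stored only if the backend has
// forward_auth = true AND validated TokenClaims are already present.
// Returns true when a ClientToken was attached.
pub fn passthrough(backend: &Backend, ext: &mut Extensions) -> bool {
    if !backend.forward_auth {
        return false; // static-credential backend: client identity stays out
    }
    let token = ext.get::<TokenClaims>()
        .map(|c| ClientToken { subject: c.sub.clone() });
    match token {
        Some(t) => { ext.insert(t); true }
        None => false, // no validated claims: nothing to forward
    }
}

fn main() {
    // Mirrors the two backends in the configuration; the claims are constructed.
    let backends = [
        Backend { name: "github", forward_auth: true },
        Backend { name: "db", forward_auth: false },
    ];
    for b in &backends {
        let mut ext = Extensions::default();
        ext.insert(TokenClaims { sub: Some("alice".to_string()) });
        println!("{}: ClientToken attached = {}", b.name, passthrough(b, &mut ext));
    }
}
```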
Structs§
- ClientToken - A client’s identity token extracted from inbound authentication.
- TokenPassthroughService - Middleware that extracts client identity from auth claims and makes it available to backends configured with forward_auth = true.