Module auth 

Bearer token sources.

A TokenSource loads (actor_id, token) pairs that the server uses to authenticate incoming bearer tokens. Plaintext tokens returned here are hashed immediately by AppState on ingest — see hash_bearer_token — and never persist past startup/refresh.

The trait exists so that additional backends (AWS Secrets Manager, HashiCorp Vault, etc.) can plug in behind feature flags without touching the server wiring.

Structs

EnvOrFileTokenSource

Reads bearer tokens from environment variables and / or files, matching the long-standing server configuration:

Constants

AWS_SECRET_ENV

Environment variable that, when set, selects AWS Secrets Manager as the token source. Its value is the secret ID or ARN. Only honored when the binary is compiled with --features aws.

Traits

TokenSource

A source of bearer tokens, returned as (actor_id, token) pairs in plaintext. The caller is expected to hash tokens before storing them.

Functions

resolve_token_source

Pick the token source based on configuration.