pub trait CredentialProvider: Debug + Send + Sync {
    // Required method
    fn current<'life0, 'async_trait>(
        &'life0 self,
    ) -> Pin<Box<dyn Future<Output = Result<String, ProviderError>> + Send + 'async_trait>>
    where
        Self: 'async_trait,
        'life0: 'async_trait;

    // Provided method
    fn invalidate<'life0, 'async_trait>(
        &'life0 self,
    ) -> Pin<Box<dyn Future<Output = Result<(), ProviderError>> + Send + 'async_trait>>
    where
        Self: 'async_trait,
        'life0: 'async_trait { ... }
}
Pluggable source of the API key for a ModelConfig.
Long-running agents on short-lived credentials (AWS STS, OAuth, Workload-Identity)
would otherwise hit ProviderError::Auth mid-run and stop. Wiring a
CredentialProvider lets the agent resolve the current key per-call and refresh
on auth failures — the retry loop in streaming.rs calls invalidate() once on
Auth and retries the stream call before propagating.
The trait is intentionally tiny — implementors are free to cache, validate against an external metadata service, or block on a key-management API as needed.
§Example
use async_trait::async_trait;
use phi_core::provider::{CredentialProvider, ProviderError};
use std::sync::Mutex;

#[derive(Debug)]
struct StsProvider {
    cached: Mutex<Option<String>>,
}

#[async_trait]
impl CredentialProvider for StsProvider {
    async fn current(&self) -> Result<String, ProviderError> {
        if let Some(k) = self.cached.lock().unwrap().clone() {
            return Ok(k);
        }
        // Hit STS, cache, return... (omitted)
        Err(ProviderError::Auth("STS unavailable".into()))
    }

    async fn invalidate(&self) -> Result<(), ProviderError> {
        self.cached.lock().unwrap().take();
        Ok(())
    }
}

Required Methods§
fn current<'life0, 'async_trait>(
    &'life0 self,
) -> Pin<Box<dyn Future<Output = Result<String, ProviderError>> + Send + 'async_trait>>
where
    Self: 'async_trait,
    'life0: 'async_trait,
Return the current API key for this credential. Implementations may cache,
re-fetch from a metadata service, or compute on the fly. Called once per
StreamProvider::stream() invocation.
Provided Methods§
fn invalidate<'life0, 'async_trait>(
    &'life0 self,
) -> Pin<Box<dyn Future<Output = Result<(), ProviderError>> + Send + 'async_trait>>
where
    Self: 'async_trait,
    'life0: 'async_trait,
Hint that the current cached credential has been rejected by the upstream
API and a fresh value should be fetched on the next current() call.
Default impl is a no-op for providers that always re-fetch.
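The contract described above (invalidate() is called once on Auth, the call is retried, and the error propagates only if the retry also fails), as an added example that is not phi_core's own code. To build with std alone it uses a synchronous stand-in trait and a one-variant error enum; SyncCredentialProvider, RotatingProvider, call_with_refresh and the key-N values are hypothetical. Debug is written by hand because the trait requires Debug and a derived impl on a struct that holds the key prints the key.

```rust
use std::fmt;
use std::sync::Mutex;
// Hypothetical std-only stand-ins for the page's async trait and error type.
#[derive(Debug, PartialEq)]
enum ProviderError { Auth(String) }
trait SyncCredentialProvider: fmt::Debug + Send + Sync {
    fn current(&self) -> Result<String, ProviderError>;
    fn invalidate(&self) -> Result<(), ProviderError> { Ok(()) } // no-op default
}
struct RotatingProvider { cached: Mutex<Option<String>>, fetches: Mutex<u32> }

// Hand-written Debug: a derived impl would print the cached key into logs.
impl fmt::Debug for RotatingProvider {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let state = if self.cached.lock().unwrap().is_some() { "<redacted>" } else { "<empty>" };
        f.debug_struct("RotatingProvider").field("cached", &state).finish()
    }
}

impl SyncCredentialProvider for RotatingProvider {
    fn current(&self) -> Result<String, ProviderError> {
        let mut slot = self.cached.lock().unwrap();
        if let Some(k) = slot.as_ref() { return Ok(k.clone()); }
        let mut n = self.fetches.lock().unwrap();
        *n += 1;
        let key = format!("key-{}", *n); // constructed value, stands in for a token-service reply
        *slot = Some(key.clone());
        Ok(key)
    }
    fn invalidate(&self) -> Result<(), ProviderError> {
        self.cached.lock().unwrap().take(); // drop the rejected key; next current() re-fetches
        Ok(())
    }
}

// On Auth: invalidate once, retry once, then propagate whatever the retry returns.
fn call_with_refresh<T>(
    p: &dyn SyncCredentialProvider,
    mut call: impl FnMut(&str) -> Result<T, ProviderError>,
) -> Result<T, ProviderError> {
    match call(&p.current()?) {
        Err(ProviderError::Auth(_)) => { p.invalidate()?; call(&p.current()?) }
        other => other,
    }
}

fn main() {
    let p = RotatingProvider { cached: Mutex::new(None), fetches: Mutex::new(0) };
    println!("{:?} {:?}", call_with_refresh(&p, |k| Ok(k.len())), p);
}
```

Capping the retry at one attempt keeps a permanently revoked credential from turning into an unbounded refresh loop against the token service.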
Dyn Compatibility§
This trait is dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety".