Module auth

Authentication providers for OUTGOING HTTP requests (OAPI-03 / D-05 / H1).

This module is the OUTBOUND counterpart to the inbound [crate::auth::AuthProvider] (pmcp::server::auth::AuthProvider, which authenticates an INCOMING MCP request). The two are kept deliberately distinct (Pitfall 1): the trait here is HttpAuthProvider and its method is apply — it MUTATES the headers / query of a request the toolkit is about to SEND to a REST backend. This module does NOT re-implement the inbound request-validation surface.

§The six auth modes (D-05) split into two construction strategies

AuthConfig has SIX variants — None + five authenticated ones. They split by HOW the credential is obtained:

  • Static (None/ApiKey/Bearer/Basic/OAuth2ClientCredentials): fully determined by config.toml (operator credentials / ${ENV} secrets). Built ONCE at startup via create_auth_provider and shared as Arc<dyn HttpAuthProvider>. They IGNORE any inbound MCP client token.
  • Per-request passthrough (OAuthPassthrough): needs the INCOMING MCP client token for EACH request, so it cannot be fully built at startup. apply accepts an OPTIONAL inbound_token so a SINGLE trait serves both strategies — static providers ignore it, [OAuthPassthroughAuth] forwards it. Plan 04 carries the per-request token to apply; Plan 06 wires the inbound TokenCaptureAuthProvider so the captured token lands in AuthContext and is threaded into this apply.
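The split described above, as an added sketch that is not the crate's own code: one trait whose apply takes an optional inbound token, a static provider that ignores it, and a passthrough provider that forwards it and fails closed when it is absent. The Headers alias, the apply signature, the error type and the outbound_authorization helper are assumptions made for illustration, and the missing-token failure is folded into the passthrough provider here rather than modelled as a separate MissingTokenAuth.

```rust
use std::collections::BTreeMap;
use std::sync::Arc;

// Assumed stand-in for the outgoing request's header map.
type Headers = BTreeMap<String, String>;

// Assumed shape: the real HttpAuthProvider::apply signature is not shown on this page.
trait HttpAuthProvider: Send + Sync {
    fn apply(&self, headers: &mut Headers, inbound_token: Option<&str>) -> Result<(), String>;
}

// STATIC: the credential comes from operator config; the inbound token is never read,
// so a client-supplied token cannot replace or leak into the operator credential.
struct BearerAuth { token: String }
impl HttpAuthProvider for BearerAuth {
    fn apply(&self, headers: &mut Headers, _inbound_token: Option<&str>) -> Result<(), String> {
        headers.insert("authorization".to_string(), format!("Bearer {}", self.token));
        Ok(())
    }
}

// PER-REQUEST: forwards the caller's token; an absent or blank token is an error,
// never a silent unauthenticated request to the backend.
struct OAuthPassthroughAuth;
impl HttpAuthProvider for OAuthPassthroughAuth {
    fn apply(&self, headers: &mut Headers, inbound_token: Option<&str>) -> Result<(), String> {
        match inbound_token.map(str::trim).filter(|t| !t.is_empty()) {
            Some(t) => {
                headers.insert("authorization".to_string(), format!("Bearer {}", t));
                Ok(())
            }
            None => Err("passthrough auth requires an inbound client token".to_string()),
        }
    }
}

// Hypothetical helper: apply a provider to a fresh request, return its Authorization header.
fn outbound_authorization(p: &dyn HttpAuthProvider, inbound: Option<&str>) -> Result<Option<String>, String> {
    let mut headers = Headers::new();
    p.apply(&mut headers, inbound)?;
    Ok(headers.get("authorization").cloned())
}

fn main() {
    // Constructed sample values; both providers are shared behind the same trait object type.
    let fixed: Arc<dyn HttpAuthProvider> = Arc::new(BearerAuth { token: "operator-secret".to_string() });
    let pass: Arc<dyn HttpAuthProvider> = Arc::new(OAuthPassthroughAuth);
    println!("{:?}", outbound_authorization(&*fixed, Some("client-token")));
    println!("{:?}", outbound_authorization(&*pass, Some("client-token")));
    println!("{:?}", outbound_authorization(&*pass, None));
}
```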

§Ownership

AuthConfig and the provider types are OWNED HERE so Plan 01 and Plan 02 changes stay confined — Plan 02 RE-EXPORTS pmcp_server_toolkit::http::auth::AuthConfig rather than redefining it.

Structs§

ApiKeyAuth
API key authentication (query params and/or headers). STATIC: ignores inbound_token.
BasicAuth
HTTP Basic authentication. STATIC: ignores inbound_token.
BearerAuth
Bearer token authentication. STATIC: ignores inbound_token.
MissingTokenAuth
Provider that always fails — used when a required passthrough token is absent.
NoAuth
No authentication — a no-op provider.
OAuth2ClientCredentialsAuth
OAuth2 client-credentials authentication. STATIC config; ignores inbound_token.
OAuthPassthroughAuth
OAuth passthrough — forwards the INCOMING MCP client token to the backend (H1).

Enums§

AuthConfig
Outgoing-HTTP authentication configuration (OAPI-03 / D-05).

Traits§

HttpAuthProvider
Outbound HTTP authentication provider (OAPI-03).

Functions§

create_auth_provider
create_passthrough_auth_provider
Build an auth provider, capturing an incoming_token for the AuthConfig::OAuthPassthrough per-request path (H1).