DID-signed bearer token authentication for bridge HTTP endpoints.
Implements the authentication layer specified in spec section 12.10.2.
Bridge operators authenticate using DID-signed JWTs in the
Authorization: Bearer header. The node verifies the JWT signature
against the operator’s DID document (section 3.2).
For webhook callbacks (platform to bridge node), Ed25519 signatures in
the X-SCP-Signature header are verified against the platform’s
pre-registered public key.
§Error Codes
| Code | HTTP Status | Description |
|---|---|---|
| BRIDGE_NOT_AUTHORIZED | 401 | Bearer token invalid or expired |
| BRIDGE_SUSPENDED | 403 | Bridge is suspended by context governance |
See ADR-023 in .docs/adrs/phase-5.md and spec section 12.10.3.
Structs§
- BridgeAuthContext - Validated bridge authentication context extracted by the middleware.
- BridgeJwtClaims - JWT claims for bridge operator authentication.
Traits§
- BridgeLookup - Trait for looking up registered bridges and resolving DID documents.
Functions§
- bridge_auth_middleware - Axum middleware that validates DID-signed bearer tokens for bridge endpoints.
- create_bridge_jwt - Creates a DID-signed JWT for bridge authentication.
- verify_webhook_signature - Verifies an Ed25519 webhook signature from an external platform.
- webhook_auth_middleware - Axum middleware that validates webhook signatures from external platforms.