package token

v0.7.19 Latest
Published: May 6, 2026 License: MIT Imports: 8 Imported by: 0

Documentation

Overview

Package token mints and verifies per-run bearer JWTs. The signing key is derived from the process-wide master key via HKDF so it's distinct from any other HMAC keys we might derive in the future.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type RunClaims

type RunClaims struct {
	RunID      uuid.UUID
	OrgID      uuid.UUID
	SecretRefs []string
	ExpiresAt  time.Time
}

RunClaims are the fields a per-run JWT carries.

type Signer

type Signer struct {
	// contains filtered or unexported fields
}

Signer signs and verifies RunClaims tokens.

func New

func New(master []byte) *Signer

New derives a 32-byte HMAC signing key from the master key via HKDF-SHA256. The master key must be 32 bytes (validated at the secretstore layer).

func (*Signer) HashToken

func (s *Signer) HashToken(tok string) string

HashToken returns the hex-encoded sha256 of a bearer token. Deterministic across calls; stable for the same input.

func (*Signer) Sign

func (s *Signer) Sign(c RunClaims) (tok, hash string, err error)

Sign returns (compact JWT, sha256-hex-hash) for the given claims. The hash is what the server stores in run.runner_token_hash so the plaintext bearer never needs to live in the database.

func (*Signer) Verify

func (s *Signer) Verify(bearer string) (RunClaims, error)

Verify parses and cryptographically verifies a bearer token, returning its claims or an error. Expired tokens produce an error whose message contains "expired".
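The package's own implementation is not shown on this page; the following is an added, stand-alone example (not the project's code) of how a Signer with the documented shape can be built using only the Go standard library. HKDF-SHA256 is written out by hand (RFC 5869 extract-then-expand) instead of imported, RunID and OrgID are plain strings rather than uuid.UUID, the HKDF info string and the JSON claim names are chosen for this example, and the 32-byte master key in main is a constructed demo value. Verify pins the JWT alg to HS256 before checking anything else and compares signatures with hmac.Equal, so a header supplied by the bearer cannot select a different algorithm and the comparison is constant-time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RunClaims mirrors the documented struct. Assumption for this example:
// RunID/OrgID are strings so no uuid module is needed; JSON names are ours.
type RunClaims struct {
	RunID      string    `json:"run_id"`
	OrgID      string    `json:"org_id"`
	SecretRefs []string  `json:"secret_refs"`
	ExpiresAt  time.Time `json:"exp"`
}

// Signer holds the HKDF-derived HMAC key; now is injectable for tests.
type Signer struct {
	key []byte
	now func() time.Time
}

// hkdfSHA256 is RFC 5869 extract-then-expand with SHA-256, built from
// crypto/hmac only so the example has no golang.org/x/crypto dependency.
func hkdfSHA256(ikm, salt []byte, info string, n int) []byte {
	if salt == nil {
		salt = make([]byte, sha256.Size) // RFC default: HashLen zero bytes
	}
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		h := hmac.New(sha256.New, prk)
		h.Write(t)
		h.Write([]byte(info))
		h.Write([]byte{i})
		t = h.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// New derives a 32-byte HMAC key from the master key. The docs say the
// length is validated upstream; panicking here catches misuse early.
func New(master []byte) *Signer {
	if len(master) != 32 {
		panic("token: master key must be 32 bytes")
	}
	// The info label is an assumption; it namespaces this key from any
	// other HKDF-derived key sharing the same master secret.
	return &Signer{key: hkdfSHA256(master, nil, "per-run jwt hmac key", 32), now: time.Now}
}

// HashToken returns hex(sha256(tok)); this is what a server would store.
func (s *Signer) HashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// Sign produces a compact HS256 JWT and its sha256 hex hash.
func (s *Signer) Sign(c RunClaims) (tok, hash string, err error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", "", err
	}
	enc := base64.RawURLEncoding
	signing := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, s.key)
	mac.Write([]byte(signing))
	tok = signing + "." + enc.EncodeToString(mac.Sum(nil))
	return tok, s.HashToken(tok), nil
}

// Verify checks alg, then the HMAC, then expiry, and only then trusts claims.
func (s *Signer) Verify(bearer string) (RunClaims, error) {
	var c RunClaims
	parts := strings.Split(bearer, ".")
	if len(parts) != 3 {
		return c, errors.New("token: malformed")
	}
	enc := base64.RawURLEncoding
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("token: bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return c, errors.New("token: unexpected alg") // no "none", no RS256 confusion
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return c, errors.New("token: bad signature encoding")
	}
	mac := hmac.New(sha256.New, s.key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("token: signature mismatch")
	}
	body, err := enc.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("token: bad payload encoding")
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if !s.now().Before(c.ExpiresAt) {
		return c, errors.New("token: expired")
	}
	return c, nil
}

func main() {
	master := []byte("0123456789abcdef0123456789abcdef") // constructed demo key
	s := New(master)
	tok, hash, err := s.Sign(RunClaims{RunID: "run-1", OrgID: "org-1",
		SecretRefs: []string{"db/password"}, ExpiresAt: time.Now().Add(time.Hour)})
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	fmt.Println("stored hash:", hash)
	claims, err := s.Verify(tok)
	fmt.Println("verified:", claims.RunID, err)
}
```

The order of checks in Verify is the point of the example: the algorithm is pinned and the signature checked before the payload is even decoded, so claim parsing never runs on unauthenticated input, and the expiry check produces the "expired" error the documentation promises only for tokens that have already passed the HMAC check.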
