authhttp

package
v0.59.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 23, 2026 License: MIT Imports: 40 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	ActionUpdateUsername           = "update_username"
	ActionRequestPasswordReset     = "request_password_reset"
	ActionRequestEmailVerification = "request_email_verification"
	ActionRequestPhoneVerification = "request_phone_verification"
)
View Source 
const (
	// 2FA-specific rate limit buckets
	RL2FAStartPhone      = "auth_2fa_start_phone"
	RL2FAStartTOTP       = "auth_2fa_start_totp"
	RL2FAEnable          = "auth_2fa_enable"
	RL2FADisable         = "auth_2fa_disable"
	RL2FARegenerateCodes = "auth_2fa_regenerate_codes"
	RL2FAVerify          = "auth_2fa_verify"

	RLAuthToken                = "auth_token"
	RLAuthRegister             = "auth_register"
	RLAuthRegisterAvailability = "auth_register_availability"
	RLAuthRegisterResendEmail  = "auth_register_resend_email"
	RLAuthRegisterResendPhone  = "auth_register_resend_phone"
	RLAuthRegisterAbandon      = "auth_register_abandon"
	RLPasswordLogin            = "auth_password_login"
	RLPasskeyRegister          = "auth_passkey_register"
	RLPasskeyLogin             = "auth_passkey_login"
	RLAuthLogout               = "auth_logout"
	RLAuthSessionsCurrent      = "auth_sessions_current"
	RLAuthSessionsList         = "auth_sessions_list"
	RLAuthSessionsRevoke       = "auth_sessions_revoke"
	RLAuthSessionsRevokeAll    = "auth_sessions_revoke_all"

	RLPasswordResetRequest = "auth_pwd_reset_request"
	RLPasswordResetConfirm = "auth_pwd_reset_confirm"
	RLEmailVerifyRequest   = "auth_email_verify_request"
	RLEmailVerifyConfirm   = "auth_email_verify_confirm"
	RLPhoneVerifyRequest   = "auth_phone_verify_request"
	RLPhoneVerifyConfirm   = "auth_phone_verify_confirm"

	RLOIDCStart    = "auth_oidc_start"
	RLOIDCCallback = "auth_oidc_callback"

	RLUserPasswordChange    = "auth_user_password_change"
	RLUserMe                = "auth_user_me"
	RLUserUpdateUsername    = "auth_user_update_username"
	RLUserPreferredLanguage = "auth_user_preferred_language"
	RLUserUpdateEmail       = "auth_user_update_email"

	RLUserEmailChangeRequest = "auth_user_email_change_request"
	RLUserEmailChangeConfirm = "auth_user_email_change_confirm"
	RLUserEmailChangeResend  = "auth_user_email_change_resend"
	RLUserEmailChangeCancel  = "auth_user_email_change_cancel"

	RLUserPhoneChangeRequest = "auth_user_phone_change_request"
	RLUserPhoneChangeConfirm = "auth_user_phone_change_confirm"
	RLUserPhoneChangeResend  = "auth_user_phone_change_resend"
	RLUserPhoneChangeCancel  = "auth_user_phone_change_cancel"

	RLUserDelete         = "auth_user_delete"
	RLUserUnlinkProvider = "auth_user_unlink_provider"

	RLAdminRolesGrant            = "auth_admin_roles_grant"
	RLAdminRolesRevoke           = "auth_admin_roles_revoke"
	RLAdminUserSessionsList      = "auth_admin_user_sessions_list"
	RLAdminUserSessionsRevoke    = "auth_admin_user_sessions_revoke"
	RLAdminUserSessionsRevokeAll = "auth_admin_user_sessions_revoke_all"
	RLAdminPasswordReset         = "auth_admin_password_reset"

	// Solana SIWS authentication
	RLSolanaChallenge = "auth_solana_challenge"
	RLSolanaLogin     = "auth_solana_login"
	RLSolanaLink      = "auth_solana_link"
)

Bucket names used by authkit endpoints.

View Source 
const (
	ServicePrincipalType       = verify.ServicePrincipalType
	RemoteApplicationTokenType = verify.RemoteApplicationTokenType
)
View Source 
const AccessTokenType = jwtkit.AccessTokenType

AccessTokenType is the canonical JOSE `typ` header value for an AuthKit user access token.

View Source 
const DefaultOutboundTimeout = 30 * time.Second

DefaultOutboundTimeout bounds AuthKit's first-party outbound HTTP calls that reach networked dependencies under partial attacker control — most notably the Verifier's JWKS fetches and remote-application issuer registration POST. Without a timeout a slow or hostile endpoint can wedge a request goroutine indefinitely; when the caller also single-flights (as the Verifier does on first use of an issuer or after an unknown-kid refetch), one hung fetch stalls every concurrent waiter — a cheap denial-of-service amplifier.

View Source 
const DelegatedAccessTokenType = jwtkit.DelegatedAccessTokenType

DelegatedAccessTokenType is the canonical JOSE `typ` header value for a delegated access token.

View Source 
const RemoteApplicationAccessTokenType = jwtkit.RemoteApplicationAccessTokenType

RemoteApplicationAccessTokenType is the JOSE `typ` for a remote application access token. AuthKit resolves authority from the stored remote_application assignment, never from role claims in the token.

Variables

View Source 
var (
	NewVerifier            = verify.NewVerifier
	Required               = verify.Required
	Optional               = verify.Optional
	RequireEntitlement     = verify.RequireEntitlement
	RequireAnyEntitlement  = verify.RequireAnyEntitlement
	RequireFreshAuth       = verify.RequireFreshAuth
	RequireAMR             = verify.RequireAMR
	RequireMFA             = verify.RequireMFA
	RequireACR             = verify.RequireACR
	Sensitive              = verify.Sensitive
	SensitiveClaims        = verify.SensitiveClaims
	ClaimsFromContext      = verify.ClaimsFromContext
	WithSkew               = verify.WithSkew
	WithAlgorithms         = verify.WithAlgorithms
	WithHTTPClient         = verify.WithHTTPClient
	WithSSRFGuard          = verify.WithSSRFGuard
	WithAPIKeyPrefix       = verify.WithAPIKeyPrefix
	WithPermissions        = verify.WithPermissions
	WithAttributesPolicy   = verify.WithAttributesPolicy
	WithAttributeHydration = verify.WithAttributeHydration

	RequiredServiceJWT             = verify.RequiredServiceJWT
	ServiceJWTPrincipalFromContext = verify.ServiceJWTPrincipalFromContext
	WithServiceJWTMaxLifetime      = verify.WithServiceJWTMaxLifetime
	WithServiceJWTReplayChecker    = verify.WithServiceJWTReplayChecker
	RemoteApplicationCORS          = verify.RemoteApplicationCORS
	RequireDelegatedOrigin         = verify.RequireDelegatedOrigin
	NewSSRFGuardedClient           = verify.NewSSRFGuardedClient
)

Functions

func AllowNamed 

func AllowNamed(r *http.Request, rl RateLimiter, bucket string) bool

AllowNamed applies a per-IP limit using the provided bucket name. It fails open on limiter error.

func DefaultRateLimits 

func DefaultRateLimits() map[string]Limit

DefaultRateLimits returns AuthKit's built-in per-endpoint rate limits.

These limits are enforced per client IP (as determined by the Service's ClientIPFunc). Hosts can override by supplying their own limiter via WithRateLimiter(...).

func JWKSHandler 

func JWKSHandler(jwks jwtkit.JWKS) http.Handler

JWKSHandler serves the public JWKS document for the given key set.

func LanguageMiddleware 

func LanguageMiddleware(cfg *LanguageConfig) func(http.Handler) http.Handler

LanguageMiddleware infers request language and attaches it to the request context.

func MintDelegatedAccessToken added in v0.12.0 

func MintDelegatedAccessToken(ctx context.Context, signer jwtkit.Signer, p DelegatedAccessParams) (string, error)

MintDelegatedAccessToken signs a canonical delegated access token with an explicit signer. It is a thin re-export of core.MintDelegatedAccessToken; embedders holding a *core.Service should prefer (*core.Service).MintDelegatedAccessToken so they never construct a signer.

func ToMemoryLimits 

func ToMemoryLimits(in map[string]Limit) map[string]memorylimiter.Limit

func ToRedisLimits 

func ToRedisLimits(in map[string]Limit) map[string]redislimiter.Limit

Types

type ActionAvailability added in v0.9.4 

type ActionAvailability struct {
	Action            string     `json:"action"`
	Allowed           bool       `json:"allowed"`
	Reason            string     `json:"reason,omitempty"`
	RetryAfterSeconds int64      `json:"retry_after_seconds,omitempty"`
	NextAllowedAt     *time.Time `json:"next_allowed_at,omitempty"`
	Limit             *int       `json:"limit,omitempty"`
	Remaining         *int       `json:"remaining,omitempty"`
	WindowSeconds     *int64     `json:"window_seconds,omitempty"`
	CooldownSeconds   *int64     `json:"cooldown_seconds,omitempty"`
}

type AttributeDefResolver added in v0.27.0 

type AttributeDefResolver = verify.AttributeDefResolver

type AttributesValidator added in v0.12.0 

type AttributesValidator = verify.AttributesValidator

type Claims 

type Claims = verify.Claims

type ClientIPFunc 

type ClientIPFunc func(r *http.Request) string

ClientIPFunc determines the client IP used for rate limiting and auditing.

Returning an empty string means "unknown" and causes rate limiting to fail open.

func ClientIPFromForwardedHeaders 

func ClientIPFromForwardedHeaders(trustedProxies []netip.Prefix) ClientIPFunc

ClientIPFromForwardedHeaders trusts CF-Connecting-IP and X-Forwarded-For only when the immediate peer (RemoteAddr) is in trustedProxies. Otherwise it falls back to DefaultClientIP behavior.

func DefaultClientIP 

func DefaultClientIP() ClientIPFunc

DefaultClientIP returns the immediate peer IP from RemoteAddr.

This intentionally includes private and loopback peers so embedded/local deployments still get default rate-limit protection. Hosts behind reverse proxies should use ClientIPFromForwardedHeaders with trusted proxy CIDRs when they need the original public client IP instead of the proxy peer.

func PublicRemoteAddrClientIP added in v0.9.1 

func PublicRemoteAddrClientIP() ClientIPFunc

PublicRemoteAddrClientIP returns the older conservative client IP strategy:

  • If RemoteAddr is a public IP, use it.
  • If RemoteAddr is private/loopback/etc, return "" (fail open) so we don't accidentally rate-limit a reverse proxy/ingress as a single client.

type DelegatedAccessParams added in v0.12.0 

type DelegatedAccessParams = core.DelegatedAccessParams

DelegatedAccessParams describes a delegated access token to mint. It is an alias for core.DelegatedAccessParams; the canonical definition (and the (*core.Service).MintDelegatedAccessToken mint method) live in package core so hosts can mint through the Service's internal signer without touching keys.

type DelegatedPrincipal added in v0.9.6 

type DelegatedPrincipal = verify.DelegatedPrincipal

type Enricher added in v0.45.0 

type Enricher = verify.Enricher

type ErrorCode added in v0.46.0 

type ErrorCode string

ErrorCode is a stable AuthKit HTTP wire error code. 

const (
	// ErrTwoFAChallengeFailed is the 2fa_challenge_failed AuthKit HTTP wire error code.
	ErrTwoFAChallengeFailed ErrorCode = "2fa_challenge_failed"

	// ErrTwoFASendFailed is the 2fa_send_failed AuthKit HTTP wire error code.
	ErrTwoFASendFailed ErrorCode = "2fa_send_failed"

	// ErrTwoFAEnrollmentRequired is the 2fa_enrollment_required AuthKit HTTP wire error code.
	ErrTwoFAEnrollmentRequired ErrorCode = "2fa_enrollment_required"

	// ErrAbandonFailed is the abandon_failed AuthKit HTTP wire error code.
	ErrAbandonFailed ErrorCode = "abandon_failed"

	// ErrAccessTokenCreateFailed is the access_token_create_failed AuthKit HTTP wire error code.
	ErrAccessTokenCreateFailed ErrorCode = "access_token_create_failed"

	// ErrAccessTokenListFailed is the access_token_list_failed AuthKit HTTP wire error code.
	ErrAccessTokenListFailed ErrorCode = "access_token_list_failed"

	// ErrAccessTokenNotFound is the access_token_not_found AuthKit HTTP wire error code.
	ErrAccessTokenNotFound ErrorCode = "access_token_not_found"

	// ErrAccessTokenRevokeFailed is the access_token_revoke_failed AuthKit HTTP wire error code.
	ErrAccessTokenRevokeFailed ErrorCode = "access_token_revoke_failed"

	// ErrAccountAlreadyClaimed is the account_already_claimed AuthKit HTTP wire error code.
	ErrAccountAlreadyClaimed ErrorCode = "account_already_claimed"

	// ErrAccountClaimUserFailed is the account_claim_user_failed AuthKit HTTP wire error code.
	ErrAccountClaimUserFailed ErrorCode = "account_claim_user_failed"

	// ErrAccountExistsLinkRequired is the account_exists_link_required AuthKit HTTP wire error code.
	ErrAccountExistsLinkRequired ErrorCode = "account_exists_link_required"

	// ErrAccountParkFailed is the account_park_failed AuthKit HTTP wire error code.
	ErrAccountParkFailed ErrorCode = "account_park_failed"

	// ErrAccountRestrictFailed is the account_restrict_failed AuthKit HTTP wire error code.
	ErrAccountRestrictFailed ErrorCode = "account_restrict_failed"

	// ErrAccountUnrestrictFailed is the account_unrestrict_failed AuthKit HTTP wire error code.
	ErrAccountUnrestrictFailed ErrorCode = "account_unrestrict_failed"

	// ErrAddMemberFailed is the add_member_failed AuthKit HTTP wire error code.
	ErrAddMemberFailed ErrorCode = "add_member_failed"

	// ErrAddressMismatch is the address_mismatch AuthKit HTTP wire error code.
	ErrAddressMismatch ErrorCode = "address_mismatch"

	// ErrAddressRequired is the address_required AuthKit HTTP wire error code.
	ErrAddressRequired ErrorCode = "address_required"

	// ErrAssignRoleFailed is the assign_role_failed AuthKit HTTP wire error code.
	ErrAssignRoleFailed ErrorCode = "assign_role_failed"

	// ErrAttributeDefNotFound is the attribute_def_not_found AuthKit HTTP wire error code.
	ErrAttributeDefNotFound ErrorCode = "attribute_def_not_found"

	// ErrAttributeDefRegisterFailed is the attribute_def_register_failed AuthKit HTTP wire error code.
	ErrAttributeDefRegisterFailed ErrorCode = "attribute_def_register_failed"

	// ErrAttributeDefResolveFailed is the attribute_def_resolve_failed AuthKit HTTP wire error code.
	ErrAttributeDefResolveFailed ErrorCode = "attribute_def_resolve_failed"

	// ErrAuthRequiredForLink is the auth_required_for_link AuthKit HTTP wire error code.
	ErrAuthRequiredForLink ErrorCode = "auth_required_for_link"

	// ErrAuthenticationFailed is the authentication_failed AuthKit HTTP wire error code.
	ErrAuthenticationFailed ErrorCode = "authentication_failed"

	// ErrAuthenticationRequired is the authentication_required AuthKit HTTP wire error code.
	ErrAuthenticationRequired ErrorCode = "authentication_required"

	// ErrAuthkitNotInitialized is the authkit_not_initialized AuthKit HTTP wire error code.
	ErrAuthkitNotInitialized ErrorCode = "authkit_not_initialized"

	// ErrAuthlogUnavailable is the authlog_unavailable AuthKit HTTP wire error code.
	ErrAuthlogUnavailable ErrorCode = "authlog_unavailable"

	// ErrCancelFailed is the cancel_failed AuthKit HTTP wire error code.
	ErrCancelFailed ErrorCode = "cancel_failed"

	// ErrCannotRemoveLastOwner is the cannot_remove_last_owner AuthKit HTTP wire error code.
	ErrCannotRemoveLastOwner ErrorCode = "cannot_remove_last_owner"

	// ErrCannotUnlinkLastLoginMethod is the cannot_unlink_last_login_method AuthKit HTTP wire error code.
	ErrCannotUnlinkLastLoginMethod ErrorCode = "cannot_unlink_last_login_method"

	// ErrChallengeExpired is the challenge_expired AuthKit HTTP wire error code.
	ErrChallengeExpired ErrorCode = "challenge_expired"

	// ErrChallengeFailed is the challenge_failed AuthKit HTTP wire error code.
	ErrChallengeFailed ErrorCode = "challenge_failed"

	// ErrChallengeVerifyFailed is the challenge_verify_failed AuthKit HTTP wire error code.
	ErrChallengeVerifyFailed ErrorCode = "challenge_verify_failed"

	// ErrDatabaseError is the database_error AuthKit HTTP wire error code.
	ErrDatabaseError ErrorCode = "database_error"

	// ErrDefineRoleFailed is the define_role_failed AuthKit HTTP wire error code.
	ErrDefineRoleFailed ErrorCode = "define_role_failed"

	// ErrDeleteRoleFailed is the delete_role_failed AuthKit HTTP wire error code.
	ErrDeleteRoleFailed ErrorCode = "delete_role_failed"

	// ErrDisableTwoFAFailed is the disable_2fa_failed AuthKit HTTP wire error code.
	ErrDisableTwoFAFailed ErrorCode = "disable_2fa_failed"

	// ErrDuplicateResource is the duplicate_resource AuthKit HTTP wire error code.
	ErrDuplicateResource ErrorCode = "duplicate_resource"

	// ErrEmailAlreadyVerified is the email_already_verified AuthKit HTTP wire error code.
	ErrEmailAlreadyVerified ErrorCode = "email_already_verified"

	// ErrEmailDeliveryFailed is the email_delivery_failed AuthKit HTTP wire error code.
	ErrEmailDeliveryFailed ErrorCode = "email_delivery_failed"

	// ErrEmailInUse is the email_in_use AuthKit HTTP wire error code.
	ErrEmailInUse ErrorCode = "email_in_use"

	// ErrEmailNotVerified is the email_not_verified AuthKit HTTP wire error code.
	ErrEmailNotVerified ErrorCode = "email_not_verified"

	// ErrEmailPasswordResetUnavailable is the email_password_reset_unavailable AuthKit HTTP wire error code.
	ErrEmailPasswordResetUnavailable ErrorCode = "email_password_reset_unavailable"

	// ErrEmailRegistrationUnavailable is the email_registration_unavailable AuthKit HTTP wire error code.
	ErrEmailRegistrationUnavailable ErrorCode = "email_registration_unavailable"

	// ErrEmailSenderUnavailable is the email_sender_unavailable AuthKit HTTP wire error code.
	ErrEmailSenderUnavailable ErrorCode = "email_sender_unavailable"

	// ErrEmailUnavailable is the email_unavailable AuthKit HTTP wire error code.
	ErrEmailUnavailable ErrorCode = "email_unavailable"

	// ErrEmailUnchanged is the email_unchanged AuthKit HTTP wire error code.
	ErrEmailUnchanged ErrorCode = "email_unchanged"

	// ErrEmailVerificationFailed is the email_verification_failed AuthKit HTTP wire error code.
	ErrEmailVerificationFailed ErrorCode = "email_verification_failed"

	// ErrEmailVerificationUnavailable is the email_verification_unavailable AuthKit HTTP wire error code.
	ErrEmailVerificationUnavailable ErrorCode = "email_verification_unavailable"

	// ErrEnableTwoFAFailed is the enable_2fa_failed AuthKit HTTP wire error code.
	ErrEnableTwoFAFailed ErrorCode = "enable_2fa_failed"

	// ErrEntitlementFilterUnavailable is the entitlement_filter_unavailable AuthKit HTTP wire error code.
	ErrEntitlementFilterUnavailable ErrorCode = "entitlement_filter_unavailable"

	// ErrExchangeFailed is the exchange_failed AuthKit HTTP wire error code.
	ErrExchangeFailed ErrorCode = "exchange_failed"

	// ErrFailedToBan is the failed_to_ban AuthKit HTTP wire error code.
	ErrFailedToBan ErrorCode = "failed_to_ban"

	// ErrFailedToDelete is the failed_to_delete AuthKit HTTP wire error code.
	ErrFailedToDelete ErrorCode = "failed_to_delete"

	// ErrFailedToList is the failed_to_list AuthKit HTTP wire error code.
	ErrFailedToList ErrorCode = "failed_to_list"

	// ErrFailedToListDeletedUsers is the failed_to_list_deleted_users AuthKit HTTP wire error code.
	ErrFailedToListDeletedUsers ErrorCode = "failed_to_list_deleted_users"

	// ErrFailedToListSignins is the failed_to_list_signins AuthKit HTTP wire error code.
	ErrFailedToListSignins ErrorCode = "failed_to_list_signins"

	// ErrFailedToListUsers is the failed_to_list_users AuthKit HTTP wire error code.
	ErrFailedToListUsers ErrorCode = "failed_to_list_users"

	// ErrFailedToLogout is the failed_to_logout AuthKit HTTP wire error code.
	ErrFailedToLogout ErrorCode = "failed_to_logout"

	// ErrFailedToRequestEmailChange is the failed_to_request_email_change AuthKit HTTP wire error code.
	ErrFailedToRequestEmailChange ErrorCode = "failed_to_request_email_change"

	// ErrFailedToRequestPhoneChange is the failed_to_request_phone_change AuthKit HTTP wire error code.
	ErrFailedToRequestPhoneChange ErrorCode = "failed_to_request_phone_change"

	// ErrFailedToRestoreUser is the failed_to_restore_user AuthKit HTTP wire error code.
	ErrFailedToRestoreUser ErrorCode = "failed_to_restore_user"

	// ErrFailedToRevoke is the failed_to_revoke AuthKit HTTP wire error code.
	ErrFailedToRevoke ErrorCode = "failed_to_revoke"

	// ErrFailedToRevokeAll is the failed_to_revoke_all AuthKit HTTP wire error code.
	ErrFailedToRevokeAll ErrorCode = "failed_to_revoke_all"

	// ErrFailedToRevokeSessions is the failed_to_revoke_sessions AuthKit HTTP wire error code.
	ErrFailedToRevokeSessions ErrorCode = "failed_to_revoke_sessions"

	// ErrFailedToSetPassword is the failed_to_set_password AuthKit HTTP wire error code.
	ErrFailedToSetPassword ErrorCode = "failed_to_set_password"

	// ErrFailedToUnban is the failed_to_unban AuthKit HTTP wire error code.
	ErrFailedToUnban ErrorCode = "failed_to_unban"

	// ErrFailedToUnlink is the failed_to_unlink AuthKit HTTP wire error code.
	ErrFailedToUnlink ErrorCode = "failed_to_unlink"

	// ErrFailedToUpdateBiography is the failed_to_update_biography AuthKit HTTP wire error code.
	ErrFailedToUpdateBiography ErrorCode = "failed_to_update_biography"

	// ErrFailedToUpdateEmail is the failed_to_update_email AuthKit HTTP wire error code.
	ErrFailedToUpdateEmail ErrorCode = "failed_to_update_email"

	// ErrFailedToUpdatePreferredLanguage is the failed_to_update_preferred_language AuthKit HTTP wire error code.
	ErrFailedToUpdatePreferredLanguage ErrorCode = "failed_to_update_preferred_language"

	// ErrFailedToUpdateUsername is the failed_to_update_username AuthKit HTTP wire error code.
	ErrFailedToUpdateUsername ErrorCode = "failed_to_update_username"

	// ErrForbidden is the forbidden AuthKit HTTP wire error code.
	ErrForbidden ErrorCode = "forbidden"

	// ErrHashFailed is the hash_failed AuthKit HTTP wire error code.
	ErrHashFailed ErrorCode = "hash_failed"

	// ErrInvalidAddress is the invalid_address AuthKit HTTP wire error code.
	ErrInvalidAddress ErrorCode = "invalid_address"

	// ErrInvalidAllowedOrigins is the invalid_allowed_origins AuthKit HTTP wire error code.
	ErrInvalidAllowedOrigins ErrorCode = "invalid_allowed_origins"

	// ErrInvalidBaseURL is the invalid_base_url AuthKit HTTP wire error code.
	ErrInvalidBaseURL ErrorCode = "invalid_base_url"

	// ErrInvalidChallenge is the invalid_challenge AuthKit HTTP wire error code.
	ErrInvalidChallenge ErrorCode = "invalid_challenge"

	// ErrInvalidCode is the invalid_code AuthKit HTTP wire error code.
	ErrInvalidCode ErrorCode = "invalid_code"

	// ErrInvalidCredentials is the invalid_credentials AuthKit HTTP wire error code.
	ErrInvalidCredentials ErrorCode = "invalid_credentials"

	// ErrInvalidDefinition is the invalid_definition AuthKit HTTP wire error code.
	ErrInvalidDefinition ErrorCode = "invalid_definition"

	// ErrInvalidEmail is the invalid_email AuthKit HTTP wire error code.
	ErrInvalidEmail ErrorCode = core.ErrCodeInvalidEmail

	// ErrInvalidExpiresAt is the invalid_expires_at AuthKit HTTP wire error code.
	ErrInvalidExpiresAt ErrorCode = "invalid_expires_at"

	// ErrInvalidExpiry is the invalid_expiry AuthKit HTTP wire error code.
	ErrInvalidExpiry ErrorCode = "invalid_expiry"

	// ErrInvalidFederationIssuer is the invalid_federation_issuer AuthKit HTTP wire error code.
	ErrInvalidFederationIssuer ErrorCode = "invalid_federation_issuer"

	// ErrInvalidFederationTrustSource is the invalid_federation_trust_source AuthKit HTTP wire error code.
	ErrInvalidFederationTrustSource ErrorCode = "invalid_federation_trust_source"

	// ErrInvalidIdentifier is the invalid_identifier AuthKit HTTP wire error code.
	ErrInvalidIdentifier ErrorCode = "invalid_identifier"

	// ErrInvalidMessageEncoding is the invalid_message_encoding AuthKit HTTP wire error code.
	ErrInvalidMessageEncoding ErrorCode = "invalid_message_encoding"

	// ErrInvalidMethod is the invalid_method AuthKit HTTP wire error code.
	ErrInvalidMethod ErrorCode = "invalid_method"

	// ErrInvalidOrExpiredCode is the invalid_or_expired_code AuthKit HTTP wire error code.
	ErrInvalidOrExpiredCode ErrorCode = "invalid_or_expired_code"

	// ErrInvalidOrExpiredResetSession is the invalid_or_expired_reset_session AuthKit HTTP wire error code.
	ErrInvalidOrExpiredResetSession ErrorCode = "invalid_or_expired_reset_session"

	// ErrInvalidOrExpiredToken is the invalid_or_expired_token AuthKit HTTP wire error code.
	ErrInvalidOrExpiredToken ErrorCode = "invalid_or_expired_token"

	// ErrInvalidOwnerNamespaceTransition is the invalid_owner_namespace_transition AuthKit HTTP wire error code.
	ErrInvalidOwnerNamespaceTransition ErrorCode = "invalid_owner_namespace_transition"

	// ErrInvalidPassword is the invalid_password AuthKit HTTP wire error code.
	ErrInvalidPassword ErrorCode = "invalid_password"

	// ErrInvalidPhoneNumber is the invalid_phone_number AuthKit HTTP wire error code.
	ErrInvalidPhoneNumber ErrorCode = core.ErrCodeInvalidPhoneNumber

	// ErrInvalidPreferredLanguage is the invalid_preferred_language AuthKit HTTP wire error code.
	ErrInvalidPreferredLanguage ErrorCode = "invalid_preferred_language"

	// ErrInvalidProvider is the invalid_provider AuthKit HTTP wire error code.
	ErrInvalidProvider ErrorCode = "invalid_provider"

	// ErrInvalidRefreshToken is the invalid_refresh_token AuthKit HTTP wire error code.
	ErrInvalidRefreshToken ErrorCode = "invalid_refresh_token"

	// ErrInvalidRequest is the invalid_request AuthKit HTTP wire error code.
	ErrInvalidRequest ErrorCode = "invalid_request"

	// ErrInvalidResource is the invalid_resource AuthKit HTTP wire error code.
	ErrInvalidResource ErrorCode = "invalid_resource"

	// ErrInvalidRole is the invalid_role AuthKit HTTP wire error code.
	ErrInvalidRole ErrorCode = "invalid_role"

	// ErrInvalidSignature is the invalid_signature AuthKit HTTP wire error code.
	ErrInvalidSignature ErrorCode = "invalid_signature"

	// ErrInvalidSignatureEncoding is the invalid_signature_encoding AuthKit HTTP wire error code.
	ErrInvalidSignatureEncoding ErrorCode = "invalid_signature_encoding"

	// ErrInvalidSlug is the invalid_slug AuthKit HTTP wire error code.
	ErrInvalidSlug ErrorCode = "invalid_slug"

	// ErrInvalidState is the invalid_state AuthKit HTTP wire error code.
	ErrInvalidState ErrorCode = "invalid_state"

	// ErrInvalidToken is the invalid_token AuthKit HTTP wire error code.
	ErrInvalidToken ErrorCode = "invalid_token"

	// ErrInvalidTrustSource is the invalid_trust_source AuthKit HTTP wire error code.
	ErrInvalidTrustSource ErrorCode = "invalid_trust_source"

	// ErrInvalidUI is the invalid_ui AuthKit HTTP wire error code.
	ErrInvalidUI ErrorCode = "invalid_ui"

	// ErrInvalidUntil is the invalid_until AuthKit HTTP wire error code.
	ErrInvalidUntil ErrorCode = "invalid_until"

	// ErrInvalidVersion is the invalid_version AuthKit HTTP wire error code.
	ErrInvalidVersion ErrorCode = "invalid_version"

	// ErrInviteNotFound is the invite_not_found AuthKit HTTP wire error code.
	ErrInviteNotFound ErrorCode = "invite_not_found"

	// ErrIssuerReserved is the issuer_reserved AuthKit HTTP wire error code.
	ErrIssuerReserved ErrorCode = "issuer_reserved"

	// ErrLinkFailed is the link_failed AuthKit HTTP wire error code.
	ErrLinkFailed ErrorCode = "link_failed"

	// ErrMemberPermissionsLookupFailed is the member_permissions_lookup_failed AuthKit HTTP wire error code.
	ErrMemberPermissionsLookupFailed ErrorCode = "member_permissions_lookup_failed"

	// ErrMemberRolesLookupFailed is the member_roles_lookup_failed AuthKit HTTP wire error code.
	ErrMemberRolesLookupFailed ErrorCode = "member_roles_lookup_failed"

	// ErrMissingFields is the missing_fields AuthKit HTTP wire error code.
	ErrMissingFields ErrorCode = "missing_fields"

	// ErrMissingName is the missing_name AuthKit HTTP wire error code.
	ErrMissingName ErrorCode = "missing_name"

	// ErrMissingRole is the missing_role AuthKit HTTP wire error code.
	ErrMissingRole ErrorCode = "missing_role"

	// ErrMissingSessionID is the missing_session_id AuthKit HTTP wire error code.
	ErrMissingSessionID ErrorCode = "missing_session_id"

	// ErrMissingSidClaim is the missing_sid_claim AuthKit HTTP wire error code.
	ErrMissingSidClaim ErrorCode = "missing_sid_claim"

	// ErrNoEmail is the no_email AuthKit HTTP wire error code.
	ErrNoEmail ErrorCode = "no_email"

	// ErrNoPendingEmailChange is the no_pending_email_change AuthKit HTTP wire error code.
	ErrNoPendingEmailChange ErrorCode = "no_pending_email_change"

	// ErrNoPendingPhoneChange is the no_pending_phone_change AuthKit HTTP wire error code.
	ErrNoPendingPhoneChange ErrorCode = "no_pending_phone_change"

	// ErrNotAuthenticated is the not_authenticated AuthKit HTTP wire error code.
	ErrNotAuthenticated ErrorCode = "not_authenticated"

	// ErrNotFound is the not_found AuthKit HTTP wire error code.
	ErrNotFound ErrorCode = "not_found"

	// ErrOIDCBeginFailed is the oidc_begin_failed AuthKit HTTP wire error code.
	ErrOIDCBeginFailed ErrorCode = "oidc_begin_failed"

	// ErrOIDCExchangeFailed is the oidc_exchange_failed AuthKit HTTP wire error code.
	ErrOIDCExchangeFailed ErrorCode = "oidc_exchange_failed"

	// ErrOwnerMembershipRequired is the owner_membership_required AuthKit HTTP wire error code.
	ErrOwnerMembershipRequired ErrorCode = "owner_membership_required"

	// ErrOwnerNamespaceInfoFailed is the owner_namespace_info_failed AuthKit HTTP wire error code.
	ErrOwnerNamespaceInfoFailed ErrorCode = "owner_namespace_info_failed"

	// ErrOwnerSlugTaken is the owner_slug_taken AuthKit HTTP wire error code.
	ErrOwnerSlugTaken ErrorCode = core.ErrCodeOwnerSlugTaken

	// ErrOwnerUserNotFound is the owner_user_not_found AuthKit HTTP wire error code.
	ErrOwnerUserNotFound ErrorCode = "owner_user_not_found"

	// ErrPasswordChangeFailed is the password_change_failed AuthKit HTTP wire error code.
	ErrPasswordChangeFailed ErrorCode = "password_change_failed"

	// ErrPasswordResetRequestFailed is the password_reset_request_failed AuthKit HTTP wire error code.
	ErrPasswordResetRequestFailed ErrorCode = "password_reset_request_failed"

	// ErrPasswordResetRequired is the password_reset_required AuthKit HTTP wire error code.
	ErrPasswordResetRequired ErrorCode = "password_reset_required"

	// ErrPasskeyFailed is the passkey_failed AuthKit HTTP wire error code.
	ErrPasskeyFailed ErrorCode = "passkey_failed"

	// ErrPasswordTooShort is the password_too_short AuthKit HTTP wire error code.
	ErrPasswordTooShort ErrorCode = core.ErrCodePasswordTooShort

	// ErrPendingRegistrationNotFound is the pending_registration_not_found AuthKit HTTP wire error code.
	ErrPendingRegistrationNotFound ErrorCode = "pending_registration_not_found"

	// ErrPermissionCheckFailed is the permission_check_failed AuthKit HTTP wire error code.
	ErrPermissionCheckFailed ErrorCode = "permission_check_failed"

	// ErrPermissionGrantDenied is the permission_grant_denied AuthKit HTTP wire error code.
	ErrPermissionGrantDenied ErrorCode = "permission_grant_denied"

	// ErrPermissionValidateFailed is the permission_validate_failed AuthKit HTTP wire error code.
	ErrPermissionValidateFailed ErrorCode = "permission_validate_failed"

	// ErrPermissionsLookupFailed is the permissions_lookup_failed AuthKit HTTP wire error code.
	ErrPermissionsLookupFailed ErrorCode = "permissions_lookup_failed"

	// ErrPhoneTwoFAUnavailable is the phone_2fa_unavailable AuthKit HTTP wire error code.
	ErrPhoneTwoFAUnavailable ErrorCode = "phone_2fa_unavailable"

	// ErrPhoneAlreadyVerified is the phone_already_verified AuthKit HTTP wire error code.
	ErrPhoneAlreadyVerified ErrorCode = "phone_already_verified"

	// ErrPhoneAndCodeRequired is the phone_and_code_required AuthKit HTTP wire error code.
	ErrPhoneAndCodeRequired ErrorCode = "phone_and_code_required"

	// ErrPhoneChangeUnavailable is the phone_change_unavailable AuthKit HTTP wire error code.
	ErrPhoneChangeUnavailable ErrorCode = "phone_change_unavailable"

	// ErrPhoneInUse is the phone_in_use AuthKit HTTP wire error code.
	ErrPhoneInUse ErrorCode = "phone_in_use"

	// ErrPhoneNotVerified is the phone_not_verified AuthKit HTTP wire error code.
	ErrPhoneNotVerified ErrorCode = "phone_not_verified"

	// ErrPhoneNumberMustBeE164 is the phone_number_must_be_e164 AuthKit HTTP wire error code.
	ErrPhoneNumberMustBeE164 ErrorCode = "phone_number_must_be_e164"

	// ErrPhoneRegistrationUnavailable is the phone_registration_unavailable AuthKit HTTP wire error code.
	ErrPhoneRegistrationUnavailable ErrorCode = "phone_registration_unavailable"

	// ErrPhoneUnavailable is the phone_unavailable AuthKit HTTP wire error code.
	ErrPhoneUnavailable ErrorCode = "phone_unavailable"

	// ErrPhoneUnchanged is the phone_unchanged AuthKit HTTP wire error code.
	ErrPhoneUnchanged ErrorCode = "phone_unchanged"

	// ErrPhoneVerificationFailed is the phone_verification_failed AuthKit HTTP wire error code.
	ErrPhoneVerificationFailed ErrorCode = "phone_verification_failed"

	// ErrPhoneVerificationUnavailable is the phone_verification_unavailable AuthKit HTTP wire error code.
	ErrPhoneVerificationUnavailable ErrorCode = "phone_verification_unavailable"

	// ErrPKCEGenerationFailed is the pkce_generation_failed AuthKit HTTP wire error code.
	ErrPKCEGenerationFailed ErrorCode = "pkce_generation_failed"

	// ErrPreferredLanguageLookupFailed is the preferred_language_lookup_failed AuthKit HTTP wire error code.
	ErrPreferredLanguageLookupFailed ErrorCode = "preferred_language_lookup_failed"

	// ErrProtectedRole is the protected_role AuthKit HTTP wire error code.
	ErrProtectedRole ErrorCode = "protected_role"

	// ErrProviderAlreadyLinked is the provider_already_linked AuthKit HTTP wire error code.
	ErrProviderAlreadyLinked ErrorCode = "provider_already_linked"

	// ErrProviderLinkFailed is the provider_link_failed AuthKit HTTP wire error code.
	ErrProviderLinkFailed ErrorCode = "provider_link_failed"

	// ErrProviderNotLinked is the provider_not_linked AuthKit HTTP wire error code.
	ErrProviderNotLinked ErrorCode = "provider_not_linked"

	// ErrRateLimited is the rate_limited AuthKit HTTP wire error code.
	ErrRateLimited ErrorCode = "rate_limited"

	// ErrReauthFailed is the reauth_failed AuthKit HTTP wire error code.
	ErrReauthFailed ErrorCode = "reauth_failed"

	// ErrReauthRequired is the reauth_required AuthKit HTTP wire error code.
	ErrReauthRequired ErrorCode = "reauth_required"

	// ErrRegenerateCodesFailed is the regenerate_codes_failed AuthKit HTTP wire error code.
	ErrRegenerateCodesFailed ErrorCode = "regenerate_codes_failed"

	// ErrRegistrationDisabled is the registration_disabled AuthKit HTTP wire error code.
	ErrRegistrationDisabled ErrorCode = "registration_disabled"

	// ErrRegistrationFailed is the registration_failed AuthKit HTTP wire error code.
	ErrRegistrationFailed ErrorCode = "registration_failed"

	// ErrRemoteApplicationDeleteFailed is the remote_application_delete_failed AuthKit HTTP wire error code.
	ErrRemoteApplicationDeleteFailed ErrorCode = "remote_application_delete_failed"

	// ErrRemoteApplicationLookupFailed is the remote_application_lookup_failed AuthKit HTTP wire error code.
	ErrRemoteApplicationLookupFailed ErrorCode = "remote_application_lookup_failed"

	// ErrRemoteApplicationMembershipFailed is the remote_application_membership_failed AuthKit HTTP wire error code.
	ErrRemoteApplicationMembershipFailed ErrorCode = "remote_application_membership_failed"

	// ErrRemoteApplicationNotFound is the remote_application_not_found AuthKit HTTP wire error code.
	ErrRemoteApplicationNotFound ErrorCode = "remote_application_not_found"

	// ErrRemoteApplicationOwnerLookupFailed is the remote_application_owner_lookup_failed AuthKit HTTP wire error code.
	ErrRemoteApplicationOwnerLookupFailed ErrorCode = "remote_application_owner_lookup_failed"

	// ErrRemoteApplicationRegisterFailed is the remote_application_register_failed AuthKit HTTP wire error code.
	ErrRemoteApplicationRegisterFailed ErrorCode = "remote_application_register_failed"

	// ErrRemoveMemberFailed is the remove_member_failed AuthKit HTTP wire error code.
	ErrRemoveMemberFailed ErrorCode = "remove_member_failed"

	// ErrRenameRateLimited is the rename_rate_limited AuthKit HTTP wire error code.
	ErrRenameRateLimited ErrorCode = core.ErrCodeRenameRateLimited

	// ErrResendFailed is the resend_failed AuthKit HTTP wire error code.
	ErrResendFailed ErrorCode = "resend_failed"

	// ErrReservedAccountNotFound is the reserved_account_not_found AuthKit HTTP wire error code.
	ErrReservedAccountNotFound ErrorCode = "reserved_account_not_found"

	// ErrResourceScopeDenied is the resource_scope_denied AuthKit HTTP wire error code.
	ErrResourceScopeDenied ErrorCode = "resource_scope_denied"

	// ErrRoleExceedsGrantor is the role_exceeds_grantor AuthKit HTTP wire error code.
	ErrRoleExceedsGrantor ErrorCode = "role_exceeds_grantor"

	// ErrRoleNotFound is the role_not_found AuthKit HTTP wire error code.
	ErrRoleNotFound ErrorCode = "role_not_found"

	// ErrRoleNotGrantableToAPIKey is the role_not_grantable_to_api_key AuthKit HTTP wire error code.
	ErrRoleNotGrantableToAPIKey ErrorCode = "role_not_grantable_to_api_key"

	// ErrRolePermissionsLookupFailed is the role_permissions_lookup_failed AuthKit HTTP wire error code.
	ErrRolePermissionsLookupFailed ErrorCode = "role_permissions_lookup_failed"

	// ErrRolePermissionsUpdateFailed is the role_permissions_update_failed AuthKit HTTP wire error code.
	ErrRolePermissionsUpdateFailed ErrorCode = "role_permissions_update_failed"

	// ErrSendCodeFailed is the send_code_failed AuthKit HTTP wire error code.
	ErrSendCodeFailed ErrorCode = "send_code_failed"

	// ErrSessionCreationFailed is the session_creation_failed AuthKit HTTP wire error code.
	ErrSessionCreationFailed ErrorCode = "session_creation_failed"

	// ErrSessionIssueFailed is the session_issue_failed AuthKit HTTP wire error code.
	ErrSessionIssueFailed ErrorCode = "session_issue_failed"

	// ErrSMSDeliveryFailed is the sms_delivery_failed AuthKit HTTP wire error code.
	ErrSMSDeliveryFailed ErrorCode = "sms_delivery_failed"

	// ErrSMSUnavailable is the sms_unavailable AuthKit HTTP wire error code.
	ErrSMSUnavailable ErrorCode = "sms_unavailable"

	// ErrStateStoreFailed is the state_store_failed AuthKit HTTP wire error code.
	ErrStateStoreFailed ErrorCode = "state_store_failed"

	// ErrTokenCreationFailed is the token_creation_failed AuthKit HTTP wire error code.
	ErrTokenCreationFailed ErrorCode = "token_creation_failed"

	// ErrTokenIssueFailed is the token_issue_failed AuthKit HTTP wire error code.
	ErrTokenIssueFailed ErrorCode = "token_issue_failed"

	// ErrUnassignRoleFailed is the unassign_role_failed AuthKit HTTP wire error code.
	ErrUnassignRoleFailed ErrorCode = "unassign_role_failed"

	// ErrUnauthorized is the unauthorized AuthKit HTTP wire error code.
	ErrUnauthorized ErrorCode = "unauthorized"

	// ErrUnknownPermission is the unknown_permission AuthKit HTTP wire error code.
	ErrUnknownPermission ErrorCode = "unknown_permission"

	// ErrUnknownProvider is the unknown_provider AuthKit HTTP wire error code.
	ErrUnknownProvider ErrorCode = "unknown_provider"

	// ErrUnknownRole is the unknown_role AuthKit HTTP wire error code.
	ErrUnknownRole ErrorCode = "unknown_role"

	// ErrUserBanned is the user_banned AuthKit HTTP wire error code.
	ErrUserBanned ErrorCode = "user_banned"

	// ErrUserCreationFailed is the user_creation_failed AuthKit HTTP wire error code.
	ErrUserCreationFailed ErrorCode = "user_creation_failed"

	// ErrUserInvitesLookupFailed is the user_invites_lookup_failed AuthKit HTTP wire error code.
	ErrUserInvitesLookupFailed ErrorCode = "user_invites_lookup_failed"

	// ErrUserLookupFailed is the user_lookup_failed AuthKit HTTP wire error code.
	ErrUserLookupFailed ErrorCode = "user_lookup_failed"

	// ErrUserNotFound is the user_not_found AuthKit HTTP wire error code.
	ErrUserNotFound ErrorCode = "user_not_found"

	// ErrUserRecoverFailed is the user_recover_failed AuthKit HTTP wire error code.
	ErrUserRecoverFailed ErrorCode = "user_recover_failed"

	// ErrUserinfoFailed is the userinfo_failed AuthKit HTTP wire error code.
	ErrUserinfoFailed ErrorCode = "userinfo_failed"

	// ErrUsernameCannotContainAt is the username_cannot_contain_at AuthKit HTTP wire error code.
	ErrUsernameCannotContainAt ErrorCode = core.ErrCodeUsernameCannotContainAt

	// ErrUsernameCannotStartWithPlus is the username_cannot_start_with_plus AuthKit HTTP wire error code.
	ErrUsernameCannotStartWithPlus ErrorCode = core.ErrCodeUsernameCannotStartWithPlus

	// ErrUsernameInUse is the username_in_use AuthKit HTTP wire error code.
	ErrUsernameInUse ErrorCode = "username_in_use"

	// ErrUsernameInvalidCharacters is the username_invalid_characters AuthKit HTTP wire error code.
	ErrUsernameInvalidCharacters ErrorCode = core.ErrCodeUsernameInvalidCharacters

	// ErrUsernameMissing is the username_missing AuthKit HTTP wire error code.
	ErrUsernameMissing ErrorCode = "username_missing"

	// ErrUsernameMustStartWithLetter is the username_must_start_with_letter AuthKit HTTP wire error code.
	ErrUsernameMustStartWithLetter ErrorCode = core.ErrCodeUsernameMustStartWithLetter

	// ErrUsernameNotAllowed is the username_not_allowed AuthKit HTTP wire error code.
	ErrUsernameNotAllowed ErrorCode = core.ErrCodeUsernameNotAllowed

	// ErrUsernameTooLong is the username_too_long AuthKit HTTP wire error code.
	ErrUsernameTooLong ErrorCode = core.ErrCodeUsernameTooLong

	// ErrUsernameTooShort is the username_too_short AuthKit HTTP wire error code.
	ErrUsernameTooShort ErrorCode = core.ErrCodeUsernameTooShort

	// ErrVerificationLinkExpired is the verification_link_expired AuthKit HTTP wire error code.
	ErrVerificationLinkExpired ErrorCode = "verification_link_expired"

	// ErrVerificationRequestFailed is the verification_request_failed AuthKit HTTP wire error code.
	ErrVerificationRequestFailed ErrorCode = "verification_request_failed"

	// ErrWalletAlreadyLinked is the wallet_already_linked AuthKit HTTP wire error code.
	ErrWalletAlreadyLinked ErrorCode = "wallet_already_linked"
)

func (ErrorCode) String added in v0.46.0 

func (c ErrorCode) String() string

String returns the wire value.

type InternalErrorEvent added in v0.8.7 

type InternalErrorEvent struct {
	Route  string
	Stage  string
	Code   string
	Method string
	Path   string
	Err    error
}

InternalErrorEvent captures a swallowed internal handler error so host apps can log it without exposing implementation details to clients.

func (InternalErrorEvent) Error added in v0.8.7 

func (e InternalErrorEvent) Error() string

type IssuerKey 

type IssuerKey = verify.IssuerKey

type IssuerOptions 

type IssuerOptions = verify.IssuerOptions

type LanguageConfig 

type LanguageConfig struct {
	Supported  []string
	Default    string
	QueryParam string
	CookieName string
}

type Limit 

type Limit struct {
	Limit    int
	Window   time.Duration
	Cooldown time.Duration
}

Limit configures a named rate limit bucket.

type Option added in v0.46.0 

type Option func(*Server)

Option configures a Server at construction. Options are applied INSIDE NewServer, before the core service is built, so a half-built Server is never observable. This is the ONLY way to wire optional dependencies — the chainable WithX builder methods were removed in #108.

func WithAuthLogReader added in v0.46.0 

func WithAuthLogReader(r core.AuthEventLogReader) Option

WithAuthLogReader supplies the session-event reader (admin sign-in views).

func WithAuthLogger added in v0.46.0 

func WithAuthLogger(l core.AuthEventLogger) Option

WithAuthLogger supplies the session-event audit sink.

func WithClientIPFunc added in v0.46.0 

func WithClientIPFunc(fn ClientIPFunc) Option

WithClientIPFunc sets the client-IP extraction strategy (rate limiting + auditing).

func WithEmailSender added in v0.46.0 

func WithEmailSender(es core.EmailSender) Option

WithEmailSender supplies the email provider.

func WithEntitlements added in v0.46.0 

func WithEntitlements(p core.EntitlementsProvider) Option

WithEntitlements supplies the entitlements provider.

func WithEphemeralStore added in v0.46.0 

func WithEphemeralStore(store core.EphemeralStore, mode core.EphemeralMode) Option

WithEphemeralStore overrides the ephemeral store + mode.

func WithErrorLogger added in v0.46.0 

func WithErrorLogger(fn func(context.Context, InternalErrorEvent)) Option

WithErrorLogger supplies the internal-error observability hook.

func WithLanguageConfig added in v0.46.0 

func WithLanguageConfig(cfg LanguageConfig) Option

WithLanguageConfig sets the i18n language configuration.

func WithRateLimiter added in v0.46.0 

func WithRateLimiter(rl RateLimiter) Option

WithRateLimiter overrides the default in-memory rate limiter.

func WithRedis added in v0.46.0 

func WithRedis(rd *redis.Client) Option

WithRedis supplies the Redis client: the ephemeral store + the OIDC state cache.

func WithSMSSender added in v0.46.0 

func WithSMSSender(sender core.SMSSender) Option

WithSMSSender supplies the SMS provider.

func WithSolanaDomain added in v0.46.0 

func WithSolanaDomain(domain string) Option

WithSolanaDomain sets the domain used in SIWS sign-in messages.

func WithSolanaSNSResolver added in v0.47.0 

func WithSolanaSNSResolver(r core.SolanaSNSResolver) Option

WithSolanaSNSResolver enables Solana Name Service resolution via the host resolver.

func WithoutRateLimiter added in v0.46.0 

func WithoutRateLimiter() Option

WithoutRateLimiter disables rate limiting.

type PermissionValidator added in v0.12.0 

type PermissionValidator = verify.PermissionValidator

type RateLimitResult added in v0.9.1 

type RateLimitResult struct {
	Allowed      bool
	RetryAfter   time.Duration
	Availability *ActionAvailability
}

type RateLimiter 

type RateLimiter interface {
	AllowNamed(bucket string, key string) (bool, error)
}

RateLimiter is a minimal interface used by adapters.

type RateLimiterWithResult added in v0.9.4 

type RateLimiterWithResult interface {
	AllowNamedResult(bucket string, key string) (ratelimit.Result, error)
}

type RateLimiterWithRetryAfter added in v0.9.1 

type RateLimiterWithRetryAfter interface {
	AllowNamedWithRetryAfter(bucket string, key string) (bool, time.Duration, error)
}

type RemoteApplicationIssuerRegistration added in v0.56.0 

type RemoteApplicationIssuerRegistration struct {
	// Slug is this remote_application's slug on the receiving service.
	Slug string
	// Issuer is THIS platform's issuer URL (the `iss` of delegated tokens).
	Issuer string
	// JWKSURI is where the resource server fetches THIS platform's public keys
	// (jwks mode — preferred). Mutually exclusive with PublicKeys.
	JWKSURI string
	// PublicKeys is the static-mode key list for platforms without a JWKS
	// endpoint (#74). Mutually exclusive with JWKSURI.
	PublicKeys []core.RemoteAppKey
	// AllowedOrigins is the exact browser Origin allow-list the resource server
	// should accept for delegated browser requests signed by this issuer.
	AllowedOrigins []string
}

RemoteApplicationIssuerRegistration is the payload published to a resource server.

type RemoteApplicationIssuersClient added in v0.56.0 

type RemoteApplicationIssuersClient struct {
	// contains filtered or unexported fields
}

RemoteApplicationIssuersClient publishes this remote application's issuer registration to a resource server's inbound accept endpoint. It is the outbound half of the AuthKit-owned federation handshake: the platform/IdP side tells a resource server "trust delegated tokens I mint with this issuer + JWKS URL".

func NewRemoteApplicationIssuersClient added in v0.56.0 

func NewRemoteApplicationIssuersClient(opts ...RemoteApplicationIssuersClientOption) *RemoteApplicationIssuersClient

NewRemoteApplicationIssuersClient creates a RemoteApplicationIssuersClient.

func (*RemoteApplicationIssuersClient) RegisterIssuer added in v0.56.0 

func (fc *RemoteApplicationIssuersClient) RegisterIssuer(ctx context.Context, acceptURL string, reg RemoteApplicationIssuerRegistration) error

RegisterIssuer POSTs this remote_application's registration to the resource server's accept endpoint (acceptURL is the fully-qualified URL of the inbound handler, e.g. "https://tensorhub.example/api/v1/remote-applications"). It returns an error for non-2xx responses.

type RemoteApplicationIssuersClientOption added in v0.56.0 

type RemoteApplicationIssuersClientOption func(*RemoteApplicationIssuersClient)

RemoteApplicationIssuersClientOption configures a RemoteApplicationIssuersClient.

func WithRemoteApplicationIssuersAuthToken added in v0.56.0 

func WithRemoteApplicationIssuersAuthToken(token string) RemoteApplicationIssuersClientOption

WithRemoteApplicationIssuersAuthToken sets the Bearer token used to authenticate to the resource server's accept endpoint.

func WithRemoteApplicationIssuersHTTPClient added in v0.56.0 

func WithRemoteApplicationIssuersHTTPClient(c *http.Client) RemoteApplicationIssuersClientOption

WithRemoteApplicationIssuersHTTPClient sets the HTTP client used for registration calls.

type RemoteApplicationSource added in v0.27.0 

type RemoteApplicationSource = verify.RemoteApplicationSource

type RouteGroup added in v0.8.5 

type RouteGroup string

RouteGroup identifies a prefix-neutral AuthKit route capability. Host applications can mount all default groups or select only the capabilities they want to expose. 

const (
	RoutePublic      RouteGroup = "public"
	RouteRegister    RouteGroup = "register"
	RouteSession     RouteGroup = "session"
	RouteUser        RouteGroup = "user"
	RouteAdmin       RouteGroup = "admin"
	RouteBrowserOIDC RouteGroup = "browser_oidc"
	RoutePasskeys    RouteGroup = "passkeys"
)
const RoutePermissionGroups RouteGroup = "permission_groups"

RoutePermissionGroups is the route group for the auto-generated per-persona group-management surface plus the cross-persona /me/groups discovery route.

type RouteSpec added in v0.8.5 

type RouteSpec struct {
	Method  string
	Path    string
	Group   RouteGroup
	Handler http.Handler
}

RouteSpec is a concrete, prefix-neutral route with its AuthKit handler attached. Path parameters use net/http ServeMux syntax, e.g. "/namespaces/{slug}".

type Routes added in v0.8.5 

type Routes struct {
	// contains filtered or unexported fields
}

Routes provides access to AuthKit's canonical route groups.

func (Routes) DefaultAPI added in v0.8.5 

func (r Routes) DefaultAPI() []RouteSpec

DefaultAPI returns every AuthKit JSON API route enabled by this service.

func (Routes) Groups added in v0.8.5 

func (r Routes) Groups(groups ...RouteGroup) []RouteSpec

Groups returns every enabled AuthKit JSON API route in the requested groups.

func (Routes) OIDCBrowser added in v0.8.5 

func (r Routes) OIDCBrowser() []RouteSpec

OIDCBrowser returns browser redirect OIDC routes without a mount prefix. Host applications choose where to mount them, commonly "/oidc".

func (Routes) PermissionGroups added in v0.49.0 

func (r Routes) PermissionGroups() []RouteSpec

PermissionGroups returns the auto-generated per-persona group-management routes (members, roles, etc.) implied by this service's declared permission-group schema, plus the cross-persona GET /me/groups discovery route. These are also included in DefaultAPI; this accessor lets a host mount only the group-management surface. See Service.PermissionGroupRoutes.

type SensitiveOptions added in v0.54.0 

type SensitiveOptions = verify.SensitiveOptions

type Server added in v0.46.0 

type Server = Service

Server is the net/http mounting wrapper around core.Service. It is the canonical name; Service is retained as an alias to disambiguate from core.Service (#109).

func NewServer added in v0.46.0 

func NewServer(cfg core.Config, pg *pgxpool.Pool, opts ...Option) (*Server, error)

NewServer constructs the auth Server. Postgres is REQUIRED (the durable user/ role and permission-group store has no in-memory fallback and is a positional argument the type system enforces (#106); pure token verification with no storage uses authhttp.NewVerifier / authkit/verify instead. Every optional dependency is a functional option: 

srv, err := authhttp.NewServer(cfg, pg,
    authhttp.WithRedis(rdb),
    authhttp.WithEmailSender(mailer),
)

type Service 

type Service struct {
	// contains filtered or unexported fields
}

Service wraps the internal AuthKit engine with net/http mounting helpers.

func (*Service) APIHandler 

func (s *Service) APIHandler() http.Handler

APIHandler returns a handler that serves prefix-neutral JSON API routes. It is intended to be mounted under the host's mux/router at the host's chosen API prefix.

func (*Service) APIRoutes added in v0.8.5 

func (s *Service) APIRoutes(groups ...RouteGroup) []RouteSpec

APIRoutes returns AuthKit's enabled JSON API routes. With no groups it returns the default API surface. With groups, it returns only matching routes.

func (*Service) CheckSMSHealth added in v0.15.4 

func (s *Service) CheckSMSHealth(ctx context.Context) error

CheckSMSHealth probes (without sending an SMS) whether the configured sender can actually deliver, caching the result to gate phone-based flows. Returns the probe error (nil = healthy) so the host app can log it at startup.

func (*Service) Core 

func (s *Service) Core() *core.Service

func (*Service) JWKSHandler 

func (s *Service) JWKSHandler() http.Handler

JWKSHandler returns a handler for GET /.well-known/jwks.json.

func (*Service) OIDCBrowserRoutes added in v0.8.5 

func (s *Service) OIDCBrowserRoutes(groups ...RouteGroup) []RouteSpec

OIDCBrowserRoutes returns browser redirect routes with no mount prefix.

func (*Service) OIDCHandler 

func (s *Service) OIDCHandler() http.Handler

OIDCHandler returns a handler that serves browser redirect flows: - GET /oidc/{provider}/login - GET /oidc/{provider}/callback - GET /oidc/{provider}/reauth/callback

func (*Service) PermissionGroupRoutes added in v0.49.0 

func (s *Service) PermissionGroupRoutes() []RouteSpec

PermissionGroupRoutes returns the auto-generated management routes implied by this Service's declared permission-group schema, plus the cross-persona GET /me/groups discovery route. Mirrors APIRoutes: prefix-neutral RouteSpecs in the RoutePermissionGroups group, language-wrapped and auth-required. The set is fully config-derived from svc.PermissionGroupSchema().GeneratedRoutes(); a capability a profile disables is simply absent (=> 404).

func (*Service) Routes added in v0.8.5 

func (s *Service) Routes() Routes

Routes returns AuthKit's canonical route registry for this service.

func (*Service) SMSAvailable added in v0.15.4 

func (s *Service) SMSAvailable() bool

SMSAvailable reports whether phone-based flows should be offered (a sender is configured and, if checked, found able to deliver).

func (*Service) SMSHealthReason added in v0.15.4 

func (s *Service) SMSHealthReason() string

SMSHealthReason returns why SMS was last found unhealthy, if any.

func (*Service) SMSHealthy added in v0.15.4 

func (s *Service) SMSHealthy() bool

SMSHealthy reports the last CheckSMSHealth result (true until a check runs).

func (*Service) SetEntitlementsProvider added in v0.48.0 

func (s *Service) SetEntitlementsProvider(p core.EntitlementsProvider)

SetEntitlementsProvider installs the entitlements provider on the underlying core service after construction. It is the sanctioned late-binding seam for the embedded-billing entitlements cycle (an embedded engine authenticates through this server's Verifier/Core yet also supplies the provider). Call it during wiring, before serving. See core.Service.SetEntitlementsProvider.

func (*Service) Verifier 

func (s *Service) Verifier() *Verifier

type ServiceJWTPrincipal added in v0.13.1 

type ServiceJWTPrincipal = verify.ServiceJWTPrincipal

type ServiceJWTReplayChecker added in v0.13.1 

type ServiceJWTReplayChecker = verify.ServiceJWTReplayChecker

type ServiceJWTVerifyOption added in v0.13.1 

type ServiceJWTVerifyOption = verify.ServiceJWTVerifyOption

type Verifier 

type Verifier = verify.Verifier

type VerifierOption 

type VerifierOption = verify.VerifierOption

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.