Rust · axum

Authentication for axum

Session middleware, an AuthContext extractor, a require_auth gate, and a logout handler for Rust backends. Validate Authdog sessions on every request — on the same wire as the Node SDKs.

Start building Read the docs

Wire the middleware

main.rs

// main.rs
let authdog = Authdog::new(&pk).expect("invalid public key");
 
let app = Router::new()
  .route("/me", get(me).layer(from_fn(require_auth)))
  .layer(from_fn_with_state(authdog.clone(), attach_session));

Idiomatic axum, not a framework

Everything axum APIs need

Session middleware, an extractor, and a require_auth gate — wire-compatible with the rest of your Authdog stack.

axum middleware + extractor

attach_session resolves the session for every request and AuthContext is also an extractor, so any handler can take it as an argument — token, user, and is_authenticated.

require_auth gate

Layer require_auth on protected routes and axum responds 401 for unauthenticated requests before your handler runs. This is the security boundary.

Validated at startup

Authdog::new parses and validates the public key once at boot, so a malformed or untrusted key errors immediately instead of at the first request.

Skip the userinfo round-trip

Build with .fetch_user(false) for high-throughput services that validate tokens elsewhere, and supply your own reqwest client when you need to.

Reads the cookie itself

attach_session reads the authdog-session cookie or an Authorization: Bearer header directly, and logout expires the cookie with HttpOnly and SameSite=Lax.

Same wire as Node

It mirrors @authdog/express and @authdog/fastify on the wire, so one Authdog environment serves your Node and Rust services interchangeably.

Read the session as an extractor

Resolve the user with AuthContext

Once attach_session is layered, any handler can take AuthContext as an argument to read the verified user — and require_auth rejects unauthenticated requests before the handler runs.

handlers.rs

// handlers.rs
async fn me(ctx: AuthContext) -> Json<Value> {
  Json(ctx.user.unwrap_or(Value::Null))
}

Ship fast, secure Rust services

Authdog's axum SDK validates sessions on every request and enforces auth at a single gate, with the public key checked once at startup.

1 layer

To resolve sessions everywhere

Add attach_session as a router layer once and every request carries an AuthContext — usable as an extractor in any handler.

require_auth

The single enforcement point

Layer require_auth on a route and unauthenticated requests are rejected with 401 before your handler runs.

fetch_user

Opt out of the userinfo call

High-throughput services can build with .fetch_user(false) and own token validation, keeping the hot path allocation-light.

Add auth to your axum API.

Add the crate, layer the middleware, and gate your routes with require_auth today. Free to start, with secure defaults built in.

Start Building