Flexible, type-safe authentication and authorization for Axum using JWTs and optional OAuth2. - Cookie and bearer authentication - OAuth2 Authorization Code + PKCE flow that issues first-party JWT cookies - Hierarchical roles, groups, and string-based permissions - Ready-to-use login/logout handlers - Optional anonymous user context and static-token mode for internal services - In-memory and optional database-backed repositories - Feature-gated audit logging and Prometheus metrics
This crate re-exports jsonwebtoken, cookie, uuid, axum_extra (and optionally prometheus) because those types appear in the public API, and it provides a convenience prelude via axum_gate::prelude::*.
[dependencies]
axum = "0.8"
tokio = { version = "1", features = ["full"] }
serde = { version = "1", features = ["derive"] }
axum-gate = { version = "1" }
Optional features:
- storage-surrealdb — SurrealDB repositories
- storage-seaorm — SeaORM repositories (mutually exclusive with storage-seaorm-v2)
- storage-seaorm-v2 — SeaORM v2 repositories (mutually exclusive with storage-seaorm)
- audit-logging — structured audit events
- prometheus — metrics for audit (implies audit-logging)
- insecure-fast-hash — faster Argon2 preset for development only
- aws_lc_rs — Use AWS Libcrypto for JWT cryptographic operations
This crate supports two cryptographic backends for JWT operations:
| Backend | Default | Description |
|---|---|---|
rust_crypto |
✅ | Pure Rust implementation, works on all platforms without system dependencies |
aws_lc_rs |
❌ | AWS Libcrypto implementation, potentially faster on some platforms |
The crate uses rust_crypto by default, which requires no additional setup:
[dependencies]
axum-gate = "1" # Uses rust_crypto by default
To use the AWS Libcrypto backend for potentially better performance:
[dependencies]
axum-gate = { version = "1", default-features = false, features = ["aws_lc_rs"] }
Note: The aws_lc_rs backend may require additional build tools depending on your platform.
See the aws-lc-rs build documentation for details.
audit-logging and prometheus features for observability; never log secrets, tokens, or cookie valuesExamples and complete usage are available in the crate documentation on docs.rs; the repository also includes curated examples (e.g., examples/oauth2-github for a full GitHub OAuth2 flow): https://docs.rs/axum-gate
For common integration issues and practical debugging tips, see TROUBLESHOOTING.md (covers CookieGate, OAuth2 flows, and Bearer/Static token usage).
storage-surrealdb pulls in SurrealDB, which is licensed under the Business Source License 1.1 (not OSI-approved).memory, storage-seaorm, or storage-seaorm-v2 backends. Note: storage-seaorm and storage-seaorm-v2 are mutually exclusive — enable only one of these features per build.$ claude mcp add axum-gate \
-- python -m otcore.mcp_server <graph>