API Overview

Rust crate architecture and API reference.

The SIG protocol implementation is split into focused crates. Four are Rust libraries (authkeep-core, authkeep-jose, authkeep-server, authkeep-client), and three are binaries (authkeep-cli, authkeep-api, authkeep-web).

Crate Dependency Graph

authkeep-client ──┬── authkeep-jose ──── authkeep-core
                  │
authkeep-server ──┘
authkeep-cli ─────┬── authkeep-client
                  ├── authkeep-server
                  ├── authkeep-jose
                  └── authkeep-core
authkeep-api ─────┬── authkeep-client
                  └── authkeep-core
authkeep-web ─────┬── axum/tokio
                  └── shared serde/time/base64 tooling

  • authkeep-core has no internal dependencies. It relies on serde, serde_json, time, and thiserror for serialization, date handling, and error definitions.
  • authkeep-jose depends on authkeep-core and adds cryptographic operations using ed25519-dalek, base64, and rand.
  • authkeep-server depends on both authkeep-core and authkeep-jose to provide issuer-side feed management.
  • authkeep-client depends on both authkeep-core and authkeep-jose, and uses reqwest for HTTP fetching of remote feeds.
  • authkeep-cli is the operator/developer CLI binary built on the library crates.
  • authkeep-api is the HTTP API binary that exposes check, verify, and dump-state over JSON.
  • authkeep-web is the reference app binary that serves a browser login flow plus challenge/attestation endpoints. It embeds static web assets from crates/authkeep-cli/web-ui.

Crate Summary

| Crate | Purpose | Key Responsibility |
|---|---|---|
| authkeep-core | Data model and validation | Event types, validation rules, state replay |
| authkeep-jose | Cryptographic operations | JWS signing, verification, JWK/JWKS handling |
| authkeep-server | Issuer operations | Feed initialization, event appending, metadata generation |
| authkeep-client | Consumer operations | Feed verification, state derivation, authorization checks |
| authkeep-cli | CLI binary | ore command for issuer/consumer workflows |
| authkeep-api | API binary | GET /healthz, POST /v1/check, POST /v1/verify, POST /v1/dump-state |
| authkeep-web | Web binary | GET /, POST /v1/auth/challenge/create, POST /v1/auth/attestation/verify |

Design Principles

  • authkeep-core is intentionally free of cryptographic and I/O dependencies so it can be used in constrained environments or compiled to WebAssembly.
  • authkeep-jose encapsulates all Ed25519 and JWS logic, keeping cryptographic concerns isolated from business logic.
  • authkeep-server and authkeep-client represent the two sides of the protocol: issuers publish feeds, consumers verify them. Neither crate depends on the other, reflecting the decoupled nature of the SIG architecture.

Each crate has a dedicated page documenting its key types and functions.
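
The layering rules above can be enforced mechanically, for example as a CI check. The following is an added example, not code from the authkeep project: it walks a dependency graph transitively and reports any crate that reaches a dependency its layer should not have. The graph is transcribed by hand from the bullet list on this page, and the deny-list in `RULES` is an assumption based on the crates named here.

```rust
use std::collections::{HashMap, HashSet};

type Graph = HashMap<&'static str, Vec<&'static str>>;

// Constructed input: edges transcribed from the bullet list on this page,
// not read from the project's Cargo.toml files.
fn page_graph() -> Graph {
    HashMap::from([
        ("authkeep-core", vec!["serde", "serde_json", "time", "thiserror"]),
        ("authkeep-jose", vec!["authkeep-core", "ed25519-dalek", "base64", "rand"]),
        ("authkeep-server", vec!["authkeep-core", "authkeep-jose"]),
        ("authkeep-client", vec!["authkeep-core", "authkeep-jose", "reqwest"]),
    ])
}

// Assumed deny-list: (crate, crates it must never reach, even transitively).
const RULES: &[(&str, &[&str])] = &[
    ("authkeep-core", &["ed25519-dalek", "reqwest", "authkeep-jose"]),
    ("authkeep-server", &["authkeep-client"]),
    ("authkeep-client", &["authkeep-server"]),
];

// Depth-first walk collecting every direct and transitive dependency of `root`.
fn reachable(g: &Graph, root: &'static str) -> HashSet<&'static str> {
    let mut seen = HashSet::new();
    let mut stack = vec![root];
    while let Some(node) = stack.pop() {
        for &dep in g.get(node).into_iter().flatten() {
            if seen.insert(dep) {
                stack.push(dep);
            }
        }
    }
    seen
}

// One message per broken rule; an empty vector means the layering holds.
fn violations(g: &Graph) -> Vec<String> {
    let mut out = Vec::new();
    for &(krate, banned) in RULES {
        let seen = reachable(g, krate);
        for &dep in banned.iter().filter(|d| seen.contains(**d)) {
            out.push(format!("{krate} must not reach {dep}"));
        }
    }
    out
}

fn main() {
    println!("{:?}", violations(&page_graph()));
}
```

In a real workspace the graph would be built from the resolved dependency data rather than typed in; the transitive walk matters because a forbidden crate usually arrives through an intermediate dependency, not a direct one.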