# Functions
AuthorizedSubjectID returns the requested JWT subject if it matches.
ParseBearerAuthorizationHeader parses the given bearer authorization token; returns the parsed JWT token if valid.
RequireGin initializes the gin configuration.
RequireJWT allows a package to conditionally require a valid JWT configuration in the ident environment; at least one RS256 keypair must be configured using the JWT_SIGNER_PRIVATE_KEY and JWT_SIGNER_PUBLIC_KEY environment variables.
RequireJWTVerifiers allows a package to conditionally require RS256 signature verification in the configured environment via JWT_SIGNER_PUBLIC_KEY; the use case for this support is when another microservice depends on the token authorization middleware provided in this package.
RequireVault panics if the VAULT_REFRESH_TOKEN is not given or an access token is otherwise unable to be obtained; attempts to unseal the vault if possible.
ResolveCapabilitiesManifest attempts to resolve the capabilities manifest from S3.
ResolveJWTKeypair returns the configured public/private signing keypair and its fingerprint, if one has been configured; this implementation will be upgraded soon to allow many keys to be configured.
SealVault seals the configured vault context.
TrackAPICalls returns gin middleware for tracking API calls.
UnsealVault unseals the configured vault context.
# Variables
CertificatePath is the SSL certificate path used by the HTTPS listener.
DefaultVaultAccessJWT for the default vault context.
JWTAlternativeAuthorizationAudiences are additional valid audiences who will consume signed JWTs, keyed on a scope; these will be allowed to be set as the JWT "aud" claim.
JWTApplicationClaimsKey is the key within the JWT payload where application-specific claims are encoded.
JWTAuthorizationAudience is the audience who will consume the JWT; this will be set as the JWT "aud" claim.
JWTAuthorizationIssuer is the common name of the operator of the token vending machine; this will be set as the JWT "iss" claim.
JWTAuthorizationTTL is the TTL in milliseconds for new token authorizations, calculated from the issued-at timestamp ("iat" claim).
JWTNatsAuthorizationAudience is the audience who will consume the NATS bearer authorization JWT; this will be set as the JWT "aud" claim.
JWTNatsClaimsKey is the key within the JWT claims payload where NATS-specific claims are encoded.
ListenAddr is the HTTP server listen address.
ListenPort is the HTTP server listen port.
PrivateKeyPath is the private key path used by the HTTPS listener.
ServeTLS is true when CertificatePath and PrivateKeyPath are valid.
Vault is the vault instance.
# Structs
JWTKeypair enables private key or vault-based JWT signing and verification.
SigningMethodEdDSA enables Ed25519.