This repository has been archived by the owner. It is now read-only.
Macaroons: bearer credentials with caveats for distributed authorization
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Macaroons (for Rust!) Latest Version Build Status Apache 2 licensed

A better kind of cookie.

Macaroons are a bearer credential format built around "caveats", i.e. conditions that must hold for a particular credential to be authorized. Using neat crypto tricks, anyone holding a Macaroon can add more caveats to a Macaroon, but once caveats are added they cannot be removed.

Is it any good?


Is it "Production Ready™"?

The library is ready for eager early adopters. If you're using Rust, you're probably one of those anyway.

The following features have been implemented:

  • Creating Macaroons
  • Verifying Macaroons
  • First-party caveats
  • Third-party caveats
  • Serializing to base64url-encoded binary format
  • Deserializing base64url-encoded Macaroons
  • Verifying first-party caveats

The following features still need to be implemented:

  • Discharge macaroons
  • Verifying third-party caveats

Additional planned work:

  • Nom-based parser (may require API changes)

V2 Format Support

The Macaroons format is changing!

A specification for a new, more compact "V2" format has been published.

This library has begun to implement it. In the process, the API is changing so that it can support both the old and new formats.

Pardon our dust.

Help and Discussion

Interested in Macaroons? Join the Macaroons Google Group:!forum/macaroons

You can also join by email by sending an email message here:

We're also on IRC at #macaroons on


Coming soon!

Additional Reading


Copyright (c) 2015-2016 Tony Arcieri. Distributed under the MIT License. See LICENSE.txt for further details.