feat(clients): Add static token auth, consolidate token generator#330
Merged
feat(clients): Add static token auth, consolidate token generator#330
Conversation
Add a `token` option that accepts a pre-signed JWT string and sets it as the Authorization header on every request. This is intended for external services that receive a token from another source and don't have access to the EdDSA signing key. The static token takes precedence over a TokenGenerator if both are configured. Documentation across both clients clarifies when to use each option.
Semver Impact of This PR🟡 Minor (new features) 📋 Changelog PreviewThis is how your changes will appear in the changelog. New Features ✨
Bug Fixes 🐛
🤖 This preview updates automatically when you update the PR. |
A token is scoped to a specific usecase and scope, so it belongs on the session rather than the client. Rust: Session::with_token() builder method Python: token parameter on Client.session()
When both a TokenGenerator and a static token are configured, the TokenGenerator now takes precedence since it generates fresh, properly-scoped tokens for each request.
Prevent the JWT from leaking in logs by implementing Debug manually instead of deriving it, matching the pattern used by SecretKey.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
jan-auer
reviewed
Feb 24, 2026
…ken param Introduce a TokenProvider enum (Rust) and Token type alias (Python) that accepts either a TokenGenerator or a static JWT string. Authentication is now configured once on the Client/ClientBuilder instead of being split between Client and Session.
lcian
changed the title
# Conflicts: # clients/python/src/objectstore_client/client.py
lcian
changed the title
Member
Author
|
bugbot run |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
… usage Rename the Python type alias from Token to TokenProvider to match Rust. Add documentation on how to obtain a static token from a TokenGenerator.
Expose a public sign() method on TokenGenerator so that callers can produce a static JWT to hand off to external consumers. Update README with an example.
…ign()" This reverts commit 97d00bb.
This reverts commit 23935c7.
Expose a public sign() method on TokenGenerator that takes a &Scope, allowing callers to produce static JWT tokens for external consumers. Update README and Client docstring with usage examples.
Remove unused std::intrinsics::unreachable import and dead inner() method. Fix cross-crate doc link in InvalidScopeError::Unreachable.
jan-auer
approved these changes
Feb 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
tokenparameter onClient/ClientBuilderTokenProviderenum withStaticandGeneratorvariants,ClientBuilder::token(impl Into<TokenProvider>)Token = TokenGenerator | strtype alias,Client(token=...)