feat(authkit): add JWT-first access token flow by jmgilman · Pull Request #45 · meigma/authkit

jmgilman · 2026-05-14T16:24:27Z

Summary

add an authkit-owned access JWT issuer/verifier package
add JWT-first protected-resource authentication that resolves principals from access JWTs
add API-token-to-access-JWT exchange and remove runtime API-token authentication
update notes example, tests, and docs for the exchange-first shape

This intentionally removes apikey.NewAuthenticator, Service.VerifyToken, and compose.APIToken because authkit is still pre-stable and API tokens are now exchange credentials only.
OIDC remains on the temporary identity-based path for a follow-up exchange slice.

jmgilman added 6 commits May 13, 2026 21:14

feat(accessjwt): add internal access JWT package

d4226e7

feat(authkit): add JWT-first runtime auth flow

c512a8c

feat(exchange): add API token access JWT exchange

1844629

refactor(apikey): remove runtime API token authentication

a28c889

fix(store): enforce principal-bound API tokens

1f25649

fix(accessjwt): reject critical JWS headers

478ade3

jmgilman marked this pull request as ready for review May 14, 2026 16:57

jmgilman merged commit 8e15d75 into master May 14, 2026
2 checks passed

jmgilman deleted the session-024/access-jwt branch May 14, 2026 16:58

meigma-release-please Bot mentioned this pull request May 14, 2026

chore(master): release 0.4.0 #42

Open