Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
a public key backed client/server authentication system

This branch is 33 commits behind spotify:master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.


crtauth - a public key backed client/server authentication system

The latest version of this software can be fetched from

crtauth is a system for authenticating a user to a centralized server. The
initial use case is to create a convenient authentication for command line
tools that interacts with a central server without resorting to authentication
using a shared secret, such as a password.

crtauth leverages the public key cryptography mechanisms that is commonly
used by ssh(1) to authenticate users to remote systems. The goal of the
system is to make the user experience as seamless as possible using the
ssh-agent program to manage access to encrypted private keys without asking
for a password each time the command is run

The name of the project is derived from the central concepts challenge,
response, token and authentication, while at the same time reminding us old
timers of the soon to be forgotten cathode ray tube screen technology.

Technical details

Command line tools that connect to a central server to perform some action or
fetch some information can be a very useful thing. Let's say you have a service
that exposes information about servers using an http based API.

The basic operation of the protocol follows the following pattern

# The client requests a challenge from the server, providing a username.
# The server creates a challenge that gets sent back to the client.
# The client signs the challenge and returns the response to the server.
# The server verifies that the response is valid and if so it issues an access
  token to the client.
# The access token is provided to when calling protected services.
# The server validates that the token is valid and if so, provides access
  to the client.

The that implement this mechanism has two parts, one for the server and one
for the client. A server that wants to authenticate clients instantiates an
AuthServer instance (defined in the crtauth.server module) with a secret and
a KeyProvider instance as constructor arguments. The very simple FileKeyProvider
reads public keys from a filesystem directory.

Once there is an AuthServer instance, it can generate a challenge string for
a specific user using the create_challenge() method.

The client part of the mechanism is also contained in the crtauth.server module,
in the create_response() function. It takes a challenge string provided by the
server and returns a response string suitable for sending back to the server.

The server in turn validates the response from the client and if it checks out
it returns an access token that can be used by the client to make authenticated
requests. This validation is done in the create_token() method of the AuthServer

For subsequent calls to protected services, the provided access token can be
verified using the validate_token() method of the AuthServer instance.


crtauth is free software, this code is released under the Apache
Software License, version 2. The original code is written by Noa Resare with
contributions from John-John Tedro, Erwan Lemmonier, Martin Parm and Gunnar

All code is Copyright (c) 2011-2013 Spotify AB
Something went wrong with that request. Please try again.