Status: alpha scaffold — not production-functional yet. Read Roadmap before integrating.
The planned unified API gateway for TKAWEN Sovereign Cloud — the api.tkawen.com endpoint that fronts seven cloud APIs (Identity, Connect, Pay, Commerce, Knowledge, Logistics, Developer) behind one authentication scheme.
```text
api.tkawen.com/v1/identity/*   → Authentik
api.tkawen.com/v1/connect/*    → LIQAA Cloud
api.tkawen.com/v1/pay/*        → TKAWEN Pay
api.tkawen.com/v1/commerce/*   → MyStoq backend
api.tkawen.com/v1/knowledge/*  → Certify backend
api.tkawen.com/v1/logistics/*  → Traccar + carriers
api.tkawen.com/v1/usage        → this service (billing layer)
```
This scaffold deliberately ships honest behaviour so SDK developers can integrate against it without waiting for full backends:
| Endpoint | Behaviour |
|---|---|
| `GET /v1/health` | Real JSON listing all 7 pillars as `scaffold` |
| `GET /v1/usage` (auth) | Mock usage data for SDK integration testing |
| `GET /v1/keys` (auth) | Empty list placeholder |
| `POST /v1/keys` (auth) | 503 with implementation roadmap pointer |
| `* /v1/<pillar>/*` | 503 with JSON pointing to developer docs (explicit, never silent) |
| `GET /` | Small HTML landing explaining alpha status |
| `GET /healthz` | `ok` for load balancers |
Auth middleware validates only the shape of the Bearer token (prefix `sk_live_` or `sk_sandbox_`, 32+ characters); it does not yet look the key up in a key store, so any well-formed token is accepted whether or not it was ever issued. Until the key store lands, treat every "(auth)" endpoint above as effectively unauthenticated: do not put real data behind it.
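The token-shape check and the explicit-503 dispatch, as an added Rust example. This is not the project's middleware (it uses only the standard library, no Axum); it mirrors the behaviour described above. The names `TokenShape`, `Response`, `route` and `health_json`, and the `upstream`, `roadmap`, `mock` and `docs`-style JSON fields, are assumptions; `error`, `pillar` and the `0.1.0-alpha` health fields come from the README.

```rust
// Added illustration, not the project's own code. Std-only stand-in for the
// gateway's auth middleware and router; names and extra JSON fields are assumed.

/// Result of the shape check. A `Live`/`Sandbox` result means a prefix and a
/// length matched, nothing more: without a key store, an unissued but
/// well-formed token is accepted.
#[derive(Debug, PartialEq, Eq)]
pub enum TokenShape { Live, Sandbox, Missing, Malformed }

/// "32+ chars" per the README.
pub const MIN_TOKEN_LEN: usize = 32;

/// Parse an `Authorization` header value and classify the bearer token's shape.
pub fn check_bearer_shape(header: Option<&str>) -> TokenShape {
    let Some(value) = header else { return TokenShape::Missing };
    // RFC 6750: scheme `Bearer` is case-insensitive, followed by one space.
    let Some((scheme, token)) = value.split_once(' ') else { return TokenShape::Malformed };
    if !scheme.eq_ignore_ascii_case("bearer") {
        return TokenShape::Malformed;
    }
    let token = token.trim();
    // Reject short tokens and anything outside [A-Za-z0-9_] before looking at the
    // prefix, so nothing downstream ever sees odd bytes inside a "key".
    let charset_ok = token.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'_');
    if token.len() < MIN_TOKEN_LEN || !charset_ok {
        return TokenShape::Malformed;
    }
    if token.starts_with("sk_live_") {
        TokenShape::Live
    } else if token.starts_with("sk_sandbox_") {
        TokenShape::Sandbox
    } else {
        TokenShape::Malformed
    }
}

/// Minimal stand-in for an HTTP response (assumed shape).
#[derive(Debug, PartialEq, Eq)]
pub struct Response { pub status: u16, pub body: String }

/// Pillar prefix -> upstream, from the README's route map. A pillar name only
/// reaches a response body after matching this table, so the JSON builder
/// below never has to escape user input.
const PILLARS: &[(&str, &str)] = &[
    ("identity", "Authentik"),
    ("connect", "LIQAA Cloud"),
    ("pay", "TKAWEN Pay"),
    ("commerce", "MyStoq backend"),
    ("knowledge", "Certify backend"),
    ("logistics", "Traccar + carriers"),
    ("developer", "tkawen-api (this service)"),
];

fn json_error(code: &str, extra: &[(&str, &str)]) -> String {
    let mut s = format!(r#"{{"error":"{code}""#);
    for (k, v) in extra {
        s.push_str(&format!(r#","{k}":"{v}""#));
    }
    s.push('}');
    s
}

pub fn health_json() -> String {
    let pillars: Vec<String> = PILLARS.iter().map(|(p, _)| format!(r#""{p}":"scaffold""#)).collect();
    format!(
        r#"{{"status":"ok","version":"0.1.0-alpha","gateway":"tkawen-api","upstream_status":{{{}}}}}"#,
        pillars.join(",")
    )
}

/// Dispatch one request: public endpoints first, then the shape check, then
/// the scaffold handlers. Unwired pillars answer 503 with a body naming the
/// pillar; unknown prefixes get 404, never a silent empty 200.
pub fn route(method: &str, path: &str, authorization: Option<&str>) -> Response {
    match (method, path) {
        ("GET", "/") => return Response { status: 200, body: "<html>tkawen-api alpha scaffold</html>".into() },
        ("GET", "/healthz") => return Response { status: 200, body: "ok".into() },
        ("GET", "/v1/health") => return Response { status: 200, body: health_json() },
        _ => {}
    }
    match check_bearer_shape(authorization) {
        TokenShape::Live | TokenShape::Sandbox => {}
        TokenShape::Missing => return Response { status: 401, body: json_error("missing_token", &[]) },
        TokenShape::Malformed => return Response { status: 401, body: json_error("malformed_token", &[]) },
    }
    match (method, path) {
        ("GET", "/v1/usage") => Response { status: 200, body: r#"{"mock":true,"usage":[]}"#.into() },
        ("GET", "/v1/keys") => Response { status: 200, body: r#"{"keys":[]}"#.into() },
        ("POST", "/v1/keys") => Response {
            status: 503,
            body: json_error("not_yet_implemented", &[("roadmap", "api-key-model")]),
        },
        _ => {
            // Expect `v1/<pillar>/<rest>`; `rest` is irrelevant until proxying exists.
            let mut segs = path.trim_start_matches('/').splitn(3, '/');
            if segs.next() != Some("v1") {
                return Response { status: 404, body: json_error("not_found", &[]) };
            }
            match segs.next().and_then(|p| PILLARS.iter().find(|(name, _)| *name == p)) {
                Some(&(pillar, upstream)) => Response {
                    status: 503,
                    body: json_error("upstream_not_yet_implemented", &[("pillar", pillar), ("upstream", upstream)]),
                },
                None => Response { status: 404, body: json_error("not_found", &[]) },
            }
        }
    }
}

fn main() {
    // Constructed sample token (exactly 32 chars), as in the curl example below.
    let token = "Bearer sk_sandbox_test_xxxxxxxxxxxxxxxx";
    println!("{:?}", route("GET", "/v1/connect/rooms", Some(token)));
    println!("{:?}", route("GET", "/v1/connect/rooms", None));
}
```

Two points worth carrying into the real middleware: the 401 for a missing or malformed token is decided before any path parsing, so the scaffold never leaks whether a pillar exists to an unauthenticated caller; and the 503 body is only ever built from names in the pillar table, so probing `/v1/<anything>/` reveals nothing beyond the route map this README already publishes.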
```bash
git clone https://github.com/tkawen/tkawen-api.git
cd tkawen-api
cargo build --release
./target/release/tkawen-api
# → http://127.0.0.1:9099

curl http://127.0.0.1:9099/v1/health
# {"status":"ok","version":"0.1.0-alpha","gateway":"tkawen-api","upstream_status":{...}}

curl -H "Authorization: Bearer sk_sandbox_test_xxxxxxxxxxxxxxxx" \
     http://127.0.0.1:9099/v1/connect/rooms
# 503 Service Unavailable
# {"error":"upstream_not_yet_implemented","pillar":"connect", ...}
```

| Layer | Choice |
|---|---|
| HTTP server | Axum 0.7 |
| HTTP client (upstreams) | reqwest 0.12 (rustls) |
| Middleware | tower + tower-http (compression, CORS, security headers) |
| Auth verification | HMAC-SHA256 for webhook signatures; future: JWKS-based OIDC token verification against Authentik |
| Runtime | Tokio multi-threaded |
- Replace skeleton auth with Authentik OIDC token verification (JWKs)
- API key model in Postgres — issue, rotate, revoke, scope per pillar
- Redis-backed rate limiting (per key, per pillar)
- Wire `/v1/connect/*` to LIQAA Cloud with token translation
- Request/response logging to Postgres
- Integration tests against real LIQAA backend
- Identity, Pay, Commerce, Knowledge, Logistics
- Each requires the upstream backend to expose a stable `/v1/...` surface
- Real-time usage tracking with billing recompute every 10 minutes
- Stripe-style "next invoice" endpoint
- Tie into payment processor for actual charging
- OpenAPI 3.1 spec auto-generated from routes
- Trigger SDK rebuild for all 4 languages on spec change
- Publish at `api.tkawen.com/openapi.json` and `.yaml`
```text
               ┌───────────────────────┐
               │    api.tkawen.com     │
               │      (TLS edge)       │
               └───────────┬───────────┘
                           │
               ┌───────────▼───────────┐
               │   tkawen-api (Rust)   │
               │  Auth · Rate limit ·  │
               │    Usage · Routing    │
               └───────────┬───────────┘
                           │
     ┌──────────┬──────────┼──────────┬──────────┐
     ▼          ▼          ▼          ▼          ▼
 Authentik    LIQAA    Chargily    MyStoq     Traccar
(Identity)  (Connect)    (Pay)   (Commerce) (Logistics)
```
Sovereign infrastructure means inspectable infrastructure. If a regulated buyer wants to fork this and run their own gateway, they should be able to.
Commercial value is in the operated service — the SLA, the data residency story, the support — not in the source being secret.
See CONTRIBUTING.md. Especially welcome at this stage: code review on the auth middleware, OpenAPI spec contributions, test infrastructure.
SECURITY.md — please do not open public issues for security vulnerabilities.
