Skip to Content
How-To GuidesRustEnabling Authentication on Rust HTTP Endpoints

Enabling Authentication on Rust HTTP Endpoints

Overview

Golem supports authentication on HTTP endpoints via OIDC providers. Authentication is enabled in the agent code and configured via security schemes in golem.yaml. See the golem-configure-api-domain skill for details on setting up security schemes and domain deployments.

Enabling Auth on All Endpoints (Mount Level)

Set auth = true on #[agent_definition] to require authentication for all endpoints:

#[agent_definition(mount = "/secure/{name}", auth = true)]
pub trait SecureAgent {
    fn new(name: String) -> Self;
    // All endpoints require authentication
}

Enabling Auth on Individual Endpoints

Set auth = true on specific #[endpoint] attributes:

#[agent_definition(mount = "/api/{name}")]
pub trait ApiAgent {
    fn new(name: String) -> Self;
 
    #[endpoint(get = "/public")]
    fn public_data(&self) -> String;
 
    #[endpoint(get = "/private", auth = true)]
    fn private_data(&self) -> String;
}

Overriding Mount-Level Auth

Per-endpoint auth overrides the mount-level setting:

#[agent_definition(mount = "/api/{name}", auth = true)]
pub trait MostlySecureAgent {
    fn new(name: String) -> Self;
 
    #[endpoint(get = "/health", auth = false)]
    fn health(&self) -> String; // No auth required
 
    #[endpoint(get = "/data")]
    fn get_data(&self) -> Data; // Auth required (inherited)
}

Deployment Configuration

After enabling auth = true in code, you must configure a security scheme in golem.yaml. See the golem-configure-api-domain skill for the full details. Quick reference:

httpApi:
  deployments:
    local:
    - domain: my-app.localhost:9006
      agents:
        SecureAgent:
          securityScheme: my-oidc            # For production OIDC
        # or for development:
        # SecureAgent:
        #   testSessionHeaderName: X-Test-Auth
Last updated on
Custom Snapshots in RustEnabling OpenTelemetry for a Rust Agent