The Rust SDK includes bearer tokens, signed JWTs, and anonymous auth for local or trusted deployments.
Spec reference: §6.1.
Use BearerAuthenticator for static bearer tokens:
use arcp::auth::BearerAuthenticator;
let auth = BearerAuthenticator::new().with_token("secret-token", "alice@example.com");The principal is attached to accepted sessions and jobs for authorization and audit decisions.
Use the JWT authenticator when a deployment already issues signed tokens. The authenticator validates signature and claims before accepting the session.
NoneAuthenticator allows sessions with Credentials::None. Advertise
Capabilities { anonymous: Some(true), .. } when this is intentional.
Anonymous auth is useful for local examples and tests, not for public network listeners.
Implement Authenticator to integrate an identity provider, mTLS verifier, or
host-specific session policy. Return an authenticated principal on success and
an ARCP auth error on failure.
Resume must preserve the original session authority. A production implementation should bind resume credentials to the same principal that opened the session.