Add owner-agnostic service tokens

Introduces ServiceKey, a parallel primitive to APIKey for server-to-server auth where the owner is not an authkit user (e.g. an application or tenant row the consumer manages). owner_id has no FK and no RBAC linkage; cascade on owner-delete is the consumer's responsibility. AuthenticateServiceKey returns *ServiceKey directly rather than *Principal since service tokens have no user. Also exports MintOpaqueSecret / HashOpaqueSecret / ParseOpaqueSecret so both API-key and service-key code share one mint/parse implementation instead of duplicating it. Deps.ServiceKeys is required (panics in New if nil) — existing call sites must add ServiceKeys: stores.ServiceKeys. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 19:54:26 +00:00 · 2026-04-26 19:54:26 +00:00 · 4942e4dbdc
commit 4942e4dbdc
parent 9aae7b1c12
16 changed files with 664 additions and 24 deletions
--- a/authkit.go
+++ b/authkit.go
@ -18,6 +18,7 @@ type Deps struct {
 	Sessions    SessionStore
 	Tokens      TokenStore
 	APIKeys     APIKeyStore
+	ServiceKeys ServiceKeyStore
 	Roles       RoleStore
 	Permissions PermissionStore
 	Hasher      Hasher
@ -69,8 +70,8 @@ type Auth struct {
 // returning an error — these are programmer errors, not runtime ones.
 func New(deps Deps, cfg Config) *Auth {
 	if deps.Users == nil || deps.Sessions == nil || deps.Tokens == nil ||
-		deps.APIKeys == nil || deps.Roles == nil || deps.Permissions == nil ||
-		deps.Hasher == nil {
+		deps.APIKeys == nil || deps.ServiceKeys == nil || deps.Roles == nil ||
+		deps.Permissions == nil || deps.Hasher == nil {
 		panic(errx.New("authkit.New", "all Deps fields are required"))
 	}
 	if len(cfg.JWTSecret) == 0 {