Replace the single `API_TOKEN` env var with JWT + API-token verification against `auth.nuts.services`. See `AUTH_PLAN.md` in the repo root for the full design.
Auth policy:
- GTR-T5-base (`role=organize`) operations are free — no token required
- ada-002 (`role=retrieve`) operations require a valid nuts-auth token
- Management endpoints (list, delete, info, agent crypto, invert) require a token
Token types accepted (both via `Authorization: Bearer`):
- JWT (RS256, verified locally against JWKS at `/.well-known/jwks.json`)
- API token (`ahp_` prefix, validated via `POST /api/validate` on auth.nuts.services)
New files/deps:
- `src/auth.rs` — `NutsAuth` struct, `verify_jwt`, `validate_api_token`, JWKS cache
- `jsonwebtoken = "9"` added to `Cargo.toml`
New env vars:
When `NUTS_AUTH_JWKS_URL` is not set the service runs in open dev mode (same as today without `API_TOKEN`).
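The request gate the policy above implies, as an added example (not the project's `src/auth.rs`): it decides whether an operation needs a token, classifies the bearer value so an `ahp_` token is never fed to the JWT verifier, and applies the open dev mode only when `NUTS_AUTH_JWKS_URL` is unset. Types `Op`, `Role` and the `Decision` enum are hypothetical; the actual JWKS/`/api/validate` calls are left to the verifiers.

```rust
// Hypothetical gate for the nuts-auth policy; not the project's own code.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Role { Organize, Retrieve }

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Op {
    Embed { role: Role },
    Management, // list, delete, info, agent crypto, invert
}

#[derive(Debug, PartialEq)]
pub enum TokenKind<'a> { Jwt(&'a str), ApiToken(&'a str) }

#[derive(Debug, PartialEq)]
pub enum Decision<'a> { Allow, Verify(TokenKind<'a>), Deny(&'static str) }

/// Policy matrix: organize is free, retrieve and management need a token.
pub fn requires_token(op: Op) -> bool {
    match op {
        Op::Embed { role: Role::Organize } => false,
        Op::Embed { role: Role::Retrieve } => true,
        Op::Management => true,
    }
}

/// Route the bearer value: `ahp_` prefix => API token, three base64url
/// segments => JWT. Anything else is rejected before any verifier runs.
pub fn classify(auth_header: &str) -> Option<TokenKind<'_>> {
    let raw = auth_header.strip_prefix("Bearer ")?.trim();
    if raw.is_empty() { return None; }
    if raw.starts_with("ahp_") { return Some(TokenKind::ApiToken(raw)); }
    let jwt_shape = raw.split('.').count() == 3
        && raw.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.'));
    if jwt_shape { Some(TokenKind::Jwt(raw)) } else { None }
}

/// `jwks_url` is None exactly when NUTS_AUTH_JWKS_URL is unset (open dev mode).
pub fn gate<'a>(op: Op, auth_header: Option<&'a str>, jwks_url: Option<&str>) -> Decision<'a> {
    if !requires_token(op) { return Decision::Allow; }
    if jwks_url.is_none() { return Decision::Allow; } // dev mode: no auth at all
    match auth_header.and_then(classify) {
        Some(kind) => Decision::Verify(kind),
        None => Decision::Deny("missing or malformed bearer token"),
    }
}

fn main() {
    let jwks = Some("https://auth.nuts.services/.well-known/jwks.json");
    println!("{:?}", gate(Op::Management, Some("Bearer ahp_example"), jwks));
}
```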