Skip to Content
Authentication

Authentication

KalamDB supports user/password bootstrap and JWT bearer tokens. For long-lived services, prefer JWT with refresh or a dynamic auth provider.

Auth types

RUST
use kalam_client::AuthProvider; AuthProvider::basic_auth("admin".into(), "kalamdb123".into()); // login bootstrapAuthProvider::jwt_token("eyJhbGci...".into());               // bearer tokenAuthProvider::system_user_auth("kalamdb123".into());         // root system userAuthProvider::none();                                          // localhost bypass

Pass credentials to the builder:

RUST
let client = KalamLinkClient::builder()    .base_url("http://localhost:2900")    .auth(AuthProvider::basic_auth("admin".into(), "kalamdb123".into()))    .build()?;

Basic auth bootstrap

AuthProvider::basic_auth(user, password) does not send HTTP Basic on every request. The client exchanges credentials on POST /v1/api/auth/login and then uses the returned JWT for SQL, files, topics, and WebSocket traffic.

You never call apply_to_request with basic credentials directly — that method returns an error for BasicAuth by design.

JWT auth

When you already have a token:

RUST
let client = KalamLinkClient::builder()    .base_url("http://localhost:2900")    .auth(AuthProvider::jwt_token(access_token))    .build()?;

Or use the builder shortcut:

RUST
KalamLinkClient::builder()    .base_url("http://localhost:2900")    .jwt_token(access_token)    .build()?;

Explicit login and refresh

login and refresh_access_token require the auth-flows feature (included in default native-sdk).

RUST
let bootstrap = KalamLinkClient::builder()    .base_url("http://localhost:2900")    .build()?; let login = bootstrap.login("admin", "kalamdb123").await?; let client = KalamLinkClient::builder()    .base_url("http://localhost:2900")    .auth(AuthProvider::jwt_token(login.access_token))    .build()?;

Refresh:

RUST
let refreshed = client.refresh_access_token(&refresh_token).await?;

Update auth on an existing client

RUST
client.set_auth(AuthProvider::jwt_token(new_token));// or, for shared clones:client.update_shared_auth(AuthProvider::jwt_token(new_token));

For dynamic providers, see Auth-Aware Client.

TOKEN_EXPIRED recovery

Pass an auth_refresher callback when building the client to recover from expired tokens on query or subscription paths:

RUST
use std::{future::Future, pin::Pin, sync::Arc};use kalam_client::{AuthProvider, AuthRefreshCallback, Result}; let refresher: AuthRefreshCallback = Arc::new(|| {    Box::pin(async {        let token = fetch_fresh_token().await?;        Ok(AuthProvider::jwt_token(token))    }) as Pin<Box<dyn Future<Output = Result<AuthProvider>> + Send>>}); let client = KalamLinkClient::builder()    .base_url("http://localhost:2900")    .auth(AuthProvider::jwt_token(initial_token))    .auth_refresher(refresher)    .build()?;

System user convenience

AuthProvider::system_user_auth(password) is shorthand for basic auth as user root. Common in examples and internal tools:

RUST
let auth = AuthProvider::system_user_auth(    std::env::var("KALAMDB_ROOT_PASSWORD").unwrap_or_else(|_| "kalamdb123".into()),);

Next

Last updated on
Setup & Quick StartAuth-Aware Client