Auth-Aware Client

If your service uses expiring tokens or loads user context separately from raw auth, your Kalam client should follow the same lifecycle: build once, refresh credentials when auth changes, and start subscriptions only when the session is ready.

This avoids a common failure mode — opening live subscriptions before you know which user or tenant the worker operates as.

Recommended lifecycle

1. Build a shared KalamLinkClient (or Arc<KalamLinkClient>) at service startup.
2. Resolve auth with AuthProvider::jwt_token(...) or a DynamicAuthProvider.
3. Call connect() before live work when you want the WebSocket warm.
4. Start live() or consumer() loops only after credentials and namespace context are known.
5. Call disconnect(), close subscriptions/consumers, and drop the client on shutdown.

See also Authentication, Realtime Subscriptions, and Client Lifecycle.

Dynamic auth provider

Use DynamicAuthProvider when credentials must be fetched lazily on every connect or reconnect — OAuth/OIDC flows, secret managers, or rotating refresh tokens.

1use std::{future::Future, pin::Pin, sync::Arc};2 3use kalam_client::{AuthProvider, DynamicAuthProvider, KalamLinkClient, Result};4 5struct TokenStore {6    // e.g. Arc<RwLock<Option<String>>>7}8 9impl DynamicAuthProvider for TokenStore {10    fn get_auth(11        &self,12    ) -> Pin<Box<dyn Future<Output = Result<AuthProvider>> + Send + '_>> {13        Box::pin(async move {14            let token = load_fresh_jwt().await?;15            Ok(AuthProvider::jwt_token(token))16        })17    }18}19 20let client = KalamLinkClient::builder()21    .base_url("http://localhost:2900")22    .auth_provider(Arc::new(TokenStore { /* ... */ }))23    .build()?;

The provider is invoked when the client needs fresh credentials for connect or reconnect.

Shared client in a Tokio service

1use std::sync::Arc;2use kalam_client::{AuthProvider, KalamLinkClient};3 4async fn run_service() -> Result<(), Box<dyn std::error::Error>> {5    let client = Arc::new(6        KalamLinkClient::builder()7            .base_url("http://localhost:2900")8            .auth_provider(Arc::new(my_token_store))9            .build()?,10    );11 12    client.connect().await?;13 14    let worker = {15        let client = Arc::clone(&client);16        tokio::spawn(async move {17            run_live_loop(&client).await18        })19    };20 21    worker.await??;22    client.disconnect().await;23    Ok(())24}

Refresh without rebuilding the client

When you control token rotation in application code:

1let fresh = client.fresh_auth().await?; // re-runs DynamicAuthProvider if configured2client.update_shared_auth(fresh);

Or push a known token:

1client.update_shared_auth(AuthProvider::jwt_token(new_token));

Pair with auth_refresher on the builder for automatic TOKEN_EXPIRED recovery during queries — see Authentication.

When to call connect()

• HTTP-only workers — skip connect() if you only call execute_query.
• Live-query services — call connect() before the first live() / live_events() so all subscriptions share one socket.
• Eager warm-up — set ConnectionOptions::default().with_ws_lazy_connect(false) on the builder if the first subscription must not pay socket setup latency.

Next

• Authentication
• Client Lifecycle
• Realtime Subscriptions