auth/credential_type_schema.ts

Credential-type registry — how a request was authenticated.

Three builtins: session (cookie-based), api_token (HTTP Bearer token), daemon_token (filesystem proof for the keeper account). Open-string registry on top so consumers can declare additional credential types (e.g. 'sso_assertion', 'agent_token') without an upstream release. RoleSpec.required_credential_types references entries from this registry; v1 keeps the field informative-only (consumed by auth/middleware.ts and the dispatcher). Mirrors the open-registry pattern used for RoleName, ScopeKindName, GrantPathName, and AuditEventTypeName.

The Hono-side wire-validated CredentialType Zod enum (in hono_context.ts) is the closed-set narrow type middleware sets on the context; the constants below are the source of truth for those three string values. Future builtin credential types added here propagate to the wire enum by editing the import list.

Declarations

11 declarations


builtin_credential_type_meta

ReadonlyMap<string, CredentialTypeMeta>

Builtin credential-type metadata. Not overridable by consumers.

Typed ReadonlyMap for the contract — but JS Maps don't honor Object.freeze for .set / .delete / .clear (they mutate internal slots, not own properties), so freeze adds no runtime guard here. Read once at startup by create_credential_type_schema; runtime mutation has no effect on already-built schemas.

BUILTIN_CREDENTIAL_TYPES

BuiltinCredentialType

create_credential_type_schema

(consumer_types?: Record<string, CredentialTypeMeta>): CredentialTypeSchemaResult

Create a credential-type schema from the builtin set plus optional consumer-declared additions.

Builtins (session, api_token, daemon_token) are always present; consumer entries that collide with a builtin name throw at construction. Pass the result into create_role_schema's optional credential_types parameter so each role's required_credential_types entries are validated against this set at construction time.

consumer_types

optional consumer-declared credential-type set with optional metadata

type Record<string, CredentialTypeMeta>
default {}

returns

CredentialTypeSchemaResult

{CredentialType, credential_types} — Zod schema and metadata map

throws

  • Error - if any `consumer_types` key fails the `CredentialTypeName` regex, collides with a builtin name, or appears more than once

examples

```ts
// simple — builtins only
const {CredentialType, credential_types} = create_credential_type_schema();

// with consumer extensions
const {CredentialType} = create_credential_type_schema({
  sso_assertion: {description: 'OIDC SSO assertion bound to an IdP-asserted account.'},
});
```
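Added example, not code from this module: a self-contained sketch of why the Object.freeze note under builtin_credential_type_meta matters, and of one way a construction-time snapshot plus the builtin-collision check keeps an already-built registry stable. `build_registry`, `is_registered`, `builtin_meta` and the description strings are hypothetical stand-ins; the real function returns a Zod schema and also applies the CredentialTypeName regex, which is not reproduced here.

```typescript
// Added illustration; every name here is a hypothetical stand-in.
type Meta = {description: string};

// Stand-in for builtin_credential_type_meta (descriptions are constructed).
const builtin_meta = new Map<string, Meta>([
  ['session', {description: 'cookie-based session'}],
  ['api_token', {description: 'HTTP Bearer token'}],
  ['daemon_token', {description: 'filesystem proof for the keeper account'}],
]);

// Object.freeze locks own properties; Map entries live in an internal slot,
// so .set / .delete / .clear still succeed on a frozen Map.
function frozen_map_accepts_set(): boolean {
  const m = new Map<string, Meta>([['session', {description: 'x'}]]);
  Object.freeze(m);
  m.set('injected', {description: 'added after freeze'});
  return m.has('injected');
}

// Assumed approach: copy the builtins into a fresh Map at construction,
// reject consumer keys that collide with a builtin, and answer membership
// checks from the copy only.
function build_registry(consumer: Record<string, Meta> = {}) {
  const snapshot = new Map<string, Meta>(builtin_meta);
  for (const [name, meta] of Object.entries(consumer)) {
    if (builtin_meta.has(name)) {
      throw new Error(`credential type "${name}" collides with a builtin`);
    }
    snapshot.set(name, meta);
  }
  const credential_types: ReadonlyMap<string, Meta> = snapshot; // compile-time contract only
  return {credential_types, is_registered: (n: string) => snapshot.has(n)};
}

// Mutating the builtin map after construction does not reach a built registry.
function late_mutation_is_isolated(): boolean {
  const registry = build_registry({sso_assertion: {description: 'OIDC SSO assertion'}});
  builtin_meta.set('rogue', {description: 'added after startup'});
  const leaked = registry.is_registered('rogue');
  builtin_meta.delete('rogue'); // restore the sample state
  return !leaked && registry.is_registered('sso_assertion');
}
```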

CREDENTIAL_TYPE_API_TOKEN

"api_token"

HTTP Authorization: Bearer API token credential. The wire literal 'api_token' aligns with the api_token storage table name; the constant is named _API_TOKEN (not _BEARER) to keep wire and storage nomenclature in lockstep.

CREDENTIAL_TYPE_DAEMON_TOKEN

CREDENTIAL_TYPE_NAME_REGEX

CREDENTIAL_TYPE_SESSION

CredentialTypeMeta

CredentialTypeMeta

Per-credential-type metadata. description is admin-UI-facing copy (mirrors RoleSpec.description and ScopeKindMeta.description). Open shape so v2 can extend without a breaking change.

description

type string

CredentialTypeName

CredentialTypeSchemaResult

CredentialTypeSchemaResult

The result of create_credential_type_schema — a Zod schema and metadata map.

CredentialType

Zod schema that validates credential-type name strings against the registered set (builtins + consumer-declared). Use at I/O boundaries (admin UIs, codegen) and as the construction-time check inside create_role_schema for every RoleSpec.required_credential_types entry.

type z.ZodType<string>

credential_types

Map of every registered credential-type to its metadata. Keyed by name. Read at startup by admin / codegen surfaces.

type ReadonlyMap<string, CredentialTypeMeta>
