Service auth (inter-service JWT tokens) #13

New issue

Closed

opened 2026-03-03 17:53:31 +00:00 by Grandiras · 0 comments

Grandiras commented

2026-03-03 17:53:31 +00:00

Owner

Service Auth (inter-service JWT tokens)

Add support for generating outgoing service authentication JWTs for inter-service communication.

Features

Service JWT generation: Create signed JWTs for authenticating to other AT Protocol services
Token format: iss (service DID), aud (target service DID), exp, lxm (XRPC method)
Signing: Sign with K-256 or P-256 keys (depends on #10 Cryptography utilities)

API Surface

var serviceAuth = new ServiceAuthGenerator(serviceDid, signingKey);
var jwt = serviceAuth.CreateToken(
    audience: "did:web:bsky.social",
    lxm: "com.atproto.repo.getRecord");

Context

The SDK has AtProtoAuthenticationHandler for validating incoming service auth JWTs but cannot generate outgoing ones. This is needed for building relay services, feed generators, and labelers.

Reference

AT Protocol Service Auth spec

## Service Auth (inter-service JWT tokens) Add support for generating outgoing service authentication JWTs for inter-service communication. ### Features - **Service JWT generation**: Create signed JWTs for authenticating to other AT Protocol services - **Token format**: `iss` (service DID), `aud` (target service DID), `exp`, `lxm` (XRPC method) - **Signing**: Sign with K-256 or P-256 keys (depends on #10 Cryptography utilities) ### API Surface ```csharp var serviceAuth = new ServiceAuthGenerator(serviceDid, signingKey); var jwt = serviceAuth.CreateToken( audience: "did:web:bsky.social", lxm: "com.atproto.repo.getRecord"); ``` ### Context The SDK has `AtProtoAuthenticationHandler` for validating incoming service auth JWTs but cannot generate outgoing ones. This is needed for building relay services, feed generators, and labelers. ### Reference - [AT Protocol Service Auth spec](https://atproto.com/specs/xrpc#service-auth)