Introduction
Authkestra is a modular, framework-agnostic authentication orchestration system for Rust. designed to be idiomatic and emphasize explicit control flow, strong typing, and composability.
What is Authkestra?
Unlike authentication solutions common in other ecosystems that rely heavily on dynamic middleware and implicit context, Authkestra follows Rust's philosophy of being explicit, composable, and type-safe. Authentication context is never implicitly available—users must explicitly request it via extractors.
use authkestra::flow::Authkestra;
use authkestra::axum::AuthSession;
// Initialize Authkestra with typestate pattern
let auth = Authkestra::builder()
.session_store(Arc::new(MemoryStore::default()))
.jwt_secret(b"your-secret")
.build();
// Explicit injection via extractors - no magic!
async fn protected(AuthSession(session): AuthSession) -> impl IntoResponse {
let user = session.identity;
format!("Hello, {}!", user.username.unwrap_or_default())
}Framework Agnostic Core
The core authentication logic in authkestra-flow is
pure Rust, completely independent of any web framework. Framework adapters like
authkestra-axum provide the integration layer.
Key Features
Modular Design
Strictly separated concerns with composable crates
Explicit Control Flow
No magic middleware or implicit context
Provider Agnostic
Easily implement new OAuth providers via traits
Session & JWT Support
Flexible session stores and stateless token management
Workspace Crates
Authkestra is organized as a Cargo workspace with specialized crates for different
responsibilities. You can use the authkestra facade
crate with feature flags, or import individual crates directly.
| Crate | Responsibility |
|---|---|
authkestra | Primary facade - re-exports all crates behind features |
authkestra-core | Foundational types and traits (Identity, OAuthProvider, SessionStore) |
authkestra-flow | Orchestrates OAuth2/OIDC flows (Authorization Code, PKCE, Device Flow) |
authkestra-session | Session persistence layer (Memory, Redis, SQL) |
authkestra-guard | Authentication guard for multi-strategy orchestration |
authkestra-token | JWT signing, verification, and offline validation |
authkestra-oidc | OpenID Connect discovery and validation |
authkestra-macros | Derive macros to reduce boilerplate (e.g., AuthkestraFromRef) |
authkestra-axum | Axum integration with extractors and route helpers |
authkestra-actix | Actix-web integration |
authkestra-providers-* | Concrete provider implementations (GitHub, Google, Discord) |
Design Philosophy
Authkestra favors compile-time guarantees over runtime flexibility:
- Trait-Based Extension: Customization is achieved by implementing traits, not configuring dynamic strategies
- Explicit Injection: Authentication context is never implicitly available; use extractors like
AuthSession - Framework Agnostic Core: The flow crate is pure Rust logic, completely independent of any web framework
- Typestate Pattern: The
Authkestraservice uses typestates to ensure that only configured features (like sessions or tokens) are accessible at compile-time.