Tesseral for Axum

Add B2B auth support to your Axum app in just a few lines of code.

Tesseral’s Axum SDK lets you add authentication to your Rust Axum backend.

Getting Started

Add the Tesseral Axum SDK to your Cargo.toml:

$ cargo add tesseral-axum

Then, in the file where you create your Axum router, apply the require_auth middleware:

use axum::{Router, routing::get};
use tesseral_axum::{Auth, Authenticator, require_auth};

// Create an authenticator with your publishable key
let authenticator = Authenticator::new("publishable_key_...".into());

// Apply the authentication middleware to your router
let app: Router = Router::new()
    .route("/", get(handler))
    .layer(require_auth(authenticator));

// Your handler can now access the Auth object
async fn handler(auth: Auth) -> String {
    format!("You work for {}", auth.organization_id())
}

Replace publishable_key_... with your project’s Publishable Key. You can find it in the API Keys Settings of the Tesseral Console.

Once you’ve added require_auth, all HTTP requests to your server will be authenticated. Requests that fail authentication receive a 401 Unauthorized error before they reach your route handlers.

Accessing details about the authenticated request

The Tesseral middleware adds an Auth object to the request extensions. You can extract this object in your handlers by adding it as a parameter:

async fn handler(auth: Auth) -> String {
    format!("You work for {}", auth.organization_id())
}

Getting the current Organization

To access the Organization the request is for, use auth.organization_id():

async fn handler(auth: Auth) -> String {
    let org_id = auth.organization_id(); // returns a string like "org_..."
    format!("You work for {}", org_id)
}

This is the most common identifier you’ll use in a B2B SaaS application.

Getting the request’s authenticated credentials

If you need to forward along the request’s credentials, use auth.credentials():

// No return type: the original `-> String` had no value to return.
async fn handler(auth: Auth) {
    let credentials = auth.credentials();
    // Use credentials for service-to-service authentication
    // ...
}

Do not log or expose this value. You usually don’t need to use this unless you’re building internal service-to-service calls.

Getting details about the current User

To access extra details about the authenticated User, use auth.access_token_claims():

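// No return type: the original `-> String` had no value to return.
async fn handler(auth: Auth) {
    // access_token_claims() is None when the request used an API Key
    if let Some(access_token_claims) = auth.access_token_claims() {
        dbg!(access_token_claims.user.email);
    }
}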

If the request is from an API Key, then auth.access_token_claims() is None.

We recommend that you use auth.organization_id() in the vast majority of your code; it is almost always the piece of information that B2B SaaS code should pay attention to. For more details, see B2B Multitenancy.
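
One way to apply this recommendation, as an added example that is not Tesseral's code: a data-access layer in which every read takes the organization ID, so a handler passes auth.organization_id() and a record ID that belongs to another tenant resolves to nothing. Invoice, InvoiceStore and the sample organization IDs are hypothetical and constructed for illustration; no Tesseral API is called.

```rust
use std::collections::HashMap;

/// Hypothetical record type for this example.
#[derive(Debug, PartialEq)]
pub struct Invoice {
    pub id: u32,
    pub amount_cents: u64,
}

/// In-memory stand-in for a table keyed by (organization ID, record ID),
/// so no lookup can skip the tenant check.
#[derive(Default)]
pub struct InvoiceStore {
    rows: HashMap<(String, u32), Invoice>,
}

impl InvoiceStore {
    pub fn insert(&mut self, org_id: &str, invoice: Invoice) {
        self.rows.insert((org_id.to_owned(), invoice.id), invoice);
    }

    /// `org_id` comes from the authenticated request (assumption: the handler
    /// passes `auth.organization_id()`), never from the path, query or body.
    pub fn get(&self, org_id: &str, invoice_id: u32) -> Option<&Invoice> {
        self.rows.get(&(org_id.to_owned(), invoice_id))
    }

    /// Every invoice owned by one organization, ordered by ID.
    pub fn list(&self, org_id: &str) -> Vec<&Invoice> {
        let mut out: Vec<&Invoice> = self.rows.iter()
            .filter(|(key, _)| key.0 == org_id)
            .map(|(_, invoice)| invoice)
            .collect();
        out.sort_by_key(|invoice| invoice.id);
        out
    }
}

/// Constructed sample data: two tenants with their own invoices.
pub fn sample_store() -> InvoiceStore {
    let mut store = InvoiceStore::default();
    store.insert("org_aaa", Invoice { id: 1, amount_cents: 12_500 });
    store.insert("org_aaa", Invoice { id: 2, amount_cents: 9_900 });
    store.insert("org_bbb", Invoice { id: 3, amount_cents: 40_000 });
    store
}

fn main() {
    let store = sample_store();
    // org_aaa asks for invoice 3, which belongs to org_bbb.
    println!("{:?} {:?}", store.get("org_aaa", 3), store.list("org_aaa"));
}
```

With a real database the same rule becomes an organization ID predicate on every query, bound from the authenticated request rather than from user input.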