tana-auth
| Crates.io | tana-auth |
| lib.rs | tana-auth |
| version | 0.1.1 |
| created_at | 2025-12-06 18:57:38.509637+00 |
| updated_at | 2025-12-06 19:06:06.155567+00 |
| description | Authentication and JWT utilities for Tana with Ed25519 signatures |
| homepage | |
| repository | https://github.com/tananetwork/tana-auth |
| max_upload_size | |
| id | 1970591 |
| size | 64,921 |
Sami Fouad (samifouad)
documentation
README
tana-auth
Authentication and JWT utilities for Tana with Ed25519 signatures.
Status: ✅ TypeScript implementation complete (8/8 tests passing) | ⚙️ Rust implementation ready for WASM compilation
Features
- User-signed JWTs - Unlike traditional JWTs signed by servers, Tana JWTs are signed by users with their private keys
- Ed25519 signatures - Same crypto as Tana transactions, compatible with existing key infrastructure
- Blockchain verification - JWTs are verified against public keys stored on the blockchain (trustless)
- Dual implementation - Available for both Rust (native) and TypeScript/Bun (WASM)
Architecture
Traditional JWTs use server secrets (HS256) or server keypairs (RS256). Tana uses a different model:
┌─────────────┐ ┌──────────────┐
│ User │ │ Blockchain │
│ │ │ (Ledger) │
│ Private Key │──┐ │ │
│ Public Key │ │ │ Public Key │
└─────────────┘ │ └──────────────┘
│ ▲
│ Sign JWT │ Verify
│ with private key │ against public key
▼ │
┌────────────────┐ │
│ JWT │────────────────┘
│ (self-signed) │
└────────────────┘
This creates a git-like trust model where:
- Users sign their own credentials
- The blockchain is the source of truth for identity
- No central authority can forge JWTs
Installation
Rust
[dependencies]
tana-auth = "0.1"
TypeScript/Bun
npm install @tananetwork/auth
# or
bun add @tananetwork/auth
Usage
TypeScript/Bun
import { create_jwt, verify_jwt } from '@tananetwork/auth'
// Create JWT signed by user's private key
const jwt = create_jwt(
"ed25519_a1b2c3...", // user's private key
"@alice", // username
90 // days until expiration
)
// Verify JWT against user's public key from blockchain
const result = verify_jwt(jwt, "ed25519_d4e5f6...")
if (result.valid) {
console.log(`JWT valid for user: ${result.username}`)
console.log(`Expires: ${new Date(result.expires_at * 1000)}`)
} else {
console.error(`JWT invalid: ${result.error}`)
}
Rust
use tana_auth::{create_jwt, verify_jwt};
// Create JWT signed by user's private key
let jwt = create_jwt(
"ed25519_a1b2c3...",
"@alice",
90
)?;
// Verify JWT
let result = verify_jwt(&jwt, "ed25519_d4e5f6...")?;
if result.valid {
println!("JWT valid for user: {}", result.username.unwrap());
} else {
println!("JWT invalid: {}", result.error.unwrap());
}
Integration with Tana CLI
The Tana CLI manages user keys in ~/.config/tana/users/:
# Show current user
tana whoami
# Switch active user
tana use @alice
# Generate JWT for git authentication
tana auth login # Creates JWT, saves to ~/.config/tana/jwt
The CLI reads the active user's private key from config and creates a JWT that lasts 90 days. This JWT is then used for:
- Git push/pull authentication
- API access
- Build triggers
- Other automated workflows
JWT Format
Tana JWTs follow standard JWT format with EdDSA algorithm:
{header}.{payload}.{signature}
Header:
{
"alg": "EdDSA",
"typ": "JWT"
}
Payload:
{
"sub": "@alice", // username
"iat": 1234567890, // issued at (Unix timestamp)
"exp": 1242343890, // expiration (Unix timestamp)
"iss": "self" // always self-signed
}
Signature:
- Ed25519 signature of SHA-256 hash of
{header}.{payload} - Signed with user's private key
- Verified against user's public key from blockchain
Building from Source
Build Rust library
cargo build --release
Build WASM for Node.js/Bun
npm run build
# or
bun run build
Build WASM for browsers
npm run build:web
# or
bun run build:web
Run tests
# Rust tests
cargo test
# WASM tests
bun run test
Publishing
Publish Rust crate
cargo publish
Publish NPM package
npm run build
npm publish
License
Dual-licensed under MIT OR Apache-2.0