| title | Authentication |
|---|---|
| sdk | java |
| spec_sections | |
| kind | guide |
| since | 1.0.0 |

ARCP uses bearer tokens in `session.hello`. The runtime verifies tokens via
the `BearerVerifier` SPI.

```java
ArcpClient client = ArcpClient.builder(transport)
    .bearer("my-token")
    .build();
client.connect(Duration.ofSeconds(5));
```

```java
ArcpRuntime runtime = ArcpRuntime.builder()
    .verifier(BearerVerifier.staticToken("hunter2", new Principal("alice")))
    .agent("echo", "1.0.0", (input, ctx) -> JobOutcome.Success.inline(input.payload()))
    .build();
```

`BearerVerifier.staticToken(token, principal)` accepts exactly that one
token and binds the given `Principal`. Jobs submitted in this session run
under `alice`.

The default (no verifier configured) accepts any non-empty token and creates an anonymous principal. Do not use this in production.

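Implement `BearerVerifier` to integrate with your auth system:

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import java.security.PublicKey;

public class JwtVerifier implements BearerVerifier {
    private final PublicKey publicKey; // key that verifies the issuer's signatures
    public JwtVerifier(PublicKey publicKey) { this.publicKey = publicKey; }

    @Override
    public Principal verify(String token) throws UnauthenticatedException {
        // Validate the JWT (JJWT 0.12+ API) and extract the sub claim.
        Claims claims = Jwts.parser().verifyWith(publicKey).build()
                .parseSignedClaims(token).getPayload();
        return new Principal(claims.getSubject());
    }
}
```

```java
ArcpRuntime runtime = ArcpRuntime.builder()
    .verifier(new JwtVerifier(publicKey)) // publicKey: the token issuer's verification key
    .build();
```

Throw `UnauthenticatedException` (or any unchecked exception — the runtime
wraps it) to reject a token.
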
A complete HMAC-SHA256 verifier lives in
`examples/custom-auth/`. It demonstrates:

- Signing a token with `Mac.getInstance("HmacSHA256")`
- Timing-safe comparison with `MessageDigest.isEqual`
- Returning a `Principal` with metadata from the token claims

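
The signing and timing-safe comparison steps listed above, as an added example that is not the code in `examples/custom-auth/` and uses only the JDK. The class name `HmacTokens`, its methods, the token format and the demo secret are assumptions made for illustration; a `BearerVerifier` implementation would call `verify` and wrap the returned subject in `new Principal(...)`.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Assumed token format (constructed for this example, not the project's):
//   base64url("subject|expiryEpochSeconds") + "." + base64url(HMAC-SHA256 tag)
public final class HmacTokens {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private final SecretKeySpec key;

    public HmacTokens(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] tag(byte[] payload) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256"); // Mac instances are not thread-safe
        mac.init(key);
        return mac.doFinal(payload);
    }

    public String sign(String subject, Instant expiry) throws GeneralSecurityException {
        byte[] payload = (subject + "|" + expiry.getEpochSecond()).getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(tag(payload));
    }

    // Returns the subject; any exception means "reject the token".
    public String verify(String token, Instant now) throws GeneralSecurityException {
        String[] parts = token == null ? new String[0] : token.split("\\.", -1);
        if (parts.length != 2) throw new SecurityException("malformed token");
        byte[] payload = Base64.getUrlDecoder().decode(parts[0]); // IllegalArgumentException if not base64url
        byte[] presented = Base64.getUrlDecoder().decode(parts[1]);
        // Authenticate before parsing any field; isEqual does not stop at the first differing byte.
        if (!MessageDigest.isEqual(tag(payload), presented)) throw new SecurityException("bad signature");
        String[] fields = new String(payload, StandardCharsets.UTF_8).split("\\|", -1);
        if (fields.length != 2) throw new SecurityException("malformed payload");
        if (now.getEpochSecond() >= Long.parseLong(fields[1])) throw new SecurityException("expired");
        return fields[0];
    }

    public static void main(String[] args) throws Exception {
        HmacTokens tokens = new HmacTokens("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        Instant now = Instant.now();
        String token = tokens.sign("alice", now.plusSeconds(300));
        System.out.println("subject: " + tokens.verify(token, now));
        try { tokens.verify(token + "A", now); } // tampered tag
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```
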
Jobs are scoped to the `Principal` returned by the verifier. `listJobs`
and `subscribe` are restricted to jobs owned by the calling principal — no
cross-principal data leaks.

For per-job short-lived credentials (API keys, DB passwords), see `guides/credentials.md`.