api


Constants

// DefaultIdleTimeout is the default session idle timeout (30 minutes).
const DefaultIdleTimeout = 30 * time.Minute

DefaultIdleTimeout is the default session idle timeout (30 minutes).

Variables

This section is empty.

Functions

func CSPNonce

func CSPNonce(ctx context.Context) string

CSPNonce retrieves the per-request CSP nonce from the request context. Returns an empty string if the middleware has not run.

Types

type API

// API holds the dependencies needed by the REST handlers.
// Construct it with New; call Close on shutdown to drain the audit webhook queue.
type API struct {
	// contains filtered or unexported fields
}

API holds the dependencies needed by the REST handlers.

func New

func New(repo storage.Repository, epochCache vault.EpochCache, opts ...Option) *API

New creates a new API instance.

func (*API) AbortMPCDKGAttempt

func (a *API) AbortMPCDKGAttempt(w http.ResponseWriter, r *http.Request)

func (*API) AcceptInvite

func (a *API) AcceptInvite(w http.ResponseWriter, r *http.Request)

AcceptInvite handles POST /invites/{token}/accept.

func (*API) AddMPCApproval

func (a *API) AddMPCApproval(w http.ResponseWriter, r *http.Request)

func (*API) AddMember

func (a *API) AddMember(w http.ResponseWriter, r *http.Request)

AddMember handles POST /vaults/{vaultID}/members.

func (*API) AuthMiddleware

func (a *API) AuthMiddleware(next http.Handler) http.Handler

AuthMiddleware authenticates either a session cookie or explicit credentials and stores imported credentials on the request context.

func (*API) BeginStepUpPasskey

func (a *API) BeginStepUpPasskey(w http.ResponseWriter, r *http.Request)

BeginStepUpPasskey handles POST /auth/step-up/passkey/begin. Starts a WebAuthn assertion ceremony for step-up authentication.

func (*API) BeginWebAuthnLogin

func (a *API) BeginWebAuthnLogin(w http.ResponseWriter, r *http.Request)

BeginWebAuthnLogin handles POST /auth/webauthn/login/begin. Starts the WebAuthn login ceremony. Requires secret_key and passphrase in the body — the passphrase is needed for vault decryption after successful WebAuthn verification.

func (*API) BeginWebAuthnRegistration

func (a *API) BeginWebAuthnRegistration(w http.ResponseWriter, r *http.Request)

BeginWebAuthnRegistration handles POST /auth/webauthn/register/begin. Starts the WebAuthn registration ceremony and returns the credential creation options.

func (*API) CSRFMiddleware

func (a *API) CSRFMiddleware(next http.Handler) http.Handler

CSRFMiddleware enforces double-submit cookie CSRF protection for cookie-authenticated mutating requests. Safe methods (GET, HEAD, OPTIONS) and header-authenticated requests are exempt.

func (*API) CancelInvite

func (a *API) CancelInvite(w http.ResponseWriter, r *http.Request)

CancelInvite handles DELETE /vaults/{vaultID}/invites/{token}.

func (*API) ChangeMemberRole

func (a *API) ChangeMemberRole(w http.ResponseWriter, r *http.Request)

ChangeMemberRole handles PUT /vaults/{vaultID}/members/{memberID}.

func (*API) Close

func (a *API) Close()

Close releases resources held by the API instance. Must be called on server shutdown to drain the audit webhook queue.

func (*API) CompleteMPCSigningSession

func (a *API) CompleteMPCSigningSession(w http.ResponseWriter, r *http.Request)

func (*API) CreateInvite

func (a *API) CreateInvite(w http.ResponseWriter, r *http.Request)

CreateInvite handles POST /vaults/{vaultID}/invites.

func (*API) CreateMPCKey

func (a *API) CreateMPCKey(w http.ResponseWriter, r *http.Request)

func (*API) CreateMPCSigningSession

func (a *API) CreateMPCSigningSession(w http.ResponseWriter, r *http.Request)

func (*API) CreateVault

func (a *API) CreateVault(w http.ResponseWriter, r *http.Request)

CreateVault handles POST /vaults. Creates a new vault for the authenticated account and returns the generated vault ID.

func (*API) DeleteItem

func (a *API) DeleteItem(w http.ResponseWriter, r *http.Request)

DeleteItem handles DELETE /vaults/{vaultID}/items/{itemID}.

func (*API) DeletePasskey

func (a *API) DeletePasskey(w http.ResponseWriter, r *http.Request)

DeletePasskey handles DELETE /auth/webauthn/credentials/{credentialID}. Removes a registered passkey. Rejects deletion of the last passkey when no unused recovery codes exist to prevent the user from being locked out.

func (*API) DeleteVault

func (a *API) DeleteVault(w http.ResponseWriter, r *http.Request)

DeleteVault handles DELETE /vaults/{vaultID}.

func (*API) DisableTwoFactor

func (a *API) DisableTwoFactor(w http.ResponseWriter, r *http.Request)

DisableTwoFactor handles POST /auth/2fa/disable.

func (*API) EnableTwoFactor

func (a *API) EnableTwoFactor(w http.ResponseWriter, r *http.Request)

EnableTwoFactor handles POST /auth/2fa/enable.

func (*API) ExportAuditLog

func (a *API) ExportAuditLog(w http.ResponseWriter, r *http.Request)

ExportAuditLog handles GET /vaults/{vaultID}/audit/export. Admin-only. Returns the full audit chain with a tamper-evident HMAC-SHA256 signature over the serialized entries, computed with the vault's record key.

func (*API) ExportVault

func (a *API) ExportVault(w http.ResponseWriter, r *http.Request)

ExportVault handles POST /vaults/{vaultID}/export. Requires owner access. Decrypts all current items, serializes them to JSON, and encrypts the blob with the caller-supplied passphrase using Argon2id + AES-256-GCM. The response is a binary file: version(1B) || salt(16B) || AES-256-GCM ciphertext.

func (*API) FinishStepUpPasskey

func (a *API) FinishStepUpPasskey(w http.ResponseWriter, r *http.Request)

FinishStepUpPasskey handles POST /auth/step-up/passkey/finish. Completes the WebAuthn assertion and grants step-up authentication.

func (*API) FinishWebAuthnLogin

func (a *API) FinishWebAuthnLogin(w http.ResponseWriter, r *http.Request)

FinishWebAuthnLogin handles POST /auth/webauthn/login/finish. Completes the WebAuthn login ceremony and creates a full session.

func (*API) FinishWebAuthnRegistration

func (a *API) FinishWebAuthnRegistration(w http.ResponseWriter, r *http.Request)

FinishWebAuthnRegistration handles POST /auth/webauthn/register/finish. Completes the registration ceremony and stores the credential.

func (*API) GenerateCRL

func (a *API) GenerateCRL(w http.ResponseWriter, r *http.Request)

GenerateCRL handles POST /vaults/{vaultID}/pki/crl. It regenerates the CRL (incrementing CRLNumber), caches it, and returns the PEM-encoded result. This is a state-mutating operation protected by CSRF middleware.

func (*API) GenerateRecoveryCodes

func (a *API) GenerateRecoveryCodes(w http.ResponseWriter, r *http.Request)

GenerateRecoveryCodes handles POST /auth/recovery-codes. Generates a new batch of recovery codes, replacing any existing ones. Returns the plaintext codes once — they are never stored.

func (*API) GetAuditStatus

func (a *API) GetAuditStatus(w http.ResponseWriter, r *http.Request)

GetAuditStatus handles GET /vaults/{vaultID}/audit/status.

func (*API) GetAuthSettings

func (a *API) GetAuthSettings(w http.ResponseWriter, r *http.Request)

GetAuthSettings handles GET /auth/settings.

func (*API) GetCACert

func (a *API) GetCACert(w http.ResponseWriter, r *http.Request)

GetCACert handles GET /vaults/{vaultID}/pki/ca.pem.

func (*API) GetCAInfo

func (a *API) GetCAInfo(w http.ResponseWriter, r *http.Request)

GetCAInfo handles GET /vaults/{vaultID}/pki/info.

func (*API) GetCRL

func (a *API) GetCRL(w http.ResponseWriter, r *http.Request)

GetCRL handles GET /vaults/{vaultID}/pki/crl.pem. It returns the most recently cached CRL without mutating CA state. A CRL is automatically generated during InitCA and after each GenerateCRL (POST) or RevokeCert, so a cached copy is always available for initialised CAs.

func (*API) GetHistoryVersion

func (a *API) GetHistoryVersion(w http.ResponseWriter, r *http.Request)

GetHistoryVersion handles GET /vaults/{vaultID}/items/{itemID}/history/{version}.

func (*API) GetInviteInfo

func (a *API) GetInviteInfo(w http.ResponseWriter, r *http.Request)

GetInviteInfo handles GET /invites/{token}. Auth required but no vault membership check.

func (*API) GetItem

func (a *API) GetItem(w http.ResponseWriter, r *http.Request)

GetItem handles GET /vaults/{vaultID}/items/{itemID}.

func (*API) GetItemHistory

func (a *API) GetItemHistory(w http.ResponseWriter, r *http.Request)

GetItemHistory handles GET /vaults/{vaultID}/items/{itemID}/history.

func (*API) GetItemPrivateKey

func (a *API) GetItemPrivateKey(w http.ResponseWriter, r *http.Request)

GetItemPrivateKey handles GET /vaults/{vaultID}/items/{itemID}/private-key. Returns the raw PEM-encoded private key for a certificate item. Requires owner (admin) access because private keys are redacted from normal GetItem responses.

func (*API) GetMPCDKGAttempt

func (a *API) GetMPCDKGAttempt(w http.ResponseWriter, r *http.Request)

func (*API) GetMPCKey

func (a *API) GetMPCKey(w http.ResponseWriter, r *http.Request)

func (*API) GetMPCMetrics

func (a *API) GetMPCMetrics(w http.ResponseWriter, r *http.Request)

func (*API) ImportVault

func (a *API) ImportVault(w http.ResponseWriter, r *http.Request)

ImportVault handles POST /vaults/{vaultID}/import. Accepts multipart form with "file" (the encrypted backup blob) and "passphrase". Each imported item receives a new UUID; original IDs are not preserved.

func (*API) InitCA

func (a *API) InitCA(w http.ResponseWriter, r *http.Request)

InitCA handles POST /vaults/{vaultID}/pki/init.

func (*API) IssueCert

func (a *API) IssueCert(w http.ResponseWriter, r *http.Request)

IssueCert handles POST /vaults/{vaultID}/pki/issue.

func (*API) LabelPasskey

func (a *API) LabelPasskey(w http.ResponseWriter, r *http.Request)

LabelPasskey handles PUT /auth/webauthn/credentials/{credentialID}. Updates the user-visible label for a registered passkey.

func (*API) ListAuditLogs

func (a *API) ListAuditLogs(w http.ResponseWriter, r *http.Request)

ListAuditLogs handles GET /vaults/{vaultID}/audit.

func (*API) ListInvites

func (a *API) ListInvites(w http.ResponseWriter, r *http.Request)

ListInvites handles GET /vaults/{vaultID}/invites.

func (*API) ListItemVersions

func (a *API) ListItemVersions(w http.ResponseWriter, r *http.Request)

ListItemVersions handles GET /vaults/{vaultID}/items/versions. Returns a lightweight manifest of item IDs and their current versions by reading Envelope.Version from storage (no item decryption required).

func (*API) ListItems

func (a *API) ListItems(w http.ResponseWriter, r *http.Request)

ListItems handles GET /vaults/{vaultID}/items.

func (*API) ListMPCDKGAttempts

func (a *API) ListMPCDKGAttempts(w http.ResponseWriter, r *http.Request)

func (*API) ListMPCKeys

func (a *API) ListMPCKeys(w http.ResponseWriter, r *http.Request)

func (*API) ListMPCProviders

func (a *API) ListMPCProviders(w http.ResponseWriter, r *http.Request)

func (*API) ListMPCSigningSessions

func (a *API) ListMPCSigningSessions(w http.ResponseWriter, r *http.Request)

func (*API) ListMembers

func (a *API) ListMembers(w http.ResponseWriter, r *http.Request)

ListMembers handles GET /vaults/{vaultID}/members.

func (*API) ListPasskeys

func (a *API) ListPasskeys(w http.ResponseWriter, r *http.Request)

ListPasskeys handles GET /auth/webauthn/credentials. Returns the list of registered passkeys with their metadata.

func (*API) ListVaults

func (a *API) ListVaults(w http.ResponseWriter, r *http.Request)

ListVaults handles GET /vaults. Uses the per-account vault index instead of iterating all vaults in the repository, avoiding an O(N) probe of every vault and preventing vault-existence leakage.

func (*API) Login

func (a *API) Login(w http.ResponseWriter, r *http.Request)

Login handles POST /auth/login.

func (*API) Logout

func (a *API) Logout(w http.ResponseWriter, r *http.Request)

Logout handles POST /auth/logout.

func (*API) OpenVault

func (a *API) OpenVault(w http.ResponseWriter, r *http.Request)

OpenVault handles POST /vaults/{vaultID}/open. Validates credentials and returns vault info.

func (*API) PutItem

func (a *API) PutItem(w http.ResponseWriter, r *http.Request)

PutItem handles POST /vaults/{vaultID}/items/{itemID}.

func (*API) RecoveryCodesStatus

func (a *API) RecoveryCodesStatus(w http.ResponseWriter, r *http.Request)

RecoveryCodesStatus handles GET /auth/recovery-codes. Returns whether recovery codes exist and how many are unused.

func (*API) Register

func (a *API) Register(w http.ResponseWriter, r *http.Request)

Register handles POST /auth/register.

func (*API) RegisterMPCSigner

func (a *API) RegisterMPCSigner(w http.ResponseWriter, r *http.Request)

func (*API) RenewCert

func (a *API) RenewCert(w http.ResponseWriter, r *http.Request)

RenewCert handles POST /vaults/{vaultID}/pki/items/{itemID}/renew.

func (*API) RevokeCert

func (a *API) RevokeCert(w http.ResponseWriter, r *http.Request)

RevokeCert handles POST /vaults/{vaultID}/pki/items/{itemID}/revoke.

func (*API) RevokeMember

func (a *API) RevokeMember(w http.ResponseWriter, r *http.Request)

RevokeMember handles DELETE /vaults/{vaultID}/members/{memberID}.

func (*API) RotateMPCKey

func (a *API) RotateMPCKey(w http.ResponseWriter, r *http.Request)

func (*API) Router

func (a *API) Router() chi.Router

Router returns a chi.Router with all API routes mounted.

func (*API) SearchItems

func (a *API) SearchItems(w http.ResponseWriter, r *http.Request)

SearchItems handles GET /search. Searches decrypted item fields across one or all vaults. Query parameters:

  • q: text search query (case-insensitive substring)
  • type: filter by item type (login, note, card, certificate, custom)
  • vault_id: restrict to a single vault (optional)
  • limit, offset: pagination

func (*API) SecurityHeaders

func (a *API) SecurityHeaders(next http.Handler) http.Handler

SecurityHeaders returns middleware that sets standard security response headers on every response. It should be placed early in the middleware chain.

A per-request cryptographic nonce is generated for style-src, replacing 'unsafe-inline'. The nonce is stored in the request context so that the web handler can inject it into served HTML pages (via a <meta> tag) and downstream components can apply it to dynamically created <style> elements.

HSTS (Strict-Transport-Security) is only set when the request is determined to be secure. Forwarded-protocol headers (X-Forwarded-Proto, Forwarded) are only honored if the direct peer's RemoteAddr falls within the API's configured --trusted-proxies CIDR ranges, matching the same trust model used for client IP extraction.

func (*API) SetupTwoFactor

func (a *API) SetupTwoFactor(w http.ResponseWriter, r *http.Request)

SetupTwoFactor handles POST /auth/2fa/setup.

func (*API) SignCSR

func (a *API) SignCSR(w http.ResponseWriter, r *http.Request)

SignCSR handles POST /vaults/{vaultID}/pki/sign-csr.

func (*API) StepUpTOTP

func (a *API) StepUpTOTP(w http.ResponseWriter, r *http.Request)

StepUpTOTP handles POST /auth/step-up. Verifies a TOTP code to grant a time-limited step-up session.

func (*API) TwoFactorStatus

func (a *API) TwoFactorStatus(w http.ResponseWriter, r *http.Request)

TwoFactorStatus handles GET /auth/2fa.

func (*API) UpdateAuthSettings

func (a *API) UpdateAuthSettings(w http.ResponseWriter, r *http.Request)

UpdateAuthSettings handles PUT /auth/settings.

func (*API) UpdateItem

func (a *API) UpdateItem(w http.ResponseWriter, r *http.Request)

UpdateItem handles PUT /vaults/{vaultID}/items/{itemID}.

func (*API) UpdateMPCKeyStatus

func (a *API) UpdateMPCKeyStatus(w http.ResponseWriter, r *http.Request)

func (*API) WebAuthnStatus

func (a *API) WebAuthnStatus(w http.ResponseWriter, r *http.Request)

WebAuthnStatus handles GET /auth/webauthn/status. Returns whether WebAuthn is configured and how many credentials are registered.

type AcceptInviteRequest

// AcceptInviteRequest is the JSON body for POST /invites/{token}/accept.
type AcceptInviteRequest struct {
	// Passphrase presumably is the one issued with the invite
	// (CreateInviteResponse.Passphrase) — verify against the handler.
	Passphrase string `json:"passphrase"`
}

AcceptInviteRequest is the JSON body for POST /invites/{token}/accept.

type AcceptInviteResponse

// AcceptInviteResponse is returned from POST /invites/{token}/accept.
type AcceptInviteResponse struct {
	// VaultID identifies the vault the caller has just joined.
	VaultID  string `json:"vault_id"`
	// MemberID is the caller's member identity within that vault.
	MemberID string `json:"member_id"`
}

AcceptInviteResponse is returned from POST /invites/{token}/accept.

type AddMPCApprovalRequest

// AddMPCApprovalRequest stores a signed approval from a participating signer.
type AddMPCApprovalRequest struct {
	// Approval is the signer's signed approval (type defined in the mpc package).
	Approval mpc.Approval `json:"approval"`
	// PartyID is optional; its zero value is omitted from the JSON encoding.
	PartyID  uint32       `json:"party_id,omitempty"`
}

AddMPCApprovalRequest stores a signed approval from a participating signer.

type AddMemberRequest

// AddMemberRequest is the JSON body for POST /vaults/{vaultID}/members.
type AddMemberRequest struct {
	MemberID string `json:"member_id"`
	// PubKey is the new member's public key; encoding is not documented here — confirm with the handler.
	PubKey   string `json:"pub_key"`
	// Role is the vault role granted to the new member (accepted values are defined by the handler).
	Role     string `json:"role"`
}

AddMemberRequest is the JSON body for POST /vaults/{vaultID}/members.

type AddMemberResponse

// AddMemberResponse is returned from POST /vaults/{vaultID}/members.
type AddMemberResponse struct {
	// Epoch is the vault epoch after the membership change — presumably advanced by
	// the operation (see vault.EpochCache in New); confirm.
	Epoch uint64 `json:"epoch"`
}

AddMemberResponse is returned from POST /vaults/{vaultID}/members.

type AlertEvent

// AlertEvent describes an anomaly that triggered an alert.
// It is the value passed to an AlertFunc.
type AlertEvent struct {
	// Type is the kind of anomaly (one of the AlertType constants).
	Type      AlertType `json:"type"`
	// Message is a human-readable description.
	Message   string    `json:"message"`
	// Count and Threshold appear to be the observed count and the limit it crossed — confirm.
	Count     int       `json:"count"`
	Threshold int       `json:"threshold"`
	// Timestamp is when the anomaly was detected.
	Timestamp time.Time `json:"timestamp"`
}

AlertEvent describes an anomaly that triggered an alert.

type AlertFunc

// AlertFunc is the callback invoked when an anomaly is detected.
type AlertFunc func(AlertEvent)

AlertFunc is the callback invoked when an anomaly is detected.

type AlertType

// AlertType identifies the kind of anomaly detected.
type AlertType string

AlertType identifies the kind of anomaly detected.

// Known AlertType values. The string forms are part of the JSON contract
// of AlertEvent and should not be changed without versioning.
const (
	AlertLoginFailureSpike AlertType = "login_failure_spike"
	AlertBulkExport        AlertType = "bulk_export"
	AlertCeremonyPressure  AlertType = "ceremony_pressure"
)

type AuditEntryResponse

// AuditEntryResponse is one vault audit log entry, as listed by
// GET /vaults/{vaultID}/audit.
type AuditEntryResponse struct {
	ID         string `json:"id"`
	ItemID     string `json:"item_id"`
	Action     string `json:"action"`
	MemberID   string `json:"member_id"`
	CreatedAt  string `json:"created_at"`
	// RemoteAddr and UserAgent are omitted when empty. NOTE(review): the
	// SecurityHeaders docs say forwarded-protocol headers are only honored from
	// --trusted-proxies; confirm the same trust model governs the address recorded here.
	RemoteAddr string `json:"remote_addr,omitempty"`
	UserAgent  string `json:"user_agent,omitempty"`
}

AuditEntryResponse is one vault audit log entry.

type AuditEvent

// AuditEvent identifies the type of security-relevant action being logged.
type AuditEvent string

AuditEvent identifies the type of security-relevant action being logged.

// Known AuditEvent values. The string forms are stable identifiers emitted
// to audit consumers (e.g. the audit webhook queue drained by Close);
// treat them as part of the external contract.
const (
	AuditLoginSuccess                AuditEvent = "login_success"
	AuditLoginFailure                AuditEvent = "login_failure"
	AuditLoginRateLimited            AuditEvent = "login_rate_limited"
	AuditRegister                    AuditEvent = "register"
	AuditLogout                      AuditEvent = "logout"
	AuditTwoFactorEnabled            AuditEvent = "2fa_enabled"
	AuditTwoFactorDisabled           AuditEvent = "2fa_disabled"
	AuditTwoFactorSetup              AuditEvent = "2fa_setup"
	AuditAuthSettingsChanged         AuditEvent = "auth_settings_changed"
	AuditVaultCreated                AuditEvent = "vault_created"
	AuditVaultDeleted                AuditEvent = "vault_deleted"
	AuditMemberAdded                 AuditEvent = "member_added"
	AuditMemberRevoked               AuditEvent = "member_revoked"
	AuditItemCreated                 AuditEvent = "item_created"
	AuditItemUpdated                 AuditEvent = "item_updated"
	AuditItemDeleted                 AuditEvent = "item_deleted"
	AuditVaultExported               AuditEvent = "vault_exported"
	AuditVaultImported               AuditEvent = "vault_imported"
	AuditCAInitialized               AuditEvent = "ca_initialized"
	AuditCertIssued                  AuditEvent = "cert_issued"
	AuditCertRevoked                 AuditEvent = "cert_revoked"
	AuditCertRenewed                 AuditEvent = "cert_renewed"
	AuditCRLGenerated                AuditEvent = "crl_generated"
	AuditCSRSigned                   AuditEvent = "csr_signed"
	// AuditPrivateKeyAccessed corresponds to GetItemPrivateKey, which returns
	// raw PEM private keys and is owner-only.
	AuditPrivateKeyAccessed          AuditEvent = "private_key_accessed"
	AuditWebAuthnRegistered          AuditEvent = "webauthn_registered"
	AuditWebAuthnLoginSuccess        AuditEvent = "webauthn_login_success"
	AuditRegisterRateLimited         AuditEvent = "register_rate_limited"
	AuditCeremonyCapExceeded         AuditEvent = "ceremony_cap_exceeded"
	AuditWebAuthnDeleted             AuditEvent = "webauthn_deleted"
	AuditWebAuthnLabeled             AuditEvent = "webauthn_labeled"
	AuditRecoveryCodesGenerated      AuditEvent = "recovery_codes_generated"
	AuditRecoveryCodeUsed            AuditEvent = "recovery_code_used"
	AuditMemberRoleChanged           AuditEvent = "member_role_changed"
	AuditInviteCreated               AuditEvent = "invite_created"
	AuditInviteAccepted              AuditEvent = "invite_accepted"
	AuditInviteCanceled              AuditEvent = "invite_canceled"
	AuditStepUpTOTP                  AuditEvent = "step_up_totp"
	AuditStepUpPasskey               AuditEvent = "step_up_passkey"
	AuditMPCSignerRegistered         AuditEvent = "mpc_signer_registered"
	AuditMPCKeyCreated               AuditEvent = "mpc_key_created"
	AuditMPCSigningRequested         AuditEvent = "mpc_signing_requested"
	AuditMPCSigningApprovalRequested AuditEvent = "mpc_signing_approval_requested"
	AuditMPCSigningApproved          AuditEvent = "mpc_signing_approved"
	AuditMPCSigningCompleted         AuditEvent = "mpc_signing_completed"
	AuditMPCKeyStatusChanged         AuditEvent = "mpc_key_status_changed"
	AuditMPCKeyRotated               AuditEvent = "mpc_key_rotated"
	AuditMPCDKGCommitted             AuditEvent = "mpc_dkg_committed"
	AuditMPCDKGAborted               AuditEvent = "mpc_dkg_aborted"
)

type AuditStatusResponse

// AuditStatusResponse is returned from GET /vaults/{vaultID}/audit/status.
type AuditStatusResponse struct {
	VaultID        string `json:"vault_id"`
	// Verified reports whether the audit chain verified; FailureReason is set when it did not.
	Verified       bool   `json:"verified"`
	EntryCount     int    `json:"entry_count"`
	// TipHash is presumably the chain hash of the latest entry (cf. ExportAuditEntryResponse.PrevHash) — confirm.
	TipHash        string `json:"tip_hash,omitempty"`
	LatestEntryAt  string `json:"latest_entry_at,omitempty"`
	FailureReason  string `json:"failure_reason,omitempty"`
	// RetentionFloor: semantics not documented on this page — consult the handler.
	RetentionFloor bool   `json:"retention_floor"`
}

AuditStatusResponse is returned from GET /vaults/{vaultID}/audit/status.

type AuthSession

// AuthSession holds the server-side state for an authenticated session.
//
// The session passphrase is intentionally NOT stored here. It is derived at
// request time from the session token and a client-held secret cookie using
// HMAC-SHA256 (see deriveSessionPassphrase in middleware.go). This ensures that
// a session store compromise alone cannot reconstruct credentials — the
// attacker also needs the per-session client cookie.
type AuthSession struct {
	SecretKeyID           string    `json:"secret_key_id"`
	// CredentialsBlob is presumably protected by the derived session passphrase
	// rather than stored in the clear — verify in middleware.go.
	CredentialsBlob       string    `json:"credentials_blob"`
	// ExpiresAt is the absolute expiry; LastAccessedAt drives the idle timeout
	// (see DefaultIdleTimeout).
	ExpiresAt             time.Time `json:"expires_at"`
	LastAccessedAt        time.Time `json:"last_accessed_at"`
	// PendingTOTPSecret/PendingTOTPExpiry appear to bridge SetupTwoFactor and
	// EnableTwoFactor; NOTE(review): confirm the secret is cleared once enabled or expired.
	PendingTOTPSecret     string    `json:"pending_totp_secret,omitempty"`
	PendingTOTPExpiry     time.Time `json:"pending_totp_expiry,omitempty"`
	// WebAuthn ceremony state held between the begin and finish handlers.
	WebAuthnSessionData   string    `json:"webauthn_session_data,omitempty"`
	WebAuthnSessionExpiry time.Time `json:"webauthn_session_expiry,omitempty"`
	// StepUpVerifiedAt records when step-up authentication (StepUpTOTP or
	// FinishStepUpPasskey) was granted; step-up is time-limited.
	StepUpVerifiedAt      time.Time `json:"step_up_verified_at,omitempty"`
	StepUpMethod          string    `json:"step_up_method,omitempty"` // "totp" or "passkey"
}

AuthSession holds the server-side state for an authenticated session.

The session passphrase is intentionally NOT stored here. It is derived at request time from the session token and a client-held secret cookie using HMAC-SHA256 (see deriveSessionPassphrase in middleware.go). This ensures that a session store compromise alone cannot reconstruct credentials — the attacker also needs the per-session client cookie.

type AuthSettingsResponse

// AuthSettingsResponse is returned from GET /auth/settings and PUT /auth/settings.
type AuthSettingsResponse struct {
	// PasskeyPolicy: accepted values are not documented on this page.
	PasskeyPolicy string `json:"passkey_policy"`
	TOTPEnabled   bool   `json:"totp_enabled"`
}

AuthSettingsResponse is returned from GET /auth/settings and PUT /auth/settings.

type CAInfoResponse

// CAInfoResponse is returned from GET /vaults/{vaultID}/pki/info.
type CAInfoResponse struct {
	IsCA           bool   `json:"is_ca"`
	IsIntermediate bool   `json:"is_intermediate"`
	Subject        string `json:"subject"`
	NotBefore      string `json:"not_before"`
	NotAfter       string `json:"not_after"`
	NextSerial     int64  `json:"next_serial"`
	// CRLNumber is incremented by each GenerateCRL (POST /vaults/{vaultID}/pki/crl).
	CRLNumber      int64  `json:"crl_number"`
	CertCount      int    `json:"cert_count"`
}

CAInfoResponse is returned from GET /vaults/{vaultID}/pki/info.

type ChangeMemberRoleRequest

// ChangeMemberRoleRequest is the JSON body for PUT /vaults/{vaultID}/members/{memberID}.
type ChangeMemberRoleRequest struct {
	// Role is the new vault role (accepted values are defined by the handler).
	Role string `json:"role"`
}

ChangeMemberRoleRequest is the JSON body for PUT /vaults/{vaultID}/members/{memberID}.

type CompleteMPCSigningSessionRequest

// CompleteMPCSigningSessionRequest stores and verifies a completed MPC signature.
type CompleteMPCSigningSessionRequest struct {
	Commitments []mpc.Commitment `json:"commitments,omitempty"`
	// Signature is a pointer so that an absent signature decodes as nil.
	Signature   *mpc.Signature   `json:"signature,omitempty"`
}

CompleteMPCSigningSessionRequest stores and verifies a completed MPC signature.

type CreateInviteRequest

// CreateInviteRequest is the JSON body for POST /vaults/{vaultID}/invites.
type CreateInviteRequest struct {
	// Role is the vault role the invitee will receive on acceptance.
	Role string `json:"role"`
}

CreateInviteRequest is the JSON body for POST /vaults/{vaultID}/invites.

type CreateInviteResponse

// CreateInviteResponse is returned from POST /vaults/{vaultID}/invites.
type CreateInviteResponse struct {
	// Token is the invite token used in /invites/{token} routes.
	Token      string `json:"token"`
	// Passphrase is returned in plaintext here; NOTE(review): confirm it is not
	// persisted in recoverable form and is shown only in this response.
	Passphrase string `json:"passphrase"`
	ExpiresAt  string `json:"expires_at"`
	InviteURL  string `json:"invite_url"`
}

CreateInviteResponse is returned from POST /vaults/{vaultID}/invites.

type CreateMPCKeyRequest

// CreateMPCKeyRequest stores the result of a vault-scoped MPC DKG ceremony.
type CreateMPCKeyRequest struct {
	KeyID        string                           `json:"key_id,omitempty"`
	Algorithm    string                           `json:"algorithm,omitempty"`
	ImportMode   string                           `json:"import_mode,omitempty"`
	DKGSessionID string                           `json:"dkg_session_id,omitempty"`
	// Threshold is the signing threshold; validity bounds are enforced by the handler.
	Threshold    int                              `json:"threshold"`
	MemberIDs    []string                         `json:"member_ids,omitempty"`
	Commitments  []mpc.PublicCommitment           `json:"commitments"`
	// Fragments is keyed by member; values are encrypted fragments (mpc.EncryptedFragment).
	Fragments    map[string]mpc.EncryptedFragment `json:"fragments"`
	Policy       vault.MPCPolicy                  `json:"policy,omitempty"`
}

CreateMPCKeyRequest stores the result of a vault-scoped MPC DKG ceremony.

type CreateMPCSigningSessionRequest

// CreateMPCSigningSessionRequest starts a new signing session for an MPC key.
type CreateMPCSigningSessionRequest struct {
	// MessageBase64 is the base64-encoded message to be signed.
	MessageBase64       string         `json:"message_base64"`
	Participants        []uint32       `json:"participants,omitempty"`
	// TTLSeconds is the session lifetime in seconds; zero is omitted (default set by the handler).
	TTLSeconds          int64          `json:"ttl_seconds,omitempty"`
	MessageType         string         `json:"message_type,omitempty"`
	Chain               string         `json:"chain,omitempty"`
	Network             string         `json:"network,omitempty"`
	// TransactionMetadata is free-form client-supplied JSON; NOTE(review): confirm
	// the handler bounds its size before storing or auditing it.
	TransactionMetadata map[string]any `json:"transaction_metadata,omitempty"`
}

CreateMPCSigningSessionRequest starts a new signing session for an MPC key.

type CreateVaultRequest

// CreateVaultRequest is the JSON body for POST /vaults. Both fields are optional.
type CreateVaultRequest struct {
	Name        string `json:"name,omitempty"`
	Description string `json:"description,omitempty"`
}

CreateVaultRequest is the JSON body for POST /vaults.

type CreateVaultResponse

// CreateVaultResponse is returned from POST /vaults.
type CreateVaultResponse struct {
	// VaultID is the generated vault ID.
	VaultID  string `json:"vault_id"`
	// MemberID is the creating account's member identity in the new vault.
	MemberID string `json:"member_id"`
	Epoch    uint64 `json:"epoch"`
}

CreateVaultResponse is returned from POST /vaults.

type DisableTwoFactorRequest

// DisableTwoFactorRequest is the JSON body for POST /auth/2fa/disable.
type DisableTwoFactorRequest struct {
	// Code is presumably a current TOTP code proving possession — confirm with the handler.
	Code string `json:"code"`
}

DisableTwoFactorRequest is the JSON body for POST /auth/2fa/disable.

type EnableTwoFactorRequest

// EnableTwoFactorRequest is the JSON body for POST /auth/2fa/enable.
type EnableTwoFactorRequest struct {
	// Code is presumably a TOTP code generated from the pending secret
	// established by SetupTwoFactor — confirm with the handler.
	Code string `json:"code"`
}

EnableTwoFactorRequest is the JSON body for POST /auth/2fa/enable.

type ErrorResponse

// ErrorResponse is returned for all error cases.
type ErrorResponse struct {
	// Error is the client-facing message.
	Error         string `json:"error"`
	// CorrelationID, when present, lets operators match the response to server logs.
	CorrelationID string `json:"correlation_id,omitempty"`
}

ErrorResponse is returned for all error cases.

type ExportAuditEntryResponse

// ExportAuditEntryResponse extends AuditEntryResponse with the chain hash.
type ExportAuditEntryResponse struct {
	ID         string `json:"id"`
	VaultID    string `json:"vault_id"`
	ItemID     string `json:"item_id"`
	Action     string `json:"action"`
	MemberID   string `json:"member_id"`
	CreatedAt  string `json:"created_at"`
	RemoteAddr string `json:"remote_addr,omitempty"`
	UserAgent  string `json:"user_agent,omitempty"`
	// PrevHash links this entry to its predecessor; it is always emitted so the
	// chain can be re-verified from the export.
	PrevHash   string `json:"prev_hash"`
}

ExportAuditEntryResponse extends AuditEntryResponse with the chain hash.

type ExportAuditLogResponse

// ExportAuditLogResponse is returned from GET /vaults/{vaultID}/audit/export.
type ExportAuditLogResponse struct {
	VaultID   string                     `json:"vault_id"`
	Entries   []ExportAuditEntryResponse `json:"entries"`
	// Signature is an HMAC-SHA256 over the serialized entries, computed with the
	// vault's record key (see ExportAuditLog). Encoding is not documented on this page.
	Signature string                     `json:"signature"`
}

ExportAuditLogResponse is returned from GET /vaults/{vaultID}/audit/export.

type ExportVaultRequest

// ExportVaultRequest is the JSON body for POST /vaults/{vaultID}/export.
type ExportVaultRequest struct {
	// Passphrase protects the export: key derived with Argon2id, blob encrypted
	// with AES-256-GCM (see ExportVault).
	Passphrase string `json:"passphrase"`
}

ExportVaultRequest is the JSON body for POST /vaults/{vaultID}/export.

type GenerateRecoveryCodesResponse

// GenerateRecoveryCodesResponse is returned from POST /auth/recovery-codes.
type GenerateRecoveryCodesResponse struct {
	// Codes are the plaintext recovery codes, shown once; only their SHA-256
	// hashes are stored (see HashedRecoveryCode).
	Codes []string `json:"codes"`
}

GenerateRecoveryCodesResponse is returned from POST /auth/recovery-codes.

type GetHistoryVersionResponse

// GetHistoryVersionResponse is returned from
// GET /vaults/{vaultID}/items/{itemID}/history/{version}.
type GetHistoryVersionResponse struct {
	ItemID  string            `json:"item_id"`
	Version uint64            `json:"version"`
	// Fields holds the decrypted item fields at that version.
	Fields  map[string]string `json:"fields"`
}

GetHistoryVersionResponse is returned from GET /vaults/{vaultID}/items/{itemID}/history/{version}.

type GetItemHistoryResponse

// GetItemHistoryResponse is returned from GET /vaults/{vaultID}/items/{itemID}/history.
type GetItemHistoryResponse struct {
	ItemID  string                 `json:"item_id"`
	History []HistoryEntryResponse `json:"history"`
}

GetItemHistoryResponse is returned from GET /vaults/{vaultID}/items/{itemID}/history.

type GetItemResponse

// GetItemResponse is returned from GET /vaults/{vaultID}/items/{itemID}.
// Attachment content fields ("_att.*") are base64-encoded; all other fields are
// plain strings. Private keys of certificate items are redacted here and only
// available via GetItemPrivateKey (owner-only).
type GetItemResponse struct {
	ItemID string            `json:"item_id"`
	Fields map[string]string `json:"fields"`
}

GetItemResponse is returned from GET /vaults/{vaultID}/items/{itemID}. Attachment content fields ("_att.*") are base64-encoded; all other fields are plain strings.

type HashedRecoveryCode

// HashedRecoveryCode is a single-use break-glass recovery code stored as its
// SHA-256 hash. The plaintext is shown to the user once at generation time and
// never persisted.
type HashedRecoveryCode struct {
	Hash string `json:"hash"` // hex(SHA-256(code))
	// Used marks the code as consumed; codes are single-use.
	Used bool   `json:"used"`
}

HashedRecoveryCode is a single-use break-glass recovery code stored as its SHA-256 hash. The plaintext is shown to the user once at generation time and never persisted.

type HistoryEntryResponse

// HistoryEntryResponse represents a single version in an item's history.
type HistoryEntryResponse struct {
	Version   uint64 `json:"version"`
	UpdatedAt string `json:"updated_at"`
	// UpdatedBy is the member that wrote this version.
	UpdatedBy string `json:"updated_by"`
}

HistoryEntryResponse represents a single version in an item's history.

type ImportVaultResponse

// ImportVaultResponse is returned from POST /vaults/{vaultID}/import.
type ImportVaultResponse struct {
	// ImportedCount is the number of items imported (each under a new UUID).
	ImportedCount int `json:"imported_count"`
}

ImportVaultResponse is returned from POST /vaults/{vaultID}/import.

type InitCARequest

// InitCARequest is the JSON body for POST /vaults/{vaultID}/pki/init.
type InitCARequest struct {
	// CommonName and the optional subject attributes below form the CA subject.
	CommonName     string `json:"common_name"`
	Organization   string `json:"organization,omitempty"`
	OrgUnit        string `json:"org_unit,omitempty"`
	Country        string `json:"country,omitempty"`
	Province       string `json:"province,omitempty"`
	Locality       string `json:"locality,omitempty"`
	// ValidityYears is the CA certificate lifetime; bounds are enforced by the handler.
	ValidityYears  int    `json:"validity_years"`
	IsIntermediate bool   `json:"is_intermediate"`
}

InitCARequest is the JSON body for POST /vaults/{vaultID}/pki/init.

type InitCAResponse

// InitCAResponse is returned from POST /vaults/{vaultID}/pki/init.
type InitCAResponse struct {
	Subject string `json:"subject"`
}

InitCAResponse is returned from POST /vaults/{vaultID}/pki/init.

type InviteInfoResponse

// InviteInfoResponse is returned from GET /invites/{token}. Note that the
// handler requires authentication but no vault membership, so these fields are
// visible to any authenticated caller who holds the token.
type InviteInfoResponse struct {
	VaultName string `json:"vault_name"`
	Role      string `json:"role"`
	ExpiresAt string `json:"expires_at"`
	CreatorID string `json:"creator_id"`
}

InviteInfoResponse is returned from GET /invites/{token}.

type InviteSummary

// InviteSummary is one entry in the list-invites response.
type InviteSummary struct {
	// Token is the invite token; the passphrase is not included here.
	Token     string `json:"token"`
	Role      string `json:"role"`
	ExpiresAt string `json:"expires_at"`
}

InviteSummary is one entry in the list-invites response.

type IssueCertAPIRequest

// IssueCertAPIRequest is the JSON body for POST /vaults/{vaultID}/pki/issue.
type IssueCertAPIRequest struct {
	CommonName     string   `json:"common_name"`
	Organization   string   `json:"organization,omitempty"`
	OrgUnit        string   `json:"org_unit,omitempty"`
	Country        string   `json:"country,omitempty"`
	// ValidityDays is the leaf certificate lifetime; bounds are enforced by the handler.
	ValidityDays   int      `json:"validity_days"`
	// KeyUsages/ExtKeyUsages: accepted string values are not documented on this page.
	KeyUsages      []string `json:"key_usages,omitempty"`
	ExtKeyUsages   []string `json:"ext_key_usages,omitempty"`
	// Subject alternative names; IPAddresses are textual and parsed by the handler.
	DNSNames       []string `json:"dns_names,omitempty"`
	IPAddresses    []string `json:"ip_addresses,omitempty"`
	EmailAddresses []string `json:"email_addresses,omitempty"`
}

IssueCertAPIRequest is the JSON body for POST /vaults/{vaultID}/pki/issue.

type IssueCertResponse

// IssueCertResponse is returned from POST /vaults/{vaultID}/pki/issue.
type IssueCertResponse struct {
	// ItemID is the vault item holding the issued certificate.
	ItemID       string `json:"item_id"`
	SerialNumber string `json:"serial_number"`
	Subject      string `json:"subject"`
	NotBefore    string `json:"not_before"`
	NotAfter     string `json:"not_after"`
}

IssueCertResponse is returned from POST /vaults/{vaultID}/pki/issue.

type ItemSummary

// ItemSummary is returned in vault item listings.
type ItemSummary struct {
	ItemID string `json:"item_id"`
	Name   string `json:"name,omitempty"`
	Type   string `json:"type,omitempty"`
	// Version is the item's current version counter.
	Version   uint64 `json:"version"`
	UpdatedAt string `json:"updated_at,omitempty"`
	// Preview carries a subset of the item's fields for display in lists.
	// NOTE(review): which fields qualify is decided by the handler; confirm
	// secret-bearing fields are never copied into the preview.
	Preview map[string]string `json:"preview,omitempty"`
}

ItemSummary is returned in vault item listings.

type ItemVersionsResponse

// ItemVersionsResponse is returned from GET /vaults/{vaultID}/items/versions.
//
// It is a lightweight manifest of item IDs and their current versions that
// is produced without decrypting any item content (the version is read from
// Envelope.Version directly).
type ItemVersionsResponse struct {
	// Versions maps item ID to that item's current version.
	Versions map[string]uint64 `json:"versions"`
	// Epoch is the vault epoch the manifest was taken at.
	Epoch uint64 `json:"epoch"`
}

ItemVersionsResponse is returned from GET /vaults/{vaultID}/items/versions. Provides a lightweight manifest of item IDs and their current versions without decrypting any content (reads Envelope.Version directly).

type LabelPasskeyRequest

// LabelPasskeyRequest is the JSON body for
// PUT /auth/webauthn/credentials/{credentialID}. It sets the user-facing
// label of an existing passkey.
type LabelPasskeyRequest struct {
	Label string `json:"label"`
}

LabelPasskeyRequest is the JSON body for PUT /auth/webauthn/credentials/{credentialID}.

type ListAuditLogsResponse

// ListAuditLogsResponse is returned from GET /vaults/{vaultID}/audit.
//
// PaginationMeta is embedded, so its fields are promoted into the
// top-level JSON object alongside "entries".
type ListAuditLogsResponse struct {
	Entries []AuditEntryResponse `json:"entries"`
	PaginationMeta
}

ListAuditLogsResponse is returned from GET /vaults/{vaultID}/audit.

type ListInvitesResponse

// ListInvitesResponse is returned from GET /vaults/{vaultID}/invites.
type ListInvitesResponse struct {
	Invites []InviteSummary `json:"invites"`
}

ListInvitesResponse is returned from GET /vaults/{vaultID}/invites.

type ListItemsResponse

// ListItemsResponse is returned from GET /vaults/{vaultID}/items.
//
// PaginationMeta is embedded, so its fields are promoted into the
// top-level JSON object alongside "items".
type ListItemsResponse struct {
	Items []ItemSummary `json:"items"`
	PaginationMeta
}

ListItemsResponse is returned from GET /vaults/{vaultID}/items.

type ListMembersResponse

// ListMembersResponse is returned from GET /vaults/{vaultID}/members.
type ListMembersResponse struct {
	Members []MemberSummary `json:"members"`
}

ListMembersResponse is returned from GET /vaults/{vaultID}/members.

type ListPasskeysResponse

// ListPasskeysResponse is returned from GET /auth/webauthn/credentials.
type ListPasskeysResponse struct {
	Passkeys []PasskeySummary `json:"passkeys"`
}

ListPasskeysResponse is returned from GET /auth/webauthn/credentials.

type ListVaultsResponse

// ListVaultsResponse is returned from GET /vaults.
//
// PaginationMeta is embedded, so its fields are promoted into the
// top-level JSON object alongside "vaults".
type ListVaultsResponse struct {
	Vaults []VaultSummary `json:"vaults"`
	PaginationMeta
}

ListVaultsResponse is returned from GET /vaults.

type LoginRequest

// LoginRequest is the JSON body for POST /auth/login.
//
// Every field is credential material. NOTE(review): handlers and middleware
// should never log or echo the decoded body, and request logging should be
// checked for accidental capture of it.
type LoginRequest struct {
	Passphrase string `json:"passphrase"`
	SecretKey  string `json:"secret_key"`
	// TOTPCode and RecoveryCode are the two second-factor options; both are
	// optional at the wire level — which one is required is decided by the
	// handler based on the account's 2FA state.
	TOTPCode     string `json:"totp_code,omitempty"`
	RecoveryCode string `json:"recovery_code,omitempty"`
}

LoginRequest is the JSON body for POST /auth/login.

type MPCDKGAttemptResponse

// MPCDKGAttemptResponse is an alias of vault.MPCDKGAttempt; the API returns
// that type directly, so its JSON shape is defined by the vault package.
type MPCDKGAttemptResponse = vault.MPCDKGAttempt

type MPCKeyResponse

// MPCKeyResponse is an alias of vault.MPCKey; its JSON shape is defined by
// the vault package.
type MPCKeyResponse = vault.MPCKey

type MPCMetricsResponse

// MPCMetricsResponse is an alias of vault.MPCMetricsSnapshot; its JSON shape
// is defined by the vault package.
type MPCMetricsResponse = vault.MPCMetricsSnapshot

type MPCSigningSessionResponse

// MPCSigningSessionResponse is an alias of vault.MPCSigningSession; its JSON
// shape is defined by the vault package.
type MPCSigningSessionResponse = vault.MPCSigningSession

type MemberSummary

// MemberSummary is one entry in the list-members response.
//
// The MPC* fields are only populated for members that have registered an
// MPC signer (see RegisterMPCSignerRequest); they are omitted otherwise.
type MemberSummary struct {
	MemberID string `json:"member_id"`
	Role     string `json:"role"`
	Status   string `json:"status"`
	// AddedEpoch is the vault epoch at which the member was added.
	AddedEpoch uint64 `json:"added_epoch"`
	// MPCPartyID is omitted when zero, so party ID 0 cannot be distinguished
	// from "no party" on the wire — NOTE(review): confirm party IDs start at 1.
	MPCPartyID   uint32 `json:"mpc_party_id,omitempty"`
	MPCSignerURL string `json:"mpc_signer_url,omitempty"`
	// MPCEncryptionPublicKey and MPCApprovalPublicKey are public material
	// only; their encoding is chosen by the handler and is not visible here.
	MPCEncryptionPublicKey string `json:"mpc_encryption_public_key,omitempty"`
	MPCApprovalPublicKey   string `json:"mpc_approval_public_key,omitempty"`
	MPCSignerStatus        string `json:"mpc_signer_status,omitempty"`
}

MemberSummary is one entry in the list-members response.

type MemorySessionStore

// MemorySessionStore is a thread-safe in-memory SessionStore.
//
// Sessions are lost on server restart; use PersistentSessionStore when
// sessions must survive a restart. Construct it with NewMemorySessionStore.
type MemorySessionStore struct {
	// contains filtered or unexported fields
}

MemorySessionStore is a thread-safe in-memory SessionStore. Sessions are lost on server restart.

func NewMemorySessionStore

func NewMemorySessionStore(idleTimeout time.Duration) *MemorySessionStore

NewMemorySessionStore creates an in-memory session store. idleTimeout of 0 disables idle timeout checking.

func (*MemorySessionStore) Delete

func (s *MemorySessionStore) Delete(token string)

func (*MemorySessionStore) Get

func (s *MemorySessionStore) Get(token string) (AuthSession, bool)

func (*MemorySessionStore) Put

func (s *MemorySessionStore) Put(token string, session AuthSession)

type MutationResponse

// MutationResponse is returned from item create and update operations.
type MutationResponse struct {
	ItemID string `json:"item_id"`
	// Version is the item's version after the mutation. It is tagged
	// omitempty, so a zero version is absent from the JSON rather than 0.
	Version uint64 `json:"version,omitempty"`
}

MutationResponse is returned from item create and update operations.

type OpenVaultResponse

// OpenVaultResponse is returned from POST /vaults/{vaultID}/open.
type OpenVaultResponse struct {
	VaultID string `json:"vault_id"`
	// MemberID identifies the calling member within the opened vault.
	MemberID string `json:"member_id"`
	// Epoch is the vault epoch at the time it was opened.
	Epoch uint64 `json:"epoch"`
}

OpenVaultResponse is returned from POST /vaults/{vaultID}/open.

type Option

// Option configures the API instance. Options are functional options
// applied by New; see the With* constructors for the available settings.
type Option func(*API)

Option configures the API instance.

func WithAlerting

func WithAlerting(fn AlertFunc) Option

WithAlerting enables anomaly detection and invokes the callback when a suspicious pattern is detected (e.g., login failure spike, bulk exports).

func WithAuditRetention

func WithAuditRetention(maxAge time.Duration, maxEntries int) Option

WithAuditRetention configures automatic per-vault audit retention. maxAge <= 0 disables time-based pruning. maxEntries <= 0 disables count-based pruning.

func WithAuditWebhook

func WithAuditWebhook(url, authHeader string) Option

WithAuditWebhook configures an HTTP endpoint to receive all audit events as JSON POST requests. Events are dispatched asynchronously via a bounded queue (capacity 1024). Dropped events (queue full) are logged as warnings.

The optional authHeader is sent with each request in "Header: Value" format (e.g., "Authorization: Bearer xxx").

func WithExperimentalMPC

func WithExperimentalMPC(enabled bool) Option

WithExperimentalMPC enables the current MPC implementation. The available algorithm is intentionally marked experimental until replaced by a production-vetted threshold signature implementation.

func WithHeaderAuth

func WithHeaderAuth(enabled bool) Option

WithHeaderAuth enables or disables X-Credentials/X-Passphrase header-based authentication. This is disabled by default for security. Enable it only for non-browser API clients that cannot use cookie-based sessions.

func WithIdleTimeout

func WithIdleTimeout(d time.Duration) Option

WithIdleTimeout sets the session idle timeout. If a session is not used within this duration, it is automatically invalidated. The default is 30 minutes.

func WithKDFProfile

func WithKDFProfile(name string) (Option, error)

WithKDFProfile sets the Argon2id KDF profile used for new vault and credential creation. The profile name must be one of: "interactive", "moderate", "sensitive". When not set, the "moderate" profile is used (Time=3, Memory=64 MiB, Parallelism=4).

This does NOT affect existing vaults — they store their KDF parameters in vault state at creation time and continue using those parameters.

func WithKeyStore

func WithKeyStore(ks pki.KeyStore) Option

WithKeyStore configures an alternative PKI key store (e.g. HSM or cloud KMS). When nil (the default), a SoftwareKeyStore is used — keys are generated in software and stored in the vault, which is the pre-existing behavior.

func WithLogger

func WithLogger(logger *slog.Logger) Option

WithLogger sets the structured logger for audit events. If not set, a default JSON logger writing to stderr is used.

func WithMPCProductionMode

func WithMPCProductionMode(enabled bool) Option

WithMPCProductionMode rejects MPC providers that are not marked production ready. The current experimental provider is intentionally refused in this mode.

func WithMPCSignerAuth

func WithMPCSignerAuth(sharedKey []byte) Option

WithMPCSignerAuth configures the shared HMAC key used for internal calls to MPC signer processes. Empty keys are accepted for local development only.

func WithMPCSignerTransport

func WithMPCSignerTransport(sharedKey []byte, tlsConfig *tls.Config) Option

func WithNoRateLimit

func WithNoRateLimit() Option

WithNoRateLimit disables all rate limiters. This is intended exclusively for automated E2E testing where many accounts are created in rapid succession from the same IP. Do NOT use in production.

func WithSessionStore

func WithSessionStore(s SessionStore) Option

WithSessionStore sets a custom SessionStore implementation. When not set, an in-memory session store is used (sessions are lost on restart).

func WithTrustedProxies

func WithTrustedProxies(cidrs []string) (Option, error)

WithTrustedProxies configures the CIDR ranges of trusted reverse proxies. Proxy headers (X-Forwarded-For, Forwarded, X-Real-IP) are only honored if the request's RemoteAddr falls within one of these ranges.

When not configured (the default), proxy headers are never consulted and the TCP peer address (RemoteAddr) is always used. This fail-safe default prevents IP spoofing when the server is deployed without a reverse proxy.

func WithWebAuthn

func WithWebAuthn(wa *webauthn.WebAuthn) Option

WithWebAuthn enables WebAuthn/passkey MFA for the API.

type PaginationMeta

// PaginationMeta is embedded in paginated list responses; because it is
// embedded, its fields appear at the top level of the enclosing JSON object.
type PaginationMeta struct {
	// TotalCount is the number of matching entries across all pages.
	TotalCount int `json:"total_count"`
	// Limit and Offset echo the page window that was applied.
	Limit  int `json:"limit"`
	Offset int `json:"offset"`
	// HasMore reports whether entries exist beyond the current window.
	HasMore bool `json:"has_more"`
}

PaginationMeta is embedded in paginated list responses.

type PasskeySummary

// PasskeySummary is one entry in the list-passkeys response.
type PasskeySummary struct {
	// CredentialID is the credential identifier; the related
	// WebAuthnCredentialMeta is keyed by the base64url form of it.
	CredentialID string `json:"credential_id"`
	Label        string `json:"label"`
	CreatedAt    string `json:"created_at"`
	LastUsedAt   string `json:"last_used_at,omitempty"`
	// BackupState presumably mirrors the authenticator's backup-state flag
	// from the WebAuthn ceremony — confirm against the handler.
	BackupState bool `json:"backup_state"`
}

PasskeySummary is one entry in the list-passkeys response.

type PersistentSessionStore

// PersistentSessionStore stores sessions in a storage.Repository, encrypted
// at rest using AES-256-GCM, so sessions survive server restarts.
//
// The session encryption key is itself sealed with an externally-provided
// wrapping key before being stored, so a repository compromise alone cannot
// recover session data. Construct it with NewPersistentSessionStore and call
// Close when done so the background cleanup goroutine stops and key material
// is wiped.
type PersistentSessionStore struct {
	// contains filtered or unexported fields
}

PersistentSessionStore stores sessions in a storage.Repository, encrypted at rest using AES-256-GCM. Sessions survive server restarts.

The session encryption key is itself sealed with an externally-provided wrapping key before being stored, so a repository compromise alone cannot recover session data.

func NewPersistentSessionStore

func NewPersistentSessionStore(repo storage.Repository, idleTimeout time.Duration, wrappingKey []byte) (*PersistentSessionStore, error)

NewPersistentSessionStore creates a session store backed by the given repository. The wrappingKey (32 bytes) is used to seal the session encryption key at rest — it must be provided externally (CLI flag, environment variable, or file) and is never stored in the repository. idleTimeout of 0 disables idle timeout checking.

func (*PersistentSessionStore) Close

func (s *PersistentSessionStore) Close()

Close stops the background cleanup goroutine and wipes key material.

func (*PersistentSessionStore) Delete

func (s *PersistentSessionStore) Delete(token string)

func (*PersistentSessionStore) Get

func (s *PersistentSessionStore) Get(token string) (AuthSession, bool)

func (*PersistentSessionStore) Put

func (s *PersistentSessionStore) Put(token string, session AuthSession)

type PutItemRequest

// PutItemRequest is the JSON body for POST /vaults/{vaultID}/items/{itemID}.
//
// Attachments are stored as fields with special prefixes:
//
//   - "_att.<filename>": base64-encoded binary content (max 768 KiB decoded)
//   - "_attmeta.<filename>": JSON metadata string (content_type, size)
//
// Each attachment consumes two fields toward the MaxFieldCount limit.
type PutItemRequest struct {
	Fields map[string]string `json:"fields"`
}

PutItemRequest is the JSON body for POST /vaults/{vaultID}/items/{itemID}.

Attachments are stored as fields with special prefixes:

  • "_att.<filename>": base64-encoded binary content (max 768 KiB decoded)
  • "_attmeta.<filename>": JSON metadata string (content_type, size)

Each attachment consumes two fields toward the MaxFieldCount limit.

type RecoveryCodesStatusResponse

// RecoveryCodesStatusResponse is returned from GET /auth/recovery-codes.
// It reports counts only; the codes themselves are never included.
type RecoveryCodesStatusResponse struct {
	HasCodes    bool `json:"has_codes"`
	CodesTotal  int  `json:"codes_total"`
	CodesUnused int  `json:"codes_unused"`
}

RecoveryCodesStatusResponse is returned from GET /auth/recovery-codes.

type RegisterMPCSignerRequest

// RegisterMPCSignerRequest registers or updates the signer identity for a
// vault member.
type RegisterMPCSignerRequest struct {
	// URL is a member-supplied endpoint that the server later contacts for
	// internal signer calls (see WithMPCSignerTransport). NOTE(review):
	// confirm the handler validates it (scheme, host) before storing it.
	URL string `json:"url"`
	// EncryptionPublicKey and ApprovalPublicKey are public material; the
	// encoding is decided by the handler and is not visible here.
	EncryptionPublicKey string `json:"encryption_public_key"`
	ApprovalPublicKey   string `json:"approval_public_key"`
	// Status is optional; accepted values are defined by the handler.
	Status string `json:"status,omitempty"`
}

RegisterMPCSignerRequest registers or updates the signer identity for a vault member.

type RegisterRequest

// RegisterRequest is the JSON body for POST /auth/register.
// Passphrase is credential material and must not be logged.
type RegisterRequest struct {
	Passphrase string `json:"passphrase"`
}

RegisterRequest is the JSON body for POST /auth/register.

type RegisterResponse

// RegisterResponse is returned from POST /auth/register.
//
// SecretKey is the long-lived credential later presented in LoginRequest;
// it is returned here once and should be treated as a secret by clients.
type RegisterResponse struct {
	SecretKey string `json:"secret_key"`
}

RegisterResponse is returned from POST /auth/register.

type RenewCertAPIRequest

// RenewCertAPIRequest is the JSON body for
// POST /vaults/{vaultID}/pki/items/{itemID}/renew.
type RenewCertAPIRequest struct {
	// ValidityDays is the requested lifetime of the renewed certificate.
	ValidityDays int `json:"validity_days"`
}

RenewCertAPIRequest is the JSON body for POST /vaults/{vaultID}/pki/items/{itemID}/renew.

type RenewCertResponse

// RenewCertResponse is returned from
// POST /vaults/{vaultID}/pki/items/{itemID}/renew.
//
// Renewal produces a new vault item; OldItemID is the item that was renewed
// and NewItemID holds the replacement certificate.
type RenewCertResponse struct {
	NewItemID    string `json:"new_item_id"`
	OldItemID    string `json:"old_item_id"`
	SerialNumber string `json:"serial_number"`
}

RenewCertResponse is returned from POST /vaults/{vaultID}/pki/items/{itemID}/renew.

type RevokeCertAPIRequest

// RevokeCertAPIRequest is the JSON body for
// POST /vaults/{vaultID}/pki/items/{itemID}/revoke.
type RevokeCertAPIRequest struct {
	// Reason is an optional revocation reason; accepted values are defined
	// by the handler.
	Reason string `json:"reason,omitempty"`
}

RevokeCertAPIRequest is the JSON body for POST /vaults/{vaultID}/pki/items/{itemID}/revoke.

type RotateMPCKeyRequest

// RotateMPCKeyRequest is the JSON body of an MPC key rotation request.
// Every field is optional at the wire level; defaults for omitted fields
// are applied by the handler, which is not visible here.
type RotateMPCKeyRequest struct {
	KeyID     string   `json:"key_id,omitempty"`
	Threshold int      `json:"threshold,omitempty"`
	MemberIDs []string `json:"member_ids,omitempty"`
	Policy    vault.MPCPolicy `json:"policy,omitempty"`
	// ArchiveOld is a pointer so that an explicit false can be told apart
	// from the field being absent.
	ArchiveOld *bool `json:"archive_old,omitempty"`
}

type SearchResponse

// SearchResponse is returned from GET /search.
//
// PaginationMeta is embedded, so its fields are promoted into the
// top-level JSON object alongside "results".
type SearchResponse struct {
	Results []SearchResultItem `json:"results"`
	PaginationMeta
}

SearchResponse is returned from GET /search.

type SearchResultItem

// SearchResultItem is one entry in a search response. Results span vaults,
// so each entry carries both the vault and the item identity.
type SearchResultItem struct {
	VaultID   string `json:"vault_id"`
	VaultName string `json:"vault_name"`
	ItemID    string `json:"item_id"`
	Name      string `json:"name"`
	Type      string `json:"type"`
	// MatchedField names the field the query matched on, when known.
	MatchedField string `json:"matched_field,omitempty"`
}

SearchResultItem is one entry in a search response.

type SessionStore

// SessionStore abstracts session CRUD so that sessions can be stored
// in-memory (default, MemorySessionStore) or in persistent backing storage
// (PersistentSessionStore). Select an implementation with WithSessionStore.
type SessionStore interface {
	// Get retrieves a session by token. Returns false if the session
	// does not exist, has expired, or has exceeded the idle timeout.
	Get(token string) (AuthSession, bool)
	// Put creates or updates a session for the given token.
	Put(token string, session AuthSession)
	// Delete removes a session by token.
	Delete(token string)
}

SessionStore abstracts session CRUD so that sessions can be stored in-memory (default) or in persistent backing storage.

type SetupTwoFactorResponse

// SetupTwoFactorResponse is returned from POST /auth/2fa/setup.
//
// Secret is the TOTP shared secret and OtpauthURL presumably embeds it for
// authenticator enrollment; both are sensitive and must not be logged.
type SetupTwoFactorResponse struct {
	Secret     string `json:"secret"`
	OtpauthURL string `json:"otpauth_url"`
	// ExpiresAt is the deadline by which the pending setup must be
	// confirmed, rendered as a string.
	ExpiresAt string `json:"expires_at"`
}

SetupTwoFactorResponse is returned from POST /auth/2fa/setup.

type SignCSRAPIRequest

// SignCSRAPIRequest is the JSON body for POST /vaults/{vaultID}/pki/sign-csr.
type SignCSRAPIRequest struct {
	// CSR is the certificate signing request as a string; its encoding
	// (presumably PEM) is decided by the handler — confirm before relying on it.
	CSR          string `json:"csr"`
	ValidityDays int    `json:"validity_days"`
	// ExtKeyUsages are given by name; accepted names are defined by the handler.
	ExtKeyUsages []string `json:"ext_key_usages,omitempty"`
}

SignCSRAPIRequest is the JSON body for POST /vaults/{vaultID}/pki/sign-csr.

type SignCSRResponse

// SignCSRResponse is returned from POST /vaults/{vaultID}/pki/sign-csr.
type SignCSRResponse struct {
	// ItemID is the vault item under which the signed certificate is stored.
	ItemID       string `json:"item_id"`
	SerialNumber string `json:"serial_number"`
	// Certificate is the signed certificate as a string; the encoding is
	// chosen by the handler and is not visible here.
	Certificate string `json:"certificate"`
}

SignCSRResponse is returned from POST /vaults/{vaultID}/pki/sign-csr.

type StepUpRequiredResponse

// StepUpRequiredResponse is returned when a sensitive action requires
// step-up auth. Methods lists the step-up mechanisms the client may use;
// see StepUpTOTPRequest and BeginStepUpPasskey.
type StepUpRequiredResponse struct {
	Error   string   `json:"error"`   // "step_up_required"
	Methods []string `json:"methods"` // ["totp"], ["passkey"], or ["totp", "passkey"]
}

StepUpRequiredResponse is returned when a sensitive action requires step-up auth.

type StepUpResponse

// StepUpResponse is returned from step-up verification endpoints.
type StepUpResponse struct {
	Verified bool `json:"verified"`
	// Method names the mechanism that was verified (see
	// StepUpRequiredResponse.Methods for the possible values).
	Method string `json:"method"`
	// ExpiresAt is when the step-up grant lapses, rendered as a string.
	ExpiresAt string `json:"expires_at"`
}

StepUpResponse is returned from step-up verification endpoints.

type StepUpTOTPRequest

// StepUpTOTPRequest is the JSON body for POST /auth/step-up.
type StepUpTOTPRequest struct {
	// Code is the current TOTP code.
	Code string `json:"code"`
}

StepUpTOTPRequest is the JSON body for POST /auth/step-up.

type TwoFactorStatusResponse

// TwoFactorStatusResponse is returned from GET /auth/2fa and
// POST /auth/2fa/enable.
type TwoFactorStatusResponse struct {
	Enabled bool `json:"enabled"`
}

TwoFactorStatusResponse is returned from GET /auth/2fa and POST /auth/2fa/enable.

type UpdateAuthSettingsRequest

// UpdateAuthSettingsRequest is the JSON body for PUT /auth/settings.
type UpdateAuthSettingsRequest struct {
	// PasskeyPolicy selects the account's passkey policy; the accepted
	// values are defined by the handler and are not visible here.
	PasskeyPolicy string `json:"passkey_policy"`
}

UpdateAuthSettingsRequest is the JSON body for PUT /auth/settings.

type UpdateItemRequest

// UpdateItemRequest is the JSON body for PUT /vaults/{vaultID}/items/{itemID}.
// See PutItemRequest for attachment field conventions.
type UpdateItemRequest struct {
	Fields map[string]string `json:"fields"`
}

UpdateItemRequest is the JSON body for PUT /vaults/{vaultID}/items/{itemID}. See PutItemRequest for attachment field conventions.

type UpdateMPCKeyStatusRequest

// UpdateMPCKeyStatusRequest is the JSON body of a request that changes an
// MPC key's status; the allowed values are those of vault.MPCKeyStatus.
type UpdateMPCKeyStatusRequest struct {
	Status vault.MPCKeyStatus `json:"status"`
}

type VaultSummary

// VaultSummary describes a vault visible to the current authenticated member.
type VaultSummary struct {
	VaultID     string `json:"vault_id"`
	Name        string `json:"name,omitempty"`
	Description string `json:"description,omitempty"`
	// Epoch is the vault's current epoch.
	Epoch uint64 `json:"epoch"`
	// ItemCount is the number of items in the vault.
	ItemCount int `json:"item_count"`
}

VaultSummary describes a vault visible to the current authenticated member.

type WebAuthnCredentialMeta

// WebAuthnCredentialMeta holds user-facing metadata for a WebAuthn
// credential. It is stored separately from the webauthn.Credential struct
// (which comes from the third-party go-webauthn library) and keyed by the
// base64url credential ID.
type WebAuthnCredentialMeta struct {
	Label     string    `json:"label"`
	CreatedAt time.Time `json:"created_at"`
	// NOTE(review): encoding/json's omitempty does not apply to struct
	// values such as time.Time, so a never-used credential is serialized
	// with the zero time rather than having this field omitted. Callers
	// should treat a zero LastUsedAt as "never used".
	LastUsedAt time.Time `json:"last_used_at,omitempty"`
}

WebAuthnCredentialMeta holds user-facing metadata for a WebAuthn credential. It is stored separately from the webauthn.Credential struct (which comes from the third-party go-webauthn library) and keyed by the base64url credential ID.
