Authentication and TLS
Bearer tokens
federiq serve enforces a shared-secret bearer token on every request
to /sources and /query.
federiq serve --token "$(openssl rand -hex 32)"
Or via the environment, which keeps the token out of the process's command-line arguments:
export FEDERIQ_SERVER_TOKEN="..."
federiq serve
Clients send Authorization: Bearer <token>:
new FederIQ("https://federiq.example.com", { token: process.env.FEDERIQ_TOKEN })
Token comparison is constant-time to avoid timing oracles.
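One way to implement a bearer check of this kind, as an added example for Node.js (not FederIQ's own code). The function names and the sample token are hypothetical; it shows header parsing plus a constant-time comparison that also handles tokens of the wrong length.

```javascript
// Added example; not FederIQ's implementation. All names are hypothetical.
const crypto = require("node:crypto");

// Pull the credential out of an Authorization header value.
// Returns null for a missing header, a non-Bearer scheme or an empty token.
function parseBearer(headerValue) {
  if (typeof headerValue !== "string") return null;
  // Scheme is case-insensitive; token charset follows RFC 6750 (b64token).
  const m = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(headerValue.trim());
  return m ? m[1] : null;
}

// `presented === expected` may stop at the first differing character, so
// response time can reveal how much of a guess was correct.
// crypto.timingSafeEqual avoids that but throws on unequal lengths, and a
// length pre-check would leak the token length. Hashing both sides to a
// fixed 32 bytes first sidesteps both problems.
function tokensEqual(presented, expected) {
  const a = crypto.createHash("sha256").update(presented, "utf8").digest();
  const b = crypto.createHash("sha256").update(expected, "utf8").digest();
  return crypto.timingSafeEqual(a, b);
}

// Returns the HTTP status a server would answer with.
function authorize(headers, expectedToken) {
  const presented = parseBearer(headers["authorization"]);
  if (presented === null) return 401;
  return tokensEqual(presented, expectedToken) ? 200 : 401;
}

// Constructed sample data: a 64-hex-char token, as `openssl rand -hex 32` emits.
const SAMPLE_TOKEN = "0123456789abcdef".repeat(4);
const SAMPLE_REQUESTS = [
  { authorization: `Bearer ${SAMPLE_TOKEN}` },          // valid
  { authorization: `Bearer ${SAMPLE_TOKEN.slice(1)}` }, // wrong length
  { authorization: "Basic dXNlcjpwYXNz" },              // wrong scheme
  {},                                                   // header missing
];
for (const h of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(h), "->", authorize(h, SAMPLE_TOKEN));
}
```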
TLS
Provide PEM-encoded cert and key:
federiq serve \
  --tls-cert /etc/federiq/cert.pem \
  --tls-key /etc/federiq/key.pem
Generate a self-signed cert for development:
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout key.pem -out cert.pem -subj "/CN=localhost"
For production, use certs from Let's Encrypt or your internal CA.
What's missing (tracked)
- Multiple tokens with distinct scopes / roles
- mTLS (client certs)
- OIDC / OAuth integration
- Rate limiting
Open an issue if any of these are blocking your deployment.