API reference

The public surface of the crate. Canonical, generated docs live on
docs.rs/laravel-iam; this page is a curated quick reference.

Re-exports (laravel_iam)

pub use IamClient;        // async client
pub use IamClientBuilder; // shared builder
pub use IamError;         // error taxonomy
pub use {Claims, Decision, DecisionQuery, Resource, Subject}; // wire types
pub trait ResultExt;      // fail-closed helper

#[cfg(feature = "blocking")]
pub mod blocking;         // synchronous IamClient

IamClient (async)

| Method | Signature | Description |
|---|---|---|
| builder | fn builder() -> IamClientBuilder | Start configuring a client. |
| check | async fn check(&self, query: DecisionQuery) -> Result<Decision, IamError> | POST {base}/decisions/check. Fail-closed. |
| list_resources | async fn list_resources(&self, subject: Subject, relation: impl AsRef<str>) -> Result<Vec<Resource>, IamError> | POST {base}/decisions/list-resources. |
| verify_token | async fn verify_token(&self, jwt: &str) -> Result<Claims, IamError> | ES256 + iss/aud/exp/nbf against the cached JWKS. |

IamClient is Clone (cheap — wraps Arcs; clones share the JWKS cache and HTTP pool).

let iam = IamClient::builder()
    .base_url("https://iam.example.com/api/iam/v1")
    .token("svc")
    .build()?;

let decision = iam.check(query).await?;     // Result<Decision, IamError>
let res = iam.list_resources(subj, "viewer").await?; // Vec<Resource>
let claims = iam.verify_token(jwt).await?;   // Claims

blocking::IamClient (feature blocking)

Same methods without async/.await; built with build_blocking().

| Method | Signature |
|---|---|
| builder | fn builder() -> IamClientBuilder |
| check | fn check(&self, query: DecisionQuery) -> Result<Decision, IamError> |
| list_resources | fn list_resources(&self, subject: Subject, relation: impl AsRef<str>) -> Result<Vec<Resource>, IamError> |
| verify_token | fn verify_token(&self, jwt: &str) -> Result<Claims, IamError> |

See The blocking client.

IamClientBuilder

| Method | Signature | Notes |
|---|---|---|
| base_url | fn base_url(self, impl Into<String>) -> Self | Required. Trailing slash trimmed. |
| token | fn token(self, impl Into<String>) -> Self | Authorization: Bearer. |
| timeout | fn timeout(self, Duration) -> Self | Default 2s. |
| issuer | fn issuer(self, impl Into<String>) -> Self | Required by verify_token. |
| audience | fn audience(self, impl Into<String>) -> Self | Required by verify_token. |
| build | fn build(self) -> Result<IamClient, IamError> | Async client. |
| build_blocking | fn build_blocking(self) -> Result<blocking::IamClient, IamError> | Blocking client (feature blocking). |

All setters are #[must_use] and consume/return self for chaining. See
Configuration.

ResultExt — the fail-closed gate

pub trait ResultExt {
    fn is_allowed(&self) -> bool;
}

impl ResultExt for Result<Decision, IamError> {
    fn is_allowed(&self) -> bool {
        matches!(self, Ok(decision) if decision.is_allowed())
    }
}

is_allowed() returns true only when the call succeeded and the decision is granted()
(allowed and no pending step-up). Every IamError yields false.

use laravel_iam::ResultExt;
if iam.check(q).await.is_allowed() { /* allow */ } else { /* deny */ }

Decision helpers

| Method | Returns | Meaning |
|---|---|---|
| granted() | bool | allowed && !requires_step_up. The fail-safe gate value. |
| is_allowed() | bool | Alias of granted(). |
| deny(reason) | Decision | Construct an explicit denial carrying a reason. |

Field reference is in Types; error reference in Error taxonomy.
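
The fail-closed rule from ResultExt and granted(), shown beside a fail-open check for contrast. This is an added example, not code from the crate: Decision, IamError and Outcome here are local stand-ins, and the field names, error variants and the three-way Outcome are assumptions made for illustration.

```rust
// Added illustration: local stand-ins, NOT the laravel_iam types.
#[derive(Debug, Clone, PartialEq)]
pub struct Decision {
    pub allowed: bool,          // assumed field name
    pub requires_step_up: bool, // assumed field name
}

impl Decision {
    // Same rule the page gives for granted(): allowed && !requires_step_up.
    pub fn granted(&self) -> bool { self.allowed && !self.requires_step_up }
}

// Hypothetical error variants; the real taxonomy is documented elsewhere.
#[derive(Debug, PartialEq)]
pub enum IamError { Timeout, Unauthorized }

#[derive(Debug, PartialEq)]
pub enum Outcome { Allow, StepUp, Deny }

// Fail-closed: only Ok + granted() admits; every error path is Deny.
pub fn gate(r: &Result<Decision, IamError>) -> Outcome {
    match r {
        Ok(d) if d.granted() => Outcome::Allow,
        Ok(d) if d.allowed => Outcome::StepUp, // allowed, but step-up pending
        Ok(_) | Err(_) => Outcome::Deny,
    }
}

// Anti-pattern for contrast: reads the raw flag and treats an outage as "allow".
pub fn fail_open(r: &Result<Decision, IamError>) -> bool {
    r.as_ref().map(|d| d.allowed).unwrap_or(true)
}

// Constructed cases: count inputs the fail-open check admits but gate() does not.
pub fn wrongly_admitted() -> usize {
    let cases: Vec<Result<Decision, IamError>> = vec![
        Ok(Decision { allowed: true, requires_step_up: false }),
        Ok(Decision { allowed: true, requires_step_up: true }),
        Ok(Decision { allowed: false, requires_step_up: false }),
        Err(IamError::Timeout),
        Err(IamError::Unauthorized),
    ];
    cases.iter().filter(|r| fail_open(r) && gate(r) != Outcome::Allow).count()
}

fn main() {
    println!("fail-open admits {} requests the gate rejects", wrongly_admitted());
}
```

The step-up case and both error cases are the ones a raw-flag or default-to-true check lets through.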

Crate-level attributes

#![forbid(unsafe_code)]
#![warn(clippy::all, clippy::pedantic)]

No unsafe anywhere; the crate is clippy-pedantic clean.