This package provides implementations for some common authentication methods. Authentication yields a trustworthy (because generated by the server) value of some arbitrary type:

type MyApi = Protected

type Protected = Auth '[JWT, Cookie] User :> Get '[JSON] UserAccountDetails

server :: Server Protected
server (Authenticated usr) = ... -- here we know the client really is
                                 -- who she claims to be
server _ = throwAll err401

Additional configuration happens via Context.

Example for Custom Handler

To use a custom Handler it is necessary to use hoistServerWithContext instead of hoistServer and specify the Context.

Below is an example of passing CookieSettings and JWTSettings in the Context to create a specialized function equivalent to hoistServer for an API that includes cookie authentication.

hoistServerWithAuth
  :: HasServer api '[CookieSettings, JWTSettings]
  => Proxy api
  -> (forall x. m x -> n x)
  -> ServerT api m
  -> ServerT api n
hoistServerWithAuth api =
  hoistServerWithContext api (Proxy :: Proxy '[CookieSettings, JWTSettings])
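The pieces above wired into one runnable application, as an added example that is not part of this package's documentation: a `User` type with default `ToJWT`/`FromJWT` instances, an API protected by either a JWT or the session cookie, handlers in a hypothetical `ReaderT Env Handler` monad, and `hoistServerWithAuth` used to hoist them with the `CookieSettings`/`JWTSettings` Context. The `Env` record, the "me" endpoint and the port are assumptions.

```haskell
{-# LANGUAGE DataKinds, DeriveGeneric, FlexibleContexts, OverloadedStrings, RankNTypes, TypeOperators #-}
import Control.Monad.Reader (ReaderT, asks, runReaderT)
import Data.Aeson (FromJSON, ToJSON)
import Data.Text (Text)
import GHC.Generics (Generic)
import Network.Wai.Handler.Warp (run)
import Servant
import Servant.Auth.Server

-- The trusted value authentication yields (constructed for this example).
data User = User { userName :: Text, userRole :: Text }
  deriving (Show, Generic)
instance ToJSON User
instance FromJSON User
instance ToJWT User     -- default instances: the record is stored in the "dat" claim
instance FromJWT User

-- Hypothetical application environment; handlers run in ReaderT over Handler.
newtype Env = Env { greeting :: Text }
type AppM = ReaderT Env Handler
-- Protected by either a bearer JWT or the session cookie.
type Protected = Auth '[JWT, Cookie] User :> "me" :> Get '[JSON] User

-- Only Authenticated proceeds; BadPassword, NoSuchUser and Indefinite all become 401.
protected :: ServerT Protected AppM
protected (Authenticated usr) = do
  g <- asks greeting
  return usr { userName = g <> userName usr }
protected _ = throwAll err401

-- hoistServerWithAuth as given on the page: hoistServerWithContext fixed to this Context.
hoistServerWithAuth
  :: HasServer api '[CookieSettings, JWTSettings]
  => Proxy api -> (forall x. m x -> n x) -> ServerT api m -> ServerT api n
hoistServerWithAuth api =
  hoistServerWithContext api (Proxy :: Proxy '[CookieSettings, JWTSettings])

main :: IO ()
main = do
  key <- generateKey                  -- ephemeral; use writeKey/readKey to persist
  let jwtCfg    = defaultJWTSettings key
      -- Cookie hardening: only over TLS, never sent on cross-site requests.
      cookieCfg = defaultCookieSettings { cookieIsSecure = Secure
                                        , cookieSameSite = SameSiteStrict }
      ctx       = cookieCfg :. jwtCfg :. EmptyContext
      api       = Proxy :: Proxy Protected
      app       = serveWithContext api ctx
                    (hoistServerWithAuth api (`runReaderT` Env "hello, ") protected)
  run 8080 app
```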


Basic types

data Auth (auths :: [Type]) val

Auth [auth1, auth2] val :> api represents an API protected *either* by auth1 or auth2

(n ~ S (S Z), HasServer (AddSetCookiesApi n api) ctxs, AreAuths auths ctxs v, HasServer api ctxs, AddSetCookies n (ServerT api Handler) (ServerT (AddSetCookiesApi n api) Handler), ToJWT v, HasContextEntry ctxs CookieSettings, HasContextEntry ctxs JWTSettings) => HasServer (Auth auths v :> api :: Type) ctxs

Defined in Servant.Auth.Server.Internal

Associated Types

type ServerT (Auth auths v :> api :: Type) m = AuthResult v -> ServerT api m

route :: Proxy (Auth auths v :> api) -> Context ctxs -> Delayed env (Server (Auth auths v :> api)) -> Router env

hoistServerWithContext :: Proxy (Auth auths v :> api) -> Proxy ctxs -> (forall x. m x -> n x) -> ServerT (Auth auths v :> api) m -> ServerT (Auth auths v :> api) n

data AuthResult val

The result of an authentication attempt.

Authenticated val

Authentication succeeded.

Indefinite

If an authentication procedure cannot be carried out - if for example it expects a username and password in a header that is not present - Indefinite is returned. This indicates that other authentication methods should be tried.

newtype AuthCheck val

An AuthCheck is the function used to decide the authentication status (the AuthResult) of a request. Different AuthChecks may be combined as a Monoid or Alternative; the semantics are that the *first* non-Indefinite result from left to right is used and the rest are ignored.
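A constructed illustration of that combination rule (added here, not code from the library): `constCheck` is a stand-in for a real method such as the JWT or cookie check, and the three runs show that a definite rejection from the first method is final even when a later method would have authenticated the request.

```haskell
{-# LANGUAGE OverloadedStrings #-}
import Network.Wai (defaultRequest)
import Servant.Auth.Server (AuthCheck (..), AuthResult (..))

-- A check that ignores the request and always yields a fixed result
-- (hypothetical stand-in for a real authentication method).
constCheck :: AuthResult a -> AuthCheck a
constCheck r = AuthCheck (\_ -> return r)

-- Checks are combined left to right, as the Auth combinator does for
-- '[auth1, auth2]; (<|>) from Alternative behaves the same as (<>).
main :: IO ()
main = do
  -- Method 1 has nothing to check, so method 2's result is used.
  r1 <- runAuthCheck (constCheck Indefinite <> constCheck (Authenticated "alice"))
                     defaultRequest
  print (r1 :: AuthResult String)
  -- Method 1 saw credentials and rejected them: that result is final and
  -- method 2's Authenticated is ignored, so the request is not authenticated.
  r2 <- runAuthCheck (constCheck BadPassword <> constCheck (Authenticated "alice"))
                     defaultRequest
  print (r2 :: AuthResult String)
  -- No method at all: mempty is Indefinite, which the server answers with 401.
  r3 <- runAuthCheck (mempty :: AuthCheck String) defaultRequest
  print r3
```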




JSON Web Tokens (JWT) are a compact and secure way of transferring information between parties. In this library, they are signed by the server (or by some other party possessing the relevant key), and used to indicate the bearer's identity or authorization.

Arbitrary information can be encoded - just declare instances for the FromJWT and ToJWT classes. Don't go overboard though - be aware that usually you'll be transmitting this information on each request (and response!).

Note that, while the tokens are signed, they are not encrypted. Do not put any information you do not wish the client to know in them!


Re-exported from 'servant-auth'

data JWT

A JSON Web Token (JWT) in the Authorization header:

Authorization: Bearer token

Note that while the token is signed, it is not encrypted. Therefore do not keep in it any information you would not like the client to know.

JWTs are described in IETF's RFC 7519

FromJWT usr => IsAuth JWT usr

Defined in Servant.Auth.Server.Internal.Class

Associated Types

type AuthArgs JWT = JWTSettings ': ([] :: [Type])

runAuth :: proxy JWT -> proxy usr -> Unapp (AuthArgs JWT) (AuthCheck usr)


class FromJWT a where

How to decode data from a JWT.

The default implementation assumes the data is stored in the unregistered dat claim, and uses the FromJSON instance to decode the value from there.


class ToJWT a where

How to encode data into a JWT.

The default implementation stores data in the unregistered dat claim, and uses the type's ToJSON instance to encode the data.


Related types

data IsMatch


class AreAuths (as :: [*]) (ctxs :: [*]) v


AreAuths ([] :: [Type]) ctxs v

Defined in Servant.Auth.Server.Internal.Class

runAuths :: proxy [] -> Context ctxs -> AuthCheck v

(AuthCheck v ~ App (AuthArgs a) (Unapp (AuthArgs a) (AuthCheck v)), IsAuth a v, AreAuths as ctxs v, AppCtx ctxs (AuthArgs a) (Unapp (AuthArgs a) (AuthCheck v))) => AreAuths (a ': as) ctxs v

Defined in Servant.Auth.Server.Internal.Class

runAuths :: proxy (a ': as) -> Context ctxs -> AuthCheck v



Re-exported from 'servant-auth'

data BasicAuth

Basic Auth.

FromBasicAuthData usr => IsAuth BasicAuth usr

Defined in Servant.Auth.Server.Internal.Class

Associated Types

type AuthArgs BasicAuth = BasicAuthCfg ': ([] :: [Type])

runAuth :: proxy BasicAuth -> proxy usr -> Unapp (AuthArgs BasicAuth) (AuthCheck usr)


class FromBasicAuthData a where

fromBasicAuthData :: BasicAuthData -> BasicAuthCfg -> IO (AuthResult a)

Whether the username exists and the password is correct. Note that, rather than passing a Pass to the function, we pass a function that checks an EncryptedPass. This is to make sure you don't accidentally do something untoward with the password, like store it.


type family BasicAuthCfg

Related types

data BasicAuthData

A simple datatype to hold data required to decorate a request

data IsPasswordCorrect

Authentication request

wwwAuthenticatedErr :: ByteString -> ServerError

A ServerError that asks the client to authenticate via Basic Authentication; it should be invoked by an application whenever appropriate. The argument is the realm.


class ThrowAll a where

throwAll :: ServerError -> a

throwAll is a convenience function to throw errors across an entire sub-API.

throwAll err400 :: Handler a :<|> Handler b :<|> Handler c
   == throwError err400 :<|> throwError err400 :<|> throwError err400
ThrowAll Application

for servant <0.11

Defined in Servant.Auth.Server.Internal.ThrowAll

MonadError ServerError m => ThrowAll (m a)

Defined in Servant.Auth.Server.Internal.ThrowAll

throwAll :: ServerError -> m a

ThrowAll b => ThrowAll (a -> b)

Defined in Servant.Auth.Server.Internal.ThrowAll

throwAll :: ServerError -> a -> b

(ThrowAll a, ThrowAll b) => ThrowAll (a :<|> b)

Defined in Servant.Auth.Server.Internal.ThrowAll

throwAll :: ServerError -> a :<|> b

MonadError ServerError m => ThrowAll (Tagged m Application)

for servant >=0.11

Defined in Servant.Auth.Server.Internal.ThrowAll

generateKey :: IO JWK

Generate a key suitable for use with defaultConfig.

generateSecret :: MonadRandom m => m ByteString

Generate a bytestring suitable for use with fromSecret.

fromSecret :: ByteString -> JWK

Restores a key from a bytestring.

writeKey :: FilePath -> IO ()

Writes a secret to a file. Can for instance be used from the REPL to persist a key to a file, which can then be included with the application. Restore the key using readKey.

readKey :: FilePath -> IO JWK

Reads a key from a file.

makeJWT :: ToJWT a => a -> JWTSettings -> Maybe UTCTime -> IO (Either Error ByteString)

Creates a JWT containing the specified data. The data is stored in the dat claim. The 'Maybe UTCTime' argument indicates the time at which the token expires.
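An added example (not from the package) tying together the key functions, makeJWT with an expiry, and the "signed, not encrypted" caveat from the JWT section: after issuing a token it base64url-decodes the payload segment without any key, showing that the dat and exp claims are readable by whoever holds the token, and then verifies the signature with verifyJWT. The Session type and the key file path are assumptions.

```haskell
{-# LANGUAGE DeriveGeneric, OverloadedStrings #-}
import Data.Aeson (FromJSON, ToJSON)
import qualified Data.ByteString.Base64.URL as B64
import qualified Data.ByteString.Char8 as B
import Data.Time (addUTCTime, getCurrentTime)
import GHC.Generics (Generic)
import Servant.Auth.Server

-- Session data placed in the token (constructed for this example).
data Session = Session { sessionUser :: String, sessionRole :: String }
  deriving (Show, Generic)
instance ToJSON Session
instance FromJSON Session
instance ToJWT Session      -- default: encoded as JSON under the "dat" claim
instance FromJWT Session

main :: IO ()
main = do
  -- Persist a new key and restore it the way a deployed service would
  -- ("jwt-key.json" is a hypothetical path).
  writeKey "jwt-key.json"
  key <- readKey "jwt-key.json"
  let cfg = defaultJWTSettings key
  -- Always set an expiry; a token without one stays valid until the key is rotated.
  expiry <- addUTCTime 3600 <$> getCurrentTime
  r <- makeJWT (Session "alice" "admin") cfg (Just expiry)
  case r of
    Left err  -> putStrLn ("could not sign token: " ++ show err)
    Right tok -> do
      B.putStrLn tok
      -- Compact JWS is header.payload.signature. The payload is base64url,
      -- not ciphertext: anyone holding the token can read "dat" and "exp".
      let payload = B.split '.' tok !! 1
      B.putStrLn (B64.decodeLenient payload)
      -- Verification with the issuing settings: the signature is what makes
      -- the contents trustworthy, not their secrecy.
      v <- verifyJWT cfg tok :: IO (Maybe Session)
      print v
```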


class Default a where

A class for types with a default value.

def :: a

The default value for this type.

data SetCookie

Data type representing the key-value pair to use for a cookie, as well as configuration options for it.

Creating a SetCookie

SetCookie does not export a constructor; instead, use defaultSetCookie and override values (see for details):

import Web.Cookie
:set -XOverloadedStrings
let cookie = defaultSetCookie { setCookieName = "cookieName", setCookieValue = "cookieValue" }

Cookie Configuration

Cookies have several configuration options; a brief summary of each option is given below. For more information, see RFC 6265 or Wikipedia.

