9 Rust authentication libraries that are ready for production

Rust is a low-level language with high-level ergonomics. It’s fast and reliable and supports asynchronous I/O arriving in stable Rust. As such, Rust is quickly becoming the premier choice for performance-focused network and web applications.

Virtually all web apps require some form of authentication, especially in an age of ever-increasing awareness around data privacy. Rust has a wide and growing range of high-quality, production-ready crates available for authentication and authorization.

In this guide, we’ll evaluate nine stable, production-ready authentication libraries based on the following criteria:

Popularity
Completeness
Maintenance
Support for stable Rust

We’ll also preview some crates that aren’t yet production-ready but should be on your radar.

Let’s dive in!

1. `cookie`

Production-ready: Yes
Async support: No

cookie is a crate for creating and parsing HTTP cookies. It’s used for managing sessions, encrypting, and signing cookies.

cookie is a production-ready crate with thousands of downloads. It serves as a foundation for building session-based authentication strategies. The crate supports saving and recording changes in cookies. It’s web framework-agnostic and supports actix, rocket, and all other frameworks.

2. `jsonwebtoken`

Production-ready: Yes
Async support: No

JSON Web Tokens are very popular for authorization; many OAuth provider issues JWT. jsonwebtoken provides support for verifying and creating JWT tokens.

The crate supports all standard signing algorithms as well as both symmetric and asymmetric encryption algorithms. It comes with built-in validation of standard claims and strongly typed and highly configurable APIs. It also features full implementation of RFC 7519.

jsonwebtoken is a highly stable and widely used library with thousands of downloads. Best of all, it has an active team of maintainers with huge community support.

3. `oauth2`

Production-ready: Yes
Async support: Yes

oauth2 provides a complete implementation of the OAuth 2 protocol. It supports async and sync I/O, obtaining access tokens, verifying state, and obtaining refresh tokens.

Features include full implementation of RFC 6749 and strongly typed. The crate has support for state and crf_state validation as well as PKCE challenge. Furthermore, a custom HTTP client with default support for reqwest and curl is baked into the crate.

Finally, oauth2 is framework-agnostic and supports using a password and username directly.

Examples of other oAuth providers include:

oauth2 is easy to use and provides a complete OAuth 2 client solution, including refresh tokens, managing claims, scopes, and grants.

4. `otpauth`

Production-ready: Yes
Async support: No

otpauth provides support for both HOTP and TOTP algorithms. It’s used to generate one-time passwords (OTPs). It can generate time-based OTPs with support for changing validation time.

otpauth‘s APIs are easy to use and intuitive, and it features full impementation of HOTP and TOTP.

5. `yup-oauth2`

Production-ready: Yes
Async support: Yes

yup-oauth2 provides the implementation of OAuth 2.0 for server-to-server. It’s used to implement a client library for different services, such as google-api-rs.

Over 200k developers use LogRocket to create better digital experiences

Learn more →

The crate supports both service accounts and installed applications and works with any service that implements OAuth 2.0 for server-to-server authentication. yup-ouath is typically used for authentication on devices with limited input capabilities using device flow. It’s used in services such as Google cloud platform, Firebase, and other Google services using service flow. It also supports application where the authentication token cannot be saved securely using installed application flow.

6. Asap

Production-ready: Yes
Async support: No

ASAP is an authentication mechanism created and maintained by Atlassian. It supports nonstandard claims and performs validation and token generation at lightning-fast speed.

ASAP is based on the jsonwebtoken crate. It fully supports ASAP specifications.

7. JWKS-Client

Production-ready: Yes
Async support: Yes

JWKS-Client provides support for validating JSON web tokens using a JWKS (JSON web keyset). The primary function of the crate is symmetric signature validation for JWT tokens using a JWKS.

The crate is primarily used for Google and Firebase OAuth but can be used with any other provider easily. It takes the URL of the key arguments and verifies the token. It also supports key caching.

8. `openssl`

Production-ready: Yes
Async support: No

The openssl crate is Rust binding for the OpenSSL library. It provides full support for signing tokens, hashing passwords, generating random auth tokens, and encrypting data.

Many authentication libraries use OpenSSL for signing and hashing data. jsonwebtoken uses OpenSSL for signing tokens.

The openssl crate has support for both static and dynamic linking. It also supports the available version of OpenSSL or downloads the required version.

9. `pgen`

Production-ready: Yes
Async support: No

pgen generates passphrases using the EFF’s wordlists for random passphrases.

3 Rust authentication libraries to keep on your radar

The following libraries are not yet stable but have promising features and should be on your radar. As Rust grows, it will support more and more standards.

1. `boringauth`

Production-ready: No
Async support: No

boringauth is a one-stop solution for any app’s authentication-related needs. It supports passpharse authentication and both HTOP- and TOP-based authentication. It also features a customizable period, hashing algorithm, output length, and initial timestamps.

boringauth can be used in CLI and desktop apps. It doesn’t have full support for HTOP and TOPT just yet. Suport for universal two-factor authentication is also forthcoming.

2. `oxide-auth`

Production-ready: No
Async support: No

The oxide-auth crate provides implementation of OAuth for the server. It has support for many web frameworks, including Actix, Iron, Rocket, and Rouille.

Put simply, oxide-auth makes managing OAuth tokens on the server easy. It also supports handling token for custom servers.

3. Frank JWT

Production-ready: No
Async support: No

Frank JWT is used for verifying and generating JWT. It can read keys automatically from path.

This crate is not yet production-ready since it doesn’t support validation of iss , sub, and many other claims.

Summary

To summarize, below is a comprehensive table to help you compare the features, capabilities, and pros and cons of the Rust authentication libraries discussed in this guide.

Name	Production-ready?	Type	Async support?	Primary use(s)	Drawbacks	Benefits	Maintained?
`cookie`	Yes	Helper	No	Creating a custom session- and cookies-based auth Saving JWT in encrypted cookies Tracking users	Only a helper library	Wide user base Support for parser and creating cookies	Yes
`oauth2`	Yes	OAuth support	Yes	Obtaining OAuth tokens Supports multiple HTTPS request clients (request, curl, custom) Supports any OAuth provider that supports OAuth 2	No support for verifying obtained tokens	Full implementation of OAuth 2	Yes
`oauth-client`	No	OAuth support	No	OAuth support	No support for verifying obtained tokens Not actively maintained		No
`oauth-client-async`	No	OAuth support	Yes	Async version of `oauth-client`	Not actively maintained Relatively few users No support for verifying obtained tokens		No
`oxide-auth`	No	OAuth server	Yes	Building servers based on OAuth Support for various frameworks (`oxide-auth-actix`, `oxide-auth-iron`, `oxide-auth-rocket`, `oxide-auth-rouille`)	No stable API		Yes
`inth-oauth2`	No	OAuth server	Yes	OAuth client server Supports Google, GitHub, and Imgur out of the box Pluggable interface with community support for Slack and other providers	Not maintained		No
`yup-oauth2`	Yes	OAuth server	Yes	OAuth for Google services Token caching	No out-of-the-box auth provider support	Support for installed applications Service account<be> Used by `google-api-rs`	Yes
Frank JWT	No	JWT helper	No	JWT creation and validation Symmetric and asymmetric alog	No support for fetching keys from JWKS	Support for numerous algorithms	Yes
`jsonwebtoken`	Yes	JWT helper	No	JWT creation and validation Symmetric and asymmetric alog	No support for fetching keys from JWKS	Great community support Wide use	Yes
`otpauth`	Yes	OTP auth	No	OTP creation and validation	No support for secret generation	Supports both TOPT and HTOP	Yes
`boringauth`	No	OTP auth	No	OTP creation and validation	Highly configurable Support for pasword	Supports both TOPT and HTOP	Yes
ASAP	Yes	ASAP auth	Yes	ASAP tokens(JWT with custom claims)	No support for JWKS	Super-fast Supported by Atlassian	Yes
JWKS-Client	Yes	JWT auth middleware	Yes	JWT validation using JWKS	Works only for RocketU	Uses JWKS	Yes
`openssl`	Yes	Cryptography	No	Hashing passwords Generating salts		Binding for OpenSSL library	Yes
`pgen`	Yes	Paraphrases generator	No	Passphrase generation	Based on EFF list		Yes

LogRocket: Full visibility into web frontends for Rust apps

Debugging Rust applications can be difficult, especially when users experience issues that are difficult to reproduce. If you’re interested in monitoring and tracking performance of your Rust apps, automatically surfacing errors, and tracking slow network requests and load time, try LogRocket.

LogRocket is like a DVR for web and mobile apps, recording literally everything that happens on your Rust app. Instead of guessing why problems happen, you can aggregate and report on what state your application was in when an issue occurred. LogRocket also monitors your app’s performance, reporting metrics like client CPU load, client memory usage, and more.

Modernize how you debug your Rust apps — start monitoring for free.