{"id":48757107,"url":"https://github.com/oathmesh/oathmesh","last_synced_at":"2026-04-23T05:04:35.912Z","repository":{"id":350946215,"uuid":"1208879098","full_name":"oathmesh/oathmesh","owner":"oathmesh","description":"Short-lived signed identity for every machine call. Replace API keys with scoped, auditable Oath Tokens. Go + TypeScript + Python SDKs.","archived":false,"fork":false,"pushed_at":"2026-04-13T03:17:31.000Z","size":7395,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T03:27:53.733Z","etag":null,"topics":["authentication","ed25519","express","fastapi","golang","jwt","machine-identity","middleware","nextjs","pkl","python","security","service-to-service","typescript","zero-trust"],"latest_commit_sha":null,"homepage":"https://github.com/oathmesh/oathmesh#readme","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oathmesh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-12T21:27:08.000Z","updated_at":"2026-04-13T03:17:35.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/oathmesh/oathmesh","commit_stats":null,"previous_names":["mustafamahmoudatta111/oathmesh","oathmesh/oathmesh"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/oathmesh/oathmesh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/oathmesh%2Foathmesh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oathmesh%2Foathmesh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oathmesh%2Foathmesh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oathmesh%2Foathmesh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oathmesh","download_url":"https://codeload.github.com/oathmesh/oathmesh/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oathmesh%2Foathmesh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32166661,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-23T02:19:40.750Z","status":"ssl_error","status_checked_at":"2026-04-23T02:17:55.737Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","ed25519","express","fastapi","golang","jwt","machine-identity","middleware","nextjs","pkl","python","security","service-to-service","typescript","zero-trust"],"created_at":"2026-04-13T03:22:26.012Z","updated_at":"2026-04-23T05:04:35.900Z","avatar_url":"https://github.com/oathmesh.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg 
src=\"assets/logo.png\" width=\"200\" alt=\"OathMesh Logo\"\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eOathMesh\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cb\u003e🔐 Every machine call gets a short-lived, signed identity.\u003c/b\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/social-preview.png\" alt=\"OathMesh in action\" width=\"600\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  Stop leaking API keys. Replace static secrets with cryptographically verified tokens that expire in 5 minutes or less.\n\u003c/p\u003e\n\n\u003e ⚠️ **Pre-production:** OathMesh has not yet received an independent security audit. It is ready for early-adopter/MVP deployments; weigh the missing audit before relying on it to protect production workloads.\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/oathmesh/oathmesh/actions/workflows/ci.yml\"\u003e\n    \u003cimg src=\"https://github.com/oathmesh/oathmesh/actions/workflows/ci.yml/badge.svg\" alt=\"CI Status\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.com/package/@oathmesh/sdk\"\u003e\n    \u003cimg src=\"https://img.shields.io/npm/v/@oathmesh/sdk.svg\" alt=\"npm version\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/oathmesh/oathmesh/releases\"\u003e\n    \u003cimg src=\"https://img.shields.io/pypi/v/oathmesh.svg\" alt=\"pypi version\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/oathmesh/oathmesh/releases\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/v/release/oathmesh/oathmesh\" alt=\"GitHub Release\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/oathmesh/oathmesh/blob/main/LICENSE\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/license/oathmesh/oathmesh.svg\" alt=\"License\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/oathmesh/oathmesh/stargazers\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/stars/oathmesh/oathmesh\" alt=\"Stars\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/oathmesh/oathmesh/graphs/contributors\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/contributors/oathmesh/oathmesh\" alt=\"Contributors\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n
## ✨ Features\n\n- 🔑 **Zero API Keys** — No more long-lived secrets in environment variables\n- ⏱️ **Short-Lived Tokens** — Maximum 300 seconds TTL, auto-expiring credentials\n- 🛡️ **Zero-Trust Security** — Every request must prove its identity\n- 🔒 **Ed25519 Signatures** — Modern elliptic curve cryptography (KMS-backed via `SignFunc` abstraction)\n- 📋 **14-Step Verification** — Func-slice pipeline with step-annotated errors for instant diagnosis\n- 🌐 **Polyglot SDKs** — Go, Node.js (TypeScript), and Python supported\n- 📊 **Full Audit Trail** — Every allow and deny logged via composable `FanOutAuditSink`\n- 🔄 **Policy-Driven** — Apple Pkl-based rules, hot-reload, default deny\n- 🌐 **Gateway Mode** — Reverse proxy that injects verified context headers\n- 🛠️ **CLI Native** — Terminal-driven management for robust GitOps integration\n- 🛑 **Stateful Revocation** — Redis-backed O(1) revocation lists directly synced\n- 🤖 **CI Native Auto-Sign** — Built-in OIDC exchange mappings for GitHub Actions and GitLab CI\n- ⚡ **Circuit-Breaker Replay Defense** — If Redis is unreachable, the replay cache fails over to an in-process cache instead of failing open. That fallback is per process: while Redis is down, a `jti` is only detected as replayed by the replica that first accepted it, so plan for this when running several replicas.\n- 🚀 **JWKS Pre-Warming** — Eliminate cold-start latency with `JWKSCache.PreWarm(ctx)`\n\n---\n\n## 📚 SDKs\n\n| Language | Package | Frameworks |\n|----------|---------|------------|\n| **Go** | [`github.com/oathmesh/oathmesh`](https://github.com/oathmesh/oathmesh) | chi, stdlib `net/http` |\n| **Node.js** | [`@oathmesh/sdk`](https://www.npmjs.com/package/@oathmesh/sdk) | Express, **Next.js** (App, Pages, Edge) |\n| **Python** | [`oathmesh`](https://github.com/oathmesh/oathmesh/releases) | FastAPI, Flask, Django |\n\n### SDK Feature Comparison\n\n| Feature | Go SDK | Node.js SDK | Python SDK |\n|---------|--------|-------------|------------|\n| 
**Token verification** | ✅ Full 14-step | ✅ Full 14-step (Go-aligned semantics) | ✅ Full 14-step (Go-aligned semantics) |\n| **alg:none rejection** | ✅ | ✅ | ✅ |\n| **Exact audience match** | ✅ | ✅ | ✅ |\n| **Subject format validation** | ✅ | ✅ | ✅ |\n| **rqh binding** | ✅ | ✅ | ✅ |\n| **Binding-required mode (`rqh`)** | ✅ | ✅ | ✅ |\n| **Future `iat` rejection** | ✅ | ✅ | ✅ |\n| **Replay cache** | ✅ Built-in | ✅ Built-in (InMemoryReplayCache) | ✅ Built-in (InMemoryReplayCache) |\n| **Revocation list (step 13.5)** | ✅ Conformance-covered | ⚠️ Optional API (conformance N/A) | ⚠️ Optional API (conformance N/A) |\n| **Policy evaluation** | ✅ Built-in (Pkl) | ✅ Built-in (JSON) | ✅ Built-in (JSON) |\n\n\u003e **Conformance note:** Node.js and Python verifiers were tightened toward the canonical Go step semantics (for example: `alg=none` rejection, subject format validation, required request binding semantics, and future-`iat` rejection). This is behavioral parity, not byte-level implementation equivalence across languages.\n\u003e\n\u003e **Revocation note:** Go conformance covers revocation-list behavior. Node.js and Python expose optional revocation list hooks, but revocation is currently marked N/A in cross-SDK conformance for those targets.\n\n---\n\n## 🚦 Start Here\n\nUse this canonical developer entry flow:\n\n1. **Step 1 (commands):** [QUICKSTART.md](QUICKSTART.md)\n2. **Step 2 (guided onboarding):** [docs/GETTING_STARTED.md](docs/GETTING_STARTED.md)\n3. **Step 3 (full docs index):** [docs/INDEX.md](docs/INDEX.md)\n\nStep 1 is the canonical runnable path for local verification (issuer `http://localhost:4000`, protected `chi-api` at `http://localhost:8081`).\n\n### ✅ Local quality checks (before a PR)\n\nRun the minimal local quality workflow:\n\n```bash\nmake quality-local\n```\n\nIf `make` is not available (for example on some Windows setups), run the same flow manually:\n\n```bash\ngo test ./...\ngolangci-lint run ./...  # if installed\ngovulncheck ./...        
# if installed\n```\n\n---\n\n## 📦 Installation\n\n### Go\n\n```bash\ngo install github.com/oathmesh/oathmesh/cmd/oathmesh@latest\n```\n\n### Node.js / TypeScript\n\n```bash\nnpm install @oathmesh/sdk\n# or\nyarn add @oathmesh/sdk\n# or\npnpm add @oathmesh/sdk\n```\n\n### Python\n\n```bash\npip install oathmesh\n# or\npoetry add oathmesh\n```\n\n### Docker\n\n```bash\ndocker pull oathmesh/oathmesh:latest\n```\n\n---\n\n## 💻 Usage Examples\n\n### Go Middleware\n\n```go\nr.Use(middleware.OathMeshMiddleware(cfg))\ncaller := middleware.CallerFrom(r.Context())\n// caller.Principal.Subject, caller.Action, caller.TokenID\n```\n\n### Express (TypeScript)\n\n```typescript\nimport { verifyToken } from '@oathmesh/sdk';\n\napp.use(verifyToken({ audience, trustedIssuers }));\n// req.oathmeshContext is fully typed\n```\n\n### Next.js (App Router)\n\n```typescript\nimport { NextRequest, NextResponse } from 'next/server';\nimport { withOathMesh } from '@oathmesh/sdk/next';\n\nconst oathmesh = withOathMesh({ audience, trustedIssuers });\n\nexport async function GET(request: NextRequest) {\n  const { caller, error } = await oathmesh(request);\n  if (error) return error;\n  return NextResponse.json({ subject: caller.principal.subject });\n}\n```\n\n### FastAPI (Python)\n\n```python\nfrom oathmesh import verify_token, VerifierConfig\n\ncaller = verify_token(request.headers[\"authorization\"], config)\n# caller.principal.subject, caller.action, caller.token_id\n```\n\n---\n\n## ⚖️ Comparison\n\n| Feature | API Keys | Traditional JWT | OathMesh |\n|---------|----------|------------------|----------|\n| **Lifetime** | Unbounded until rotated (leaked = compromised) | Configurable, typically hours to days | ≤ 300 seconds |\n| **Cryptography** | None (opaque bearer string) | HS256, RS256 common | Ed25519 only |\n| **Replay Protection** | ❌ | Optional (`jti` is defined but rarely checked) | ✅ Unique `jti` per token, checked against a replay cache |\n| **Policy Engine** | ❌ | ❌ | ✅ Pkl-based rules |\n| **Audit Logging** | ❌ | Optional | ✅ Every allow/deny |\n| **Scoped Actions** | ❌ | Optional | ✅ `act` claim required |\n\n---\n\n## 🏗️ Architecture\n\n```\n┌──────────┐   
 ┌─────────┐    ┌─────────────────────┐\n│ Caller   │───▶│ Issuer  │───▶│ Signs Oath Token    │\n│ (bot, CI,│    │         │    │ (Ed25519, ≤300s TTL)│\n│  service)│    └─────────┘    └─────────────────────┘\n└──────────┘                         │\n                     ┌────────────────┴────────────┐\n                     ▼                             ▼\n              ┌──────────────┐              ┌──────────────┐\n              │   Receiver   │              │   Gateway    │\n              │  (your API)  │              │ (proxy mode) │\n              └──────────────┘              └──────────────┘\n                     │                             │\n              ┌──────┴──────┐               ┌───────┴───────┐\n              │ 14-step     │               │ Injects       │\n              │ verification│               │ X-OathMesh-*  │\n              │ pipeline    │               │ headers       │\n              └─────────────┘               └───────────────┘\n```\n\n**Gateway Mode** (`oathmesh serve --gateway`): A reverse proxy that verifies tokens and injects security context headers into your existing upstream services. Because the upstream trusts those `X-OathMesh-*` headers, make it reachable only through the gateway (network policy or mTLS) and confirm that the gateway strips any `X-OathMesh-*` headers arriving from the client; otherwise a caller could forge the verified context.\n\n---\n\n## 🗺️ Roadmap\n\n- 🔜 **Rust SDK** — Coming soon\n- 🔜 **Java SDK** — Coming soon  \n- 🗓️ **Policy UI** — Visual policy editor\n- 🗓️ **Audit Dashboard** — Web-based log viewer\n\n---\n\n## 🤝 Contributing\n\nContributions are welcome! Here's how to get started:\n\n1. **Fork** the repository\n2. **Clone** your fork: `git clone https://github.com/YOUR_USERNAME/oathmesh.git`\n3. **Create a branch**: `git checkout -b feature/your-feature-name`\n4. **Make your changes** and add tests\n5. **Run tests**: `make test` (Go) / `npm test` (Node) / `pytest` (Python)\n6. 
**Submit a PR** — We'll review and merge!\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for detailed guidelines.\n\n---\n\n## ⭐ Show Your Support\n\nIf OathMesh helps you build safer systems, please:\n\n- **Star** this repository ⭐\n- **Share** it with your team\n- **Open an issue** if you find a bug or have a feature request\n- **Contribute** — We need SDKs for more languages!\n\n[![Star this repo](https://img.shields.io/github/stars/oathmesh/oathmesh?style=social)](https://github.com/oathmesh/oathmesh)\n\n---\n\n## 📖 Documentation\n\n### Quickstarts\n- [Protect a Go chi API](docs/quickstarts/protect-chi-api.md)\n- [Protect an Express API](docs/quickstarts/protect-express-api.md)\n- [Protect a Next.js API](docs/quickstarts/protect-nextjs-api.md)\n- [Protect a FastAPI service](docs/quickstarts/protect-fastapi.md)\n- [GitHub Actions to internal API](docs/quickstarts/github-actions-to-internal-api.md)\n\n### Tutorials\n- [Getting started: issuer + receiver + verify](docs/tutorials/getting-started.md)\n- [gRPC integration](docs/tutorials/grpc-integration.md)\n- [GraphQL integration (Node + Python)](docs/tutorials/graphql-integration.md)\n- [CI/CD machine identity](docs/tutorials/ci-cd-machine-identity.md)\n\n### Deployment\n- [Linux VM Deployment (systemd)](docs/deployment/vm.md)\n- [Docker Compose Deployment](docs/deployment/docker-compose.md)\n- [Kubernetes Deployment Guide](docs/deployment/kubernetes.md)\n- [TLS Configuration Guide](docs/deployment/tls.md)\n\n### Protocol \u0026 Security\n- [Token Format](docs/protocol/token-format.md) · [Claim Reference](docs/protocol/claim-reference.md)\n- [Verification Rules](docs/protocol/verification-rules.md) · [Threat Model](docs/security/threat-model.md)\n- [Replay Defense](docs/security/replay-defense.md) · [Key Management](docs/security/key-management.md)\n- [SOC2 Compliance Matrix](docs/security/soc2-compliance.md)\n\n### Policy\n- [Policy Overview](docs/policies/overview.md)\n- [Policy 
Examples](docs/policies/examples.md)\n- [Policy Migration Guide](docs/policies/migration.md)\n\n### Documentation Hub\n- [Full Documentation Index](docs/INDEX.md)\n\n---\n\n## 🔒 Security\n\nFor security vulnerabilities, please see [SECURITY.md](SECURITY.md). **Do NOT open a public issue** for security vulnerabilities.\n\n---\n\n## 📄 License\n\n[MIT](LICENSE)\n\n---\n\n\u003cp align=\"center\"\u003e\n  Built with ❤️ by the \u003ca href=\"https://github.com/oathmesh/oathmesh/graphs/contributors\"\u003eOathMesh team\u003c/a\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foathmesh%2Foathmesh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foathmesh%2Foathmesh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foathmesh%2Foathmesh/lists"}
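The README embedded above describes a fixed-order verification pipeline (rejection of `alg=none`, exact audience match, rejection of a future `iat`, a 300-second TTL ceiling, a unique `jti` checked against a replay cache, a required `act` claim) and a function-valued signer so that a KMS can stand in for a raw key. The Go program below is an added example written for this page to show those checks end to end; it is not OathMesh's code and does not use its SDK or its documented token format. It assumes a simplified claim set, a JWS-style `header.payload.signature` encoding, and a 30-second clock-skew tolerance; the issuer URL, audience and sample claims are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a small claim set for this example, not OathMesh's documented format.
type Claims struct {
	Iss string `json:"iss"` // issuer
	Sub string `json:"sub"` // caller principal, e.g. "svc:ci"
	Aud string `json:"aud"` // exactly one receiver
	Act string `json:"act"` // scoped action the caller may perform
	Jti string `json:"jti"` // unique id consumed by the replay cache
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// MaxTTL is the README's ceiling; the skew tolerance is an assumed value.
const MaxTTL, ClockSkew = 300*time.Second, 30*time.Second
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Mint produces header.payload.signature; sign is a func so a KMS signer can replace the raw key.
func Mint(sign func(msg []byte) []byte, c Claims) string {
	payload, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + b64(sign([]byte(input)))
}

// Verifier is the receiver side: trust anchors plus an in-process jti replay cache.
type Verifier struct {
	Issuer, Audience string
	Key              ed25519.PublicKey
	seen             map[string]int64 // jti -> exp; evicted once expired
}

func NewVerifier(iss, aud string, key ed25519.PublicKey) *Verifier {
	return &Verifier{Issuer: iss, Audience: aud, Key: key, seen: map[string]int64{}}
}

// Verify runs the checks in a fixed order; every error names the failing step.
func (v *Verifier) Verify(tok string) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("step 1: token must have three segments")
	}
	dec := base64.RawURLEncoding.DecodeString
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := dec(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("step 2: alg must be EdDSA (alg=none rejected)")
	}
	// Check the signature before trusting anything in the payload.
	if sig, err := dec(parts[2]); err != nil || !ed25519.Verify(v.Key, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("step 3: signature does not verify")
	}
	var c Claims
	if pb, err := dec(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("step 4: malformed claims")
	}
	now := time.Now().Unix()
	for _, ck := range []struct{ bad bool; msg string }{
		{c.Iss != v.Issuer, "step 5: untrusted issuer"},
		{c.Aud != v.Audience, "step 6: audience mismatch (exact match, no prefix or wildcard)"},
		{c.Sub == "" || c.Act == "", "step 7: sub and act are required"},
		{c.Iat > now+int64(ClockSkew.Seconds()), "step 8: iat is in the future"},
		{c.Exp <= now, "step 9: token expired"},
		{c.Exp-c.Iat > int64(MaxTTL.Seconds()), "step 10: TTL exceeds 300s"},
	} {
		if ck.bad {
			return nil, errors.New(ck.msg)
		}
	}
	for id, exp := range v.seen { // evict ids that can no longer be replayed
		if exp <= now {
			delete(v.seen, id)
		}
	}
	if c.Jti == "" || v.seen[c.Jti] != 0 {
		return nil, errors.New("step 11: missing or replayed jti")
	}
	v.seen[c.Jti] = c.Exp
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sign := func(m []byte) []byte { return ed25519.Sign(priv, m) } // stand-in for a KMS-backed signer
	tok := Mint(sign, Claims{Iss: "https://issuer.example", Sub: "svc:ci", Aud: "api:billing", // constructed sample
		Act: "invoices:read", Jti: "constructed-jti-1", Iat: time.Now().Unix(), Exp: time.Now().Unix() + 120})
	v := NewVerifier("https://issuer.example", "api:billing", pub)
	_, first := v.Verify(tok)
	_, replay := v.Verify(tok) // same jti presented again: must be rejected
	fmt.Println("first use:", first, "| replay:", replay)
}
```

Run it with `go run`; the first `Verify` returns no error and the second fails at step 11. The signature is checked before any claim is read so that a forged payload never reaches the claim logic, the audience comparison is a plain string equality rather than a prefix test, and the `seen` map is per process, which is the same limitation the README's in-process fallback cache carries when Redis is unavailable.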