{"id":30117349,"url":"https://github.com/scroll-tech/rpc-auth-proxy","last_synced_at":"2025-08-10T10:41:51.684Z","repository":{"id":296833179,"uuid":"994655789","full_name":"scroll-tech/rpc-auth-proxy","owner":"scroll-tech","description":"An authenticated JSON-RPC proxy server","archived":false,"fork":false,"pushed_at":"2025-08-08T11:13:10.000Z","size":304,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-08T11:20:32.480Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/scroll-tech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-02T09:24:08.000Z","updated_at":"2025-08-08T11:13:13.000Z","dependencies_parsed_at":null,"dependency_job_id":"fbf07d2e-6050-4511-a706-15a26e98e86a","html_url":"https://github.com/scroll-tech/rpc-auth-proxy","commit_stats":null,"previous_names":["scroll-tech/rpc-auth-proxy"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/scroll-tech/rpc-auth-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scroll-tech%2Frpc-auth-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scroll-tech%2Frpc-auth-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scroll-tech%2Frpc-auth-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scroll-tech%2Frpc-auth-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/scroll-tech","download_url":"https://codeload.github.com/scroll-tech/rpc-auth-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scroll-tech%2Frpc-auth-proxy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269712872,"owners_count":24463216,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-10T02:00:08.965Z","response_time":71,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-08-10T10:41:46.289Z","updated_at":"2025-08-10T10:41:51.658Z","avatar_url":"https://github.com/scroll-tech.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Steps to run the example\n\n1. Run the proxy server:\n\n```sh\ncargo run -- --config config.toml\n```\n\n2. Run the example frontend:\n\n```sh\ncd examples/siwe-frontend \u0026\u0026 yarn \u0026\u0026 yarn start\n```\n\n3. Go to http://localhost:8080\n\n\n## Configuration\n\nYou can configure the proxy server via an optional `config.toml` file or command-line arguments. If neither is set, built-in defaults are used.\n\n`config.toml` example:\n\n```toml\nbind_address = \"0.0.0.0:8080\"\nupstream_url = \"http://validium-sequencer:8545\"\n```\n\n### Override with CLI\n\n```sh\ncargo run -- --bind-address 127.0.0.1:9000 --upstream-url http://localhost:8545\n```\n\n### Config file path\n\nBy default, the server uses `config.toml` in the current directory. You can use `--config config.toml` to specify a different path.\n\n### Defaults\n\nIf not specified, `bind_address` defaults to `0.0.0.0:8080`, `upstream_url` defaults to `http://validium-sequencer:8545`.\n\n### Precedence\n\nPrecedence order for configuration is: CLI arguments \u003e `config.toml` \u003e defaults.\n\n## Authorization \u0026 Admin Key Management\n\n### Admin keys\n\nYou can specify one or more admin API tokens via the `admin_keys` field in `config.toml`:\n\n```toml\nadmin_keys = [\"admin-token-1-abcdefg\", \"admin-token-2-hijklmn\"]\n```\n\nAny HTTP request with header\n\n```http\nAuthorization: Bearer \u003cadmin_key\u003e\n```\n\nmatching one of these values will receive full admin permissions.\n\n### Access levels\n\n**Full**: Requests using a valid admin key.\n\n**Restricted**: Requests with a regular JWT.\n\n**None**: Requests without any authorization or with invalid authorization.\n\n### Security and key rotation\n\n1. Treat admin keys as sensitive credentials.\n\n2. Rotate admin keys by updating the config and restarting the server.\n\n## JWT Signer Key Management (Key Rotation)\n\n### JWT signer keys\n\nUsed for signing and verifying user JWT tokens.\n\nEach entry under `jwt_signer_keys` must have a unique `kid` and `secret`.\n\nThe `default_kid` field specifies which key is used to sign new JWTs.\n\n**Example:**\n\n```toml\ndefault_kid = \"key-2025-07\"\njwt_signer_keys = [\n  { kid = \"key-2025-07\", secret = \"supersecret1\" },\n  { kid = \"key-2025-06\", secret = \"supersecret2\" }\n]\n```\n\n### Token expiry\n\nThe `jwt_expiry_secs` field sets the lifetime (in seconds) for newly issued JWT tokens.\n\n**Example:**\n\n```toml\njwt_expiry_secs = 3600  # JWTs are valid for 1 hour, timeout is not exact, there is a 60s leeway by default\n```\n\n### Key rotation\n\nTo rotate JWT signer keys, you can add a new key entry to `jwt_signer_keys`, set `default_kid` to the new key, and optionally remove old keys.\n\nFor a graceful key rotation (phased removal):\n\n1. After switching `default_kid`, keep old keys in `jwt_signer_keys` (for verification only), so old tokens remain valid until expiry.\n\n2. Once all old tokens are expired (i.e., after `jwt_expiry_secs`), you can safely remove the old key entry.\n\n3. Old JWTs signed with removed keys will be rejected.\n\n**Note**: After changing keys, restart the server to reload configuration.\n\n### Security and key rotation\n\n1. Treat JWT signer keys as sensitive credentials.\n\n2. Rotate keys regularly for better security.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscroll-tech%2Frpc-auth-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscroll-tech%2Frpc-auth-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscroll-tech%2Frpc-auth-proxy/lists"}