Authentication and Authorization
RuleGo-Server provides a flexible user authentication and authorization system, supporting both JWT token and API Key authentication methods, and allows custom authenticators and authorizers through interfaces.
# User Management
Configure users in the `[users]` section of `config.conf`:

```ini
[users]
# Format: username = password[,apiKey]
# apiKey is optional
admin = admin,ak-2af255ea5618467d914c67a8beeca31d
user01 = user01
user02 = user02,ak-another-key
```
Each user has an independent workspace; rule chains, components, configurations, and other data are isolated per user.
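The following Go program is an added example, not RuleGo-Server's own loader: it parses the `username = password[,apiKey]` lines shown above into a user table and then answers the two questions the server has to ask of that table, "is this password right for this user?" and "which user owns this API key?". The function names and the error handling are this example's choices. The embedded sample is the `[users]` block from this page.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"fmt"
	"strings"
)

// User is one entry of the [users] section: a password and an optional API key.
type User struct {
	Name     string
	Password string
	APIKey   string // empty when the line has no ",apiKey" suffix
}

// ParseUsers reads lines in the "username = password[,apiKey]" format shown
// above. The section header, blank lines and '#' comments are skipped; a line
// without '=', an empty name or password, or a duplicate username is an error.
func ParseUsers(section string) (map[string]User, error) {
	users := make(map[string]User)
	sc := bufio.NewScanner(strings.NewReader(section))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "[") {
			continue
		}
		name, value, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("line %d: expected \"username = password[,apiKey]\"", n)
		}
		name = strings.TrimSpace(name)
		password, apiKey, _ := strings.Cut(strings.TrimSpace(value), ",")
		password, apiKey = strings.TrimSpace(password), strings.TrimSpace(apiKey)
		if name == "" || password == "" {
			return nil, fmt.Errorf("line %d: empty username or password", n)
		}
		if _, dup := users[name]; dup {
			return nil, fmt.Errorf("line %d: duplicate user %q", n, name)
		}
		users[name] = User{Name: name, Password: password, APIKey: apiKey}
	}
	return users, sc.Err()
}

// CheckPassword verifies a login attempt. The comparison runs even for an
// unknown username (against an empty stored value) and is constant-time in the
// content of the two strings, so the code path is the same either way.
func CheckPassword(users map[string]User, name, password string) bool {
	u, known := users[name]
	match := subtle.ConstantTimeCompare([]byte(u.Password), []byte(password)) == 1
	return known && match
}

// LookupAPIKey returns the user that owns key. Users without a configured key
// can never match, so an empty X-API-Key value never resolves to anyone.
func LookupAPIKey(users map[string]User, key string) (User, bool) {
	for _, u := range users {
		if u.APIKey != "" && subtle.ConstantTimeCompare([]byte(u.APIKey), []byte(key)) == 1 {
			return u, true
		}
	}
	return User{}, false
}

// sampleUsers is the [users] example from this page.
const sampleUsers = `[users]
# Format: username = password[,apiKey]
# apiKey is optional
admin = admin,ak-2af255ea5618467d914c67a8beeca31d
user01 = user01
user02 = user02,ak-another-key
`

func main() {
	users, err := ParseUsers(sampleUsers)
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckPassword(users, "admin", "admin")) // true
	u, ok := LookupAPIKey(users, "ak-another-key")
	fmt.Println(u.Name, ok) // user02 true
}
```

The config format on this page stores passwords in clear text, which is why `CheckPassword` compares the stored value directly; with a hashed store the `subtle.ConstantTimeCompare` call would be replaced by the hash library's verify function, and the rest of the flow stays the same.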
# Authentication Methods
# Anonymous Mode (Default)
When `require_auth = false` and the request carries no authentication information, the request is handled as `default_username` (default: `admin`):

```ini
require_auth = false
default_username = admin
```
# JWT Authentication
Enable authentication:

```ini
require_auth = true
jwt_secret_key = your-secret-key
jwt_expire_time = 43200000
jwt_issuer = rulego.cc
```
# Login to Get Token
```http
POST /api/v1/login
Content-Type: application/json

{
  "username": "admin",
  "password": "admin"
}
```
Response:

```json
{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "expiresAt": 1719360000
}
```

`expiresAt` is a Unix timestamp in seconds. The login endpoint is rate limited: at most 10 requests per minute from the same IP; requests beyond that receive HTTP 429.
# Using the Token
Carry the token in subsequent requests via the `Authorization` header:

```http
GET /api/v1/rules
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
```
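An added example, not RuleGo-Server's own token code, of what the JWT settings above amount to on the wire: an HS256 token signed with `jwt_secret_key`, carrying `jwt_issuer` and an expiry in Unix seconds (the `expiresAt` value of the login response), and a verifier that checks the four things that matter before trusting the token. The page does not document the server's actual claim names or which unit `jwt_expire_time` uses, so the claims (`sub`, `iss`, `exp`) and the `time.Duration` lifetime are this example's assumptions; only the Go standard library is used.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload this example signs: subject (username), issuer and
// expiry in Unix seconds. The claim names are assumed; the page does not
// document the server's real payload.
type Claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// sign returns the base64url HMAC-SHA256 of "header.payload".
func sign(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// MintToken issues an HS256 token valid for ttl; the second result is the
// expiresAt value (Unix seconds) that the login response carries.
func MintToken(secret []byte, issuer, user string, now time.Time, ttl time.Duration) (string, int64) {
	exp := now.Add(ttl).Unix()
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, _ := json.Marshal(Claims{Sub: user, Iss: issuer, Exp: exp})
	in := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return in + "." + sign(secret, in), exp
}

// VerifyToken accepts a token only if its header pins HS256 (so "alg":"none"
// and algorithm-confusion tokens are rejected before any claim is read), the
// signature matches in constant time, the issuer matches, and it has not expired.
func VerifyToken(secret []byte, issuer, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unsupported or malformed header")
	}
	if !hmac.Equal([]byte(sign(secret, parts[0]+"."+parts[1])), []byte(parts[2])) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return Claims{}, errors.New("malformed claims")
	}
	if c.Iss != issuer {
		return Claims{}, errors.New("wrong issuer")
	}
	if now.Unix() >= c.Exp {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	secret := []byte("your-secret-key") // jwt_secret_key from config.conf above
	token, exp := MintToken(secret, "rulego.cc", "admin", time.Now(), 12*time.Hour)
	fmt.Printf("{\"token\": %q, \"expiresAt\": %d}\n", token, exp)
	claims, err := VerifyToken(secret, "rulego.cc", token, time.Now())
	fmt.Println(claims.Sub, err) // admin <nil>
}
```

The order of checks in `VerifyToken` is deliberate: the algorithm is pinned and the signature is verified before the claims are even decoded, so no attacker-controlled field is interpreted until it is known to be authentic. `hmac.Equal` keeps the signature comparison constant-time, and the issuer check ties the token to this deployment's `jwt_issuer` so a token minted for a different issuer with a reused secret is still refused.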
# API Key Authentication
Once an apiKey is configured for a user, the API Key can be used directly instead of a JWT:

Option 1: Authorization header

```http
GET /api/v1/rules
Authorization: Bearer ak-2af255ea5618467d914c67a8beeca31d
```

Option 2: X-API-Key header

```http
GET /api/v1/rules
X-API-Key: ak-2af255ea5618467d914c67a8beeca31d
```
API Key is commonly used for MCP client integration, third-party system integration, and other scenarios that do not require a login flow.
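The example below is added here and is not RuleGo-Server's middleware; it shows how the three ways a request can arrive (anonymous, JWT bearer, API key in either header) collapse into one resolution step. The page does not say which header wins when both are sent or how a bearer value is told apart from an API key, so this example assumes `Authorization` takes precedence and treats a value as an API key only when it exactly equals a configured key, handing anything else to a JWT verifier supplied by the caller (`VerifyJWT`, a hypothetical hook). `Auth`, `Identity`, `Middleware` and `UserFrom` are this example's names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Auth holds the config.conf settings the request check depends on.
// VerifyJWT is supplied by the caller (whatever JWT verifier the deployment
// uses) and returns the username a valid token belongs to.
type Auth struct {
	APIKeys     map[string]string                  // api key -> username, from [users]
	VerifyJWT   func(token string) (string, error) // nil when JWT login is not enabled
	RequireAuth bool                               // require_auth
	DefaultUser string                             // default_username
}

// Identity returns the username a request acts as. Assumed precedence (the
// page states none): Authorization: Bearer wins over X-API-Key when both are
// present. A credential that exactly equals a configured API key is an API
// key; anything else must verify as a JWT. With no credential at all,
// anonymous access applies only when RequireAuth is false.
func (a Auth) Identity(r *http.Request) (string, error) {
	token := strings.TrimSpace(r.Header.Get("X-API-Key"))
	if h := r.Header.Get("Authorization"); h != "" {
		scheme, rest, ok := strings.Cut(h, " ")
		if !ok || !strings.EqualFold(scheme, "Bearer") {
			return "", errors.New("unsupported Authorization scheme")
		}
		token = strings.TrimSpace(rest)
	}
	if token == "" {
		if !a.RequireAuth {
			return a.DefaultUser, nil
		}
		return "", errors.New("authentication required")
	}
	if user, ok := a.APIKeys[token]; ok {
		return user, nil
	}
	if a.VerifyJWT == nil {
		return "", errors.New("unknown API key and JWT login is disabled")
	}
	return a.VerifyJWT(token)
}

type userKey struct{}

// Middleware wraps next: a failed resolution answers 401 with a
// WWW-Authenticate challenge; on success the username travels in the context.
func (a Auth) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, err := a.Identity(r)
		if err != nil {
			w.Header().Set("WWW-Authenticate", `Bearer realm="rulego-server"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, user)))
	})
}

// UserFrom reads the username Middleware stored; empty when not authenticated.
func UserFrom(r *http.Request) string {
	user, _ := r.Context().Value(userKey{}).(string)
	return user
}

func main() {
	a := Auth{
		APIKeys:     map[string]string{"ak-2af255ea5618467d914c67a8beeca31d": "admin"},
		RequireAuth: true,
	}
	r, _ := http.NewRequest("GET", "/api/v1/rules", nil)
	r.Header.Set("X-API-Key", "ak-2af255ea5618467d914c67a8beeca31d")
	fmt.Println(a.Identity(r)) // admin <nil>
}
```

Two details worth keeping whatever the real implementation looks like: the anonymous fallback to `default_username` is only reachable when no credential was sent at all, so a bad API key or an expired JWT is a 401 even with `require_auth = false`, and an `Authorization` header with any scheme other than `Bearer` is refused outright rather than silently ignored.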
# Permission System
# Permission Actions
| Resource | Action | Description |
|---|---|---|
| rule | read / write / delete / execute / operate | Rule chain management |
| component | read / write / delete | Component management |
| config | read / write | System configuration |
| log | read / delete | Run logs |
| locale | read / write | Internationalization |
| marketplace | read | Component marketplace |
# Default Authorizer
By default, DefaultAuthorizer allows all operations and imposes no permission restrictions.
# Custom Authenticator/Authorizer
RuleGo-Server's authentication and authorization are replaceable. Custom implementations can be injected through the service container:

| Service Key | Interface | Description |
|---|---|---|
| module.user.authenticator | Authenticator | Custom authentication logic (OAuth2, LDAP, etc.) |
| module.user.authorizer | Authorizer | Custom authorization logic (RBAC, ABAC, etc.) |
For custom development, see Custom Development.
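To make the permission table and the "RBAC" hint concrete, here is an added example of a default-deny role-based authorizer written against the resource/action table above. It is not RuleGo-Server's `Authorizer` interface (the page does not show that interface's signature), so `RBACAuthorizer`, `Allowed` and `Validate` are this example's names; wiring it in under `module.user.authorizer` would mean adapting `Allowed` to whatever method the real interface declares. Roles are also checked at load time against the table, so a typo in a role definition fails loudly instead of silently denying everything.

```go
package main

import "fmt"

// validActions is the Permission Actions table from this page.
var validActions = map[string][]string{
	"rule":        {"read", "write", "delete", "execute", "operate"},
	"component":   {"read", "write", "delete"},
	"config":      {"read", "write"},
	"log":         {"read", "delete"},
	"locale":      {"read", "write"},
	"marketplace": {"read"},
}

// Role maps a resource to the actions it grants; "*" grants every action on
// that resource.
type Role map[string][]string

// RBACAuthorizer is an illustration of an Authorizer that replaces the
// allow-all DefaultAuthorizer; its method signature is this example's own.
type RBACAuthorizer struct {
	Roles     map[string]Role     // role name -> permissions
	UserRoles map[string][]string // username -> role names
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Validate rejects roles that name a resource or action outside the table.
func (a RBACAuthorizer) Validate() error {
	for roleName, role := range a.Roles {
		for resource, actions := range role {
			valid, ok := validActions[resource]
			if !ok {
				return fmt.Errorf("role %q: unknown resource %q", roleName, resource)
			}
			for _, act := range actions {
				if act != "*" && !contains(valid, act) {
					return fmt.Errorf("role %q: resource %q has no action %q", roleName, resource, act)
				}
			}
		}
	}
	for user, roles := range a.UserRoles {
		for _, r := range roles {
			if _, ok := a.Roles[r]; !ok {
				return fmt.Errorf("user %q: unknown role %q", user, r)
			}
		}
	}
	return nil
}

// Allowed decides whether user may perform action on resource. Unknown users,
// roles, resources and actions are all denied (default deny).
func (a RBACAuthorizer) Allowed(user, resource, action string) bool {
	if !contains(validActions[resource], action) {
		return false
	}
	for _, roleName := range a.UserRoles[user] {
		for _, granted := range a.Roles[roleName][resource] {
			if granted == "*" || granted == action {
				return true
			}
		}
	}
	return false
}

func main() {
	a := RBACAuthorizer{
		Roles: map[string]Role{
			"operator": {"rule": {"read", "execute", "operate"}, "log": {"read"}},
			"admin":    {"rule": {"*"}, "component": {"*"}, "config": {"*"}, "log": {"*"}, "locale": {"*"}, "marketplace": {"*"}},
		},
		UserRoles: map[string][]string{"admin": {"admin"}, "user01": {"operator"}},
	}
	if err := a.Validate(); err != nil {
		panic(err)
	}
	fmt.Println(a.Allowed("user01", "rule", "execute")) // true
	fmt.Println(a.Allowed("user01", "rule", "delete"))  // false
	fmt.Println(a.Allowed("admin", "config", "write"))  // true
}
```

`Allowed` first checks that the (resource, action) pair exists in the table at all, so a request for an action the system does not define can never be granted through a `"*"` wildcard; that keeps the wildcard meaning "every listed action" rather than "anything".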