rust
56 lines · 8 steps
How a JWT extractor works in Axum
A custom FromRequestParts implementation turns a Bearer token into a typed CurrentUser handlers can request directly.
Explained by
highlit
1use axum::{
2 extract::FromRequestParts,
3 http::{request::Parts, StatusCode, header::AUTHORIZATION},
4};
5use jsonwebtoken::{decode, DecodingKey, Validation};
6use serde::Deserialize;
7use uuid::Uuid;
8
9#[derive(Debug, Clone)]
10pub struct CurrentUser {
11 pub id: Uuid,
12 pub email: String,
13}
14
15#[derive(Deserialize)]
16struct Claims {
17 sub: Uuid,
18 email: String,
19}
20
21pub struct AuthError(StatusCode, &'static str);
22
23impl axum::response::IntoResponse for AuthError {
24 fn into_response(self) -> axum::response::Response {
25 (self.0, self.1).into_response()
26 }
27}
28
29impl<S> FromRequestParts<S> for CurrentUser
30where
31 S: Send + Sync,
32{
33 type Rejection = AuthError;
34
35 async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
36 let header = parts
37 .headers
38 .get(AUTHORIZATION)
39 .and_then(|v| v.to_str().ok())
40 .ok_or(AuthError(StatusCode::UNAUTHORIZED, "missing authorization header"))?;
41
42 let token = header
43 .strip_prefix("Bearer ")
44 .ok_or(AuthError(StatusCode::UNAUTHORIZED, "invalid scheme"))?;
45
46 let key = DecodingKey::from_secret(std::env::var("JWT_SECRET").unwrap().as_bytes());
47 let claims = decode::<Claims>(token, &key, &Validation::default())
48 .map_err(|_| AuthError(StatusCode::UNAUTHORIZED, "invalid token"))?
49 .claims;
50
51 Ok(CurrentUser {
52 id: claims.sub,
53 email: claims.email,
54 })
55 }
56}
01 / 01
STEP 01
‹ swipe to step through ›
Walkthrough
Space play
←→ step
click any line
Three takeaways
- 1Implementing FromRequestParts lets a type become a first-class handler argument that Axum resolves automatically.
- 2Returning a typed Rejection that implements IntoResponse keeps auth failures as clean HTTP responses.
- 3Validating credentials inside the extractor centralizes auth so individual handlers stay free of token-parsing logic.
Related explainers
rust
use std::collections::HashMap; use std::sync::{Arc, Mutex}; use std::thread;
Aggregating metrics across threads in Rust
concurrency
shared-state
mutex
Intermediate
7 steps
go
package main import ( "errors"
Parsing and validating CLI flags in Go
cli-parsing
validation
error-handling
Intermediate
8 steps
java
public class ThumbnailProcessor { private static final int MAX_CONCURRENCY = 4;
Bounded parallel thumbnail rendering in Java
concurrency
thread-pool
futures
Intermediate
7 steps
rust
use std::sync::{mpsc, Arc, Mutex}; use std::thread; use std::time::Duration;
Building a thread pool in Rust
concurrency
channels
thread-pool
Advanced
9 steps
python
import time from collections import defaultdict from threading import Lock
Sliding-window login rate limiting in Flask
rate-limiting
sliding-window
thread-safety
Intermediate
7 steps
rust
use std::time::Instant; use tracing::info; pub struct Timer {
A scope-guard timer with Drop in Rust
raii
drop-guard
timing
Intermediate
7 steps
Share this explainer
Here's the card — post it anywhere.
Made with highlit — turn any snippet into a walkthrough like this in about a minute.
Explain your code
Embed this explainer
Drop the interactive walkthrough into a blog or docs. Views never cost a credit.
<iframe src="https://highlit.co/explainers/how-a-jwt-extractor-works-in-axum-explained-rust-5768/embed?autoplay=1" width="100%" height="520" loading="lazy" style="border:0"></iframe>
Autoplay is on by default — add ?autoplay=0 to start paused.