feat: implement built-in auth

Author: streamer45

.github/workflows/e2e.yml

@@ -65,6 +65,10 @@ jobs:
         working-directory: ./e2e
         run: bun run test
 
+      - name: Run E2E tests (auth enabled)
+        working-directory: ./e2e
+        run: E2E_AUTH=1 bun run test
+
       - name: Upload Playwright report
         uses: actions/upload-artifact@v4
         if: failure()

.gitignore

@@ -50,6 +50,9 @@ samples/pipelines/user
 samples/audio/user/*
 !samples/audio/user/.gitkeep
 
+# StreamKit runtime state (keys/tokens/config caches)
+.streamkit
+
 # Audio samples - only keep opus/ogg formats
 samples/audio/system/*.wav
 samples/audio/system/*.flac

Cargo.lock

@@ -26,12 +26,30 @@ This guide covers building and running StreamKit Docker images. The official “
 ```bash
 docker build -f Dockerfile.demo -t streamkit:demo .
 
-docker run \
+docker run --rm --name streamkit-demo \
   -p 127.0.0.1:4545:4545/tcp \
   -p 127.0.0.1:4545:4545/udp \
   streamkit:demo
 ```
 
+> [!NOTE]
+> The demo image binds to `0.0.0.0:4545` inside the container so published ports work. With `auth.mode=auto`, built-in auth is enabled by default.
+> To log in, print the bootstrap admin token and paste it into `http://localhost:4545/login`:
+>
+> ```bash
+> docker exec streamkit-demo skit auth print-admin-token --raw
+> ```
+
+> [!NOTE]
+> Linux-only (no login): run with host networking and bind to loopback inside the container to keep auth disabled in `auth.mode=auto`:
+>
+> ```bash
+> docker run --rm --name streamkit-demo \
+>   --network host \
+>   -e SK_SERVER__ADDRESS=127.0.0.1:4545 \
+>   streamkit:demo
+> ```
+
 If you want the OpenAI-powered sample pipelines, pass `OPENAI_API_KEY` without putting it directly in the command:
 
 ```bash
@@ -106,6 +124,28 @@ docker run --rm -d --name streamkit \
 
 # Note: the image defaults to `skit serve` (you can also pass it explicitly).
 
+> [!CAUTION]
+> StreamKit ships with built-in authentication (auto-enabled on non-loopback binds, including Docker’s `0.0.0.0`).
+> If you see the login page, fetch the bootstrap admin token with:
+>
+> ```bash
+> docker exec streamkit skit auth print-admin-token
+> ```
+>
+> The default token path inside the container is `/opt/streamkit/.streamkit/auth/admin.token`.
+> Mount `/opt/streamkit/.streamkit` (or set `[auth].state_dir`) if you want the auth state persisted across restarts.
+>
+> Linux-only (frictionless demo): run with host networking and bind to loopback inside the container to keep auth disabled in `auth.mode=auto`:
+>
+> ```bash
+> docker run --rm -d --name streamkit \
+>   --network host \
+>   -e SK_SERVER__ADDRESS=127.0.0.1:4545 \
+>   -v $(pwd)/models:/opt/streamkit/models:ro \
+>   -v $(pwd)/.plugins:/opt/streamkit/plugins:ro \
+>   streamkit:latest
+> ```
+
 # Open http://localhost:4545 in your browser
 # To stop: docker stop streamkit
 ```

DOCKER.md

@@ -88,7 +88,7 @@ If you try it and something feels off, please open an issue (or a small PR). For
 The fastest way to get started is using pre-built Docker images from GitHub Container Registry (GHCR). The image serves the web UI and includes sample pipelines.
 
 > [!CAUTION]
-> StreamKit does not currently implement authentication. Do not expose it directly to the public internet. Bind to localhost (recommended) or put it behind an authenticating reverse proxy and a trusted role header. See <https://streamkit.dev/guides/security/>.
+> StreamKit ships with built-in authentication (auto-enabled on non-loopback binds). If you see the login page, run `skit auth print-admin-token` and paste the token; admins can mint additional tokens in **Admin → Access Tokens**. Do not disable auth when exposing it beyond localhost; see <https://streamkit.dev/guides/authentication/> and <https://streamkit.dev/guides/security/>.
 
 > [!NOTE]
 > Official Docker images are published for `linux/amd64` (x86_64). On ARM hosts (Raspberry Pi, Apple Silicon, etc.), use “Build from Source” or run with amd64 emulation.
@@ -111,12 +111,30 @@ docker run --rm \
 The `:latest-demo` image bundles core plugins plus the models needed by the shipped sample pipelines (much larger image; intended for demos/evaluation, not production).
 
 ```bash
-docker run --rm \
+docker run --rm --name streamkit-demo \
   -p 127.0.0.1:4545:4545/tcp \
   -p 127.0.0.1:4545:4545/udp \
   ghcr.io/streamer45/streamkit:latest-demo
 ```
 
+> [!NOTE]
+> In Docker, StreamKit binds to `0.0.0.0` inside the container so published ports work. With `auth.mode=auto`, this means built-in auth is enabled by default.
+> To log in, print the bootstrap admin token and paste it into `http://localhost:4545/login`:
+>
+> ```bash
+> docker exec streamkit-demo skit auth print-admin-token --raw
+> ```
+
+> [!NOTE]
+> Linux-only (no login): run with host networking and bind to loopback inside the container to keep auth disabled in `auth.mode=auto`:
+>
+> ```bash
+> docker run --rm --name streamkit-demo \
+>   --network host \
+>   -e SK_SERVER__ADDRESS=127.0.0.1:4545 \
+>   ghcr.io/streamer45/streamkit:latest-demo
+> ```
+
 If you want the OpenAI-powered sample pipelines, pass `OPENAI_API_KEY` without putting it directly in the command:
 
 ```bash

README.md

@@ -86,6 +86,7 @@ SPDX-License-Identifier = "MPL-2.0"
 [[annotations]]
 path = [
   "target/**",
+  ".streamkit/**",
   "node_modules/**",
   "dist/**",
   "build/**",

REUSE.toml

@@ -38,7 +38,7 @@ These are in place today and will be iterated on (not “added from scratch”):
 - **Playwright E2E** + CI workflow (expand coverage over time)
 - **Load testing runner + presets** (curate canonical scenarios + track budgets)
 - **Observability baseline** (logs + OTLP metrics/traces + profiling helpers)
-- **RBAC permissions model** (roles + allowlists), even though authentication is not yet implemented
+- **RBAC + built-in auth foundation** (roles/allowlists + JWT auth), with secure-by-default behavior on non-loopback binds
 
 ## Near-Term (v0.1 → v0.5)
 

ROADMAP.md

@@ -54,6 +54,7 @@ tokio-stream = "0.1"
 hyper = { version = "1.8", features = ["full"] }
 axum-server = { version = "0.8", features = ["tls-rustls"] }
 rustls = { version = "0.23", features = ["ring"] }
+reqwest = { version = "0.12", features = ["multipart", "json"] }
 bytes = { workspace = true }
 futures = { workspace = true }
 uuid = { version = "1.19", features = ["v4", "serde"] }
@@ -113,6 +114,17 @@ async-trait = { workspace = true }
 # For glob pattern matching in permissions
 glob = "0.3"
 
+# For built-in authentication
+jsonwebtoken = { version = "10.2.0", default-features = false, features = ["aws_lc_rs"] }
+sha2 = "0.10"
+hex = "0.4"
+base64 = "0.22"
+thiserror = "2.0"
+getrandom = "0.3"
+aws-lc-rs = "1"
+
+# For MoQ auth path matching (optional, with moq feature)
+moq-lite = { version = "0.10", optional = true }
 
 [features]
 default = ["script"]
@@ -121,12 +133,11 @@ profiling = ["dep:pprof", "dep:tikv-jemallocator", "dep:jemalloc_pprof"]
 # DHAT allocation profiling - tracks allocation counts/rates (mutually exclusive with profiling)
 # Use this to find hot allocation sites. Output is written on graceful shutdown.
 dhat-heap = ["dep:dhat"]
-moq = ["dep:moq-native"]
+moq = ["dep:moq-native", "dep:moq-lite"]
 script = ["streamkit-nodes/script", "streamkit-engine/script"]
 
 [dev-dependencies]
 tokio-test = "0.4"
-reqwest = { version = "0.12", features = ["multipart", "json"] }
 tokio-tungstenite = "0.28"
 futures-util = "0.3"
 ogg = "0.9.2"