feat(rpc): key Tooling Access JWT cache by account (DX-6130)#54
Merged
johnpmitsch merged 1 commit intoJul 10, 2026
Conversation
Tooling Access endpoints are provisioned per account, not per API key, so
the token cache now keys by account id via a two-level offline lookup:
sha256(api_key) -> account_id -> { endpoint_url, token, exp_unix }.
All API keys for one account share a single cached JWT. A cache hit
resolves the account offline (no control-plane call); a miss learns the
account id from account_info once, alongside the mint already occurring.
tokens.toml gains a [keys] table (fingerprint -> account id) and per-account
[tokens.<id>] entries. save/delete are read-modify-write so one account's
token going stale never disturbs another's. An older on-disk schema is a
cache miss and is rewritten in place. The custom-endpoint lane is unchanged.
Adds config unit tests and updates the rpc integration tests: 137 lib tests
plus the rpc suite cover shared-token reuse, zero calls on hit, one
account_info on miss, per-account stale-token clear, old-schema miss, and
0600 with no key on disk.
machito
approved these changes
Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
qn rpcTooling Access token cache by account id instead of by API-key hash. Tooling Access endpoints are per-account, so all API keys for one account now share a single cached JWT rather than re-minting per key.tokens.toml:sha256(api_key) -> account_id -> token. A cache hit resolves the account offline (no control-plane call); a miss learns the account id fromaccount_infoonce, alongside the mint that already happens.Closes DX-6130
Test plan
account_infoand zero mint callsaccount_infoexactly once, then caches the mappingtokens.tomlis a miss, not an error, and is rewrittentokens.tomlis 0600 and never contains the API keycargo test,cargo clippy --all-targets -- -D warnings,cargo fmt --check,cargo build --releaseall pass