How to use the Biscuit Rust crate

The Rust version of Biscuit can be found on GitHub.


In Cargo.toml:

biscuit-auth = "2.1"

Create a root key

use biscuit_auth::KeyPair;

// `KeyPair::new()` generates a fresh random key pair. The private key signs the
// tokens created from it, so keep it on the issuing service only; services that
// verify tokens need just the public key. In a real deployment, generate the key
// once and load it from protected storage afterwards.
let root_keypair = KeyPair::new();

Create a token

use biscuit_auth::{Biscuit, KeyPair, error};

/// Starts a new token whose authority (first) block is signed with the root key pair.
fn create_token(root: &KeyPair) -> Result<Biscuit, error::Token> {
    let mut builder = Biscuit::builder(root);
    // This check travels inside the token: it only passes when an `operation("read")`
    // fact is present at authorization time, so the token is limited to read requests.
    // NOTE(review): the trailing underscore in `add_authority_check_` looks like a typo
    // for `add_authority_check`; confirm against the crate's 2.1 API.
    builder.add_authority_check_(r#"check if operation("read");"#)?;
    // NOTE(review): the listing ends here; the call that builds the token and the
    // function's closing brace are not shown on this page.

Create an authorizer

use biscuit_auth::{Biscuit, error, builder::Fact};

/// Creates an authorizer for `token` and prepares the facts that describe the request.
fn authorize(token: &Biscuit) -> Result<(), error::Token> {
    let mut authorizer = token.authorizer()?;

    // add a time($date) fact with the current date
    // NOTE(review): the code for this step is missing from the listing. A token carrying
    // a `time($time)` check (see "Attenuate a token") would fail that check without it.

    // Facts can also be created directly from a string generated with `format!()`,
    // but binding parameters with `set` is safer when the values come from user data:
    // the value is inserted as a single term and cannot change the structure of the
    // Datalog statement, which prevents injection.
    let mut operation: Fact = "operation($op)".try_into()?;
    operation.set("op", "read")?;
    // NOTE(review): the listing ends here; adding `operation` to the authorizer, the
    // policies and the final authorization call are not shown on this page.




Attenuate a token

use biscuit_auth::{Biscuit, error, builder::Check};
use std::time::{Duration, SystemTime};

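/// Builds an attenuation block for `token` that limits its validity to the next 60 seconds.
fn attenuate(token: &Biscuit) -> Result<Biscuit, error::Token> {
    let mut builder = token.create_block();

    // The check needs a `time(...)` fact to pass, so it fails closed when the
    // authorizer does not provide the current time.
    builder.add_check("check if time($time), $time < $ttl")?;
    // The expiry is computed from the clock of the service doing the attenuation.
    // NOTE(review): `Check` is imported above but unused in the visible lines; confirm
    // whether `$ttl` should be bound on a `Check` value (as the authorizer listing does
    // with `Fact`) rather than on the block builder.
    builder.set("ttl", SystemTime::now() + Duration::from_secs(60))?;
    // NOTE(review): the listing ends here; appending the block to the token and the
    // function's closing brace are not shown on this page.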

Seal a token

// Sealing yields a token that can still be verified but can no longer be attenuated.
let sealed_token = token.seal()?;

Reject revoked tokens

The Biscuit::revocation_identifiers method returns the list of revocation identifiers as byte arrays. Reject the token if any of these identifiers appears in your revocation list.

// One identifier per block of the token; look each one up in your revocation list.
let identifiers: Vec<Vec<u8>> = token.revocation_identifiers();

Query data from the authorizer

The Authorizer::query method takes a rule as argument and extracts the data from the generated facts as tuples.

// The tuple type mirrors the rule head: `$name` as a `String`, `$id` as an `i64`.
// NOTE(review): `unwrap()` panics if the query fails; outside of examples, propagate
// the error instead.
let res: Vec<(String, i64)> =
    authorizer.query("data($name, $id) <- user($name, $id)").unwrap();