Passwords, API keys & JWT
Hash passwords, issue API keys, and mint tokens.
`passwords` hashes and verifies passwords with argon2id (memory-hard, deliberately slow). `api_keys` generates keys of the form {prefix}.{secret}, which are argon2-hashed at rest. `jwt` mints and verifies HS256 tokens for service-to-service auth or magic links.
let hash = passwords::hash(&plaintext)?;
let ok = passwords::verify(&plaintext, &hash)?;
let (key, record) = api_keys::generate(user_id); // show `key` once
Rate-limit login
argon2 is intentionally expensive, so every login attempt that reaches the hash costs real CPU and memory; pair the login route with account_lockout + rate_limit so that cost can't be weaponized against the server.
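One way to order the checks so that the cheap gates run before the expensive verify, as an added example that is not the project's own code: `LoginGate`, its limits, and the `verify` closure (standing in for `passwords::verify`) are hypothetical and are not the `account_lockout` or `rate_limit` API.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};
// Hypothetical names and limits; not the project's account_lockout / rate_limit API.
const MAX_FAILURES: u32 = 5; // assumed: failures before an account locks
const LOCKOUT: Duration = Duration::from_secs(900); // assumed lockout window
const IP_BURST: f64 = 10.0; // assumed: token-bucket capacity per client IP
const IP_REFILL_PER_SEC: f64 = 0.5; // assumed: tokens regained per second

#[derive(Debug, PartialEq)]
pub enum Outcome { Ok, BadCredentials, Locked, Throttled }

#[derive(Default)]
pub struct LoginGate {
    failures: HashMap<String, (u32, Option<Instant>)>, // account -> (count, locked_until)
    buckets: HashMap<String, (f64, Instant)>,          // ip -> (tokens, last_refill)
    pub hashes_run: u64,                               // expensive verifies actually executed
}

impl LoginGate {
    /// `verify` stands in for the argon2 check; it runs only if both gates pass.
    pub fn attempt(&mut self, ip: &str, account: &str, now: Instant,
                   verify: impl FnOnce() -> bool) -> Outcome {
        // 1. Per-IP token bucket: a cheap check that bounds total hash work per client.
        let b = self.buckets.entry(ip.to_string()).or_insert((IP_BURST, now));
        let elapsed = now.saturating_duration_since(b.1).as_secs_f64();
        b.0 = (b.0 + elapsed * IP_REFILL_PER_SEC).min(IP_BURST);
        b.1 = now;
        if b.0 < 1.0 { return Outcome::Throttled; }
        b.0 -= 1.0;
        // 2. Per-account lockout: reject without hashing while the lock is active.
        let f = self.failures.entry(account.to_string()).or_insert((0, None));
        if let Some(until) = f.1 {
            if now < until { return Outcome::Locked; }
            *f = (0, None); // lockout expired, start counting again
        }
        // 3. Only now pay for the memory-hard hash.
        self.hashes_run += 1;
        if verify() { *f = (0, None); return Outcome::Ok; }
        f.0 += 1;
        if f.0 >= MAX_FAILURES { f.1 = Some(now + LOCKOUT); }
        Outcome::BadCredentials
    }
}

fn main() {
    let (mut gate, now) = (LoginGate::default(), Instant::now());
    // Constructed input: 100 wrong-password attempts from one IP against one account.
    for _ in 0..100 { gate.attempt("203.0.113.7", "alice", now, || false); }
    println!("expensive verifies run: {} of 100", gate.hashes_run);
}
```

With these assumed limits, only 5 of the 100 attempts reach the hash; the rest are rejected by the lockout or the bucket at negligible cost.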