The Rust version of Biscuit can be found on Github, and on


In Cargo.toml:

biscuit-auth = "3.1"

Create a root key

use biscuit_auth::KeyPair;

let root_keypair = KeyPair::new();

Create a token

use biscuit_auth::{error, macros::*, Biscuit, KeyPair};

fn create_token(root: &KeyPair) -> Result<Biscuit, error::Token> {
    let user_id = "1234";
    // the authority block can be built from a datalog snippet
    // the snippet is parsed at compile-time, efficient building
    // code is generated
    let mut authority = biscuit!(
      // parameters can directly reference in-scope variables

      // parameters can be manually supplied as well
      right({user_id}, "file1", {operation});
      operation = "read",

    // it is possible to modify a builder by adding a datalog snippet
      &mut authority,
      r#"check if operation("read");"#

Create an authorizer

use biscuit_auth::{builder_ext::AuthorizerExt, error, macros::*, Biscuit};

fn authorize(token: &Biscuit) -> Result<(), error::Token> {
    let operation = "read";

    // same as the `biscuit!` macro. There is also a `authorizer_merge!`
    // macro for dynamic authorizer construction
    let mut authorizer = authorizer!(

    // register a fact containing the current time for TTL checks

    // add a `allow if true;` policy
    // meaning that we are relying entirely on checks carried in the token itself

    // link the token to the authorizer

    let result = authorizer.authorize();

    // store the authorization context
    println!("{}", authorizer.to_base64_snapshot()?);

    let _ = result?;

Restore an authorizer from a snasphot

use biscuit_auth::Authorizer;

fn display(snapshot: &str) {
  let authorizer = Authorizer::from_base64_snapshot(snapshot).unwrap();

Attenuate a token

use biscuit_auth::{builder_ext::BuilderExt, error, macros::*, Biscuit};
use std::time::{Duration, SystemTime};

fn attenuate(token: &Biscuit) -> Result<Biscuit, error::Token> {
    let res = "file1";
    // same as `biscuit!` and `authorizer!`, a `block_merge!` macro is available
    let mut builder = block!(r#"check if resource({res});"#);

    builder.check_expiration_date(SystemTime::now() + Duration::from_secs(60));


Seal a token

let sealed_token = token.seal()?;

Reject revoked tokens

The Biscuit::revocation_identifiers method returns the list of revocation identifiers as byte arrays. Don't forget to parse them from a textual representation (for instance hexadecimal) if you store them as text values.

let identifiers: Vec<Vec<u8>> = token.revocation_identifiers();

Query data from the authorizer

The Authorizer::query method takes a rule as argument and extract the data from generated facts as tuples.

let res: Vec<(String, i64)> =
    authorizer.query("data($name, $id) <- user($name, $id)").unwrap();