API Endpoints
GET /auth
Section titled “GET /auth”The ForwardAuth endpoint. Traefik sends every registry request here for authentication.
Request
Section titled “Request”Traefik forwards the original request’s headers. trupu reads the Authorization header.
Supported schemes:
Bearer <oidc-token>— used by GitHub Actions directlyBasic base64(username:token)— used bydocker login(the password is the OIDC token)
Responses
Section titled “Responses”200 OK — authenticated
{ "status": "authenticated", "publisher": "my-org/my-app:publish.yml"}Response headers set:
X-Trupu-RepositoryX-Trupu-WorkflowX-Trupu-Ref
401 Unauthorized — no credentials
{ "error": "missing authorization header" }Response headers set:
Www-Authenticate: Basic realm="trupu"
403 Forbidden — invalid token or untrusted publisher
{ "error": "publisher \"my-org/my-app:other.yml\" is not trusted" }GET /healthz
Section titled “GET /healthz”Health check endpoint.
Response
Section titled “Response”200 OK
{ "status": "ok" }