inferadb
diff --git a/‎crates/infera-management-api/Cargo.toml‎
Lines changed: 3 additions & 0 deletions b/‎crates/infera-management-api/Cargo.toml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎crates/infera-management-api/src/handlers/tokens.rs‎
Lines changed: 6 additions & 0 deletions b/‎crates/infera-management-api/src/handlers/tokens.rs‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎crates/infera-management-api/src/handlers/vaults.rs‎
Lines changed: 27 additions & 0 deletions b/‎crates/infera-management-api/src/handlers/vaults.rs‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎crates/infera-management-api/src/middleware/dual_auth.rs‎
Lines changed: 114 additions & 0 deletions b/‎crates/infera-management-api/src/middleware/dual_auth.rs‎
Lines changed: 114 additions & 0 deletions
diff --git a/‎crates/infera-management-api/src/middleware/mod.rs‎
Lines changed: 4 additions & 0 deletions b/‎crates/infera-management-api/src/middleware/mod.rs‎
Lines changed: 4 additions & 0 deletions
@@ -23,7 +23,10 @@ base64 = { workspace = true }
 chrono = { workspace = true }
 jsonwebtoken = { workspace = true }
 metrics-exporter-prometheus = { workspace = true }
+once_cell = "1.20"
+pem = "3.0"
 rand = { workspace = true }
+reqwest = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 serde_yaml = { workspace = true }
 
@@ -153,6 +153,8 @@ pub async fn generate_vault_token(
         vault_id,
         vault_role,
         access_ttl,
+        &state.config.auth.jwt_issuer,
+        &state.config.auth.jwt_audience,
     );
 
     // Sign the access token
@@ -302,6 +304,8 @@ pub async fn refresh_vault_token(
         old_token.vault_id,
         old_token.vault_role,
         access_ttl,
+        &state.config.auth.jwt_issuer,
+        &state.config.auth.jwt_audience,
     );
 
     let access_token = signer.sign_vault_token(&claims, &certificate)?;
@@ -577,6 +581,8 @@ pub async fn client_assertion_authenticate(
         vault_id,
         requested_role,
         access_ttl,
+        &state.config.auth.jwt_issuer,
+        &state.config.auth.jwt_audience,
     );
 
     let access_token = signer.sign_vault_token(&vault_claims, &certificate)?;
 
@@ -230,6 +230,33 @@ pub async fn get_vault(
     Ok(Json(vault_to_response(vault)))
 }
 
+/// Get a specific vault by ID (server-to-server endpoint)
+///
+/// GET /v1/vaults/:vault
+/// Auth: Session or Server JWT (dual authentication)
+///
+/// This endpoint is used by the Server API to verify vault ownership and metadata.
+/// Unlike the organization-scoped endpoint, this uses the vault ID directly without
+/// requiring organization context.
+pub async fn get_vault_by_id(
+    State(state): State<AppState>,
+    Path(vault_id): Path<i64>,
+) -> Result<Json<VaultResponse>> {
+    let repos = RepositoryContext::new((*state.storage).clone());
+    let vault = repos
+        .vault
+        .get(vault_id)
+        .await?
+        .ok_or_else(|| CoreError::NotFound("Vault not found".to_string()))?;
+
+    // Don't return deleted vaults
+    if vault.is_deleted() {
+        return Err(CoreError::NotFound("Vault not found".to_string()).into());
+    }
+
+    Ok(Json(vault_to_response(vault)))
+}
+
 /// Update a vault
 ///
 /// PATCH /v1/organizations/:org/vaults/:vault
 
@@ -0,0 +1,114 @@
+use axum::{
+    extract::{Request, State},
+    middleware::Next,
+    response::Response,
+};
+use axum_extra::extract::cookie::CookieJar;
+
+use crate::handlers::auth::{ApiError, AppState, SESSION_COOKIE_NAME};
+use infera_management_core::error::Error as CoreError;
+
+use super::{require_server_jwt, require_session, ServerContext, SessionContext};
+
+/// Dual authentication middleware
+///
+/// Accepts EITHER session authentication OR server JWT authentication.
+/// This allows both user requests (via session cookies/tokens) and
+/// server-to-server requests (via JWT) to access the same endpoints.
+///
+/// Attaches either SessionContext or ServerContext to the request extensions.
+pub async fn require_session_or_server_jwt(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    request: Request,
+    next: Next,
+) -> Result<Response, ApiError> {
+    // Check if this looks like a JWT request (Bearer token in Authorization header)
+    let has_bearer_token = request
+        .headers()
+        .get("authorization")
+        .and_then(|h| h.to_str().ok())
+        .map(|s| s.starts_with("Bearer "))
+        .unwrap_or(false);
+
+    // Check if this looks like a session request (session cookie or numeric Bearer token)
+    let has_session = jar.get(SESSION_COOKIE_NAME).is_some()
+        || request
+            .headers()
+            .get("authorization")
+            .and_then(|h| h.to_str().ok())
+            .and_then(|s| s.strip_prefix("Bearer "))
+            .and_then(|token| token.parse::<i64>().ok())
+            .is_some();
+
+    // If we have a Bearer token and it's NOT a session (numeric), try JWT auth first
+    if has_bearer_token && !has_session {
+        return require_server_jwt(State(state), request, next).await;
+    }
+
+    // Otherwise, try session auth first
+    if has_session {
+        return require_session(State(state), jar, request, next).await;
+    }
+
+    // No recognizable auth present
+    Err(CoreError::Auth(
+        "Authentication required: provide either a session token or server JWT".to_string(),
+    )
+    .into())
+}
+
+/// Extract either session context or server context from request
+///
+/// Returns SessionContext if session auth was used, or converts ServerContext to a
+/// compatible format if server JWT was used.
+pub fn extract_dual_auth_context(request: &Request) -> Result<AuthContextType, ApiError> {
+    // Try to extract session context first
+    if let Some(session_ctx) = request.extensions().get::<SessionContext>() {
+        return Ok(AuthContextType::Session(session_ctx.clone()));
+    }
+
+    // Try to extract server context
+    if let Some(server_ctx) = request.extensions().get::<ServerContext>() {
+        return Ok(AuthContextType::Server(server_ctx.clone()));
+    }
+
+    Err(CoreError::Auth("No authentication context found in request".to_string()).into())
+}
+
+/// Enum representing the type of authentication used
+#[derive(Debug, Clone)]
+pub enum AuthContextType {
+    /// Session-based authentication (user request)
+    Session(SessionContext),
+    /// Server JWT authentication (server-to-server)
+    Server(ServerContext),
+}
+
+impl AuthContextType {
+    /// Get user ID if this is a session context, None otherwise
+    pub fn user_id(&self) -> Option<i64> {
+        match self {
+            AuthContextType::Session(ctx) => Some(ctx.user_id),
+            AuthContextType::Server(_) => None,
+        }
+    }
+
+    /// Get server ID if this is a server context, None otherwise
+    pub fn server_id(&self) -> Option<&str> {
+        match self {
+            AuthContextType::Session(_) => None,
+            AuthContextType::Server(ctx) => Some(&ctx.server_id),
+        }
+    }
+
+    /// Check if this is a server authentication
+    pub fn is_server_auth(&self) -> bool {
+        matches!(self, AuthContextType::Server(_))
+    }
+
+    /// Check if this is a session authentication
+    pub fn is_session_auth(&self) -> bool {
+        matches!(self, AuthContextType::Session(_))
+    }
+}
@@ -1,10 +1,13 @@
+pub mod dual_auth;
 pub mod logging;
 pub mod organization;
 pub mod permission;
 pub mod ratelimit;
+pub mod server_auth;
 pub mod session;
 pub mod vault;
 
+pub use dual_auth::{extract_dual_auth_context, require_session_or_server_jwt, AuthContextType};
 pub use logging::logging_middleware;
 pub use organization::{
     require_admin_or_owner, require_member, require_organization_member, require_owner,
@@ -14,6 +17,7 @@ pub use permission::{
     get_user_permissions, has_organization_permission, require_organization_permission,
 };
 pub use ratelimit::{login_rate_limit, registration_rate_limit};
+pub use server_auth::{extract_server_context, require_server_jwt, ServerContext};
 pub use session::{extract_session_context, require_session, SessionContext};
 pub use vault::{
     get_user_vault_role, require_admin, require_manager, require_reader, require_vault_access,