Class OAuthClient

OAuth 2.0 Authorization Code + PKCE client.

Remarks

Storage layout under the supplied TokenStore (all keys namespaced):

oauth:tokens:{clientId} → access token record
oauth:refresh:{clientId} → refresh token record (no expiry)
oauth:verifier:{state} → in-flight PKCE verifier (10 min TTL)

Index

Methods

buildAuthorizationUrl handleCallback refresh getAccessToken signOut

Methods

buildAuthorizationUrl

buildAuthorizationUrl(
    opts?: {
        state?: string;
        scope?: string;
        extraParams?: Record<string, string>;
    },
): Promise<AuthorizationUrlResult>
Build the authorize URL and persist the PKCE verifier keyed by state.
Parameters
- opts: { state?: string; scope?: string; extraParams?: Record<string, string> } = {}
Returns Promise<AuthorizationUrlResult>
- Defined in auth/oauth-client.ts:142

handleCallback

handleCallback(callbackUrl: string): Promise<TokenRecord>
Handle the redirect-callback URL. Validates state, retrieves the saved verifier, exchanges the authorization code + verifier for tokens, and persists them. Returns the access TokenRecord.
Parameters
- callbackUrl: string
Returns Promise<TokenRecord>
- Defined in auth/oauth-client.ts:194

refresh

refresh(): Promise<TokenRecord>
Exchange a stored refresh token for a fresh access token. Throws if no refresh token is available.

Returns Promise<TokenRecord>
- Defined in auth/oauth-client.ts:245

getAccessToken

getAccessToken(): Promise<string | null>
Get the current access token if valid (refreshing first if expired and a refresh token is available). Returns null when no usable token exists.

Returns Promise<string | null>
- Defined in auth/oauth-client.ts:264

signOut

signOut(): Promise<void>
Forget tokens (logout). Does NOT call any remote revocation endpoint.

Returns Promise<void>
- Defined in auth/oauth-client.ts:281