Interfaces

AuthStorageAdapter

ApiToken

Properties:

Property	Type	Required
`id`	`string`	Yes
`serviceAccountId`	`string`	Yes
`name`	`string`	Yes
`tokenHash`	`string`	Yes
`prefix`	`string`	Yes
`lastUsedAt`	`string \| undefined`	No
`expiresAt`	`string \| undefined`	No
`createdAt`	`string`	Yes
`revoked`	`boolean`	Yes
`domainId`	`string`	Yes
`orgId`	`string`	Yes

MailAdapter

SendResult

Properties:

Property	Type	Required
`success`	`boolean`	Yes
`messageId`	`string \| undefined`	No
`error`	`string \| undefined`	No

AuthData

Authentication data attached to request after successful validation. Contains information about the authenticated user or service account.

Properties:

Property	Type	Required	Description
`type`	`"jwt" \| "api_token"`	Yes	The type of authentication used
`userId`	`string \| undefined`	No	User ID for JWT authentication
`serviceAccountId`	`string \| undefined`	No	Service account ID for API token authentication
`email`	`string \| undefined`	No	User email for JWT authentication
`domainId`	`string`	Yes	Domain ID the authentication is valid for
`orgId`	`string`	Yes	Organization ID the authentication is valid for
`scopes`	`string[]`	Yes	Scopes/permissions granted to this authentication
`tokenName`	`string \| undefined`	No	Token name for API token authentication

AuthenticatedRequest

Express Request extended with authentication data. Use this type when you need to access req.authData in route handlers.

Properties:

Property	Type	Required	Description
`authData`	`AuthData`	Yes	Authentication data populated by requireAuth middleware

AuthRoutesConfig

Configuration for auth routes

Properties:

Property	Type	Required	Description
`tokenManager`	`TokenManager`	Yes	TokenManager instance for JWT creation and verification
`storage`	`AuthStorageAdapter`	Yes	Storage adapter for users, sessions, and verification tokens
`mailService`	`MailService`	Yes	Mail service for sending verification emails
`defaultDomainId`	`string`	Yes	Default domain ID for multi-tenant support

TokenService

Token service interface for generating JWT tokens. This is injected into the OAuth router to decouple token generation from OAuth flow. Supports both sync methods (when tokens are pre-generated) and async methods.

TokenClaims

Claims included in access tokens.

Properties:

Property	Type	Required
`userId`	`string`	Yes
`domainId`	`string`	Yes
`scope`	`string`	Yes

RefreshTokenClaims

Claims included in refresh tokens.

Properties:

Property	Type	Required	Description
`userId`	`string`	Yes
`domainId`	`string`	Yes

RefreshTokenVerificationResult

Result of verifying a refresh token.

Properties:

Property	Type	Required
`valid`	`boolean`	Yes
`userId`	`string \| undefined`	No
`domainId`	`string \| undefined`	No
`scope`	`string \| undefined`	No
`error`	`string \| undefined`	No

OAuthRouterConfig

Configuration for OAuth routes.

Properties:

Property	Type	Required	Description
`issuer`	`string`	Yes	Token issuer URL
`accessTokenTTL`	`number`	Yes	Access token TTL in seconds

OAuthMetadata

OAuth Authorization Server Metadata as per RFC 8414. This metadata is used by OAuth clients for automatic discovery.

Properties:

Property	Type	Required	Description
`issuer`	`string`	Yes	The authorization server's issuer identifier (URL)
`authorization_endpoint`	`string`	Yes	URL of the authorization endpoint
`token_endpoint`	`string`	Yes	URL of the token endpoint
`response_types_supported`	`string[]`	Yes	Supported response types
`grant_types_supported`	`string[]`	Yes	Supported grant types
`code_challenge_methods_supported`	`string[]`	Yes	Supported PKCE code challenge methods
`token_endpoint_auth_methods_supported`	`string[]`	Yes	Supported token endpoint authentication methods
`scopes_supported`	`string[]`	Yes	Supported OAuth scopes

OAuthCodeData

Data stored for an OAuth authorization code. Includes all information needed to validate and exchange the code.

Properties:

Property	Type	Required	Description
`code`	`string`	Yes	The authorization code value
`clientId`	`string`	Yes	OAuth client ID that requested this code
`userId`	`string`	Yes	User ID the code was issued for
`domainId`	`string`	Yes	Domain/tenant ID for multi-tenant support
`redirectUri`	`string`	Yes	Redirect URI that must match during token exchange
`codeChallenge`	`string`	Yes	PKCE code challenge provided during authorization
`codeChallengeMethod`	`CodeChallengeMethod`	Yes	PKCE code challenge method (S256 or plain)
`scope`	`string`	Yes	OAuth scopes granted with this code
`expiresAt`	`number`	Yes	Unix timestamp (ms) when the code expires

CreateCodeParams

Parameters for creating a new authorization code.

Properties:

Property	Type	Required	Description
`clientId`	`string`	Yes	OAuth client ID
`userId`	`string`	Yes	User ID the code is being issued for
`domainId`	`string`	Yes	Domain/tenant ID
`redirectUri`	`string`	Yes	Redirect URI for the callback
`codeChallenge`	`string`	Yes	PKCE code challenge
`codeChallengeMethod`	`CodeChallengeMethod`	Yes	PKCE code challenge method
`scope`	`string`	Yes	OAuth scopes being requested

ClientValidationResult

Result of validating an OAuth client.

Properties:

Property	Type	Required	Description
`valid`	`boolean`	Yes	Whether the client is valid
`clientId`	`string`	Yes	Client ID
`clientName`	`string \| undefined`	No	Human-readable client name (if valid)
`redirectUris`	`string[] \| undefined`	No	Allowed redirect URI patterns (if valid)

ExchangeCodeResult

Result of exchanging an authorization code for tokens.

Properties:

Property	Type	Required	Description
`success`	`boolean`	Yes	Whether the exchange was successful
`userId`	`string \| undefined`	No	User ID (if successful)
`domainId`	`string \| undefined`	No	Domain ID (if successful)
`scope`	`string \| undefined`	No	Granted scopes (if successful)
`error`	`string \| undefined`	No	OAuth error code (if failed)
`errorDescription`	`string \| undefined`	No	Human-readable error description (if failed)

OAuthStorage

Storage interface for OAuth codes. Implementations can use any backend (memory, database, etc.)