
Interface: AccessTokenStore

Defined in: oauthServerTypes.ts:213

App-provided store for opaque access tokens, looked up by hash. The store is pure persistence — the verification mechanics (expiry, default-deny) live in createAccessTokenVerifier. Back it with DynamoDB, Postgres, in-memory, …

Storing the hash, not the token, is a contract: a store compromise yields no usable credentials. Revocation is first-class — delete kills one token; deleteBySubject kills every token for a user (offboarding, compromise).

Properties

delete

delete: (tokenHash) => void | Promise<void>

Defined in: oauthServerTypes.ts:221

Remove a single access token by its hash (revoke one session/key).

Parameters

| Parameter | Type |
| --- | --- |
| tokenHash | string |

Returns

void | Promise<void>


deleteBySubject

deleteBySubject: (subject) => void | Promise<void>

Defined in: oauthServerTypes.ts:226

Remove every access token for a subject. Called to revoke all of a user's access at once on offboarding or suspected compromise.

Parameters

| Parameter | Type |
| --- | --- |
| subject | string |

Returns

void | Promise<void>


get

get: (tokenHash) => StoredAccessToken | Promise<StoredAccessToken | undefined> | undefined

Defined in: oauthServerTypes.ts:217

Look up an access token by its hash. Return undefined if unknown.

Parameters

| Parameter | Type |
| --- | --- |
| tokenHash | string |

Returns

StoredAccessToken | Promise<StoredAccessToken | undefined> | undefined


listBySubject?

optional listBySubject?: (subject) => StoredAccessToken[] | Promise<StoredAccessToken[]>

Defined in: oauthServerTypes.ts:241

Return every token belonging to a subject, for "your authorized apps / personal API keys" listing UIs. Optional; createMemoryAccessTokenStore implements this.

Parameters

| Parameter | Type |
| --- | --- |
| subject | string |

Returns

StoredAccessToken[] | Promise<StoredAccessToken[]>


save

save: (token) => void | Promise<void>

Defined in: oauthServerTypes.ts:215

Persist an access token, upserting by tokenHash.

Parameters

| Parameter | Type |
| --- | --- |
| token | StoredAccessToken |

Returns

void | Promise<void>


touchLastUsed?

optional touchLastUsed?: (args) => void | Promise<void>

Defined in: oauthServerTypes.ts:232

Record the time a token was last presented. Optional and fire-and-forget: implementations MUST NOT block or fail verification on this write, and SHOULD use a writable client (never a read-only replica).

Parameters

| Parameter | Type |
| --- | --- |
| args | { lastUsedAt: number; tokenHash: string; } |
| args.lastUsedAt | number |
| args.tokenHash | string |

Returns

void | Promise<void>
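
Example (added here, not the project's own code and not its createMemoryAccessTokenStore): a minimal in-memory store with the six members documented above, plus a caller that looks a presented token up by hash. The ExampleToken record shape, its expiresAt field, the SHA-256 hex key, and the names hashToken, createExampleStore and lookupPresented are assumptions made for illustration.

```typescript
import { createHash } from "node:crypto";

// Assumed record shape: the page names only tokenHash, subject and lastUsedAt;
// expiresAt (epoch milliseconds) is a hypothetical field for this example.
type ExampleToken = { tokenHash: string; subject: string; expiresAt: number; lastUsedAt?: number };

// Assumption: SHA-256 hex digest as the store key (the page does not name the hash).
function hashToken(rawToken: string): string {
  return createHash("sha256").update(rawToken, "utf8").digest("hex");
}

function createExampleStore() {
  const byHash = new Map<string, ExampleToken>();
  return {
    save(token: ExampleToken): void {
      byHash.set(token.tokenHash, { ...token }); // upsert by tokenHash
    },
    get(tokenHash: string): ExampleToken | undefined {
      const hit = byHash.get(tokenHash);
      return hit ? { ...hit } : undefined; // copy, so callers cannot mutate stored state
    },
    delete(tokenHash: string): void {
      byHash.delete(tokenHash); // revoke one token
    },
    deleteBySubject(subject: string): void {
      // revoke everything a user holds (offboarding, suspected compromise)
      byHash.forEach((t, hash) => { if (t.subject === subject) byHash.delete(hash); });
    },
    listBySubject(subject: string): ExampleToken[] {
      return Array.from(byHash.values()).filter((t) => t.subject === subject).map((t) => ({ ...t }));
    },
    touchLastUsed(args: { tokenHash: string; lastUsedAt: number }): void {
      const t = byHash.get(args.tokenHash);
      if (t) t.lastUsedAt = args.lastUsedAt;
    },
  };
}

// Hypothetical caller (not the library's createAccessTokenVerifier): hash the presented
// token, deny on a miss or expiry, and never let the last-used write affect the result.
function lookupPresented(store: ReturnType<typeof createExampleStore>, rawToken: string, now: number) {
  const rec = store.get(hashToken(rawToken));
  if (!rec || rec.expiresAt <= now) return undefined;
  try { store.touchLastUsed({ tokenHash: rec.tokenHash, lastUsedAt: now }); } catch { /* best effort */ }
  return rec;
}
```

Because only the digest is a key, presenting the raw token string to get finds nothing, and a dump of the map contains no value that can be replayed as a credential.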