Interface: AccessTokenStore
Defined in: oauthServerTypes.ts:213
App-provided store for opaque access tokens, looked up by hash. The store is
pure persistence — the verification mechanics (expiry, default-deny) live in
createAccessTokenVerifier. Back it with DynamoDB, Postgres, in-memory, …
Storing the hash, not the token, is a contract: a store compromise yields no
usable credentials. Revocation is first-class — delete kills one token;
deleteBySubject kills every token for a user (offboarding, compromise).
Properties
delete
delete: (tokenHash) => void | Promise<void>
Defined in: oauthServerTypes.ts:221
Remove a single access token by its hash (revoke one session/key).
Parameters
| Parameter | Type |
|---|---|
| tokenHash | string |
Returns
void | Promise<void>
deleteBySubject
deleteBySubject: (subject) => void | Promise<void>
Defined in: oauthServerTypes.ts:226
Remove every access token for a subject. Called to revoke all of a user's access at once on offboarding or suspected compromise.
Parameters
| Parameter | Type |
|---|---|
| subject | string |
Returns
void | Promise<void>
get
get: (tokenHash) => StoredAccessToken | Promise<StoredAccessToken | undefined> | undefined
Defined in: oauthServerTypes.ts:217
Look up an access token by its hash. Return undefined if unknown.
Parameters
| Parameter | Type |
|---|---|
| tokenHash | string |
Returns
StoredAccessToken | Promise<StoredAccessToken | undefined> | undefined
listBySubject?
optional listBySubject?: (subject) => StoredAccessToken[] | Promise<StoredAccessToken[]>
Defined in: oauthServerTypes.ts:241
Return every token belonging to a subject, for "your authorized
apps / personal API keys" listing UIs. Optional; createMemoryAccessTokenStore
implements this.
Parameters
| Parameter | Type |
|---|---|
| subject | string |
Returns
StoredAccessToken[] | Promise<StoredAccessToken[]>
save
save: (token) => void | Promise<void>
Defined in: oauthServerTypes.ts:215
Persist an access token, upserting by tokenHash.
Parameters
| Parameter | Type |
|---|---|
| token | StoredAccessToken |
Returns
void | Promise<void>
touchLastUsed?
optional touchLastUsed?: (args) => void | Promise<void>
Defined in: oauthServerTypes.ts:232
Record the time a token was last presented. Optional and fire-and-forget: implementations MUST NOT block or fail verification on this write, and SHOULD use a writable client (never a read-only replica).
Parameters
| Parameter | Type |
|---|---|
| args | { lastUsedAt: number; tokenHash: string; } |
| args.lastUsedAt | number |
| args.tokenHash | string |
Returns
void | Promise<void>
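A sketch of a store that satisfies the contract described on this page, added here as an illustration; it is not the project's code and not createMemoryAccessTokenStore. It keeps a secondary index by subject so that deleteBySubject revokes everything in one call. `StoredToken` and `createIndexedTokenStore` are hypothetical names, and the three fields are assumed from what this page says about tokenHash, subject and lastUsedAt.

```typescript
// Added example, not the project's code. StoredToken's fields are assumptions
// inferred from this page; the real StoredAccessToken may carry more.
interface StoredToken { tokenHash: string; subject: string; lastUsedAt?: number }
function createIndexedTokenStore() {
  const byHash = new Map<string, StoredToken>();
  const bySubject = new Map<string, Set<string>>(); // subject -> token hashes
  const unindex = (t: StoredToken): void => {
    const hashes = bySubject.get(t.subject);
    if (!hashes) return;
    hashes.delete(t.tokenHash);
    if (hashes.size === 0) bySubject.delete(t.subject);
  };
  return {
    // Upsert by tokenHash; drop the stale index entry if the subject changed.
    save(token: StoredToken): void {
      const prev = byHash.get(token.tokenHash);
      if (prev) unindex(prev);
      byHash.set(token.tokenHash, { ...token });
      const hashes = bySubject.get(token.subject) ?? new Set<string>();
      hashes.add(token.tokenHash);
      bySubject.set(token.subject, hashes);
    },
    // Unknown hash returns undefined, so the caller can deny by default.
    get(tokenHash: string): StoredToken | undefined {
      const t = byHash.get(tokenHash);
      return t ? { ...t } : undefined;
    },
    delete(tokenHash: string): void {
      const t = byHash.get(tokenHash);
      if (!t) return;
      unindex(t);
      byHash.delete(tokenHash);
    },
    // Revoke every token for one subject in a single call.
    deleteBySubject(subject: string): void {
      bySubject.get(subject)?.forEach((h) => byHash.delete(h));
      bySubject.delete(subject);
    },
    listBySubject(subject: string): StoredToken[] {
      const hashes = bySubject.get(subject);
      return hashes ? Array.from(hashes, (h) => ({ ...byHash.get(h)! })) : [];
    },
    // Best effort: never throws, and never recreates a revoked token.
    touchLastUsed(args: { lastUsedAt: number; tokenHash: string }): void {
      const t = byHash.get(args.tokenHash);
      if (t) t.lastUsedAt = args.lastUsedAt;
    },
  };
}
```

A database-backed store would follow the same shape, with the subject index as a secondary index or column so that deleteBySubject is a single statement.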