Interface: StoredAccessToken
Defined in: oauthServerTypes.ts:174
A persisted opaque access token, stored by its hash (never the plaintext
value) so a store compromise does not leak usable tokens. The same shape
backs both OAuth access tokens and long-lived personal API keys; mint the
opaque value with generateApiToken and persist only its tokenHash.
Properties
clientId
clientId: string
Defined in: oauthServerTypes.ts:178
The client_id the token was issued to.
createdAt?
optional createdAt?: number
Defined in: oauthServerTypes.ts:201
Unix timestamp (milliseconds) when the token was created. Set at issuance; used by listing UIs to show "created on" dates.
displayPrefix?
optional displayPrefix?: string
Defined in: oauthServerTypes.ts:196
Masked prefix safe to display in listing UIs (e.g. "oca_3f2a…"). Set at
issuance from generateApiToken's return value; never recomputable from
the hash alone. Omit for tokens minted without a display prefix.
expiresAt
expiresAt: number | null
Defined in: oauthServerTypes.ts:188
Unix timestamp (milliseconds) after which the token is invalid, or null
for a token that never expires. null is an explicit opt-in for personal
API keys; OAuth access tokens should always set a short lifetime.
lastUsedAt?
optional lastUsedAt?: number
Defined in: oauthServerTypes.ts:190
Unix timestamp (milliseconds) the token was last presented, for auditing.
scopes
scopes: string[]
Defined in: oauthServerTypes.ts:182
The scopes granted to the token.
subject
subject: string
Defined in: oauthServerTypes.ts:180
The authenticated end-user subject identifier.
tokenHash
tokenHash: string
Defined in: oauthServerTypes.ts:176
SHA-256 hash (hex) of the opaque token. Plaintext is never stored.
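An added example, not code from this project: one way a resource server could validate a presented token against records of this shape, looking it up by its SHA-256 hex hash and honoring the expiresAt and scopes semantics described above. The interface is copied from this page; hashToken, verifyToken, buildDemoStore, the Verdict type, the in-memory Map and the sample token strings are hypothetical and constructed for illustration.

```typescript
import { createHash } from "node:crypto";

// Shape copied from the StoredAccessToken interface documented on this page.
interface StoredAccessToken {
  tokenHash: string;
  clientId: string;
  subject: string;
  scopes: string[];
  expiresAt: number | null;
  lastUsedAt?: number;
  displayPrefix?: string;
  createdAt?: number;
}

type Verdict = "ok" | "unknown" | "expired" | "insufficient_scope";

// Hypothetical helper: SHA-256 (hex) of the opaque value, the form kept in tokenHash.
function hashToken(plaintext: string): string {
  return createHash("sha256").update(plaintext, "utf8").digest("hex");
}

// Hypothetical verifier over an in-memory store keyed by tokenHash.
function verifyToken(store: Map<string, StoredAccessToken>, presented: string,
                     requiredScope: string, now: number): Verdict {
  const record = store.get(hashToken(presented)); // lookup by hash; plaintext is never stored
  if (record === undefined) return "unknown";
  // null = never expires (personal API key opt-in); otherwise invalid after expiresAt.
  if (record.expiresAt !== null && now > record.expiresAt) return "expired";
  if (record.scopes.indexOf(requiredScope) === -1) return "insufficient_scope";
  record.lastUsedAt = now; // audit field, updated only on successful presentation
  return "ok";
}

// Constructed sample data: one short-lived OAuth token and one non-expiring API key.
const ISSUED_AT = 1700000000000;
const OAUTH_TOKEN = "oca_constructed-oauth-token";
const API_KEY = "oca_constructed-personal-key";

function buildDemoStore(): Map<string, StoredAccessToken> {
  const rows: StoredAccessToken[] = [
    { tokenHash: hashToken(OAUTH_TOKEN), clientId: "demo-client", subject: "user-1",
      scopes: ["read"], expiresAt: ISSUED_AT + 15 * 60000, createdAt: ISSUED_AT },
    { tokenHash: hashToken(API_KEY), clientId: "demo-client", subject: "user-1",
      scopes: ["read", "write"], expiresAt: null, createdAt: ISSUED_AT },
  ];
  return new Map(rows.map((r): [string, StoredAccessToken] => [r.tokenHash, r]));
}
```

Because the store is keyed by hash, a dump of it yields neither OAUTH_TOKEN nor API_KEY; the plaintext exists only at issuance and in the caller's request.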