Interface: StoredAccessToken

Defined in: oauthServerTypes.ts:174

A persisted opaque access token, stored by its hash (never the plaintext value) so a store compromise does not leak usable tokens. The same shape backs both OAuth access tokens and long-lived personal API keys; mint the opaque value with generateApiToken and persist only its tokenHash.

Properties

clientId

clientId: string

Defined in: oauthServerTypes.ts:178

The client_id the token was issued to.


createdAt?

optional createdAt?: number

Defined in: oauthServerTypes.ts:201

Unix timestamp (milliseconds) when the token was created. Set at issuance; used by listing UIs to show "created on" dates.


displayPrefix?

optional displayPrefix?: string

Defined in: oauthServerTypes.ts:196

Masked prefix safe to display in listing UIs (e.g. "oca_3f2a…"). Set at issuance from generateApiToken's return value; never recomputable from the hash alone. Omit for tokens minted without a display prefix.


expiresAt

expiresAt: number | null

Defined in: oauthServerTypes.ts:188

Unix timestamp (milliseconds) after which the token is invalid, or null for a token that never expires. null is an explicit opt-in for personal API keys; OAuth access tokens should always set a short lifetime.


lastUsedAt?

optional lastUsedAt?: number

Defined in: oauthServerTypes.ts:190

Unix timestamp (milliseconds) the token was last presented, for auditing.


scopes

scopes: string[]

Defined in: oauthServerTypes.ts:182

The scopes granted to the token.


subject

subject: string

Defined in: oauthServerTypes.ts:180

The authenticated end-user subject identifier.


tokenHash

tokenHash: string

Defined in: oauthServerTypes.ts:176

SHA-256 hash (hex) of the opaque token. Plaintext is never stored.
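
An added example, not the project's own code, of checking a presented token against records of this shape: the token is hashed, looked up by tokenHash, then checked for expiry (with null meaning no expiry) and scope. The interface is reproduced from the property list above; hashToken, verifyToken, VerifyResult, the in-memory Map store and the sample tokens are assumptions constructed for illustration.

```typescript
import { createHash } from "node:crypto";

// Shape reproduced from the property list on this page.
interface StoredAccessToken {
  tokenHash: string;
  clientId: string;
  subject: string;
  scopes: string[];
  expiresAt: number | null;
  lastUsedAt?: number;
  displayPrefix?: string;
  createdAt?: number;
}

// SHA-256 (hex) of the opaque token, matching the tokenHash description.
function hashToken(plaintext: string): string {
  return createHash("sha256").update(plaintext, "utf8").digest("hex");
}

type VerifyResult =
  | { ok: true; token: StoredAccessToken }
  | { ok: false; reason: "unknown" | "expired" | "insufficient_scope" };

// Hypothetical verifier; `store` is an in-memory map keyed by tokenHash.
function verifyToken(store: Map<string, StoredAccessToken>, presented: string,
                     requiredScope: string, now: number = Date.now()): VerifyResult {
  // Only the hash is used for lookup; the plaintext is never written anywhere.
  const record = store.get(hashToken(presented));
  if (!record) return { ok: false, reason: "unknown" };
  // null means "never expires" (personal API keys); otherwise invalid after expiresAt.
  if (record.expiresAt !== null && now > record.expiresAt) {
    return { ok: false, reason: "expired" };
  }
  if (!record.scopes.includes(requiredScope)) {
    return { ok: false, reason: "insufficient_scope" };
  }
  record.lastUsedAt = now; // audit trail, as described for lastUsedAt
  return { ok: true, token: record };
}

// Constructed sample data (not real tokens, not output of generateApiToken).
const demoStore = new Map<string, StoredAccessToken>();
const oauthToken = "demo-oauth-token-constructed";
const apiKey = "demo-api-key-constructed";
demoStore.set(hashToken(oauthToken), { tokenHash: hashToken(oauthToken),
  clientId: "demo-client", subject: "user-1", scopes: ["read"], expiresAt: 1000 });
demoStore.set(hashToken(apiKey), { tokenHash: hashToken(apiKey),
  clientId: "demo-client", subject: "user-1", scopes: ["read", "write"], expiresAt: null });
```

Because the store is keyed by hash, a dump of demoStore contains nothing that can be replayed as a bearer token.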