Auth
Classes
AccessDeniedError
Defined in: auth/types.ts:155
User denied access during OAuth flow
Extends
Constructors
Constructor
new AccessDeniedError(): AccessDeniedError
Defined in: auth/types.ts:156
Returns
Overrides
Properties
code?
readonly optional code: string
Defined in: errors.ts:21
Machine-readable error code. Prefer values from the ErrorCode enum.
Inherited from
httpStatus?
readonly optional httpStatus: number
Defined in: errors.ts:25
HTTP status code hint for error classification
Inherited from
retryable
readonly retryable: boolean
Defined in: errors.ts:23
Whether this error is safe to retry
Inherited from
Methods
is()
static is(error): error is AgentSDKError
Defined in: errors.ts:36
Check if an error is an AgentSDKError (works across bundled copies)
Parameters
error
unknown
Returns
error is AgentSDKError
Inherited from
AuthError
Defined in: auth/types.ts:139
Base error for auth operations.
Error description
Standard ErrorOptions (e.g. cause)
Extends
Extended by
Constructors
Constructor
new AuthError(message, options?): AuthError
Defined in: auth/types.ts:140
Parameters
message
string
options?
ErrorOptions
Returns
Overrides
Properties
code?
readonly optional code: string
Defined in: errors.ts:21
Machine-readable error code. Prefer values from the ErrorCode enum.
Inherited from
httpStatus?
readonly optional httpStatus: number
Defined in: errors.ts:25
HTTP status code hint for error classification
Inherited from
retryable
readonly retryable: boolean
Defined in: errors.ts:23
Whether this error is safe to retry
Inherited from
Methods
is()
static is(error): error is AgentSDKError
Defined in: errors.ts:36
Check if an error is an AgentSDKError (works across bundled copies)
Parameters
error
unknown
Returns
error is AgentSDKError
Inherited from
ClaudeAuth
Defined in: auth/claude-auth.ts:33
Programmatic OAuth+PKCE authentication for Claude SDK.
Example
const auth = new ClaudeAuth();
const { authorizeUrl, completeAuth } = auth.startOAuthFlow({
  redirectUri: "https://platform.claude.com/oauth/code/callback",
});
// Open authorizeUrl in browser, get code from redirect
const token = await completeAuth(code);
// Use token with ClaudeBackendOptions: env.CLAUDE_CODE_OAUTH_TOKEN
Constructors
Constructor
new ClaudeAuth(options?): ClaudeAuth
Defined in: auth/claude-auth.ts:40
Parameters
options?
Optional configuration with custom fetch and random bytes for testing
fetch?
{(input, init?): Promise<Response>; (input, init?): Promise<Response>; }
randomBytes?
RandomBytesFn
Returns
Methods
extractCode()
static extractCode(input): string
Defined in: auth/claude-auth.ts:103
Extract an authorization code from user input.
Accepts a raw code string or a full redirect URL containing a code query parameter.
Parameters
input
string
Raw authorization code or redirect URL
Returns
string
The extracted authorization code
Example
ClaudeAuth.extractCode("abc123"); // "abc123"
ClaudeAuth.extractCode("https://platform.claude.com/oauth/code/callback?code=abc123&state=xyz"); // "abc123"
refreshToken()
refreshToken(refreshToken): Promise<ClaudeAuthToken>
Defined in: auth/claude-auth.ts:133
Refresh an expired Claude token.
Parameters
refreshToken
string
The refresh token from a previous authentication
Returns
Promise<ClaudeAuthToken>
New auth token with refreshed access token
Throws
If the refresh request fails
Example
const auth = new ClaudeAuth();
const newToken = await auth.refreshToken(oldToken.refreshToken);
startOAuthFlow()
startOAuthFlow(options?): OAuthFlowResult
Defined in: auth/claude-auth.ts:67
Start the Claude OAuth+PKCE flow.
Generates PKCE code verifier/challenge and returns an authorize URL
plus a completeAuth(code) function for token exchange.
Parameters
options?
Redirect URI and optional scopes
Returns
OAuth flow result with authorize URL and completeAuth function
Throws
If PKCE generation fails
Example
const auth = new ClaudeAuth();
const { authorizeUrl, completeAuth } = auth.startOAuthFlow({
  redirectUri: "https://platform.claude.com/oauth/code/callback",
});
console.log(`Open: ${authorizeUrl}`);
const token = await completeAuth(authorizationCode);
CopilotAuth
Defined in: auth/copilot-auth.ts:54
Programmatic GitHub Device Flow authentication for Copilot SDK.
Example
const auth = new CopilotAuth();
const flow = await auth.startDeviceFlow();
console.log(`Open ${flow.verificationUrl} and enter ${flow.userCode}`);
const token = await flow.waitForToken();
// Use token.accessToken with CopilotBackendOptions.githubToken
Constructors
Constructor
new CopilotAuth(options?): CopilotAuth
Defined in: auth/copilot-auth.ts:58
Parameters
options?
Optional configuration with custom fetch for testing
fetch?
{(input, init?): Promise<Response>; (input, init?): Promise<Response>; }
Returns
Methods
refreshToken()
refreshToken(refreshToken, signal?): Promise<CopilotAuthToken>
Defined in: auth/copilot-auth.ts:232
Refresh an expired Copilot token using a refresh token. Only works for GitHub App tokens that include a refresh_token.
Parameters
refreshToken
string
The refresh token from the original auth flow
signal?
AbortSignal
Optional abort signal
Returns
Promise<CopilotAuthToken>
Fresh CopilotAuthToken with new access and refresh tokens
Throws
If the refresh request fails
Example
const auth = new CopilotAuth();
const newToken = await auth.refreshToken(oldToken.refreshToken!);
startDeviceFlow()
startDeviceFlow(options?): Promise<DeviceFlowResult>
Defined in: auth/copilot-auth.ts:81
Start the GitHub Device Flow.
Returns a device code result with user code, verification URL,
and a waitForToken() function that polls until the user authorizes.
Parameters
options?
Optional scopes and abort signal
scopes?
string
signal?
AbortSignal
Returns
Promise<DeviceFlowResult>
Device flow result with user code, verification URL, and waitForToken poller
Throws
If the device code request fails
Throws
If the device code expires before user authorizes
Throws
If the user denies access
Example
const auth = new CopilotAuth();
const { userCode, verificationUrl, waitForToken } = await auth.startDeviceFlow();
console.log(`Open ${verificationUrl} and enter code: ${userCode}`);
const token = await waitForToken();
DeviceCodeExpiredError
Defined in: auth/types.ts:147
Device code expired before user authorized
Extends
Constructors
Constructor
new DeviceCodeExpiredError(): DeviceCodeExpiredError
Defined in: auth/types.ts:148
Returns
Overrides
Properties
code?
readonly optional code: string
Defined in: errors.ts:21
Machine-readable error code. Prefer values from the ErrorCode enum.
Inherited from
httpStatus?
readonly optional httpStatus: number
Defined in: errors.ts:25
HTTP status code hint for error classification
Inherited from
retryable
readonly retryable: boolean
Defined in: errors.ts:23
Whether this error is safe to retry
Inherited from
Methods
is()
static is(error): error is AgentSDKError
Defined in: errors.ts:36
Check if an error is an AgentSDKError (works across bundled copies)
Parameters
error
unknown
Returns
error is AgentSDKError
Inherited from
TokenExchangeError
Defined in: auth/types.ts:166
Token exchange or refresh failed.
Error description
Standard ErrorOptions (e.g. cause)
Extends
Constructors
Constructor
new TokenExchangeError(message, options?): TokenExchangeError
Defined in: auth/types.ts:167
Parameters
message
string
options?
ErrorOptions
Returns
Overrides
Properties
code?
readonly optional code: string
Defined in: errors.ts:21
Machine-readable error code. Prefer values from the ErrorCode enum.
Inherited from
httpStatus?
readonly optional httpStatus: number
Defined in: errors.ts:25
HTTP status code hint for error classification
Inherited from
retryable
readonly retryable: boolean
Defined in: errors.ts:23
Whether this error is safe to retry
Inherited from
Methods
is()
static is(error): error is AgentSDKError
Defined in: errors.ts:36
Check if an error is an AgentSDKError (works across bundled copies)
Parameters
error
unknown
Returns
error is AgentSDKError
Inherited from
TokenRefreshManager
Defined in: auth/refresh-manager.ts:116
Background token refresh manager with event emission and retry logic.
Lifecycle: new → start() → (auto-refreshes) → stop() or dispose()
Constructors
Constructor
new TokenRefreshManager(options): TokenRefreshManager
Defined in: auth/refresh-manager.ts:135
Parameters
options
Returns
Accessors
isDisposed
Get Signature
get isDisposed(): boolean
Defined in: auth/refresh-manager.ts:169
Whether the manager has been disposed
Returns
boolean
isRunning
Get Signature
get isRunning(): boolean
Defined in: auth/refresh-manager.ts:164
Whether the manager is currently running
Returns
boolean
token
Get Signature
get token(): AuthToken
Defined in: auth/refresh-manager.ts:159
Current token managed by this instance
Returns
Methods
dispose()
dispose(): void
Defined in: auth/refresh-manager.ts:205
Stop and clean up all resources
Returns
void
off()
off<K>(event, listener): this
Defined in: auth/refresh-manager.ts:152
Remove an event listener
Type Parameters
K extends keyof TokenRefreshEvents
Parameters
event
K
listener
Returns
this
on()
on<K>(event, listener): this
Defined in: auth/refresh-manager.ts:145
Register an event listener
Type Parameters
K extends keyof TokenRefreshEvents
Parameters
event
K
listener
Returns
this
start()
start(): void
Defined in: auth/refresh-manager.ts:178
Start automatic refresh scheduling. If the token is already expired, emits “expired” immediately. If the token has no expiresIn, does nothing (long-lived token).
Returns
void
stop()
stop(): void
Defined in: auth/refresh-manager.ts:186
Stop automatic refresh (can be restarted with start())
Returns
void
updateToken()
updateToken(token): void
Defined in: auth/refresh-manager.ts:195
Update the managed token (e.g. after manual refresh). Reschedules automatic refresh if running.
Parameters
Returns
void
Interfaces
AuthToken
Defined in: auth/types.ts:20
Base auth token returned by all auth providers.
Example
import type { AuthToken } from "@witqq/agent-sdk/auth";

const token: AuthToken = {
  accessToken: "gho_abc123...",
  tokenType: "bearer",
  obtainedAt: Date.now(),
};
Extended by
Properties
accessToken
accessToken: string
Defined in: auth/types.ts:22
The access token string
expiresIn?
optional expiresIn: number
Defined in: auth/types.ts:26
Seconds until token expires (undefined = long-lived)
obtainedAt
obtainedAt: number
Defined in: auth/types.ts:28
Timestamp when the token was obtained
tokenType
tokenType: string
Defined in: auth/types.ts:24
Token type (e.g. “bearer”)
ClaudeAuthToken
Defined in: auth/types.ts:70
Claude-specific token (OAuth+PKCE, expires in 8h).
Example
import type { ClaudeAuthToken } from "@witqq/agent-sdk/auth";

const token: ClaudeAuthToken = {
  accessToken: "sk-ant-oat01-...",
  tokenType: "bearer",
  expiresIn: 28800,
  obtainedAt: Date.now(),
  refreshToken: "sk-ant-rt01-...",
  scopes: ["user:inference", "user:profile"],
};
Extends
Properties
accessToken
accessToken: string
Defined in: auth/types.ts:22
The access token string
Inherited from
expiresIn?
optional expiresIn: number
Defined in: auth/types.ts:26
Seconds until token expires (undefined = long-lived)
Inherited from
obtainedAt
obtainedAt: number
Defined in: auth/types.ts:28
Timestamp when the token was obtained
Inherited from
refreshToken
refreshToken: string
Defined in: auth/types.ts:72
Refresh token for obtaining new access tokens
scopes
scopes: string[]
Defined in: auth/types.ts:74
OAuth scopes granted
tokenType
tokenType: string
Defined in: auth/types.ts:24
Token type (e.g. “bearer”)
Inherited from
CopilotAuthToken
Defined in: auth/types.ts:46
Copilot-specific token (GitHub OAuth, long-lived).
Example
import type { CopilotAuthToken } from "@witqq/agent-sdk/auth";

const token: CopilotAuthToken = {
  accessToken: "gho_abc123...",
  tokenType: "bearer",
  obtainedAt: Date.now(),
  login: "octocat",
};
Extends
Properties
accessToken
accessToken: string
Defined in: auth/types.ts:22
The access token string
Inherited from
expiresIn?
optional expiresIn: number
Defined in: auth/types.ts:26
Seconds until token expires (undefined = long-lived)
Inherited from
login?
optional login: string
Defined in: auth/types.ts:48
GitHub user login associated with the token
obtainedAt
obtainedAt: number
Defined in: auth/types.ts:28
Timestamp when the token was obtained
Inherited from
refreshToken?
optional refreshToken: string
Defined in: auth/types.ts:50
Refresh token for obtaining new access tokens (present when GitHub App has expiring tokens)
tokenType
tokenType: string
Defined in: auth/types.ts:24
Token type (e.g. “bearer”)
Inherited from
DeviceFlowResult
Defined in: auth/types.ts:92
Result of initiating a GitHub Device Flow.
Example
import { CopilotAuth } from "@witqq/agent-sdk/auth";

const auth = new CopilotAuth();
const { userCode, verificationUrl, waitForToken } = await auth.startDeviceFlow();
console.log(`Open ${verificationUrl} and enter code: ${userCode}`);
const token = await waitForToken();
Properties
userCode
userCode: string
Defined in: auth/types.ts:94
The code the user must enter at the verification URL
verificationUrl
verificationUrl: string
Defined in: auth/types.ts:96
URL where the user enters the code
waitForToken()
waitForToken: (signal?) => Promise<CopilotAuthToken>
Defined in: auth/types.ts:98
Polls GitHub until user authorizes; resolves with token
Parameters
signal?
AbortSignal
Returns
Promise<CopilotAuthToken>
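
The polling behind waitForToken() follows the OAuth 2.0 device authorization grant (RFC 8628). The block below is an added example, not the SDK's code: it models one poll iteration as a pure function so the terminal outcomes (denied, expired, failed exchange) and the slow_down back-off are explicit. All type and function names (`decidePoll`, `replay`, `PollState`) are hypothetical, and mapping the failure reasons onto AccessDeniedError, DeviceCodeExpiredError and TokenExchangeError is an assumption.

```typescript
// Added example (not SDK code): one step of an RFC 8628 device-flow poll loop.
// All type and function names are hypothetical.
type TokenResponse =
  | { access_token: string; token_type: string }
  | { error: string };

interface PollState {
  intervalMs: number; // current wait between polls
  deadlineMs: number; // time at which the device code expires
}

type PollDecision =
  | { kind: "token"; accessToken: string }
  | { kind: "wait"; state: PollState }
  | { kind: "fail"; reason: "expired" | "denied" | "exchange_failed" };

function decidePoll(resp: TokenResponse, state: PollState, nowMs: number): PollDecision {
  if ("access_token" in resp) {
    // Anything other than a bearer token is treated as a failed exchange.
    return resp.token_type.toLowerCase() === "bearer"
      ? { kind: "token", accessToken: resp.access_token }
      : { kind: "fail", reason: "exchange_failed" };
  }
  let next = state;
  switch (resp.error) {
    case "authorization_pending":
      break; // user has not acted yet: keep the interval
    case "slow_down":
      // RFC 8628 section 3.5: add 5 seconds for this and all later polls.
      next = { ...state, intervalMs: state.intervalMs + 5000 };
      break;
    case "access_denied":
      return { kind: "fail", reason: "denied" };
    case "expired_token":
      return { kind: "fail", reason: "expired" };
    default:
      // Unknown error codes are terminal; never keep polling on them.
      return { kind: "fail", reason: "exchange_failed" };
  }
  // Enforce expiry locally as well, so the loop ends even if the server
  // never answers expired_token.
  if (nowMs + next.intervalMs >= next.deadlineMs) {
    return { kind: "fail", reason: "expired" };
  }
  return { kind: "wait", state: next };
}

// Replays constructed responses through decidePoll and records each decision.
function replay(responses: TokenResponse[], intervalMs: number, expiresInMs: number): string[] {
  let state: PollState = { intervalMs, deadlineMs: expiresInMs };
  let now = 0;
  const trace: string[] = [];
  for (const resp of responses) {
    now += state.intervalMs; // wait first, then poll
    const d = decidePoll(resp, state, now);
    if (d.kind === "wait") {
      state = d.state;
      trace.push(`wait:${state.intervalMs}`);
      continue;
    }
    trace.push(d.kind === "token" ? "token" : `fail:${d.reason}`);
    break;
  }
  return trace;
}
```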
OAuthFlowOptions
Defined in: auth/types.ts:104
Options for starting a Claude OAuth flow
Properties
redirectUri?
optional redirectUri: string
Defined in: auth/types.ts:106
The redirect URI registered with the OAuth app
scopes?
optional scopes: string
Defined in: auth/types.ts:108
OAuth scopes to request (defaults to user:profile user:inference)
OAuthFlowResult
Defined in: auth/types.ts:126
Result of initiating a Claude OAuth flow.
Example
import type { OAuthFlowResult } from "@witqq/agent-sdk/auth";

const result: OAuthFlowResult = {
  authorizeUrl: "https://claude.ai/oauth/authorize?...",
  completeAuth: async (code) => ({ ... }),
};
// Open result.authorizeUrl in browser, get code from redirect
const token = await result.completeAuth(code);
Properties
authorizeUrl
authorizeUrl: string
Defined in: auth/types.ts:128
URL to open in browser for user authorization
completeAuth()
completeAuth: (codeOrUrl) => Promise<ClaudeAuthToken>
Defined in: auth/types.ts:130
Exchange the authorization code (or full redirect URL) for tokens
Parameters
codeOrUrl
string
Returns
Promise<ClaudeAuthToken>
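
What startOAuthFlow() and completeAuth(codeOrUrl) involve on the client side, as an added example rather than the SDK's implementation: an S256 PKCE pair per RFC 7636 with an injectable random source (mirroring the randomBytes constructor option), and a strict parse of the redirect URL that checks `state` before returning the code. Function names, the shape given to `RandomBytesFn` and the `state` check are assumptions; the page does not describe how the SDK treats `state`, and unlike extractCode() this parser accepts only a full redirect URL.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Added example (not SDK code); all function names are hypothetical.
type RandomBytesFn = (size: number) => Uint8Array; // assumed shape of the page's RandomBytesFn

// RFC 7636 section 4.2: challenge = BASE64URL(SHA256(ASCII(verifier)))
function challengeFor(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

function makePkcePair(rand: RandomBytesFn = randomBytes) {
  const bytes = rand(32); // 32 octets give a 43-character verifier, the RFC minimum
  if (bytes.length !== 32) throw new Error("PKCE generation failed: short random read");
  const verifier = Buffer.from(bytes).toString("base64url");
  return { verifier, challenge: challengeFor(verifier), method: "S256" as const };
}

// Length check first, then a constant-time comparison of the bytes.
function sameString(a: string, b: string): boolean {
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Returns the authorization code only if the redirect belongs to this flow.
function codeFromRedirect(redirect: string, expectedRedirectUri: string, expectedState: string): string {
  const got = new URL(redirect);
  const want = new URL(expectedRedirectUri);
  if (got.origin !== want.origin || got.pathname !== want.pathname) {
    throw new Error("redirect does not match the registered redirect URI");
  }
  const error = got.searchParams.get("error");
  if (error) throw new Error(`authorization failed: ${error}`); // e.g. access_denied
  const state = got.searchParams.get("state");
  if (state === null || !sameString(state, expectedState)) {
    throw new Error("state mismatch: response does not belong to this flow");
  }
  const codes = got.searchParams.getAll("code");
  const [code] = codes;
  if (codes.length !== 1 || !code) throw new Error("expected exactly one code parameter");
  return code;
}
```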
TokenRefreshEvents
Defined in: auth/refresh-manager.ts:67
Events emitted by TokenRefreshManager
Properties
disposed()
disposed: () => void
Defined in: auth/refresh-manager.ts:75
Emitted when manager is disposed
Returns
void
error()
error: (error, attempt) => void
Defined in: auth/refresh-manager.ts:71
Emitted when refresh attempt failed (may retry)
Parameters
error
Error
attempt
number
Returns
void
expired()
expired: () => void
Defined in: auth/refresh-manager.ts:73
Emitted when token expired and could not be refreshed
Returns
void
refreshed()
refreshed: (token) => void
Defined in: auth/refresh-manager.ts:69
Emitted when token was successfully refreshed
Parameters
Returns
void
TokenRefreshOptions
Defined in: auth/refresh-manager.ts:79
Configuration for TokenRefreshManager
Properties
maxRetries?
optional maxRetries: number
Defined in: auth/refresh-manager.ts:95
Maximum retry attempts on refresh failure. Default: 3
minDelayMs?
optional minDelayMs: number
Defined in: auth/refresh-manager.ts:103
Minimum schedule delay in ms (prevents scheduling in the past). Default: 1000
refresh()
refresh: (token) => Promise<AuthToken>
Defined in: auth/refresh-manager.ts:86
Function that performs the actual token refresh. Receives the current token and returns a new one.
Parameters
Returns
Promise<AuthToken>
refreshThreshold?
optional refreshThreshold: number
Defined in: auth/refresh-manager.ts:91
Fraction of token lifetime at which to trigger refresh (0-1). Default: 0.8 (refresh at 80% of lifetime, i.e. with 20% remaining)
retryDelayMs?
optional retryDelayMs: number
Defined in: auth/refresh-manager.ts:99
Base delay between retries in ms. Exponential backoff applied. Default: 1000
token
token: AuthToken
Defined in: auth/refresh-manager.ts:81
Current token with expiresIn and obtainedAt
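
How the TokenRefreshOptions values combine into a schedule, as an added model rather than the SDK's code. It assumes obtainedAt is in milliseconds (the examples use Date.now()), expiresIn is in seconds, and the exponential backoff doubles per attempt; the page states only that backoff is exponential. `planRefresh`, `retryDelays` and `retriesFitBeforeExpiry` are hypothetical names.

```typescript
// Added example (not SDK code). Defaults are the documented ones:
// refreshThreshold 0.8, minDelayMs 1000, retryDelayMs 1000, maxRetries 3.
interface TokenTiming {
  obtainedAt: number; // ms since epoch (assumed unit)
  expiresIn?: number; // seconds; undefined = long-lived
}
interface Schedule {
  refreshThreshold?: number;
  minDelayMs?: number;
  retryDelayMs?: number;
  maxRetries?: number;
}

type Plan =
  | { kind: "long-lived" } // no expiresIn: nothing to schedule
  | { kind: "expired" } // already past expiry: the manager emits "expired"
  | { kind: "scheduled"; delayMs: number; expiresAtMs: number };

function planRefresh(t: TokenTiming, nowMs: number, s: Schedule = {}): Plan {
  if (t.expiresIn === undefined) return { kind: "long-lived" };
  const threshold = s.refreshThreshold ?? 0.8;
  if (!(threshold >= 0 && threshold <= 1)) throw new RangeError("refreshThreshold must be within 0-1");
  const lifetimeMs = t.expiresIn * 1000;
  const expiresAtMs = t.obtainedAt + lifetimeMs;
  if (nowMs >= expiresAtMs) return { kind: "expired" };
  const refreshAtMs = t.obtainedAt + Math.round(lifetimeMs * threshold);
  // minDelayMs keeps a token already past its threshold from being scheduled in the past.
  const delayMs = Math.max(refreshAtMs - nowMs, s.minDelayMs ?? 1000);
  return { kind: "scheduled", delayMs, expiresAtMs };
}

// Delay before each retry; doubling per attempt is an assumption.
function retryDelays(s: Schedule = {}): number[] {
  const base = s.retryDelayMs ?? 1000;
  return Array.from({ length: s.maxRetries ?? 3 }, (_, i) => base * 2 ** i);
}

// Can the first attempt plus every retry start before the token expires?
// Request round-trip time is ignored, so treat a true result as an upper bound.
function retriesFitBeforeExpiry(t: TokenTiming, nowMs: number, s: Schedule = {}): boolean {
  const plan = planRefresh(t, nowMs, s);
  if (plan.kind !== "scheduled") return plan.kind === "long-lived";
  const worstCaseMs = nowMs + plan.delayMs + retryDelays(s).reduce((a, b) => a + b, 0);
  return worstCaseMs < plan.expiresAtMs;
}
```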