@agentuity/core 1.0.59 → 2.0.0-beta.1

package/dist/services/oauth/token-storage.d.ts

@@ -1,109 +0,0 @@
-import type { KeyValueStorage } from '../keyvalue/service.ts';
-import type { OAuthFlowConfig, OAuthTokenResponse, StoredToken } from './types.ts';
-/**
- * Check whether a stored token's access token has expired.
- *
- * @param token - The stored token to check
- * @returns true if the token has an expires_at timestamp that is in the past
- *
- * @example
- * ```typescript
- * const token = await storage.get('user:123');
- * if (token && isTokenExpired(token)) {
- *   // Token is expired and auto-refresh wasn't available
- * }
- * ```
- */
-export declare function isTokenExpired(token: StoredToken): boolean;
-/**
- * Options for configuring a TokenStorage instance.
- */
-export interface TokenStorageOptions {
-    /**
-     * OAuth configuration for auto-refresh and token revocation.
-     * If not provided, auto-refresh on get() and server-side revocation on invalidate() are disabled.
-     */
-    config?: OAuthFlowConfig;
-    /**
-     * KV namespace for storing tokens. Defaults to 'oauth-tokens'.
-     */
-    namespace?: string;
-    /**
-     * Key prefix prepended to all storage keys.
-     * Useful for scoping tokens by application or tenant.
-     */
-    prefix?: string;
-}
-/**
- * Interface for storing, retrieving, and invalidating OAuth tokens.
- *
- * Implementations handle persistence and may support automatic token refresh
- * on retrieval and server-side revocation on invalidation.
- */
-export interface TokenStorage {
-    /**
-     * Retrieve a stored token by key.
-     *
-     * If the token is expired and a refresh_token is available (and config is provided),
-     * the token is automatically refreshed, stored, and the new token is returned.
-     * If auto-refresh fails, the expired token is returned so the caller can decide
-     * how to handle it (check with {@link isTokenExpired}).
-     *
-     * @param key - The storage key (e.g. a user ID or session ID)
-     * @returns The stored token, or null if no token exists for the key
-     */
-    get(key: string): Promise<StoredToken | null>;
-    /**
-     * Store a token response from a token exchange or refresh.
-     *
-     * Automatically computes `expires_at` from `expires_in` if present.
-     *
-     * @param key - The storage key (e.g. a user ID or session ID)
-     * @param token - The OAuth token response to store
-     */
-    set(key: string, token: OAuthTokenResponse): Promise<void>;
-    /**
-     * Invalidate a stored token: revoke it server-side and remove from storage.
-     *
-     * If config is provided, the refresh token (or access token as fallback)
-     * is revoked via the token revocation endpoint. Revocation is best-effort —
-     * the token is removed from storage regardless of whether revocation succeeds.
-     *
-     * @param key - The storage key to invalidate
-     * @returns The token that was removed, or null if no token existed
-     */
-    invalidate(key: string): Promise<StoredToken | null>;
-}
-/**
- * Token storage backed by Agentuity's Key-Value storage service.
- *
- * Stores tokens as JSON in a KV namespace. Supports automatic token refresh
- * on retrieval when tokens expire (if OAuth config is provided).
- *
- * @example
- * ```typescript
- * import { KeyValueTokenStorage } from '@agentuity/core/oauth';
- *
- * // Create storage with auto-refresh enabled
- * const storage = new KeyValueTokenStorage(ctx.kv, {
- *   config: { issuer: 'https://auth.example.com' },
- * });
- *
- * // Store a token after initial exchange
- * await storage.set('user:123', tokenResponse);
- *
- * // Retrieve — auto-refreshes if expired
- * const token = await storage.get('user:123');
- *
- * // Logout — revokes server-side and removes from storage
- * await storage.invalidate('user:123');
- * ```
- */
-export declare class KeyValueTokenStorage implements TokenStorage {
-    #private;
-    constructor(kv: KeyValueStorage, options?: TokenStorageOptions);
-    get(key: string): Promise<StoredToken | null>;
-    set(key: string, token: OAuthTokenResponse): Promise<void>;
-    invalidate(key: string): Promise<StoredToken | null>;
-}
-//# sourceMappingURL=token-storage.d.ts.map

package/dist/services/oauth/token-storage.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"token-storage.d.ts","sourceRoot":"","sources":["../../../src/services/oauth/token-storage.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,KAAK,EAAE,eAAe,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAMnF;;;;;;;;;;;;;GAaG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAG1D;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;OAGG;IACH,MAAM,CAAC,EAAE,eAAe,CAAC;IAEzB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;GAKG;AACH,MAAM,WAAW,YAAY;IAC5B;;;;;;;;;;OAUG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAE9C;;;;;;;OAOG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3D;;;;;;;;;OASG;IACH,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;CACrD;AAgBD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,oBAAqB,YAAW,YAAY;;gBAM5C,EAAE,EAAE,eAAe,EAAE,OAAO,CAAC,EAAE,mBAAmB;IAOxD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAyB7C,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAK1D,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;CA8C1D"}

package/dist/services/oauth/token-storage.js

@@ -1,140 +0,0 @@
-import { StoredTokenSchema } from "./types.js";
-import { refreshToken, logout } from "./flow.js";
-const DEFAULT_NAMESPACE = 'oauth-tokens';
-/**
- * Check whether a stored token's access token has expired.
- *
- * @param token - The stored token to check
- * @returns true if the token has an expires_at timestamp that is in the past
- *
- * @example
- * ```typescript
- * const token = await storage.get('user:123');
- * if (token && isTokenExpired(token)) {
- *   // Token is expired and auto-refresh wasn't available
- * }
- * ```
- */
-export function isTokenExpired(token) {
-    if (!token.expires_at)
-        return false;
-    return Math.floor(Date.now() / 1000) >= token.expires_at;
-}
-/**
- * Convert an OAuth token response to a StoredToken with computed expires_at.
- */
-function toStoredToken(token) {
-    return {
-        access_token: token.access_token,
-        token_type: token.token_type,
-        refresh_token: token.refresh_token,
-        scope: token.scope,
-        id_token: token.id_token,
-        expires_at: token.expires_in ? Math.floor(Date.now() / 1000) + token.expires_in : undefined,
-    };
-}
-/**
- * Token storage backed by Agentuity's Key-Value storage service.
- *
- * Stores tokens as JSON in a KV namespace. Supports automatic token refresh
- * on retrieval when tokens expire (if OAuth config is provided).
- *
- * @example
- * ```typescript
- * import { KeyValueTokenStorage } from '@agentuity/core/oauth';
- *
- * // Create storage with auto-refresh enabled
- * const storage = new KeyValueTokenStorage(ctx.kv, {
- *   config: { issuer: 'https://auth.example.com' },
- * });
- *
- * // Store a token after initial exchange
- * await storage.set('user:123', tokenResponse);
- *
- * // Retrieve — auto-refreshes if expired
- * const token = await storage.get('user:123');
- *
- * // Logout — revokes server-side and removes from storage
- * await storage.invalidate('user:123');
- * ```
- */
-export class KeyValueTokenStorage {
-    #kv;
-    #namespace;
-    #prefix;
-    #config;
-    constructor(kv, options) {
-        this.#kv = kv;
-        this.#namespace = options?.namespace ?? DEFAULT_NAMESPACE;
-        this.#prefix = options?.prefix ?? '';
-        this.#config = options?.config;
-    }
-    async get(key) {
-        const result = await this.#kv.get(this.#namespace, this.#resolveKey(key));
-        if (!result.exists)
-            return null;
-        const parsed = StoredTokenSchema.safeParse(result.data);
-        if (!parsed.success)
-            return null;
-        const token = parsed.data;
-        // Auto-refresh if expired and refresh_token + config are available
-        if (isTokenExpired(token) && token.refresh_token && this.#config) {
-            try {
-                const newTokenResponse = await refreshToken(token.refresh_token, this.#config);
-                const newStored = toStoredToken(newTokenResponse);
-                await this.#store(key, newStored);
-                return newStored;
-            }
-            catch {
-                // Refresh failed — return the expired token, caller can check isTokenExpired()
-                return token;
-            }
-        }
-        return token;
-    }
-    async set(key, token) {
-        const stored = toStoredToken(token);
-        await this.#store(key, stored);
-    }
-    async invalidate(key) {
-        const resolvedKey = this.#resolveKey(key);
-        const result = await this.#kv.get(this.#namespace, resolvedKey);
-        if (!result.exists)
-            return null;
-        const parsed = StoredTokenSchema.safeParse(result.data);
-        const token = parsed.success ? parsed.data : null;
-        // Revoke server-side (best effort)
-        if (token && this.#config) {
-            const tokenToRevoke = token.refresh_token ?? token.access_token;
-            try {
-                await logout(tokenToRevoke, this.#config);
-            }
-            catch {
-                // Best effort — continue with storage cleanup
-            }
-        }
-        // Remove from storage regardless of revocation result
-        await this.#kv.delete(this.#namespace, resolvedKey);
-        return token;
-    }
-    async #store(key, token) {
-        // Only set explicit TTL for tokens without a refresh_token.
-        // Tokens with refresh capability persist until explicitly invalidated
-        // (auto-refresh on get() will keep them fresh).
-        let ttl;
-        if (!token.refresh_token && token.expires_at) {
-            const remaining = token.expires_at - Math.floor(Date.now() / 1000);
-            if (remaining > 0) {
-                ttl = Math.max(remaining, 60); // KV minimum is 60 seconds
-            }
-        }
-        await this.#kv.set(this.#namespace, this.#resolveKey(key), token, {
-            ttl,
-            contentType: 'application/json',
-        });
-    }
-    #resolveKey(key) {
-        return this.#prefix ? `${this.#prefix}${key}` : key;
-    }
-}
-//# sourceMappingURL=token-storage.js.map

package/dist/services/oauth/token-storage.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"token-storage.js","sourceRoot":"","sources":["../../../src/services/oauth/token-storage.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AAEjD,MAAM,iBAAiB,GAAG,cAAc,CAAC;AAEzC;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAAC,KAAkB;IAChD,IAAI,CAAC,KAAK,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IACpC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC;AAC1D,CAAC;AAmED;;GAEG;AACH,SAAS,aAAa,CAAC,KAAyB;IAC/C,OAAO;QACN,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;KAC3F,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,OAAO,oBAAoB;IAChC,GAAG,CAAkB;IACrB,UAAU,CAAS;IACnB,OAAO,CAAS;IAChB,OAAO,CAAmB;IAE1B,YAAY,EAAmB,EAAE,OAA6B;QAC7D,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;QACd,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,SAAS,IAAI,iBAAiB,CAAC;QAC1D,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,MAAM,IAAI,EAAE,CAAC;QACrC,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,MAAM,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAc,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;QACvF,IAAI,CAAC,MAAM,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEhC,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAEjC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC;QAE1B,mEAAmE;QACnE,IAAI,cAAc,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,aAAa,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClE,IAAI,CAAC;gBACJ,MAAM,gBAAgB,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,aAAa,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC/E,MAAM,SAAS,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAAC;gBAClD,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;gBAClC,OAAO,SAAS,CAAC;YAClB,CAAC;YAAC,MAAM,CAAC;gBACR,+EAA+E;gBAC/E,OAAO,KAAK,CAAC;YACd,CAAC;QACF,CAAC;QAED,OAAO,KAAK,CAAC;IACd,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAyB;QAC/C,MAAM,MAAM,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,GAAW;QAC3B,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAc,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QAE7E,IAAI,CAAC,MAAM,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEhC,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QAElD,mCAAmC;QACnC,IAAI,KAAK,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC3B,MAAM,aAAa,GAAG,KAAK,CAAC,aAAa,IAAI,KAAK,CAAC,YAAY,CAAC;YAChE,IAAI,CAAC;gBACJ,MAAM,MAAM,CAAC,aAAa,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3C,CAAC;YAAC,MAAM,CAAC;gBACR,8CAA8C;YAC/C,CAAC;QACF,CAAC;QAED,sDAAsD;QACtD,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QAEpD,OAAO,KAAK,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW,EAAE,KAAkB;QAC3C,4DAA4D;QAC5D,sEAAsE;QACtE,gDAAgD;QAChD,IAAI,GAAuB,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,aAAa,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;YAC9C,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YACnE,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBACnB,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,2BAA2B;YAC3D,CAAC;QACF,CAAC;QAED,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE;YACjE,GAAG;YACH,WAAW,EAAE,kBAAkB;SAC/B,CAAC,CAAC;IACJ,CAAC;IAED,WAAW,CAAC,GAAW;QACtB,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;IACrD,CAAC;CACD"}

package/src/services/oauth/token-storage.ts

@@ -1,220 +0,0 @@
-import type { KeyValueStorage } from '../keyvalue/service.ts';
-import type { OAuthFlowConfig, OAuthTokenResponse, StoredToken } from './types.ts';
-import { StoredTokenSchema } from './types.ts';
-import { refreshToken, logout } from './flow.ts';
-
-const DEFAULT_NAMESPACE = 'oauth-tokens';
-
-/**
- * Check whether a stored token's access token has expired.
- *
- * @param token - The stored token to check
- * @returns true if the token has an expires_at timestamp that is in the past
- *
- * @example
- * ```typescript
- * const token = await storage.get('user:123');
- * if (token && isTokenExpired(token)) {
- *   // Token is expired and auto-refresh wasn't available
- * }
- * ```
- */
-export function isTokenExpired(token: StoredToken): boolean {
-	if (!token.expires_at) return false;
-	return Math.floor(Date.now() / 1000) >= token.expires_at;
-}
-
-/**
- * Options for configuring a TokenStorage instance.
- */
-export interface TokenStorageOptions {
-	/**
-	 * OAuth configuration for auto-refresh and token revocation.
-	 * If not provided, auto-refresh on get() and server-side revocation on invalidate() are disabled.
-	 */
-	config?: OAuthFlowConfig;
-
-	/**
-	 * KV namespace for storing tokens. Defaults to 'oauth-tokens'.
-	 */
-	namespace?: string;
-
-	/**
-	 * Key prefix prepended to all storage keys.
-	 * Useful for scoping tokens by application or tenant.
-	 */
-	prefix?: string;
-}
-
-/**
- * Interface for storing, retrieving, and invalidating OAuth tokens.
- *
- * Implementations handle persistence and may support automatic token refresh
- * on retrieval and server-side revocation on invalidation.
- */
-export interface TokenStorage {
-	/**
-	 * Retrieve a stored token by key.
-	 *
-	 * If the token is expired and a refresh_token is available (and config is provided),
-	 * the token is automatically refreshed, stored, and the new token is returned.
-	 * If auto-refresh fails, the expired token is returned so the caller can decide
-	 * how to handle it (check with {@link isTokenExpired}).
-	 *
-	 * @param key - The storage key (e.g. a user ID or session ID)
-	 * @returns The stored token, or null if no token exists for the key
-	 */
-	get(key: string): Promise<StoredToken | null>;
-
-	/**
-	 * Store a token response from a token exchange or refresh.
-	 *
-	 * Automatically computes `expires_at` from `expires_in` if present.
-	 *
-	 * @param key - The storage key (e.g. a user ID or session ID)
-	 * @param token - The OAuth token response to store
-	 */
-	set(key: string, token: OAuthTokenResponse): Promise<void>;
-
-	/**
-	 * Invalidate a stored token: revoke it server-side and remove from storage.
-	 *
-	 * If config is provided, the refresh token (or access token as fallback)
-	 * is revoked via the token revocation endpoint. Revocation is best-effort —
-	 * the token is removed from storage regardless of whether revocation succeeds.
-	 *
-	 * @param key - The storage key to invalidate
-	 * @returns The token that was removed, or null if no token existed
-	 */
-	invalidate(key: string): Promise<StoredToken | null>;
-}
-
-/**
- * Convert an OAuth token response to a StoredToken with computed expires_at.
- */
-function toStoredToken(token: OAuthTokenResponse): StoredToken {
-	return {
-		access_token: token.access_token,
-		token_type: token.token_type,
-		refresh_token: token.refresh_token,
-		scope: token.scope,
-		id_token: token.id_token,
-		expires_at: token.expires_in ? Math.floor(Date.now() / 1000) + token.expires_in : undefined,
-	};
-}
-
-/**
- * Token storage backed by Agentuity's Key-Value storage service.
- *
- * Stores tokens as JSON in a KV namespace. Supports automatic token refresh
- * on retrieval when tokens expire (if OAuth config is provided).
- *
- * @example
- * ```typescript
- * import { KeyValueTokenStorage } from '@agentuity/core/oauth';
- *
- * // Create storage with auto-refresh enabled
- * const storage = new KeyValueTokenStorage(ctx.kv, {
- *   config: { issuer: 'https://auth.example.com' },
- * });
- *
- * // Store a token after initial exchange
- * await storage.set('user:123', tokenResponse);
- *
- * // Retrieve — auto-refreshes if expired
- * const token = await storage.get('user:123');
- *
- * // Logout — revokes server-side and removes from storage
- * await storage.invalidate('user:123');
- * ```
- */
-export class KeyValueTokenStorage implements TokenStorage {
-	#kv: KeyValueStorage;
-	#namespace: string;
-	#prefix: string;
-	#config?: OAuthFlowConfig;
-
-	constructor(kv: KeyValueStorage, options?: TokenStorageOptions) {
-		this.#kv = kv;
-		this.#namespace = options?.namespace ?? DEFAULT_NAMESPACE;
-		this.#prefix = options?.prefix ?? '';
-		this.#config = options?.config;
-	}
-
-	async get(key: string): Promise<StoredToken | null> {
-		const result = await this.#kv.get<StoredToken>(this.#namespace, this.#resolveKey(key));
-		if (!result.exists) return null;
-
-		const parsed = StoredTokenSchema.safeParse(result.data);
-		if (!parsed.success) return null;
-
-		const token = parsed.data;
-
-		// Auto-refresh if expired and refresh_token + config are available
-		if (isTokenExpired(token) && token.refresh_token && this.#config) {
-			try {
-				const newTokenResponse = await refreshToken(token.refresh_token, this.#config);
-				const newStored = toStoredToken(newTokenResponse);
-				await this.#store(key, newStored);
-				return newStored;
-			} catch {
-				// Refresh failed — return the expired token, caller can check isTokenExpired()
-				return token;
-			}
-		}
-
-		return token;
-	}
-
-	async set(key: string, token: OAuthTokenResponse): Promise<void> {
-		const stored = toStoredToken(token);
-		await this.#store(key, stored);
-	}
-
-	async invalidate(key: string): Promise<StoredToken | null> {
-		const resolvedKey = this.#resolveKey(key);
-		const result = await this.#kv.get<StoredToken>(this.#namespace, resolvedKey);
-
-		if (!result.exists) return null;
-
-		const parsed = StoredTokenSchema.safeParse(result.data);
-		const token = parsed.success ? parsed.data : null;
-
-		// Revoke server-side (best effort)
-		if (token && this.#config) {
-			const tokenToRevoke = token.refresh_token ?? token.access_token;
-			try {
-				await logout(tokenToRevoke, this.#config);
-			} catch {
-				// Best effort — continue with storage cleanup
-			}
-		}
-
-		// Remove from storage regardless of revocation result
-		await this.#kv.delete(this.#namespace, resolvedKey);
-
-		return token;
-	}
-
-	async #store(key: string, token: StoredToken): Promise<void> {
-		// Only set explicit TTL for tokens without a refresh_token.
-		// Tokens with refresh capability persist until explicitly invalidated
-		// (auto-refresh on get() will keep them fresh).
-		let ttl: number | undefined;
-		if (!token.refresh_token && token.expires_at) {
-			const remaining = token.expires_at - Math.floor(Date.now() / 1000);
-			if (remaining > 0) {
-				ttl = Math.max(remaining, 60); // KV minimum is 60 seconds
-			}
-		}
-
-		await this.#kv.set(this.#namespace, this.#resolveKey(key), token, {
-			ttl,
-			contentType: 'application/json',
-		});
-	}
-
-	#resolveKey(key: string): string {
-		return this.#prefix ? `${this.#prefix}${key}` : key;
-	}
-}