@julr/sesame 0.4.0 → 0.5.1

package/README.md

@@ -24,6 +24,7 @@ node ace add @julr/sesame
 ```
 
 This will:
+
 - Publish the configuration file to `config/sesame.ts`
 - Publish database migrations (6 tables)
 - Register the service provider and commands
@@ -47,8 +48,8 @@ const sesameConfig = defineConfig({
   issuer: env.get('APP_URL'),
 
   scopes: {
-    'read': 'Read access',
-    'write': 'Write access',
+    read: 'Read access',
+    write: 'Write access',
   },
 
   defaultScopes: ['read'],
@@ -83,9 +84,11 @@ Register OAuth routes from your `start/routes.ts` file:
 import sesame from '@julr/sesame/services/main'
 
 // OAuth endpoints under /oauth
-router.group(() => {
-  sesame.registerRoutes()
-}).prefix('/oauth')
+router
+  .group(() => {
+    sesame.registerRoutes()
+  })
+  .prefix('/oauth')
 
 // Discovery endpoints at the root
 sesame.registerWellKnownRoutes()
@@ -144,14 +147,10 @@ Two named middleware are available for checking scopes on authenticated requests
 
 ```ts
 // Requires ALL listed scopes
-router
-  .get('/admin', [AdminController])
-  .use(middleware.scopes({ scopes: ['admin', 'write'] }))
+router.get('/admin', [AdminController]).use(middleware.scopes({ scopes: ['admin', 'write'] }))
 
 // Requires AT LEAST ONE of the listed scopes
-router
-  .get('/data', [DataController])
-  .use(middleware.anyScope({ scopes: ['read', 'write'] }))
+router.get('/data', [DataController]).use(middleware.anyScope({ scopes: ['read', 'write'] }))
 ```
 
 ## MCP Support

package/build/{authorize_controller-Bb54Bi_s.js → authorize_controller-YUfAy-R2.js}

@@ -1,10 +1,10 @@
-import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
+import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { d as E_UNSUPPORTED_RESPONSE_TYPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BD1CDQuC.js";
+import { t as ClientService } from "./client_service-WTNMqWzY.js";
 import { DateTime } from "luxon";
 import string from "@adonisjs/core/helpers/string";
 import vine from "@vinejs/vine";

package/build/{client_service-BD1CDQuC.js → client_service-WTNMqWzY.js}

@@ -1,3 +1,4 @@
+import { o as BUILTIN_SCOPES } from "./sesame_manager-DwDZy5Vy.js";
 import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
@@ -37,9 +38,10 @@ var ClientService = class {
 		return client;
 	}
 	validateClientScopes(requestedScopes, clientScopes) {
-		if (clientScopes.length === 0 && requestedScopes.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${requestedScopes.join(", ")}`);
+		const nonBuiltinScopes = requestedScopes.filter((s) => !BUILTIN_SCOPES.has(s));
+		if (clientScopes.length === 0 && nonBuiltinScopes.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${nonBuiltinScopes.join(", ")}`);
 		const allowedSet = new Set(clientScopes);
-		const invalid = requestedScopes.filter((s) => !allowedSet.has(s));
+		const invalid = nonBuiltinScopes.filter((s) => !allowedSet.has(s));
 		if (invalid.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${invalid.join(", ")}`);
 	}
 	hashSecret(secret) {

package/build/commands/sesame_purge.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-BIHBwkqK.js";
+import { t as SesameManager } from "../sesame_manager-DwDZy5Vy.js";
 import { t as __decorate } from "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 import { BaseCommand, flags } from "@adonisjs/core/ace";

package/build/{consent_controller-gMuS9nSx.js → consent_controller-Dprwd1ed.js}

@@ -1,4 +1,4 @@
-import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
+import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";

package/build/index.js

@@ -1,11 +1,11 @@
 import { configure } from "./configure.js";
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, c as E_INVALID_TOKEN, d as E_UNSUPPORTED_RESPONSE_TYPE, f as OAuthError, i as E_INVALID_CLIENT_METADATA, l as E_SERVER_ERROR, n as E_INSUFFICIENT_SCOPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import "./token_service-fhoA4slP.js";
-import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-BJRXMGrZ.js";
+import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-EbeMS5S9.js";
 function defineConfig(config) {
 	return {
 		issuer: config.issuer,
@@ -13,6 +13,7 @@ function defineConfig(config) {
 		defaultScopes: config.defaultScopes ?? [],
 		grantTypes: config.grantTypes ?? ["authorization_code", "refresh_token"],
 		accessTokenTtl: config.accessTokenTtl ?? "1h",
+		clientCredentialsAccessTokenTtl: config.clientCredentialsAccessTokenTtl ?? config.accessTokenTtl ?? "1h",
 		refreshTokenTtl: config.refreshTokenTtl ?? "30d",
 		authorizationCodeTtl: config.authorizationCodeTtl ?? "10m",
 		authorizationRequestTtl: config.authorizationRequestTtl ?? config.authorizationCodeTtl ?? "10m",

package/build/{introspect_controller-bKg1T2Xx.js → introspect_controller-6bRt9sZt.js}

@@ -1,10 +1,10 @@
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
+import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import "./oauth_error-CnJ3L8tf.js";
 import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BD1CDQuC.js";
+import { t as ClientService } from "./client_service-WTNMqWzY.js";
 const INACTIVE = { active: false };
 var IntrospectController = class {
 	async handle(ctx) {

package/build/{main-BJRXMGrZ.js → main-EbeMS5S9.js}

@@ -150,7 +150,7 @@ var OAuthLucidUserProvider = class {
 function oauthGuard(config) {
 	return { async resolver(name, app) {
 		const emitter = await app.container.make("emitter");
-		const { SesameManager } = await import("./sesame_manager-BWqeaqn9.js");
+		const { SesameManager } = await import("./sesame_manager-Bu4MHqZV.js");
 		const manager = await app.container.make(SesameManager);
 		return (ctx) => new OAuthGuard(name, ctx, emitter, config.provider, manager, config.resource);
 	} };

package/build/{metadata_controller-CGaKw3UM.js → metadata_controller-DeaMRnUr.js}

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
+import { o as BUILTIN_SCOPES, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { l as E_SERVER_ERROR } from "./oauth_error-CnJ3L8tf.js";
@@ -63,7 +63,7 @@ var MetadataController = class {
 		return {
 			...base,
 			subject_types_supported: ["public"],
-			scopes_supported: Object.keys(manager.config.scopes)
+			scopes_supported: [...Object.keys(manager.config.scopes), ...BUILTIN_SCOPES]
 		};
 	}
 	async protectedResource(ctx) {
@@ -73,7 +73,7 @@ var MetadataController = class {
 		return {
 			resource: issuer,
 			authorization_servers: [issuer],
-			scopes_supported: Object.keys(manager.config.scopes),
+			scopes_supported: [...Object.keys(manager.config.scopes), ...BUILTIN_SCOPES],
 			bearer_methods_supported: ["header"]
 		};
 	}

package/build/providers/sesame_provider.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-BIHBwkqK.js";
+import { t as SesameManager } from "../sesame_manager-DwDZy5Vy.js";
 import "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 var SesameProvider = class {

package/build/{register_controller-CnzYR-iH.js → register_controller-sIJ1rxdM.js}

@@ -1,9 +1,9 @@
-import { t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
+import { t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { i as E_INVALID_CLIENT_METADATA, o as E_INVALID_REQUEST, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
-import { t as ClientService } from "./client_service-BD1CDQuC.js";
+import { t as ClientService } from "./client_service-WTNMqWzY.js";
 import vine from "@vinejs/vine";
 const DANGEROUS_SCHEMES = [
 	"javascript:",

package/build/{revoke_controller-dJtMG1zK.js → revoke_controller-D6isoQCi.js}

@@ -1,10 +1,10 @@
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
+import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import "./oauth_error-CnJ3L8tf.js";
 import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BD1CDQuC.js";
+import { t as ClientService } from "./client_service-WTNMqWzY.js";
 import { DateTime } from "luxon";
 var RevokeController = class {
 	async handle(ctx) {

package/build/services/main.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-BIHBwkqK.js";
+import { t as SesameManager } from "../sesame_manager-DwDZy5Vy.js";
 import "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 import app from "@adonisjs/core/services/app";

package/build/{sesame_manager-BWqeaqn9.js → sesame_manager-Bu4MHqZV.js}

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
+import { t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 export { SesameManager };

package/build/{sesame_manager-BIHBwkqK.js → sesame_manager-DwDZy5Vy.js}

@@ -2,14 +2,15 @@ import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { DateTime } from "luxon";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
+const BUILTIN_SCOPES = new Set(["offline_access"]);
 const controllers = {
-	token: () => import("./token_controller-BijtWj5C.js"),
-	authorize: () => import("./authorize_controller-Bb54Bi_s.js"),
-	consent: () => import("./consent_controller-gMuS9nSx.js"),
-	introspect: () => import("./introspect_controller-bKg1T2Xx.js"),
-	revoke: () => import("./revoke_controller-dJtMG1zK.js"),
-	register: () => import("./register_controller-CnzYR-iH.js"),
-	metadata: () => import("./metadata_controller-CGaKw3UM.js"),
+	token: () => import("./token_controller-DzcrLMyS.js"),
+	authorize: () => import("./authorize_controller-YUfAy-R2.js"),
+	consent: () => import("./consent_controller-Dprwd1ed.js"),
+	introspect: () => import("./introspect_controller-6bRt9sZt.js"),
+	revoke: () => import("./revoke_controller-D6isoQCi.js"),
+	register: () => import("./register_controller-sIJ1rxdM.js"),
+	metadata: () => import("./metadata_controller-DeaMRnUr.js"),
 	clientInfo: () => import("./client_info_controller-BucHGx4u.js")
 };
 function registerOAuthRoutes(router) {
@@ -99,8 +100,8 @@ var SesameManager = class {
 		return scope in this.#config.scopes;
 	}
 	validateScopes(scopes) {
-		if (Object.keys(this.#config.scopes).length === 0) return scopes;
-		return scopes.filter((s) => !this.hasScope(s));
+		if (Object.keys(this.#config.scopes).length === 0) return scopes.filter((s) => !BUILTIN_SCOPES.has(s));
+		return scopes.filter((s) => !BUILTIN_SCOPES.has(s) && !this.hasScope(s));
 	}
 	isGrantTypeEnabled(grantType) {
 		return this.#config.grantTypes.includes(grantType);
@@ -154,7 +155,7 @@ var SesameManager = class {
 			return {
 				resource: `${this.#config.issuer}${options.resource}`,
 				authorization_servers: [this.#config.issuer],
-				scopes_supported: options.scopes ?? Object.keys(this.#config.scopes),
+				scopes_supported: [...options.scopes ?? Object.keys(this.#config.scopes), ...BUILTIN_SCOPES],
 				bearer_methods_supported: ["header"]
 			};
 		});
@@ -163,4 +164,4 @@ var SesameManager = class {
 		return result.then((r) => Array.isArray(r) ? Number(r[0] ?? 0) : Number(r));
 	}
 };
-export { OAuthRefreshToken as a, OAuthAuthorizationCode as i, OAuthPendingAuthorizationRequest as n, OAuthConsent as r, SesameManager as t };
+export { OAuthRefreshToken as a, OAuthAuthorizationCode as i, OAuthPendingAuthorizationRequest as n, BUILTIN_SCOPES as o, OAuthConsent as r, SesameManager as t };

package/build/src/controllers/metadata_controller.d.ts

@@ -1,5 +1,5 @@
 import type { HttpContext } from '@adonisjs/core/http';
-import type { AuthServerMetadata, ResourceServerMetadata } from '../types.ts';
+import { type AuthServerMetadata, type ResourceServerMetadata } from '../types.ts';
 /**
  * Serves OAuth 2.0 discovery metadata documents.
  *

package/build/src/grants/authorization_code_grant.d.ts

@@ -3,17 +3,13 @@ import type { SesameManager } from '../sesame_manager.ts';
 /**
  * Handle the Authorization Code Grant (RFC 6749 §4.1.3).
  *
- * Exchanges an authorization code for an access token (and optionally
- * a refresh token if the `offline_access` scope was granted).
+ * Exchanges an authorization code for an access token and a refresh
+ * token. A refresh token is always issued when the `refresh_token`
+ * grant type is enabled on the server — the client does not need
+ * to request `offline_access` explicitly.
  *
- * Performs the following validations:
- * - Client authentication (Basic header or POST body credentials)
- * - Authorization code existence, expiration, and single-use enforcement
- * - Redirect URI matching against the original authorization request
- * - PKCE code_verifier verification using S256 (RFC 7636 §4.6)
- *
- * All tokens (access tokens, refresh tokens, authorization codes)
- * are opaque values stored as SHA-256 hashes.
+ * This matches the behavior of major OAuth providers and avoids
+ * forcing MCP clients like ClaudeDesktop to know about `offline_access` to get long-lived sessions.
  *
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
  * @see https://datatracker.ietf.org/doc/html/rfc7636#section-4.6

package/build/src/grants/client_credentials_grant.d.ts

@@ -0,0 +1,23 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { SesameManager } from '../sesame_manager.ts';
+/**
+ * Handle the Client Credentials Grant (RFC 6749 §4.4).
+ *
+ * Issues an access token directly to the client for
+ * machine-to-machine (M2M) communication. The client
+ * authenticates with its own credentials and receives an
+ * access token without an interactive user step.
+ *
+ * No refresh token is issued (per spec and convention).
+ *
+ * Built-in OIDC scopes (e.g. `offline_access`) are rejected
+ * since they are user-centric and meaningless in an M2M context.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
+ */
+export declare function handleClientCredentialsGrant(ctx: HttpContext, manager: SesameManager): Promise<{
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    scope: string;
+}>;

package/build/src/guard/main.js

@@ -2,5 +2,5 @@ import "../../decorate-BKZEjPRg.js";
 import "../../oauth_access_token-bsoM5KeU.js";
 import "../../oauth_client-BIoY5jBR.js";
 import "../../token_service-fhoA4slP.js";
-import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "../../main-BJRXMGrZ.js";
+import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "../../main-EbeMS5S9.js";
 export { OAuthGuard, OAuthLucidUserProvider, oauthGuard, oauthUserProvider };

package/build/src/sesame_manager.d.ts

@@ -1,5 +1,5 @@
 import type { Router } from '@adonisjs/core/http';
-import type { ResolvedSesameConfig, Scope } from './types.ts';
+import { type ResolvedSesameConfig, type Scope } from './types.ts';
 export interface PurgeResult {
     accessTokens: number;
     refreshTokens: number;

package/build/src/types.d.ts

@@ -27,15 +27,38 @@ export type InferScopes<T extends {
     [K in keyof T['scopes'] & string]: true;
 };
 /**
- * Supported grant types for v1 (MCP-focused).
+ * Standard OAuth/OIDC scopes that are always valid regardless
+ * of server or client scope configuration.
+ *
+ * These scopes are:
+ * - Accepted during scope validation (client and server level)
+ * - Advertised in `scopes_supported` of all metadata endpoints
+ *   (protected resource, OIDC discovery) so MCP clients know
+ *   they can request them
+ *
+ * - `offline_access`: signals that the client needs a refresh token
+ *   (OIDC Core §11). Note: Sesame issues refresh tokens by default
+ *   when the `refresh_token` grant is enabled, regardless of whether
+ *   the client requests this scope (per RFC 6749 §5.1). This scope
+ *   is still advertised for clients that check metadata before
+ *   building their authorization request.
+ *
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+ */
+export declare const BUILTIN_SCOPES: Set<string>;
+/**
+ * Supported OAuth 2.1 grant types.
  *
  * - `authorization_code`: RFC 6749 §4.1 — Authorization Code Grant
  * - `refresh_token`: RFC 6749 §6 — Refreshing an Access Token
+ * - `client_credentials`: RFC 6749 §4.4 — Client Credentials Grant (M2M)
  *
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
  */
-export type GrantType = 'authorization_code' | 'refresh_token';
+export type GrantType = 'authorization_code' | 'refresh_token' | 'client_credentials';
 /**
  * User-facing configuration interface for Sésame.
  *
@@ -77,6 +100,11 @@ export interface SesameConfig {
      * Defaults to '30d'.
      */
     refreshTokenTtl?: string;
+    /**
+     * Access token TTL for the client_credentials grant (M2M).
+     * Defaults to `accessTokenTtl`.
+     */
+    clientCredentialsAccessTokenTtl?: string;
     /**
      * Authorization code TTL as a string duration.
      * Defaults to '10m'.
@@ -125,6 +153,7 @@ export interface ResolvedSesameConfig {
     defaultScopes: string[];
     grantTypes: GrantType[];
     accessTokenTtl: string;
+    clientCredentialsAccessTokenTtl: string;
     refreshTokenTtl: string;
     authorizationCodeTtl: string;
     authorizationRequestTtl: string;

package/build/{token_controller-BijtWj5C.js → token_controller-DzcrLMyS.js}

@@ -1,10 +1,10 @@
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, o as BUILTIN_SCOPES, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
 import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BD1CDQuC.js";
+import { t as ClientService } from "./client_service-WTNMqWzY.js";
 import { DateTime } from "luxon";
 import { createHash } from "node:crypto";
 import string from "@adonisjs/core/helpers/string";
@@ -50,7 +50,7 @@ async function handleAuthorizationCodeGrant(ctx, manager) {
 		expiresAt: DateTime.fromJSDate(expiresAt)
 	});
 	let refreshTokenRaw;
-	if (authCode.scopes.includes("offline_access")) {
+	if (manager.isGrantTypeEnabled("refresh_token")) {
 		const { raw, hash } = tokenService.createRefreshToken();
 		const refreshTtl = string.seconds.parse(manager.config.refreshTokenTtl);
 		await OAuthRefreshToken.create({
@@ -135,9 +135,46 @@ async function handleRefreshTokenGrant(ctx, manager) {
 		refresh_token: newRefreshTokenRaw
 	};
 }
+async function handleClientCredentialsGrant(ctx, manager) {
+	const tokenService = new TokenService(manager);
+	const clientService = new ClientService();
+	const body = ctx.request.body();
+	const client = await clientService.authenticateClient({
+		authorizationHeader: ctx.request.header("authorization"),
+		bodyClientId: body.client_id,
+		bodyClientSecret: body.client_secret
+	});
+	if (client.isPublic) throw new E_INVALID_CLIENT("Public clients cannot use the client_credentials grant");
+	if (!client.grantTypes.includes("client_credentials")) throw new E_INVALID_CLIENT("Client is not allowed to use the client_credentials grant");
+	const requestedScopes = body.scope ? body.scope.split(" ") : client.scopes.filter((scope) => !BUILTIN_SCOPES.has(scope));
+	const builtinRequested = requestedScopes.filter((s) => BUILTIN_SCOPES.has(s));
+	if (builtinRequested.length > 0) throw new E_INVALID_SCOPE(`Scopes not allowed for client_credentials: ${builtinRequested.join(", ")}`);
+	const invalidScopes = manager.validateScopes(requestedScopes);
+	if (invalidScopes.length > 0) throw new E_INVALID_SCOPE(`Invalid scopes: ${invalidScopes.join(", ")}`);
+	clientService.validateClientScopes(requestedScopes, client.scopes);
+	if (!client.userId) throw new E_INVALID_CLIENT("Client must be associated with a user to use the client_credentials grant");
+	const ttlSeconds = string.seconds.parse(manager.config.clientCredentialsAccessTokenTtl);
+	const { raw: accessTokenRaw, hash: tokenHash } = tokenService.createAccessToken();
+	const expiresAt = new Date(Date.now() + ttlSeconds * 1e3);
+	await OAuthAccessToken.create({
+		id: crypto.randomUUID(),
+		tokenHash,
+		clientId: client.clientId,
+		userId: client.userId,
+		scopes: requestedScopes,
+		expiresAt: DateTime.fromJSDate(expiresAt)
+	});
+	return {
+		access_token: accessTokenRaw,
+		token_type: "Bearer",
+		expires_in: ttlSeconds,
+		scope: requestedScopes.join(" ")
+	};
+}
 const grantHandlers = {
 	authorization_code: handleAuthorizationCodeGrant,
-	refresh_token: handleRefreshTokenGrant
+	refresh_token: handleRefreshTokenGrant,
+	client_credentials: handleClientCredentialsGrant
 };
 var TokenController = class TokenController {
 	static validator = vine.create({ grant_type: vine.string() });

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@julr/sesame",
   "description": "OAuth 2.1 + OIDC server for AdonisJS",
-  "version": "0.4.0",
+  "version": "0.5.1",
   "engines": {
     "node": ">=24.0.0"
   },