@keycardai/oauth 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +112 -0
  3. package/package.json +16 -9
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2024 Keycard
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,112 @@
1
+ # @keycardai/oauth
2
+
3
+ Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, authorization server discovery, and token exchange. **Zero MCP dependencies.**
4
+
5
+ This is the foundational layer of the [Keycard TypeScript SDK](../../README.md). If you're building an MCP server, you probably want [`@keycardai/mcp`](../mcp/) instead, which includes this package as a dependency.
6
+
7
+ ## Installation
8
+
9
+ ```bash
10
+ npm install @keycardai/oauth
11
+ ```
12
+
13
+ ## Quick Start
14
+
15
+ ### Sign and Verify JWTs
16
+
17
+ ```typescript
18
+ import { JWTSigner } from "@keycardai/oauth/jwt/signer";
19
+ import { JWTVerifier } from "@keycardai/oauth/jwt/verifier";
20
+ import { JWKSOAuthKeyring } from "@keycardai/oauth/keyring";
21
+
22
+ // Sign a JWT
23
+ const keyring = new JWKSOAuthKeyring();
24
+ const signer = new JWTSigner(keyring);
25
+ const token = await signer.sign({
26
+ sub: "user-123",
27
+ aud: "https://api.example.com",
28
+ scope: "read write",
29
+ });
30
+
31
+ // Verify a JWT
32
+ const verifier = new JWTVerifier(keyring);
33
+ const claims = await verifier.verify(token);
34
+ ```
35
+
36
+ ### Discover Authorization Server Metadata
37
+
38
+ ```typescript
39
+ import { fetchAuthorizationServerMetadata } from "@keycardai/oauth/discovery";
40
+
41
+ const metadata = await fetchAuthorizationServerMetadata(
42
+ "https://your-zone.keycard.cloud",
43
+ );
44
+ console.log(metadata.token_endpoint);
45
+ console.log(metadata.jwks_uri);
46
+ ```
47
+
48
+ ### Token Exchange (RFC 8693)
49
+
50
+ ```typescript
51
+ import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";
52
+
53
+ const client = new TokenExchangeClient("https://your-zone.keycard.cloud", {
54
+ clientId: "your-client-id",
55
+ clientSecret: "your-client-secret",
56
+ });
57
+
58
+ const response = await client.exchangeToken({
59
+ subjectToken: userBearerToken,
60
+ resource: "https://api.github.com",
61
+ });
62
+
63
+ console.log(response.accessToken);
64
+ ```
65
+
66
+ ## API Overview
67
+
68
+ ### JWKS Key Management
69
+
70
+ | Export | Import Path | Description |
71
+ |---|---|---|
72
+ | `JWKSOAuthKeyring` | `@keycardai/oauth/keyring` | Fetches and caches JWKS public keys from an authorization server |
73
+ | `OAuthKeyring` (type) | `@keycardai/oauth/keyring` | Interface for public key lookup by issuer and key ID |
74
+ | `PrivateKeyring` (type) | `@keycardai/oauth/keyring` | Interface for private key access (signing) |
75
+
76
+ ### JWT Signing & Verification
77
+
78
+ | Export | Import Path | Description |
79
+ |---|---|---|
80
+ | `JWTSigner` | `@keycardai/oauth/jwt/signer` | Signs JWTs with RS256 using a private keyring |
81
+ | `JWTVerifier` | `@keycardai/oauth/jwt/verifier` | Verifies JWT signatures against JWKS public keys |
82
+ | `JWTClaims` (type) | `@keycardai/oauth/jwt/signer` | Standard JWT claims (iss, sub, aud, exp, etc.) |
83
+
84
+ ### Discovery & Token Exchange
85
+
86
+ | Export | Import Path | Description |
87
+ |---|---|---|
88
+ | `fetchAuthorizationServerMetadata` | `@keycardai/oauth/discovery` | Fetches `.well-known/oauth-authorization-server` metadata |
89
+ | `TokenExchangeClient` | `@keycardai/oauth/tokenExchange` | RFC 8693 token exchange client with auto-discovery |
90
+
91
+ ### Errors
92
+
93
+ | Export | Import Path | Description |
94
+ |---|---|---|
95
+ | `HTTPError` | `@keycardai/oauth/errors` | Base HTTP error |
96
+ | `BadRequestError` | `@keycardai/oauth/errors` | 400 Bad Request |
97
+ | `UnauthorizedError` | `@keycardai/oauth/errors` | 401 Unauthorized |
98
+ | `OAuthError` | `@keycardai/oauth/errors` | OAuth error with error code and URI |
99
+ | `InvalidTokenError` | `@keycardai/oauth/errors` | Token validation failure |
100
+ | `InsufficientScopeError` | `@keycardai/oauth/errors` | Missing required scopes |
101
+
102
+ ### Utilities
103
+
104
+ | Export | Import Path | Description |
105
+ |---|---|---|
106
+ | `base64url` | `@keycardai/oauth/base64url` | Base64url encode/decode utilities |
107
+
108
+ ## Related Packages
109
+
110
+ - [`@keycardai/mcp`](../mcp/) — MCP-specific OAuth integration with Express middleware, bearer auth, and delegated access
111
+ - [`@keycardai/sdk`](../sdk/) — Aggregate package re-exporting from both oauth and mcp
112
+ - [Keycard TypeScript SDK](../../README.md) — Root documentation with full quick start guide
package/package.json CHANGED
@@ -1,8 +1,13 @@
1
1
  {
2
2
  "name": "@keycardai/oauth",
3
- "version": "0.1.0",
3
+ "version": "0.1.1",
4
4
  "description": "Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, and authorization server discovery",
5
5
  "license": "MIT",
6
+ "repository": {
7
+ "type": "git",
8
+ "url": "git+https://github.com/keycardai/typescript-sdk.git",
9
+ "directory": "packages/oauth"
10
+ },
6
11
  "type": "module",
7
12
  "exports": {
8
13
  ".": {
@@ -51,20 +56,22 @@
51
56
  ],
52
57
  "typesVersions": {
53
58
  "*": {
54
- "*": ["./dist/esm/*"]
59
+ "*": [
60
+ "./dist/esm/*"
61
+ ]
55
62
  }
56
63
  },
64
+ "dependencies": {
65
+ "zod": "^3.25.74"
66
+ },
67
+ "devDependencies": {
68
+ "typescript": "^5.8.3"
69
+ },
57
70
  "scripts": {
58
71
  "build": "pnpm run build:esm && pnpm run build:cjs",
59
72
  "build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
60
73
  "build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
61
74
  "typecheck": "tsc --noEmit",
62
75
  "clean": "rm -rf dist"
63
- },
64
- "dependencies": {
65
- "zod": "^3.25.74"
66
- },
67
- "devDependencies": {
68
- "typescript": "^5.8.3"
69
76
  }
70
- }
77
+ }