@opentdf/sdk 0.13.0-beta.119 → 0.13.0-beta.123

package/src/access.ts

@@ -1,4 +1,4 @@
-import { type AuthProvider } from './auth/auth.js';
+import { type AuthConfig, resolveAuthConfig } from './auth/interceptors.js';
 import { RewrapResponse } from './platform/kas/kas_pb.js';
 import { getPlatformUrlFromKasEndpoint, validateSecureUrl } from './utils.js';
 import { base64 } from './encodings/index.js';
@@ -37,19 +37,28 @@ export type RewrapRequest = {
 export async function fetchWrappedKey(
   url: string,
   signedRequestToken: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   fulfillableObligationFQNs: string[]
 ): Promise<RewrapResponse> {
   const platformUrl = getPlatformUrlFromKasEndpoint(url);
+  const { interceptors, authProvider } = resolveAuthConfig(auth);
+
+  const rpcCall = () =>
+    fetchWrappedKeysRpc(
+      platformUrl,
+      signedRequestToken,
+      { interceptors },
+      rewrapAdditionalContextHeader(fulfillableObligationFQNs)
+    );
+
+  // When no AuthProvider is available, skip the legacy fallback so the real
+  // RPC error propagates instead of being masked by tryPromisesUntilFirstSuccess.
+  if (!authProvider) {
+    return await rpcCall();
+  }
 
   return await tryPromisesUntilFirstSuccess(
-    () =>
-      fetchWrappedKeysRpc(
-        platformUrl,
-        signedRequestToken,
-        authProvider,
-        rewrapAdditionalContextHeader(fulfillableObligationFQNs)
-      ),
+    rpcCall,
     // We intentionally do not provide the rewrap additional context to legacy requests destined for older platforms.
     // Platforms new enough to have knowledge of obligations will be handling RPC requests successfully.
     () =>
@@ -164,11 +173,18 @@ export type KasPublicKeyInfo = {
  */
 export async function fetchKeyAccessServers(
   platformUrl: string,
-  authProvider: AuthProvider
+  auth: AuthConfig
 ): Promise<OriginAllowList> {
-  return await tryPromisesUntilFirstSuccess(
-    () => fetchKeyAccessServersRpc(platformUrl, authProvider),
-    () => fetchKeyAccessServersLegacy(platformUrl, authProvider)
+  const { interceptors, authProvider } = resolveAuthConfig(auth);
+
+  const rpcCall = () => fetchKeyAccessServersRpc(platformUrl, { interceptors });
+
+  if (!authProvider) {
+    return await rpcCall();
+  }
+
+  return await tryPromisesUntilFirstSuccess(rpcCall, () =>
+    fetchKeyAccessServersLegacy(platformUrl, authProvider)
   );
 }
 

package/src/auth/interceptors.ts

@@ -0,0 +1,197 @@
+import { type Interceptor } from '@connectrpc/connect';
+export type { Interceptor } from '@connectrpc/connect';
+import { type CryptoService, type KeyPair } from '../../tdf3/src/crypto/declarations.js';
+import * as DefaultCryptoService from '../../tdf3/src/crypto/index.js';
+import DPoP from './dpop.js';
+import { type AuthProvider } from './auth.js';
+import { base64 } from '../encodings/index.js';
+
+/**
+ * A function that returns a valid access token string.
+ * Called per-request; implementations should handle caching/refresh internally.
+ */
+export type TokenProvider = () => Promise<string>;
+
+/**
+ * Options for creating a DPoP-aware auth interceptor.
+ */
+export type DPoPInterceptorOptions = {
+  /** Function that returns a valid access token (may cache/refresh internally). */
+  tokenProvider: TokenProvider;
+  /** DPoP signing key pair. If omitted, one is generated automatically. */
+  dpopKeys?: KeyPair | Promise<KeyPair>;
+  /** CryptoService for signing. Defaults to DefaultCryptoService. */
+  cryptoService?: CryptoService;
+};
+
+/**
+ * A DPoP interceptor that also exposes the resolved signing key pair.
+ * TDF encrypt/decrypt needs these keys for request body signing (reqSignature).
+ */
+export type DPoPInterceptor = Interceptor & {
+  /** The resolved DPoP key pair, for use in TDF request token signing. */
+  readonly dpopKeys: Promise<KeyPair>;
+};
+
+/**
+ * Creates a simple bearer-token interceptor.
+ * Calls `tokenProvider()` per-request and sets the `Authorization` header.
+ *
+ * @param tokenProvider Function returning a valid access token.
+ * @returns A Connect RPC Interceptor.
+ *
+ * @example
+ * ```ts
+ * const opentdf = new OpenTDF({
+ *   interceptors: [authTokenInterceptor(() => myAuth.getAccessToken())],
+ *   platformUrl: '/api',
+ * });
+ * ```
+ */
+export function authTokenInterceptor(tokenProvider: TokenProvider): Interceptor {
+  return (next) => async (req) => {
+    const token = await tokenProvider();
+    req.header.set('Authorization', `Bearer ${token}`);
+    return next(req);
+  };
+}
+
+/**
+ * Creates a DPoP-aware auth interceptor.
+ * Per-request: gets token, generates DPoP proof JWT, sets Authorization + DPoP + X-VirtruPubKey headers.
+ * Exposes `dpopKeys` for TDF request body signing.
+ *
+ * @param options DPoP interceptor configuration.
+ * @returns A DPoP interceptor with an exposed `dpopKeys` promise.
+ *
+ * @example
+ * ```ts
+ * const dpopInterceptor = authTokenDPoPInterceptor({
+ *   tokenProvider: () => myAuth.getAccessToken(),
+ * });
+ * const opentdf = new OpenTDF({
+ *   interceptors: [dpopInterceptor],
+ *   dpopKeys: dpopInterceptor.dpopKeys,
+ *   platformUrl: '/api',
+ * });
+ * ```
+ */
+export function authTokenDPoPInterceptor(options: DPoPInterceptorOptions): DPoPInterceptor {
+  const cryptoService = options.cryptoService ?? DefaultCryptoService;
+  const dpopKeysPromise: Promise<KeyPair> = options.dpopKeys
+    ? Promise.resolve(options.dpopKeys)
+    : cryptoService.generateSigningKeyPair();
+
+  const interceptor: Interceptor = (next) => async (req) => {
+    const [token, keys] = await Promise.all([options.tokenProvider(), dpopKeysPromise]);
+
+    const url = new URL(req.url);
+    const httpUri = `${url.origin}${url.pathname}`;
+
+    // Generate DPoP proof JWT for this request
+    const dpopProof = await DPoP(keys, cryptoService, httpUri, 'POST');
+
+    // Export public key PEM for X-VirtruPubKey header
+    const publicKeyPem = await cryptoService.exportPublicKeyPem(keys.publicKey);
+
+    req.header.set('Authorization', `Bearer ${token}`);
+    req.header.set('DPoP', dpopProof);
+    req.header.set('X-VirtruPubKey', base64.encode(publicKeyPem));
+
+    return next(req);
+  };
+
+  // Attach dpopKeys to the interceptor function
+  const dpopInterceptor = interceptor as DPoPInterceptor;
+  Object.defineProperty(dpopInterceptor, 'dpopKeys', {
+    value: dpopKeysPromise,
+    writable: false,
+    enumerable: true,
+  });
+
+  return dpopInterceptor;
+}
+
+/**
+ * Creates an interceptor that bridges an existing AuthProvider to the Interceptor pattern.
+ * Use this for backwards compatibility when migrating from AuthProvider to interceptors.
+ *
+ * @param authProvider The legacy AuthProvider to bridge.
+ * @returns A Connect RPC Interceptor.
+ */
+export function authProviderInterceptor(authProvider: AuthProvider): Interceptor {
+  return (next) => async (req) => {
+    const url = new URL(req.url);
+    const pathOnly = url.pathname;
+    // Signs only the path of the url in the request
+    let token;
+    try {
+      token = await authProvider.withCreds({
+        url: pathOnly,
+        method: 'POST',
+        // Start with any headers Connect already has
+        headers: {
+          ...Object.fromEntries(req.header.entries()),
+          'Content-Type': 'application/json',
+        },
+      });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes('public key') || msg.includes('updateClientPublicKey')) {
+        throw new Error(
+          'PlatformClient: DPoP key binding is not complete. ' +
+            'If you are using OpenTDF with PlatformClient, create OpenTDF first and ' +
+            '`await client.ready` before constructing PlatformClient. ' +
+            `Original error: ${msg}`
+        );
+      }
+      throw err;
+    }
+
+    Object.entries(token.headers).forEach(([key, value]) => {
+      req.header.set(key, value);
+    });
+
+    return await next(req);
+  };
+}
+
+/**
+ * Auth configuration: either a legacy AuthProvider or an object with interceptors.
+ */
+export type AuthConfig = AuthProvider | { interceptors: Interceptor[] };
+
+/**
+ * Type guard for AuthConfig with interceptors.
+ */
+export function isInterceptorConfig(auth: AuthConfig): auth is { interceptors: Interceptor[] } {
+  return 'interceptors' in auth && Array.isArray((auth as { interceptors: unknown }).interceptors);
+}
+
+/**
+ * Resolves an AuthConfig into interceptors for use with PlatformClient.
+ * If the config is an AuthProvider, it is bridged via authProviderInterceptor.
+ */
+export function resolveInterceptors(auth: AuthConfig): Interceptor[] {
+  if (isInterceptorConfig(auth)) {
+    return auth.interceptors;
+  }
+  return [authProviderInterceptor(auth)];
+}
+
+/**
+ * Resolves an AuthConfig into both interceptors and an optional AuthProvider.
+ * The AuthProvider is available for legacy code paths that need withCreds().
+ */
+export function resolveAuthConfig(auth: AuthConfig): {
+  interceptors: Interceptor[];
+  authProvider?: AuthProvider;
+} {
+  if (isInterceptorConfig(auth)) {
+    return { interceptors: auth.interceptors };
+  }
+  return {
+    interceptors: [authProviderInterceptor(auth)],
+    authProvider: auth,
+  };
+}

package/src/auth/oidc.ts

@@ -11,7 +11,7 @@ import { type CryptoService, type KeyPair } from '../../tdf3/src/crypto/declarat
 export type CommonCredentials = {
   /** The OIDC client ID used for token issuance and exchange flows */
   clientId: string;
-  /** The endpoint of the OIDC IdP to authenticate against, ex. 'https://virtru.com/auth' */
+  /** The endpoint of the OIDC IdP to authenticate against, ex. 'https://keycloak.opentdf.local/auth' */
   oidcOrigin: string;
   oidcTokenEndpoint?: string;
   oidcUserInfoEndpoint?: string;
@@ -176,6 +176,8 @@ export class AccessToken {
       }
       // Export opaque public key to PEM format for header
       const publicKeyPem = await this.cryptoService.exportPublicKeyPem(this.signingKey.publicKey);
+      // TODO: Rename to X-OpenTDF-PubKey; requires coordinated change with
+      // platform Keycloak mapper (lib/fixtures/keycloak.go `client.publickey`).
       headers['X-VirtruPubKey'] = base64.encode(publicKeyPem);
       headers.DPoP = await dpopFn(this.signingKey, this.cryptoService, url, 'POST');
     }
@@ -300,9 +302,9 @@ export class AccessToken {
   }
 
   async withCreds(httpReq: HttpRequest): Promise<HttpRequest> {
-    if (!this.signingKey) {
+    if (this.config.dpopEnabled && !this.signingKey) {
       throw new ConfigurationError(
-        'Client public key was not set via `updateClientPublicKey` or passed in via constructor, cannot fetch OIDC token with valid Virtru claims'
+        'Client public key was not set via `updateClientPublicKey` or passed in via constructor; required when DPoP is enabled'
       );
     }
     const accessToken = (this.currentAccessToken ??= await this.get());

package/src/index.ts

@@ -1,5 +1,15 @@
 export { type AuthProvider, type HttpMethod, HttpRequest, withHeaders } from './auth/auth.js';
 export * as AuthProviders from './auth/providers.js';
+export {
+  authTokenInterceptor,
+  authTokenDPoPInterceptor,
+  authProviderInterceptor,
+  type AuthConfig,
+  type DPoPInterceptor,
+  type DPoPInterceptorOptions,
+  type Interceptor,
+  type TokenProvider,
+} from './auth/interceptors.js';
 export { attributeFQNsAsValues } from './policy/api.js';
 export {
   listAttributes,

package/src/opentdf.ts

@@ -1,4 +1,5 @@
 import { type AuthProvider } from './auth/providers.js';
+import { type Interceptor } from '@connectrpc/connect';
 import { ConfigurationError, InvalidFileError } from './errors.js';
 export { Client as TDF3Client } from '../tdf3/src/client/index.js';
 import { Chunker, fromSource, sourceToStream, type Source } from './seekable.js';
@@ -164,8 +165,17 @@ export type OpenTDFOptions = {
   /** Platform URL. */
   platformUrl?: string;
 
-  /** Auth provider for connections to the policy service and KASes. */
-  authProvider: AuthProvider;
+  /**
+   * Connect RPC interceptors for authentication. Preferred over authProvider.
+   * Use `authTokenInterceptor()` or `authTokenDPoPInterceptor()` to create interceptors.
+   */
+  interceptors?: Interceptor[];
+
+  /**
+   * Auth provider for connections to the policy service and KASes.
+   * @deprecated since 0.14.0. Use `interceptors` with `authTokenInterceptor()` or `authTokenDPoPInterceptor()` instead.
+   */
+  authProvider?: AuthProvider;
 
   /** Default settings for 'encrypt' type requests. */
   defaultCreateOptions?: Omit<CreateOptions, 'source'>;
@@ -236,18 +246,10 @@ export type TDFReader = {
  * It also requires a platform URL to be set, which is used to fetch key access servers and policies.
  * @example
  * ```
- * import { type Chunker, OpenTDF } from '@opentdf/sdk';
- *
- * const oidcCredentials: RefreshTokenCredentials = {
- *   clientId: keycloakClientId,
- *   exchange: 'refresh',
- *   refreshToken: refreshToken,
- *   oidcOrigin: keycloakUrl,
- * };
- * const authProvider = await AuthProviders.refreshAuthProvider(oidcCredentials);
+ * import { authTokenInterceptor, OpenTDF } from '@opentdf/sdk';
  *
  * const client = new OpenTDF({
- *   authProvider,
+ *   interceptors: [authTokenInterceptor(() => `${myAuth.token.accessToken}`)],
  *   platformUrl: 'https://platform.example.com',
  * });
  *
@@ -264,8 +266,10 @@ export class OpenTDF {
   readonly platformUrl: string;
   /** The policy service endpoint */
   readonly policyEndpoint: string;
-  /** The auth provider for the OpenTDF instance. */
-  readonly authProvider: AuthProvider;
+  /** The auth provider for the OpenTDF instance (deprecated, use interceptors). */
+  readonly authProvider?: AuthProvider;
+  /** Connect RPC interceptors for authentication. */
+  readonly interceptors?: Interceptor[];
   /** If DPoP is enabled for this instance. */
   readonly dpopEnabled: boolean;
   /** Default options for creating TDF objects. */
@@ -283,6 +287,7 @@ export class OpenTDF {
 
   constructor({
     authProvider,
+    interceptors,
     dpopKeys,
     defaultCreateOptions,
     defaultReadOptions,
@@ -291,7 +296,11 @@ export class OpenTDF {
     platformUrl,
     cryptoService,
   }: OpenTDFOptions) {
+    if (!authProvider && !interceptors?.length) {
+      throw new ConfigurationError('Either authProvider or interceptors must be provided.');
+    }
     this.authProvider = authProvider;
+    this.interceptors = interceptors;
     this.defaultCreateOptions = defaultCreateOptions || {};
     this.defaultReadOptions = defaultReadOptions || {};
     this.dpopEnabled = !disableDPoP;
@@ -308,6 +317,7 @@ export class OpenTDF {
     this.dpopKeys = dpopKeys ?? this.cryptoService.generateSigningKeyPair();
     this.tdf3Client = new TDF3Client({
       authProvider,
+      interceptors,
       dpopEnabled: this.dpopEnabled,
       dpopKeys: this.dpopEnabled ? this.dpopKeys : undefined,
       kasEndpoint: this.platformUrl || 'https://disallow.all.invalid',
@@ -315,21 +325,31 @@ export class OpenTDF {
       policyEndpoint,
       cryptoService: this.cryptoService,
     });
-    // Eagerly bind DPoP keys to the auth provider so PlatformClient
-    // can make gRPC calls without waiting for a TDF operation first.
-    // Note: TDF3Client.createSessionKeys() also calls updateClientPublicKey
-    // with the same keys, but the duplicate call is benign —
-    // refreshTokenClaimsWithClientPubkeyIfNeeded short-circuits when
-    // the signing key hasn't changed.
-    this.ready = this.dpopEnabled
-      ? this.dpopKeys.then((keys) => authProvider.updateClientPublicKey(keys))
-      : Promise.resolve();
-    // Prevent unhandled rejection if caller doesn't await ready.
-    // The error will still surface via TDF3Client's own key binding
-    // when encrypt/decrypt is called.
-    this.ready.catch((err) => {
-      console.warn('OpenTDF: DPoP key binding failed during initialization:', err);
-    });
+
+    if (interceptors?.length && !authProvider) {
+      // Interceptor path: no updateClientPublicKey needed.
+      // DPoP key binding is handled by the interceptor itself.
+      this.ready = Promise.resolve();
+    } else if (authProvider) {
+      // Legacy AuthProvider path: eagerly bind DPoP keys to the auth provider
+      // so PlatformClient can make gRPC calls without waiting for a TDF
+      // operation first.
+      // Note: TDF3Client.createSessionKeys() also calls updateClientPublicKey
+      // with the same keys, but the duplicate call is benign —
+      // refreshTokenClaimsWithClientPubkeyIfNeeded short-circuits when
+      // the signing key hasn't changed.
+      this.ready = this.dpopEnabled
+        ? this.dpopKeys.then((keys) => authProvider.updateClientPublicKey(keys))
+        : Promise.resolve();
+      // Prevent unhandled rejection if caller doesn't await ready.
+      // The error will still surface via TDF3Client's own key binding
+      // when encrypt/decrypt is called.
+      this.ready.catch((err) => {
+        console.warn('OpenTDF: DPoP key binding failed during initialization:', err);
+      });
+    } else {
+      this.ready = Promise.resolve();
+    }
   }
 
   /** Creates a new TDF stream. */
@@ -485,9 +505,9 @@ class ZTDFReader {
 
     const dpopKeys = await this.client.dpopKeys;
 
-    const { authProvider, cryptoService } = this.client;
-    if (!authProvider) {
-      throw new ConfigurationError('authProvider is required');
+    const { auth, cryptoService } = this.client;
+    if (!auth) {
+      throw new ConfigurationError('authProvider or interceptors are required');
     }
 
     let allowList: OriginAllowList | undefined;
@@ -498,14 +518,14 @@ class ZTDFReader {
         this.opts.ignoreAllowlist
       );
     } else if (this.opts.platformUrl) {
-      allowList = await fetchKeyAccessServers(this.opts.platformUrl, authProvider);
+      allowList = await fetchKeyAccessServers(this.opts.platformUrl, auth);
     }
 
     const overview = await this.overview;
     const oldStream = await decryptStreamFrom(
       {
         allowList,
-        authProvider,
+        auth,
         chunker: this.source,
         concurrencyLimit: 1,
         cryptoService,

package/src/platform.ts

@@ -3,7 +3,8 @@ export * as platformConnectWeb from '@connectrpc/connect-web';
 export * as platformConnect from '@connectrpc/connect';
 
 import { createConnectTransport } from '@connectrpc/connect-web';
-import { AuthProvider } from '../tdf3/index.js';
+import type { AuthProvider } from '../tdf3/index.js';
+import { authProviderInterceptor } from './auth/interceptors.js';
 
 import { Client, createClient, Interceptor } from '@connectrpc/connect';
 import { WellKnownService } from './platform/wellknownconfiguration/wellknown_configuration_pb.js';
@@ -44,9 +45,12 @@ export interface PlatformServicesV2 {
 }
 
 export interface PlatformClientOptions {
-  /** Optional authentication provider for generating auth interceptor. */
+  /**
+   * Authentication provider for generating auth interceptor.
+   * @deprecated since 0.14.0. Use `interceptors` with `authTokenInterceptor()` or `authTokenDPoPInterceptor()` instead.
+   */
   authProvider?: AuthProvider;
-  /** Array of custom interceptors to apply to rpc requests. */
+  /** Array of interceptors to apply to rpc requests. Preferred over authProvider. */
   interceptors?: Interceptor[];
   /** Base URL of the platform API. */
   platformUrl: string;
@@ -85,8 +89,7 @@ export class PlatformClient {
     const interceptors: Interceptor[] = [];
 
     if (options.authProvider) {
-      const authInterceptor = createAuthInterceptor(options.authProvider);
-      interceptors.push(authInterceptor);
+      interceptors.push(authProviderInterceptor(options.authProvider));
     }
 
     if (options.interceptors?.length) {
@@ -120,50 +123,3 @@ export class PlatformClient {
     };
   }
 }
-
-/**
- * Creates an interceptor that adds authentication headers to outgoing requests.
- *
- * This function uses the provided `AuthProvider` to generate authentication credentials
- * for each request. The `AuthProvider` is expected to implement a `withCreds` method
- * that returns an object containing authentication headers. These headers are then
- * added to the request before it is sent to the server.
- *
- */
-function createAuthInterceptor(authProvider: AuthProvider): Interceptor {
-  const authInterceptor: Interceptor = (next) => async (req) => {
-    const url = new URL(req.url);
-    const pathOnly = url.pathname;
-    // Signs only the path of the url in the request
-    let token;
-    try {
-      token = await authProvider.withCreds({
-        url: pathOnly,
-        method: 'POST',
-        // Start with any headers Connect already has
-        headers: {
-          ...Object.fromEntries(req.header.entries()),
-          'Content-Type': 'application/json',
-        },
-      });
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (msg.includes('public key') || msg.includes('updateClientPublicKey')) {
-        throw new Error(
-          'PlatformClient: DPoP key binding is not complete. ' +
-            'If you are using OpenTDF with PlatformClient, create OpenTDF first and ' +
-            '`await client.ready` before constructing PlatformClient. ' +
-            `Original error: ${msg}`
-        );
-      }
-      throw err;
-    }
-
-    Object.entries(token.headers).forEach(([key, value]) => {
-      req.header.set(key, value);
-    });
-
-    return await next(req);
-  };
-  return authInterceptor;
-}

package/src/policy/api.ts

@@ -1,5 +1,5 @@
 import { NetworkError } from '../errors.js';
-import { AuthProvider } from '../auth/auth.js';
+import { type AuthConfig, resolveInterceptors } from '../auth/interceptors.js';
 import { extractRpcErrorMessage, getPlatformUrlFromKasEndpoint } from '../utils.js';
 import { PlatformClient } from '../platform.js';
 import { Value } from './attributes.js';
@@ -12,11 +12,11 @@ import { ValueSchema } from '../platform/policy/objects_pb.js';
 // TODO KAS: go over web-sdk and remove policyEndpoint that is only defined to be used here
 export async function attributeFQNsAsValues(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   ...fqns: string[]
 ): Promise<Value[]> {
   platformUrl = getPlatformUrlFromKasEndpoint(platformUrl);
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
 
   let response: GetAttributeValuesByFqnsResponse;
   try {
@@ -52,7 +52,7 @@ export async function attributeFQNsAsValues(
 // Get root certificates from a namespace
 export async function getRootCertsFromNamespace(
   platformUrl: string,
-  authProvider?: AuthProvider,
+  auth?: AuthConfig,
   namespaceId?: string,
   fqn?: string
 ): Promise<Certificate[]> {
@@ -63,7 +63,10 @@ export async function getRootCertsFromNamespace(
     throw new Error('Either namespaceId or fqn must be provided');
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({
+    ...(auth ? { interceptors: resolveInterceptors(auth) } : {}),
+    platformUrl,
+  });
 
   let response: GetNamespaceResponse;
   try {

package/src/policy/discovery.ts

@@ -1,6 +1,6 @@
 import { ConnectError, Code } from '@connectrpc/connect';
 import { AttributeNotFoundError, ConfigurationError, NetworkError } from '../errors.js';
-import { type AuthProvider } from '../auth/auth.js';
+import { type AuthConfig, resolveInterceptors } from '../auth/interceptors.js';
 import { extractRpcErrorMessage, validateSecureUrl } from '../utils.js';
 import { PlatformClient } from '../platform.js';
 import type { Attribute } from '../platform/policy/objects_pb.js';
@@ -49,13 +49,13 @@ const ATTRIBUTE_FQN_RE = /^https?:\/\/[a-zA-Z0-9._~%-]+\/attr\/[a-zA-Z0-9._~%-]+
  */
 export async function listAttributes(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   namespace?: string
 ): Promise<Attribute[]> {
   if (!validateSecureUrl(platformUrl)) {
     throw new ConfigurationError('platformUrl must use HTTPS protocol');
   }
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   const result: Attribute[] = [];
   let nextOffset = 0;
 
@@ -106,7 +106,7 @@ export async function listAttributes(
  */
 export async function validateAttributes(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   fqns: string[]
 ): Promise<void> {
   if (!fqns || fqns.length === 0) {
@@ -129,7 +129,7 @@ export async function validateAttributes(
     }
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   let resp;
   try {
     resp = await platform.v1.attributes.getAttributeValuesByFqns({ fqns });
@@ -159,7 +159,7 @@ export async function validateAttributes(
  */
 export async function attributeExists(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   attributeFqn: string
 ): Promise<boolean> {
   if (!validateSecureUrl(platformUrl)) {
@@ -170,7 +170,7 @@ export async function attributeExists(
     throw new ConfigurationError('invalid attribute FQN format');
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   try {
     await platform.v1.attributes.getAttribute({
       identifier: { case: 'fqn', value: attributeFqn },
@@ -199,7 +199,7 @@ export async function attributeExists(
  */
 export async function attributeValueExists(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   valueFqn: string
 ): Promise<boolean> {
   if (!validateSecureUrl(platformUrl)) {
@@ -210,7 +210,7 @@ export async function attributeValueExists(
     throw new ConfigurationError('invalid attribute value FQN format');
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   let resp;
   try {
     resp = await platform.v1.attributes.getAttributeValuesByFqns({ fqns: [valueFqn] });