@opentdf/sdk 0.13.0-beta.122 → 0.13.0-beta.123

package/src/opentdf.ts

@@ -1,4 +1,5 @@
 import { type AuthProvider } from './auth/providers.js';
+import { type Interceptor } from '@connectrpc/connect';
 import { ConfigurationError, InvalidFileError } from './errors.js';
 export { Client as TDF3Client } from '../tdf3/src/client/index.js';
 import { Chunker, fromSource, sourceToStream, type Source } from './seekable.js';
@@ -164,8 +165,17 @@ export type OpenTDFOptions = {
   /** Platform URL. */
   platformUrl?: string;
 
-  /** Auth provider for connections to the policy service and KASes. */
-  authProvider: AuthProvider;
+  /**
+   * Connect RPC interceptors for authentication. Preferred over authProvider.
+   * Use `authTokenInterceptor()` or `authTokenDPoPInterceptor()` to create interceptors.
+   */
+  interceptors?: Interceptor[];
+
+  /**
+   * Auth provider for connections to the policy service and KASes.
+   * @deprecated since 0.14.0. Use `interceptors` with `authTokenInterceptor()` or `authTokenDPoPInterceptor()` instead.
+   */
+  authProvider?: AuthProvider;
 
   /** Default settings for 'encrypt' type requests. */
   defaultCreateOptions?: Omit<CreateOptions, 'source'>;
@@ -236,18 +246,10 @@ export type TDFReader = {
  * It also requires a platform URL to be set, which is used to fetch key access servers and policies.
  * @example
  * ```
- * import { type Chunker, OpenTDF } from '@opentdf/sdk';
- *
- * const oidcCredentials: RefreshTokenCredentials = {
- *   clientId: keycloakClientId,
- *   exchange: 'refresh',
- *   refreshToken: refreshToken,
- *   oidcOrigin: keycloakUrl,
- * };
- * const authProvider = await AuthProviders.refreshAuthProvider(oidcCredentials);
+ * import { authTokenInterceptor, OpenTDF } from '@opentdf/sdk';
  *
  * const client = new OpenTDF({
- *   authProvider,
+ *   interceptors: [authTokenInterceptor(() => `${myAuth.token.accessToken}`)],
  *   platformUrl: 'https://platform.example.com',
  * });
  *
@@ -264,8 +266,10 @@ export class OpenTDF {
   readonly platformUrl: string;
   /** The policy service endpoint */
   readonly policyEndpoint: string;
-  /** The auth provider for the OpenTDF instance. */
-  readonly authProvider: AuthProvider;
+  /** The auth provider for the OpenTDF instance (deprecated, use interceptors). */
+  readonly authProvider?: AuthProvider;
+  /** Connect RPC interceptors for authentication. */
+  readonly interceptors?: Interceptor[];
   /** If DPoP is enabled for this instance. */
   readonly dpopEnabled: boolean;
   /** Default options for creating TDF objects. */
@@ -283,6 +287,7 @@ export class OpenTDF {
 
   constructor({
     authProvider,
+    interceptors,
     dpopKeys,
     defaultCreateOptions,
     defaultReadOptions,
@@ -291,7 +296,11 @@ export class OpenTDF {
     platformUrl,
     cryptoService,
   }: OpenTDFOptions) {
+    if (!authProvider && !interceptors?.length) {
+      throw new ConfigurationError('Either authProvider or interceptors must be provided.');
+    }
     this.authProvider = authProvider;
+    this.interceptors = interceptors;
     this.defaultCreateOptions = defaultCreateOptions || {};
     this.defaultReadOptions = defaultReadOptions || {};
     this.dpopEnabled = !disableDPoP;
@@ -308,6 +317,7 @@ export class OpenTDF {
     this.dpopKeys = dpopKeys ?? this.cryptoService.generateSigningKeyPair();
     this.tdf3Client = new TDF3Client({
       authProvider,
+      interceptors,
       dpopEnabled: this.dpopEnabled,
       dpopKeys: this.dpopEnabled ? this.dpopKeys : undefined,
       kasEndpoint: this.platformUrl || 'https://disallow.all.invalid',
@@ -315,21 +325,31 @@ export class OpenTDF {
       policyEndpoint,
       cryptoService: this.cryptoService,
     });
-    // Eagerly bind DPoP keys to the auth provider so PlatformClient
-    // can make gRPC calls without waiting for a TDF operation first.
-    // Note: TDF3Client.createSessionKeys() also calls updateClientPublicKey
-    // with the same keys, but the duplicate call is benign —
-    // refreshTokenClaimsWithClientPubkeyIfNeeded short-circuits when
-    // the signing key hasn't changed.
-    this.ready = this.dpopEnabled
-      ? this.dpopKeys.then((keys) => authProvider.updateClientPublicKey(keys))
-      : Promise.resolve();
-    // Prevent unhandled rejection if caller doesn't await ready.
-    // The error will still surface via TDF3Client's own key binding
-    // when encrypt/decrypt is called.
-    this.ready.catch((err) => {
-      console.warn('OpenTDF: DPoP key binding failed during initialization:', err);
-    });
+
+    if (interceptors?.length && !authProvider) {
+      // Interceptor path: no updateClientPublicKey needed.
+      // DPoP key binding is handled by the interceptor itself.
+      this.ready = Promise.resolve();
+    } else if (authProvider) {
+      // Legacy AuthProvider path: eagerly bind DPoP keys to the auth provider
+      // so PlatformClient can make gRPC calls without waiting for a TDF
+      // operation first.
+      // Note: TDF3Client.createSessionKeys() also calls updateClientPublicKey
+      // with the same keys, but the duplicate call is benign —
+      // refreshTokenClaimsWithClientPubkeyIfNeeded short-circuits when
+      // the signing key hasn't changed.
+      this.ready = this.dpopEnabled
+        ? this.dpopKeys.then((keys) => authProvider.updateClientPublicKey(keys))
+        : Promise.resolve();
+      // Prevent unhandled rejection if caller doesn't await ready.
+      // The error will still surface via TDF3Client's own key binding
+      // when encrypt/decrypt is called.
+      this.ready.catch((err) => {
+        console.warn('OpenTDF: DPoP key binding failed during initialization:', err);
+      });
+    } else {
+      this.ready = Promise.resolve();
+    }
   }
 
   /** Creates a new TDF stream. */
@@ -485,9 +505,9 @@ class ZTDFReader {
 
     const dpopKeys = await this.client.dpopKeys;
 
-    const { authProvider, cryptoService } = this.client;
-    if (!authProvider) {
-      throw new ConfigurationError('authProvider is required');
+    const { auth, cryptoService } = this.client;
+    if (!auth) {
+      throw new ConfigurationError('authProvider or interceptors are required');
     }
 
     let allowList: OriginAllowList | undefined;
@@ -498,14 +518,14 @@ class ZTDFReader {
         this.opts.ignoreAllowlist
       );
     } else if (this.opts.platformUrl) {
-      allowList = await fetchKeyAccessServers(this.opts.platformUrl, authProvider);
+      allowList = await fetchKeyAccessServers(this.opts.platformUrl, auth);
     }
 
     const overview = await this.overview;
     const oldStream = await decryptStreamFrom(
       {
         allowList,
-        authProvider,
+        auth,
         chunker: this.source,
         concurrencyLimit: 1,
         cryptoService,

package/src/platform.ts

@@ -3,7 +3,8 @@ export * as platformConnectWeb from '@connectrpc/connect-web';
 export * as platformConnect from '@connectrpc/connect';
 
 import { createConnectTransport } from '@connectrpc/connect-web';
-import { AuthProvider } from '../tdf3/index.js';
+import type { AuthProvider } from '../tdf3/index.js';
+import { authProviderInterceptor } from './auth/interceptors.js';
 
 import { Client, createClient, Interceptor } from '@connectrpc/connect';
 import { WellKnownService } from './platform/wellknownconfiguration/wellknown_configuration_pb.js';
@@ -44,9 +45,12 @@ export interface PlatformServicesV2 {
 }
 
 export interface PlatformClientOptions {
-  /** Optional authentication provider for generating auth interceptor. */
+  /**
+   * Authentication provider for generating auth interceptor.
+   * @deprecated since 0.14.0. Use `interceptors` with `authTokenInterceptor()` or `authTokenDPoPInterceptor()` instead.
+   */
   authProvider?: AuthProvider;
-  /** Array of custom interceptors to apply to rpc requests. */
+  /** Array of interceptors to apply to rpc requests. Preferred over authProvider. */
   interceptors?: Interceptor[];
   /** Base URL of the platform API. */
   platformUrl: string;
@@ -85,8 +89,7 @@ export class PlatformClient {
     const interceptors: Interceptor[] = [];
 
     if (options.authProvider) {
-      const authInterceptor = createAuthInterceptor(options.authProvider);
-      interceptors.push(authInterceptor);
+      interceptors.push(authProviderInterceptor(options.authProvider));
     }
 
     if (options.interceptors?.length) {
@@ -120,50 +123,3 @@ export class PlatformClient {
     };
   }
 }
-
-/**
- * Creates an interceptor that adds authentication headers to outgoing requests.
- *
- * This function uses the provided `AuthProvider` to generate authentication credentials
- * for each request. The `AuthProvider` is expected to implement a `withCreds` method
- * that returns an object containing authentication headers. These headers are then
- * added to the request before it is sent to the server.
- *
- */
-function createAuthInterceptor(authProvider: AuthProvider): Interceptor {
-  const authInterceptor: Interceptor = (next) => async (req) => {
-    const url = new URL(req.url);
-    const pathOnly = url.pathname;
-    // Signs only the path of the url in the request
-    let token;
-    try {
-      token = await authProvider.withCreds({
-        url: pathOnly,
-        method: 'POST',
-        // Start with any headers Connect already has
-        headers: {
-          ...Object.fromEntries(req.header.entries()),
-          'Content-Type': 'application/json',
-        },
-      });
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (msg.includes('public key') || msg.includes('updateClientPublicKey')) {
-        throw new Error(
-          'PlatformClient: DPoP key binding is not complete. ' +
-            'If you are using OpenTDF with PlatformClient, create OpenTDF first and ' +
-            '`await client.ready` before constructing PlatformClient. ' +
-            `Original error: ${msg}`
-        );
-      }
-      throw err;
-    }
-
-    Object.entries(token.headers).forEach(([key, value]) => {
-      req.header.set(key, value);
-    });
-
-    return await next(req);
-  };
-  return authInterceptor;
-}

package/src/policy/api.ts

@@ -1,5 +1,5 @@
 import { NetworkError } from '../errors.js';
-import { AuthProvider } from '../auth/auth.js';
+import { type AuthConfig, resolveInterceptors } from '../auth/interceptors.js';
 import { extractRpcErrorMessage, getPlatformUrlFromKasEndpoint } from '../utils.js';
 import { PlatformClient } from '../platform.js';
 import { Value } from './attributes.js';
@@ -12,11 +12,11 @@ import { ValueSchema } from '../platform/policy/objects_pb.js';
 // TODO KAS: go over web-sdk and remove policyEndpoint that is only defined to be used here
 export async function attributeFQNsAsValues(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   ...fqns: string[]
 ): Promise<Value[]> {
   platformUrl = getPlatformUrlFromKasEndpoint(platformUrl);
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
 
   let response: GetAttributeValuesByFqnsResponse;
   try {
@@ -52,7 +52,7 @@ export async function attributeFQNsAsValues(
 // Get root certificates from a namespace
 export async function getRootCertsFromNamespace(
   platformUrl: string,
-  authProvider?: AuthProvider,
+  auth?: AuthConfig,
   namespaceId?: string,
   fqn?: string
 ): Promise<Certificate[]> {
@@ -63,7 +63,10 @@ export async function getRootCertsFromNamespace(
     throw new Error('Either namespaceId or fqn must be provided');
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({
+    ...(auth ? { interceptors: resolveInterceptors(auth) } : {}),
+    platformUrl,
+  });
 
   let response: GetNamespaceResponse;
   try {

package/src/policy/discovery.ts

@@ -1,6 +1,6 @@
 import { ConnectError, Code } from '@connectrpc/connect';
 import { AttributeNotFoundError, ConfigurationError, NetworkError } from '../errors.js';
-import { type AuthProvider } from '../auth/auth.js';
+import { type AuthConfig, resolveInterceptors } from '../auth/interceptors.js';
 import { extractRpcErrorMessage, validateSecureUrl } from '../utils.js';
 import { PlatformClient } from '../platform.js';
 import type { Attribute } from '../platform/policy/objects_pb.js';
@@ -49,13 +49,13 @@ const ATTRIBUTE_FQN_RE = /^https?:\/\/[a-zA-Z0-9._~%-]+\/attr\/[a-zA-Z0-9._~%-]+
  */
 export async function listAttributes(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   namespace?: string
 ): Promise<Attribute[]> {
   if (!validateSecureUrl(platformUrl)) {
     throw new ConfigurationError('platformUrl must use HTTPS protocol');
   }
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   const result: Attribute[] = [];
   let nextOffset = 0;
 
@@ -106,7 +106,7 @@ export async function listAttributes(
  */
 export async function validateAttributes(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   fqns: string[]
 ): Promise<void> {
   if (!fqns || fqns.length === 0) {
@@ -129,7 +129,7 @@ export async function validateAttributes(
     }
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   let resp;
   try {
     resp = await platform.v1.attributes.getAttributeValuesByFqns({ fqns });
@@ -159,7 +159,7 @@ export async function validateAttributes(
  */
 export async function attributeExists(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   attributeFqn: string
 ): Promise<boolean> {
   if (!validateSecureUrl(platformUrl)) {
@@ -170,7 +170,7 @@ export async function attributeExists(
     throw new ConfigurationError('invalid attribute FQN format');
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   try {
     await platform.v1.attributes.getAttribute({
       identifier: { case: 'fqn', value: attributeFqn },
@@ -199,7 +199,7 @@ export async function attributeExists(
  */
 export async function attributeValueExists(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   valueFqn: string
 ): Promise<boolean> {
   if (!validateSecureUrl(platformUrl)) {
@@ -210,7 +210,7 @@ export async function attributeValueExists(
     throw new ConfigurationError('invalid attribute value FQN format');
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   let resp;
   try {
     resp = await platform.v1.attributes.getAttributeValuesByFqns({ fqns: [valueFqn] });

package/tdf3/src/client/index.ts

@@ -19,6 +19,8 @@ import { OIDCRefreshTokenProvider } from '../../../src/auth/oidc-refreshtoken-pr
 import { OIDCExternalJwtProvider } from '../../../src/auth/oidc-externaljwt-provider.js';
 import { CryptoService } from '../crypto/declarations.js';
 import { type AuthProvider, HttpRequest, withHeaders } from '../../../src/auth/auth.js';
+import { type AuthConfig } from '../../../src/auth/interceptors.js';
+import { type Interceptor } from '@connectrpc/connect';
 import { getPlatformUrlFromKasEndpoint, rstrip, validateSecureUrl } from '../../../src/utils.js';
 
 import {
@@ -154,7 +156,10 @@ export interface ClientConfig {
   kasPublicKey?: string;
   oidcOrigin?: string;
   externalJwt?: string;
+  /** @deprecated since 0.14.0. Use `interceptors` instead. */
   authProvider?: AuthProvider;
+  /** Connect RPC interceptors for authentication. Preferred over authProvider. */
+  interceptors?: Interceptor[];
   readerUrl?: string;
   entityObjectEndpoint?: string;
   fileStreamServiceWorker?: string;
@@ -347,7 +352,11 @@ export class Client {
 
   readonly clientId?: string;
 
-  readonly authProvider?: AuthProvider;
+  /**
+   * Resolved auth configuration. Set once in the constructor from either
+   * authProvider or interceptors. Threaded through all internal layers.
+   */
+  readonly auth?: AuthConfig;
 
   readonly readerUrl?: string;
 
@@ -424,13 +433,16 @@ export class Client {
       this.easEndpoint = clientConfig.easEndpoint;
     }
 
-    this.authProvider = config.authProvider;
     this.clientConfig = clientConfig;
 
+    // Resolve auth once at the boundary. Internally, only `this.auth` is used.
+    let authProvider = config.authProvider;
     this.clientId = clientConfig.clientId;
-    if (!this.authProvider) {
+    if (!authProvider && !config.interceptors?.length) {
       if (!clientConfig.clientId) {
-        throw new ConfigurationError('Client ID or custom AuthProvider must be defined');
+        throw new ConfigurationError(
+          'Client ID, custom AuthProvider, or interceptors must be defined'
+        );
       }
 
       //Are we exchanging a refreshToken for a bearer token (normal AuthCode browser auth flow)?
@@ -438,7 +450,7 @@ export class Client {
       //browser-based OIDC login and authentication process against the OIDC endpoint using their chosen method,
       //and provide us with a valid refresh token/clientId obtained from that process.
       if (clientConfig.refreshToken) {
-        this.authProvider = new OIDCRefreshTokenProvider(
+        authProvider = new OIDCRefreshTokenProvider(
           {
             clientId: clientConfig.clientId,
             refreshToken: clientConfig.refreshToken,
@@ -448,7 +460,7 @@ export class Client {
         );
       } else if (clientConfig.externalJwt) {
         //Are we exchanging a JWT previously issued by a trusted external entity (e.g. Google) for a bearer token?
-        this.authProvider = new OIDCExternalJwtProvider(
+        authProvider = new OIDCExternalJwtProvider(
           {
             clientId: clientConfig.clientId,
             externalJwt: clientConfig.externalJwt,
@@ -458,11 +470,25 @@ export class Client {
         );
       }
     }
-    this.dpopKeys = createSessionKeys({
-      authProvider: this.authProvider,
-      cryptoService: this.cryptoService,
-      dpopKeys: clientConfig.dpopKeys,
-    });
+
+    // Resolve to AuthConfig: interceptors take precedence over authProvider.
+    if (config.interceptors?.length) {
+      this.auth = { interceptors: config.interceptors };
+    } else if (authProvider) {
+      this.auth = authProvider;
+    }
+
+    if (config.interceptors?.length && !authProvider) {
+      // Interceptor path: no updateClientPublicKey needed.
+      // Still need dpopKeys for request body signing (reqSignature).
+      this.dpopKeys = clientConfig.dpopKeys ?? this.cryptoService.generateSigningKeyPair();
+    } else {
+      this.dpopKeys = createSessionKeys({
+        authProvider,
+        cryptoService: this.cryptoService,
+        dpopKeys: clientConfig.dpopKeys,
+      });
+    }
   }
 
   /** Necessary only for testing. A dependency-injection approach should be preferred, but that is difficult currently */
@@ -566,9 +592,12 @@ export class Client {
         if (!this.platformUrl) {
           throw new ConfigurationError('platformUrl not set in TDF3 Client constructor');
         }
+        if (!this.auth) {
+          throw new ConfigurationError('AuthProvider or interceptors required for autoconfigure');
+        }
         const fetchedFQNValues = await attributeFQNsAsValues(
           this.platformUrl,
-          this.authProvider as AuthProvider,
+          this.auth,
           ...fqnsWithoutValues
         );
         fetchedFQNValues.forEach((fetchedValue) => {
@@ -739,7 +768,7 @@ export class Client {
       contentStream: opts.source,
       mimeType,
       policy: policyObject,
-      authProvider: this.authProvider,
+      auth: this.auth,
       progressHandler: this.clientConfig.progressHandler,
       keyForEncryption,
       keyForManifest,
@@ -775,14 +804,14 @@ export class Client {
     fulfillableObligationFQNs = [],
   }: DecryptParams): Promise<DecoratedReadableStream> {
     const dpopKeys = await this.dpopKeys;
-    if (!this.authProvider) {
-      throw new ConfigurationError('AuthProvider missing');
+    if (!this.auth) {
+      throw new ConfigurationError('AuthProvider or interceptors missing');
     }
     const chunker = await makeChunkable(source);
     if (!allowList && this.allowedKases) {
       allowList = this.allowedKases;
     } else if (this.platformUrl) {
-      allowList = await fetchKeyAccessServers(this.platformUrl, this.authProvider);
+      allowList = await fetchKeyAccessServers(this.platformUrl, this.auth);
     } else {
       throw new ConfigurationError('platformUrl is required when allowedKases is empty');
     }
@@ -798,7 +827,7 @@ export class Client {
     return await (streamMiddleware as DecryptStreamMiddleware)(
       await readStream({
         allowList,
-        authProvider: this.authProvider,
+        auth: this.auth,
         chunker,
         concurrencyLimit,
         cryptoService: this.cryptoService,

package/tdf3/src/tdf.ts

@@ -15,6 +15,7 @@ import {
   UnsignedRewrapRequest_WithKeyAccessObjectSchema,
 } from '../../src/platform/kas/kas_pb.js';
 import { type AuthProvider, reqSignature } from '../../src/auth/auth.js';
+import { type AuthConfig } from '../../src/auth/interceptors.js';
 import { handleRpcRewrapErrorString } from '../../src/access/access-rpc.js';
 import { allPool, anyPool } from '../../src/concurrency.js';
 import { base64, hex } from '../../src/encodings/index.js';
@@ -152,7 +153,8 @@ export type EncryptConfiguration = {
   contentStream: ReadableStream<Uint8Array>;
   mimeType?: string;
   policy: Policy;
-  authProvider?: AuthProvider;
+  /** Auth configuration: AuthProvider or { interceptors }. */
+  auth?: AuthConfig;
   byteLimit: number;
   progressHandler?: (bytesProcessed: number) => void;
   keyForEncryption: KeyInfo;
@@ -166,7 +168,8 @@ export type DecryptConfiguration = {
   fulfillableObligations: string[];
   allowedKases?: string[];
   allowList?: OriginAllowList;
-  authProvider: AuthProvider;
+  /** Auth configuration: AuthProvider or { interceptors }. */
+  auth?: AuthConfig;
   cryptoService: CryptoService;
 
   dpopKeys: KeyPair;
@@ -371,7 +374,7 @@ function isTargetSpecLegacyTDF(targetSpecVersion?: string): boolean {
 }
 
 export async function writeStream(cfg: EncryptConfiguration): Promise<DecoratedReadableStream> {
-  if (!cfg.authProvider) {
+  if (!cfg.auth) {
     throw new ConfigurationError('No authorization middleware defined');
   }
   if (!cfg.contentStream) {
@@ -737,7 +740,7 @@ type RewrapResponseData = {
 async function unwrapKey({
   manifest,
   allowedKases,
-  authProvider,
+  auth,
   dpopKeys,
   concurrencyLimit,
   cryptoService,
@@ -746,18 +749,18 @@ async function unwrapKey({
 }: {
   manifest: Manifest;
   allowedKases: OriginAllowList;
-  authProvider: AuthProvider;
+  /** Auth configuration: AuthProvider or { interceptors }. */
+  auth?: AuthConfig;
   concurrencyLimit?: number;
   dpopKeys: KeyPair;
   cryptoService: CryptoService;
   wrappingKeyAlgorithm?: KasPublicKeyAlgorithm;
   fulfillableObligations: string[];
 }) {
-  if (authProvider === undefined) {
-    throw new ConfigurationError(
-      'rewrap requires auth provider; must be configured in client constructor'
-    );
+  if (!auth) {
+    throw new ConfigurationError('rewrap requires auth; must be configured in client constructor');
   }
+  const resolvedAuth: AuthConfig = auth;
   const { keyAccess } = manifest.encryptionInformation;
   const splitPotentials = splitLookupTableFactory(keyAccess, allowedKases);
 
@@ -829,7 +832,7 @@ async function unwrapKey({
     const rewrapResp = await fetchWrappedKey(
       url,
       signedRequestToken,
-      authProvider,
+      resolvedAuth,
       fulfillableObligations
     );
     // Upgrade V1 response to V2 format if needed
@@ -1143,7 +1146,7 @@ export async function decryptStreamFrom(
   const { metadata, reconstructedKey, requiredObligations } = await unwrapKey({
     fulfillableObligations: cfg.fulfillableObligations,
     manifest,
-    authProvider: cfg.authProvider,
+    auth: cfg.auth,
     allowedKases: allowList,
     dpopKeys: cfg.dpopKeys,
     cryptoService: cfg.cryptoService,