@opentdf/sdk 0.13.0 → 0.14.0-beta.134

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opentdf/sdk",
-  "version": "0.13.0",
+  "version": "0.14.0-beta.134",
   "description": "OpenTDF for the Web",
   "homepage": "https://github.com/opentdf/web-sdk",
   "bugs": {

package/src/access/access-rpc.ts

@@ -6,7 +6,7 @@ import {
   OriginAllowList,
 } from '../access.js';
 
-import { type AuthProvider } from '../auth/auth.js';
+import { type AuthConfig, resolveInterceptors } from '../auth/interceptors.js';
 import {
   ConfigurationError,
   InvalidFileError,
@@ -37,11 +37,11 @@ import { ConnectError, Code } from '@connectrpc/connect';
 export async function fetchWrappedKey(
   url: string,
   signedRequestToken: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   rewrapAdditionalContextHeader?: string
 ): Promise<RewrapResponse> {
   const platformUrl = getPlatformUrlFromKasEndpoint(url);
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   const options: CallOptions = {};
   if (rewrapAdditionalContextHeader) {
     options.headers = {
@@ -121,11 +121,11 @@ export function handleRpcRewrapErrorString(
 
 export async function fetchKeyAccessServers(
   platformUrl: string,
-  authProvider: AuthProvider
+  auth: AuthConfig
 ): Promise<OriginAllowList> {
   let nextOffset = 0;
   const allServers = [];
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
 
   do {
     let response: ListKeyAccessServersResponse;

package/src/access.ts

@@ -1,4 +1,4 @@
-import { type AuthProvider } from './auth/auth.js';
+import { type AuthConfig, resolveAuthConfig } from './auth/interceptors.js';
 import { RewrapResponse } from './platform/kas/kas_pb.js';
 import { getPlatformUrlFromKasEndpoint, validateSecureUrl } from './utils.js';
 import { base64 } from './encodings/index.js';
@@ -37,19 +37,28 @@ export type RewrapRequest = {
 export async function fetchWrappedKey(
   url: string,
   signedRequestToken: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   fulfillableObligationFQNs: string[]
 ): Promise<RewrapResponse> {
   const platformUrl = getPlatformUrlFromKasEndpoint(url);
+  const { interceptors, authProvider } = resolveAuthConfig(auth);
+
+  const rpcCall = () =>
+    fetchWrappedKeysRpc(
+      platformUrl,
+      signedRequestToken,
+      { interceptors },
+      rewrapAdditionalContextHeader(fulfillableObligationFQNs)
+    );
+
+  // When no AuthProvider is available, skip the legacy fallback so the real
+  // RPC error propagates instead of being masked by tryPromisesUntilFirstSuccess.
+  if (!authProvider) {
+    return await rpcCall();
+  }
 
   return await tryPromisesUntilFirstSuccess(
-    () =>
-      fetchWrappedKeysRpc(
-        platformUrl,
-        signedRequestToken,
-        authProvider,
-        rewrapAdditionalContextHeader(fulfillableObligationFQNs)
-      ),
+    rpcCall,
     // We intentionally do not provide the rewrap additional context to legacy requests destined for older platforms.
     // Platforms new enough to have knowledge of obligations will be handling RPC requests successfully.
     () =>
@@ -164,11 +173,18 @@ export type KasPublicKeyInfo = {
  */
 export async function fetchKeyAccessServers(
   platformUrl: string,
-  authProvider: AuthProvider
+  auth: AuthConfig
 ): Promise<OriginAllowList> {
-  return await tryPromisesUntilFirstSuccess(
-    () => fetchKeyAccessServersRpc(platformUrl, authProvider),
-    () => fetchKeyAccessServersLegacy(platformUrl, authProvider)
+  const { interceptors, authProvider } = resolveAuthConfig(auth);
+
+  const rpcCall = () => fetchKeyAccessServersRpc(platformUrl, { interceptors });
+
+  if (!authProvider) {
+    return await rpcCall();
+  }
+
+  return await tryPromisesUntilFirstSuccess(rpcCall, () =>
+    fetchKeyAccessServersLegacy(platformUrl, authProvider)
   );
 }
 

package/src/auth/interceptors.ts

@@ -0,0 +1,197 @@
+import { type Interceptor } from '@connectrpc/connect';
+export type { Interceptor } from '@connectrpc/connect';
+import { type CryptoService, type KeyPair } from '../../tdf3/src/crypto/declarations.js';
+import * as DefaultCryptoService from '../../tdf3/src/crypto/index.js';
+import DPoP from './dpop.js';
+import { type AuthProvider } from './auth.js';
+import { base64 } from '../encodings/index.js';
+
+/**
+ * A function that returns a valid access token string.
+ * Called per-request; implementations should handle caching/refresh internally.
+ */
+export type TokenProvider = () => Promise<string>;
+
+/**
+ * Options for creating a DPoP-aware auth interceptor.
+ */
+export type DPoPInterceptorOptions = {
+  /** Function that returns a valid access token (may cache/refresh internally). */
+  tokenProvider: TokenProvider;
+  /** DPoP signing key pair. If omitted, one is generated automatically. */
+  dpopKeys?: KeyPair | Promise<KeyPair>;
+  /** CryptoService for signing. Defaults to DefaultCryptoService. */
+  cryptoService?: CryptoService;
+};
+
+/**
+ * A DPoP interceptor that also exposes the resolved signing key pair.
+ * TDF encrypt/decrypt needs these keys for request body signing (reqSignature).
+ */
+export type DPoPInterceptor = Interceptor & {
+  /** The resolved DPoP key pair, for use in TDF request token signing. */
+  readonly dpopKeys: Promise<KeyPair>;
+};
+
+/**
+ * Creates a simple bearer-token interceptor.
+ * Calls `tokenProvider()` per-request and sets the `Authorization` header.
+ *
+ * @param tokenProvider Function returning a valid access token.
+ * @returns A Connect RPC Interceptor.
+ *
+ * @example
+ * ```ts
+ * const opentdf = new OpenTDF({
+ *   interceptors: [authTokenInterceptor(() => myAuth.getAccessToken())],
+ *   platformUrl: '/api',
+ * });
+ * ```
+ */
+export function authTokenInterceptor(tokenProvider: TokenProvider): Interceptor {
+  return (next) => async (req) => {
+    const token = await tokenProvider();
+    req.header.set('Authorization', `Bearer ${token}`);
+    return next(req);
+  };
+}
+
+/**
+ * Creates a DPoP-aware auth interceptor.
+ * Per-request: gets token, generates DPoP proof JWT, sets Authorization + DPoP + X-VirtruPubKey headers.
+ * Exposes `dpopKeys` for TDF request body signing.
+ *
+ * @param options DPoP interceptor configuration.
+ * @returns A DPoP interceptor with an exposed `dpopKeys` promise.
+ *
+ * @example
+ * ```ts
+ * const dpopInterceptor = authTokenDPoPInterceptor({
+ *   tokenProvider: () => myAuth.getAccessToken(),
+ * });
+ * const opentdf = new OpenTDF({
+ *   interceptors: [dpopInterceptor],
+ *   dpopKeys: dpopInterceptor.dpopKeys,
+ *   platformUrl: '/api',
+ * });
+ * ```
+ */
+export function authTokenDPoPInterceptor(options: DPoPInterceptorOptions): DPoPInterceptor {
+  const cryptoService = options.cryptoService ?? DefaultCryptoService;
+  const dpopKeysPromise: Promise<KeyPair> = options.dpopKeys
+    ? Promise.resolve(options.dpopKeys)
+    : cryptoService.generateSigningKeyPair();
+
+  const interceptor: Interceptor = (next) => async (req) => {
+    const [token, keys] = await Promise.all([options.tokenProvider(), dpopKeysPromise]);
+
+    const url = new URL(req.url);
+    const httpUri = `${url.origin}${url.pathname}`;
+
+    // Generate DPoP proof JWT for this request
+    const dpopProof = await DPoP(keys, cryptoService, httpUri, 'POST');
+
+    // Export public key PEM for X-VirtruPubKey header
+    const publicKeyPem = await cryptoService.exportPublicKeyPem(keys.publicKey);
+
+    req.header.set('Authorization', `Bearer ${token}`);
+    req.header.set('DPoP', dpopProof);
+    req.header.set('X-VirtruPubKey', base64.encode(publicKeyPem));
+
+    return next(req);
+  };
+
+  // Attach dpopKeys to the interceptor function
+  const dpopInterceptor = interceptor as DPoPInterceptor;
+  Object.defineProperty(dpopInterceptor, 'dpopKeys', {
+    value: dpopKeysPromise,
+    writable: false,
+    enumerable: true,
+  });
+
+  return dpopInterceptor;
+}
+
+/**
+ * Creates an interceptor that bridges an existing AuthProvider to the Interceptor pattern.
+ * Use this for backwards compatibility when migrating from AuthProvider to interceptors.
+ *
+ * @param authProvider The legacy AuthProvider to bridge.
+ * @returns A Connect RPC Interceptor.
+ */
+export function authProviderInterceptor(authProvider: AuthProvider): Interceptor {
+  return (next) => async (req) => {
+    const url = new URL(req.url);
+    const pathOnly = url.pathname;
+    // Signs only the path of the url in the request
+    let token;
+    try {
+      token = await authProvider.withCreds({
+        url: pathOnly,
+        method: 'POST',
+        // Start with any headers Connect already has
+        headers: {
+          ...Object.fromEntries(req.header.entries()),
+          'Content-Type': 'application/json',
+        },
+      });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes('public key') || msg.includes('updateClientPublicKey')) {
+        throw new Error(
+          'PlatformClient: DPoP key binding is not complete. ' +
+            'If you are using OpenTDF with PlatformClient, create OpenTDF first and ' +
+            '`await client.ready` before constructing PlatformClient. ' +
+            `Original error: ${msg}`
+        );
+      }
+      throw err;
+    }
+
+    Object.entries(token.headers).forEach(([key, value]) => {
+      req.header.set(key, value);
+    });
+
+    return await next(req);
+  };
+}
+
+/**
+ * Auth configuration: either a legacy AuthProvider or an object with interceptors.
+ */
+export type AuthConfig = AuthProvider | { interceptors: Interceptor[] };
+
+/**
+ * Type guard for AuthConfig with interceptors.
+ */
+export function isInterceptorConfig(auth: AuthConfig): auth is { interceptors: Interceptor[] } {
+  return 'interceptors' in auth && Array.isArray((auth as { interceptors: unknown }).interceptors);
+}
+
+/**
+ * Resolves an AuthConfig into interceptors for use with PlatformClient.
+ * If the config is an AuthProvider, it is bridged via authProviderInterceptor.
+ */
+export function resolveInterceptors(auth: AuthConfig): Interceptor[] {
+  if (isInterceptorConfig(auth)) {
+    return auth.interceptors;
+  }
+  return [authProviderInterceptor(auth)];
+}
+
+/**
+ * Resolves an AuthConfig into both interceptors and an optional AuthProvider.
+ * The AuthProvider is available for legacy code paths that need withCreds().
+ */
+export function resolveAuthConfig(auth: AuthConfig): {
+  interceptors: Interceptor[];
+  authProvider?: AuthProvider;
+} {
+  if (isInterceptorConfig(auth)) {
+    return { interceptors: auth.interceptors };
+  }
+  return {
+    interceptors: [authProviderInterceptor(auth)],
+    authProvider: auth,
+  };
+}

package/src/auth/oidc.ts

@@ -11,7 +11,7 @@ import { type CryptoService, type KeyPair } from '../../tdf3/src/crypto/declarat
 export type CommonCredentials = {
   /** The OIDC client ID used for token issuance and exchange flows */
   clientId: string;
-  /** The endpoint of the OIDC IdP to authenticate against, ex. 'https://virtru.com/auth' */
+  /** The endpoint of the OIDC IdP to authenticate against, ex. 'https://keycloak.opentdf.local/auth' */
   oidcOrigin: string;
   oidcTokenEndpoint?: string;
   oidcUserInfoEndpoint?: string;
@@ -176,6 +176,8 @@ export class AccessToken {
       }
       // Export opaque public key to PEM format for header
       const publicKeyPem = await this.cryptoService.exportPublicKeyPem(this.signingKey.publicKey);
+      // TODO: Rename to X-OpenTDF-PubKey; requires coordinated change with
+      // platform Keycloak mapper (lib/fixtures/keycloak.go `client.publickey`).
       headers['X-VirtruPubKey'] = base64.encode(publicKeyPem);
       headers.DPoP = await dpopFn(this.signingKey, this.cryptoService, url, 'POST');
     }
@@ -300,9 +302,9 @@ export class AccessToken {
   }
 
   async withCreds(httpReq: HttpRequest): Promise<HttpRequest> {
-    if (!this.signingKey) {
+    if (this.config.dpopEnabled && !this.signingKey) {
       throw new ConfigurationError(
-        'Client public key was not set via `updateClientPublicKey` or passed in via constructor, cannot fetch OIDC token with valid Virtru claims'
+        'Client public key was not set via `updateClientPublicKey` or passed in via constructor; required when DPoP is enabled'
       );
     }
     const accessToken = (this.currentAccessToken ??= await this.get());

package/src/auth/token-providers.ts

@@ -0,0 +1,303 @@
+import { type TokenProvider } from './interceptors.js';
+import { ConfigurationError, TdfError } from '../errors.js';
+import { rstrip } from '../utils.js';
+
+/**
+ * Options for client credentials token provider.
+ *
+ * **Not for browser use.** Client secrets must not be exposed in client-side code.
+ * Use this only in server-side (Node.js/Deno) environments.
+ */
+export type ClientCredentialsTokenProviderOptions = {
+  /** OIDC client ID. */
+  clientId: string;
+  /** OIDC client secret. */
+  clientSecret: string;
+  /** OIDC IdP origin, e.g. 'http://localhost:8080/auth/realms/opentdf'. */
+  oidcOrigin: string;
+  /** Override the token endpoint (defaults to `${oidcOrigin}/protocol/openid-connect/token`). */
+  oidcTokenEndpoint?: string;
+};
+
+/**
+ * Options for refresh token provider.
+ */
+export type RefreshTokenProviderOptions = {
+  /** OIDC client ID. */
+  clientId: string;
+  /** Refresh token obtained from a prior login flow. */
+  refreshToken: string;
+  /** OIDC IdP origin, e.g. 'http://localhost:8080/auth/realms/opentdf'. */
+  oidcOrigin: string;
+  /** Override the token endpoint. */
+  oidcTokenEndpoint?: string;
+};
+
+/**
+ * Options for external JWT token provider (RFC 8693 token exchange).
+ */
+export type ExternalJwtTokenProviderOptions = {
+  /** OIDC client ID. */
+  clientId: string;
+  /** External JWT to exchange. */
+  externalJwt: string;
+  /** OIDC IdP origin, e.g. 'http://localhost:8080/auth/realms/opentdf'. */
+  oidcOrigin: string;
+  /** Override the token endpoint. */
+  oidcTokenEndpoint?: string;
+};
+
+type TokenResponse = {
+  access_token: string;
+  refresh_token?: string;
+  expires_in?: number;
+};
+
+function resolveTokenEndpoint(oidcOrigin: string, override?: string): string {
+  if (override?.trim()) return override;
+  const base = oidcOrigin?.trim();
+  if (!base) {
+    throw new ConfigurationError('oidcOrigin or oidcTokenEndpoint is required');
+  }
+  return `${rstrip(base, '/')}/protocol/openid-connect/token`;
+}
+
+/**
+ * Decode a JWT's exp claim without verifying the signature.
+ * Returns the expiration time in seconds since epoch, or undefined if not present.
+ */
+function getJwtExpiration(token: string): number | undefined {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return undefined;
+    // Base64url decode the payload
+    const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+    const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4);
+    const decoded = JSON.parse(atob(padded));
+    return typeof decoded.exp === 'number' ? decoded.exp : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+/**
+ * Compute the absolute expiry (seconds since epoch) for a token response.
+ * Prefers `expires_in` from the token response, falls back to the JWT `exp` claim.
+ */
+function resolveTokenExpiry(accessToken: string, expiresIn?: number): number | undefined {
+  if (typeof expiresIn === 'number') {
+    return Date.now() / 1000 + expiresIn;
+  }
+  return getJwtExpiration(accessToken);
+}
+
+function isTokenExpired(expiry: number | undefined, bufferSeconds = 30): boolean {
+  if (expiry === undefined) return true;
+  return Date.now() / 1000 >= expiry - bufferSeconds;
+}
+
+async function fetchToken(
+  tokenEndpoint: string,
+  body: Record<string, string>
+): Promise<TokenResponse> {
+  const response = await fetch(tokenEndpoint, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+      Accept: 'application/json',
+    },
+    body: new URLSearchParams(body).toString(),
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new TdfError(
+      `Token request failed: POST [${tokenEndpoint}] => ${response.status} ${response.statusText}: ${text}`
+    );
+  }
+  return (await response.json()) as TokenResponse;
+}
+
+/**
+ * Creates a TokenProvider that obtains tokens via the OAuth2 client credentials grant.
+ * Tokens are cached and automatically refreshed when expired.
+ *
+ * **Not for browser use.** Client secrets must not be exposed in client-side code.
+ * Use this only in server-side (Node.js/Deno) environments.
+ *
+ * @example
+ * ```ts
+ * const client = new OpenTDF({
+ *   interceptors: [authTokenInterceptor(clientCredentialsTokenProvider({
+ *     clientId: 'opentdf',
+ *     clientSecret: 'secret',
+ *     oidcOrigin: 'http://localhost:8080/auth/realms/opentdf',
+ *   }))],
+ *   platformUrl: 'http://localhost:8080',
+ * });
+ * ```
+ */
+export function clientCredentialsTokenProvider(
+  options: ClientCredentialsTokenProviderOptions
+): TokenProvider {
+  if (!options.clientId || !options.clientSecret) {
+    throw new ConfigurationError('clientId and clientSecret are required');
+  }
+  const tokenEndpoint = resolveTokenEndpoint(options.oidcOrigin, options.oidcTokenEndpoint);
+  let cachedToken: string | undefined;
+  let cachedExpiry: number | undefined;
+  let inFlight: Promise<string> | undefined;
+
+  return async () => {
+    if (cachedToken && !isTokenExpired(cachedExpiry)) {
+      return cachedToken;
+    }
+    if (!inFlight) {
+      inFlight = (async () => {
+        try {
+          const resp = await fetchToken(tokenEndpoint, {
+            grant_type: 'client_credentials',
+            client_id: options.clientId,
+            client_secret: options.clientSecret,
+          });
+          cachedToken = resp.access_token;
+          cachedExpiry = resolveTokenExpiry(resp.access_token, resp.expires_in);
+          return cachedToken;
+        } finally {
+          inFlight = undefined;
+        }
+      })();
+    }
+    return inFlight;
+  };
+}
+
+/**
+ * Creates a TokenProvider that uses a refresh token to obtain access tokens.
+ * On the first call, exchanges the refresh token. Subsequent calls use the
+ * latest refresh token from the IdP response.
+ *
+ * @example
+ * ```ts
+ * const client = new OpenTDF({
+ *   interceptors: [authTokenInterceptor(refreshTokenProvider({
+ *     clientId: 'my-app',
+ *     refreshToken: 'refresh-token-from-login',
+ *     oidcOrigin: 'http://localhost:8080/auth/realms/opentdf',
+ *   }))],
+ *   platformUrl: 'http://localhost:8080',
+ * });
+ * ```
+ */
+export function refreshTokenProvider(options: RefreshTokenProviderOptions): TokenProvider {
+  if (!options.clientId || !options.refreshToken) {
+    throw new ConfigurationError('clientId and refreshToken are required');
+  }
+  const tokenEndpoint = resolveTokenEndpoint(options.oidcOrigin, options.oidcTokenEndpoint);
+  let currentRefreshToken = options.refreshToken;
+  let cachedToken: string | undefined;
+  let cachedExpiry: number | undefined;
+  let inFlight: Promise<string> | undefined;
+
+  return async () => {
+    if (cachedToken && !isTokenExpired(cachedExpiry)) {
+      return cachedToken;
+    }
+    if (!inFlight) {
+      inFlight = (async () => {
+        try {
+          const resp = await fetchToken(tokenEndpoint, {
+            grant_type: 'refresh_token',
+            refresh_token: currentRefreshToken,
+            client_id: options.clientId,
+          });
+          cachedToken = resp.access_token;
+          cachedExpiry = resolveTokenExpiry(resp.access_token, resp.expires_in);
+          if (resp.refresh_token) {
+            currentRefreshToken = resp.refresh_token;
+          }
+          return cachedToken;
+        } finally {
+          inFlight = undefined;
+        }
+      })();
+    }
+    return inFlight;
+  };
+}
+
+/**
+ * Creates a TokenProvider that exchanges an external JWT for a platform token
+ * via RFC 8693 token exchange. After the initial exchange, uses the refresh
+ * token for subsequent calls.
+ *
+ * @example
+ * ```ts
+ * const client = new OpenTDF({
+ *   interceptors: [authTokenInterceptor(externalJwtTokenProvider({
+ *     clientId: 'my-app',
+ *     externalJwt: 'eyJhbGciOi...',
+ *     oidcOrigin: 'http://localhost:8080/auth/realms/opentdf',
+ *   }))],
+ *   platformUrl: 'http://localhost:8080',
+ * });
+ * ```
+ */
+export function externalJwtTokenProvider(options: ExternalJwtTokenProviderOptions): TokenProvider {
+  if (!options.clientId || !options.externalJwt) {
+    throw new ConfigurationError('clientId and externalJwt are required');
+  }
+  const tokenEndpoint = resolveTokenEndpoint(options.oidcOrigin, options.oidcTokenEndpoint);
+  let cachedToken: string | undefined;
+  let cachedExpiry: number | undefined;
+  let currentRefreshToken: string | undefined;
+  let initialExchangeDone = false;
+  let inFlight: Promise<string> | undefined;
+
+  return async () => {
+    if (cachedToken && !isTokenExpired(cachedExpiry)) {
+      return cachedToken;
+    }
+    if (!inFlight) {
+      inFlight = (async () => {
+        try {
+          let resp: TokenResponse;
+          if (!initialExchangeDone) {
+            resp = await fetchToken(tokenEndpoint, {
+              grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+              subject_token: options.externalJwt,
+              subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
+              audience: options.clientId,
+              client_id: options.clientId,
+            });
+            initialExchangeDone = true;
+          } else if (currentRefreshToken) {
+            resp = await fetchToken(tokenEndpoint, {
+              grant_type: 'refresh_token',
+              refresh_token: currentRefreshToken,
+              client_id: options.clientId,
+            });
+          } else {
+            // Re-exchange the original JWT if no refresh token available
+            resp = await fetchToken(tokenEndpoint, {
+              grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+              subject_token: options.externalJwt,
+              subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
+              audience: options.clientId,
+              client_id: options.clientId,
+            });
+          }
+
+          cachedToken = resp.access_token;
+          cachedExpiry = resolveTokenExpiry(resp.access_token, resp.expires_in);
+          if (resp.refresh_token) {
+            currentRefreshToken = resp.refresh_token;
+          }
+          return cachedToken;
+        } finally {
+          inFlight = undefined;
+        }
+      })();
+    }
+    return inFlight;
+  };
+}

package/src/index.ts

@@ -1,6 +1,31 @@
 export { type AuthProvider, type HttpMethod, HttpRequest, withHeaders } from './auth/auth.js';
 export * as AuthProviders from './auth/providers.js';
+export {
+  authTokenInterceptor,
+  authTokenDPoPInterceptor,
+  authProviderInterceptor,
+  type AuthConfig,
+  type DPoPInterceptor,
+  type DPoPInterceptorOptions,
+  type Interceptor,
+  type TokenProvider,
+} from './auth/interceptors.js';
+export {
+  clientCredentialsTokenProvider,
+  refreshTokenProvider,
+  externalJwtTokenProvider,
+  type ClientCredentialsTokenProviderOptions,
+  type RefreshTokenProviderOptions,
+  type ExternalJwtTokenProviderOptions,
+} from './auth/token-providers.js';
 export { attributeFQNsAsValues } from './policy/api.js';
+export {
+  forEmail,
+  forClientId,
+  forUserName,
+  forToken,
+  withRequestToken,
+} from './platform/authorization/entity-identifiers.js';
 export {
   listAttributes,
   validateAttributes,