@openziti/ziti-mcp-server 0.6.0 → 0.7.0

package/README.md

@@ -16,12 +16,19 @@
 
 </div>
 
+The Ziti MCP Server is sponsored by [NetFoundry](https://netfoundry.io) as part of its portfolio of solutions
+for secure workloads and agentic computing.
+NetFoundry is the creator of [OpenZiti](https://netfoundry.io/docs/openziti/)
+and [zrok](https://netfoundry.io/docs/zrok/getting-started).
+
 [MCP (Model Context Protocol)](https://modelcontextprotocol.io/introduction) is an open protocol introduced by Anthropic that standardizes how large language models communicate with external tools, resources or remote services.
 
 The Ziti MCP Server integrates with LLMs and AI agents, allowing you to perform various Ziti network management operations using natural language. For instance, you could simply ask Claude Desktop to perform Ziti management operations:
 
 - > List which identities exist
-- > Which identities have access to the Demo1 service
+- > Tell me if there are any exposures in the network
+- > Do you see potential misconfigurations?
+- > Which identities have access to the Demo1 service?
 - > Create a new Ziti identity named "Demo" and get its ID
 - > etc.
 
@@ -40,30 +47,66 @@ The Ziti MCP Server integrates with LLMs and AI agents, allowing you to perform
 
 ### Install the Ziti MCP Server
 
-Install Ziti MCP Server and configure it to work with your preferred MCP Client. The `--tools` parameter specifies which tools should be available (defaults to `*` if not provided).
+Install Ziti MCP Server and configure it to work with your preferred MCP Client. The `--auth-mode` parameter is required and specifies the authentication method:
+
+- `device-auth`: Interactive browser-based login (requires `--idp-audience`)
+- `client-credentials`: Service account authentication (requires `--idp-client-secret`)
+
+The `--tools` parameter specifies which tools should be available (defaults to `*` if not provided).
 
-**Claude Desktop with all tools**
+**Device Auth Mode (Interactive Login)**
 
 ```bash
-npx @openziti/ziti-mcp-server init
+npx @openziti/ziti-mcp-server init \
+  --auth-mode device-auth \
+  --ziti-controller-host <your-controller-host> \
+  --idp-domain <your-idp-domain> \
+  --idp-client-id <your-client-id> \
+  --idp-audience <your-audience>
 ```
 
-**Claude Desktop with read-only tools**
+**Client Credentials Mode (Service Account)**
 
 ```bash
-npx @openziti/ziti-mcp-server init --read-only
+npx @openziti/ziti-mcp-server init \
+  --auth-mode client-credentials \
+  --ziti-controller-host <your-controller-host> \
+  --idp-domain <your-idp-domain> \
+  --idp-client-id <your-client-id> \
+  --idp-client-secret <your-client-secret>
+```
+
+**With read-only tools**
+
+```bash
+npx @openziti/ziti-mcp-server init \
+  --auth-mode device-auth \
+  --ziti-controller-host <host> \
+  --idp-domain <domain> \
+  --idp-client-id <id> \
+  --idp-audience <audience> \
+  --read-only
 ```
 
 You can also explicitly select read-only tools:
 
 ```bash
-npx @openziti/ziti-mcp-server init --tools 'list*,get*'
+npx @openziti/ziti-mcp-server init \
+  --auth-mode device-auth \
+  ... \
+  --tools 'list*,get*'
 ```
 
 **Windsurf**
 
 ```bash
-npx @openziti/ziti-mcp-server init --client windsurf
+npx @openziti/ziti-mcp-server init \
+  --auth-mode device-auth \
+  --client windsurf \
+  --ziti-controller-host <host> \
+  --idp-domain <domain> \
+  --idp-client-id <id> \
+  --idp-audience <audience>
 ```
 
 **Cursor**
@@ -75,19 +118,35 @@ Step 1:
 Step 2:
 
 ```bash
-npx @openziti/ziti-mcp-server init --client cursor
+npx @openziti/ziti-mcp-server init \
+  --auth-mode device-auth \
+  --client cursor \
+  --ziti-controller-host <host> \
+  --idp-domain <domain> \
+  --idp-client-id <id> \
+  --idp-audience <audience>
 ```
 
 **Cursor with limited tools access**
 
 ```bash
-npx @openziti/ziti-mcp-server init --client cursor --tools 'listIdentities,listIdentity'
+npx @openziti/ziti-mcp-server init \
+  --auth-mode device-auth \
+  --client cursor \
+  ... \
+  --tools 'listIdentities,listIdentity'
 ```
 
 **VS Code**
 
 ```bash
-npx @openziti/ziti-mcp-server init --client vscode
+npx @openziti/ziti-mcp-server init \
+  --auth-mode device-auth \
+  --client vscode \
+  --ziti-controller-host <host> \
+  --idp-domain <domain> \
+  --idp-client-id <id> \
+  --idp-audience <audience>
 ```
 
 You can configure VS Code for either global or workspace scope:
@@ -100,7 +159,11 @@ The command will prompt you to choose your preferred scope and automatically con
 **VS Code with limited tools access**
 
 ```bash
-npx @openziti/ziti-mcp-server init --client vscode --tools 'list*,get*' --read-only
+npx @openziti/ziti-mcp-server init \
+  --auth-mode device-auth \
+  --client vscode \
+  ... \
+  --tools 'list*,get*' --read-only
 ```
 
 **Other MCP Clients**
@@ -115,7 +178,7 @@ To use Ziti MCP Server with any other MCP Client, you can manually add this conf
       "args": ["-y", "@openziti/ziti-mcp-server", "run"],
       "capabilities": ["tools"],
       "env": {
-        "DEBUG": "ziti-mcp"
+        "DEBUG": "ziti-mcp-server"
       }
     }
   }
@@ -137,7 +200,7 @@ Restart your MCP Client (Claude Desktop, Windsurf, Cursor, Warp, etc.) and ask i
 
 ## 🕸️ Architecture
 
-The Ziti MCP Server implements the Model Context Protocol, allowing Claude to:
+The Ziti MCP Server implements the Model Context Protocol, allowing clients (like Claude) to:
 
 1. Request a list of available Ziti tools
 2. Call specific tools with parameters
@@ -158,13 +221,35 @@ The Ziti MCP Server uses the Ziti Management API and requires authentication to
 
 ### Initial Setup
 
-> [!NOTE]
-> Users should authenticate with [client credentials](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow). Keep the token lifetime as minimal as possible to reduce security risks. [See more](https://auth0.com/docs/secure/tokens/access-tokens/update-access-token-lifetime)
+The Ziti MCP Server supports two authentication modes:
+
+#### Device Auth Mode (Interactive Login)
 
-To authenticate the MCP Server:
+Use this mode for interactive browser-based login. This is recommended for development and user-facing scenarios:
 
 ```bash
-npx @openziti/ziti-mcp-server init --idp-domain <idp-domain> --idp-client-id <idp-client-id> --idp-client-secret <idp-client-secret>
+npx @openziti/ziti-mcp-server init \
+  --auth-mode device-auth \
+  --ziti-controller-host <your-controller-host> \
+  --idp-domain <your-idp-domain> \
+  --idp-client-id <your-client-id> \
+  --idp-audience <your-audience>
+```
+
+#### Client Credentials Mode (Service Account)
+
+Use this mode for service accounts and automation. Recommended for production environments:
+
+> [!NOTE]
+> Keep the token lifetime as minimal as possible to reduce security risks. [See more](https://auth0.com/docs/secure/tokens/access-tokens/update-access-token-lifetime)
+
+```bash
+npx @openziti/ziti-mcp-server init \
+  --auth-mode client-credentials \
+  --ziti-controller-host <your-controller-host> \
+  --idp-domain <your-idp-domain> \
+  --idp-client-id <your-client-id> \
+  --idp-client-secret <your-client-secret>
 ```
 
 > [!IMPORTANT]
@@ -204,9 +289,19 @@ The Ziti MCP server uses OAuth 2.0 device authorization flow for secure authenti
   <img src="assets/auth-seq.jpg" alt="Authentication Sequence Diagram" width="800">
 </div>
 
-## 🛠️ Supported Tools
+#### NOTE for WSL (Windows Subsystem for Linux) Users
+
+The Ziti MCP server uses a package called `keytar` to securely manage the token persistence. `keytar` supports mac, win, and linux, however
+WSL doesn't include a running secret service by default. To ensure the Ziti MCP server can properly secure your token, you need to install
+`gnome-keyring`. You can do thet by running the following command:
+
+```bash
+sudo apt install -y libsecret-1-dev gnome-keyring
+```
+
+## 🛠️ Supported MCP Tools
 
-The Ziti MCP Server provides **126 tools** for managing your Ziti network through natural language. Tools are organized by resource type.
+The Ziti MCP Server provides **206 tools** for managing your Ziti network through natural language. Tools are organized by resource type.
 
 > **Tip:** Use `--read-only` or `--tools` patterns to expose only the tools you need. See [Security Best Practices](#-security-best-practices-for-tool-access).
 
@@ -705,7 +800,7 @@ npx @openziti/ziti-mcp-server help
 #### 🐞 Debug Mode
 
 - More detailed logging
-- Enable by setting environment variable: `export DEBUG=ziti-mcp`
+- Enable by setting environment variable: `export DEBUG=ziti-mcp-server`
 
 > [!TIP]
 > Debug mode is particularly useful when troubleshooting connection or authentication issues.
@@ -720,10 +815,10 @@ The server provides an interactive scope selection interface during initializati
 
   ```bash
   # Select all read scopes
-  npx @openziti/ziti-mcp-server init --scopes 'read:*'
+  npx @openziti/ziti-mcp-server init --auth-mode device-auth ... --scopes 'read:*'
 
   # Select multiple scope patterns (comma-separated)
-  npx @openziti/ziti-mcp-server init --scopes 'read:*,create:identities,update:services'
+  npx @openziti/ziti-mcp-server init --auth-mode device-auth ... --scopes 'read:*,create:identities,update:services'
   ```
 
 > [!NOTE]
@@ -743,7 +838,7 @@ To use Ziti MCP Server with any other MCP Client, you can add this configuration
       "args": ["-y", "@openziti/ziti-mcp-server", "run"],
       "capabilities": ["tools"],
       "env": {
-        "DEBUG": "ziti-mcp"
+        "DEBUG": "ziti-mcp-server"
       }
     }
   }
@@ -757,22 +852,22 @@ To use Ziti MCP Server with any other MCP Client, you can add this configuration
 
 1. **Authentication Failures**
    - Ensure you have the correct permissions in your IdP tenant and Ziti network
-   - Try re-initializing with `npx @openziti/ziti-mcp-server init`
+   - Try re-initializing with `npx @openziti/ziti-mcp-server init --auth-mode <mode> ...`
 
 2. **Claude Desktop Can't Connect to the Server**
    - Restart Claude Desktop after installation
-   - Check that the server is running with `ps aux | grep ziti-mcp`
+   - Check that the server is running with `ps aux | grep ziti-mcp-server`
 
 3. **API Errors or Permission Issues**
-   - Enable debug mode with `export DEBUG=ziti-mcp`
+   - Enable debug mode with `export DEBUG=ziti-mcp-server`
    - Check your token status: `npx @openziti/ziti-mcp-server session`
-   - Reinitialize with specific scopes: `npx @openziti/ziti-mcp-server init --scopes 'read:*,update:*,create:*'`
+   - Reinitialize with specific scopes: `npx @openziti/ziti-mcp-server init --auth-mode <mode> ... --scopes 'read:*,update:*,create:*'`
    - If a specific operation fails, you may be missing the required scope
 
 4. **Invalid Configuration Error**
    - This typically happens when your authorization token is missing or expired
    - Run `npx @openziti/ziti-mcp-server session` to check your token status
-   - If expired or missing, run `npx @openziti/ziti-mcp-server init` to authenticate
+   - If expired or missing, run `npx @openziti/ziti-mcp-server init --auth-mode <mode> ...` to authenticate
 
 > [!TIP]
 > Most connection issues can be resolved by restarting both the server and Claude Desktop.
@@ -782,7 +877,7 @@ To use Ziti MCP Server with any other MCP Client, you can add this configuration
 Enable debug mode to view detailed logs:
 
 ```sh
-export DEBUG=ziti-mcp
+export DEBUG=ziti-mcp-server
 ```
 
 Get detailed MCP Client logs from Claude Desktop:
@@ -795,13 +890,13 @@ tail -n 20 -F ~/Library/Logs/Claude/mcp*.log
 For advanced troubleshooting, use the MCP Inspector:
 
 ```sh
-npx @modelcontextprotocol/inspector -e DEBUG='ziti-mcp' @openziti/ziti-mcp-server run
+npx @modelcontextprotocol/inspector -e DEBUG='ziti-mcp-server' @openziti/ziti-mcp-server run
 ```
 
 For detailed MCP Server logs, run the server in debug mode:
 
 ```bash
-DEBUG=ziti-mcp npx @openziti/ziti-mcp-server run
+DEBUG=ziti-mcp-server npx @openziti/ziti-mcp-server run
 ```
 
 ## 👨‍💻 Development
@@ -819,8 +914,8 @@ npm install
 # Build the project
 npm run build
 
-# Initiate device auth flow
-npx . init
+# Initiate auth flow (choose your auth mode)
+npx . init --auth-mode device-auth --ziti-controller-host <host> --idp-domain <domain> --idp-client-id <id> --idp-audience <audience>
 
 # Configure your MCP Client (e.g. Claude Desktop) with MCP server path
 npm run setup

package/dist/auth/client-credentials-flow.js

@@ -2,7 +2,7 @@ import chalk from 'chalk';
 import { cliOutput } from '../utils/terminal.js';
 import { log, logError } from '../utils/logger.js';
 import { keychain } from '../utils/keychain.js';
-import { getAuthenticationClient } from '../utils/auth0-client.js';
+import { getTokenEndpoint } from './oidc-discovery.js';
 /**
  * Request authorization using client credentials flow
  *
@@ -15,15 +15,39 @@ import { getAuthenticationClient } from '../utils/auth0-client.js';
 export async function requestClientCredentialsAuthorization(config) {
     log('Initiating client credentials flow authentication...');
     try {
-        // Auth client
-        const authClient = await getAuthenticationClient(config.idpDomain, config.idpClientId, config.idpClientSecret);
-        // Set audience if provided, otherwise use a default based on the domain
-        const audience = config.audience || `https://${config.idpDomain}/api/v2/`;
+        // Discover token endpoint via OIDC discovery
+        log(`Discovering OIDC endpoints for ${config.idpDomain}...`);
+        const tokenEndpoint = await getTokenEndpoint(config.idpDomain);
+        log(`Using token endpoint: ${tokenEndpoint}`);
+        // Build the token request body
+        const body = {
+            grant_type: 'client_credentials',
+            client_id: config.idpClientId,
+            client_secret: config.idpClientSecret,
+            audience: config.audience || `${config.idpDomain}/api/v2/`,
+        };
+        if (config.audience) {
+            body.audience = config.audience;
+        }
+        if (config.scopes && config.scopes.length > 0) {
+            body.scope = config.scopes.join(' ');
+        }
         // Make the token request
-        const { data: { access_token, expires_in }, } = await authClient.oauth.clientCredentialsGrant({
-            audience,
+        const response = await fetch(tokenEndpoint, {
+            method: 'POST',
+            headers: {
+                Accept: 'application/json',
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: new URLSearchParams(body),
         });
-        const tokenSet = { access_token, expires_in };
+        const tokenSet = await response.json();
+        if (tokenSet.error) {
+            throw new Error(`Token request failed: ${tokenSet.error} - ${tokenSet.error_description || ''}`);
+        }
+        if (!tokenSet.access_token) {
+            throw new Error('Token response did not contain an access_token');
+        }
         // Store the token information
         await storeTokenInfo(tokenSet, config.zitiControllerHost, config.idpDomain);
         cliOutput(`\n${chalk.green('✓')} Successfully authenticated to ${chalk.blue(config.idpDomain)} using client credentials.\n`);
@@ -36,13 +60,8 @@ export async function requestClientCredentialsAuthorization(config) {
 }
 /**
  * Store token information from client credentials flow
- *
- * @param {any} tokenSet - Token response from the server
- * @param {string} domain - The domain used for authentication
  */
 async function storeTokenInfo(tokenSet, zitiControllerHost, domain) {
-    // For client credentials flow, we use the provided domain directly,
-    // as the token may not contain tenant information in the same format as device flow
     // Store access token
     await keychain.setToken(tokenSet.access_token);
     await keychain.setZitiControllerHost(zitiControllerHost);

package/dist/auth/client-credentials-flow.js.map

@@ -1 +1 @@
-{"version":3,"file":"client-credentials-flow.js","sourceRoot":"","sources":["../../src/auth/client-credentials-flow.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AAcnE;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,MAA+B;IAE/B,GAAG,CAAC,sDAAsD,CAAC,CAAC;IAE5D,IAAI,CAAC;QACH,cAAc;QACd,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAC9C,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,eAAe,CACvB,CAAC;QAEF,wEAAwE;QACxE,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,WAAW,MAAM,CAAC,SAAS,UAAU,CAAC;QAE1E,yBAAyB;QACzB,MAAM,EACJ,IAAI,EAAE,EAAE,YAAY,EAAE,UAAU,EAAE,GACnC,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,sBAAsB,CAAC;YAChD,QAAQ;SACT,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC;QAE9C,8BAA8B;QAC9B,MAAM,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,kBAAkB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QAE5E,SAAS,CACP,KAAK,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,kCAAkC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,8BAA8B,CAClH,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;QAC5D,SAAS,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;QACnF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,cAAc,CAC3B,QAAa,EACb,kBAA0B,EAC1B,MAAc;IAEd,oEAAoE;IACpE,oFAAoF;IAEpF,qBAAqB;IACrB,MAAM,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,QAAQ,CAAC,qBAAqB,CAAC,kBAAkB,CAAC,CAAC;IACzD,MAAM,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAEjC,kEAAkE;IAClE,mCAAmC;IACnC,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC3B,MAAM,QAAQ,CAAC,eAAe,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QACvD,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAC1C,CAAC;IAED,uBAAuB;IACvB,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC;QAC1D,MAAM,QAAQ,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC5C,GAAG,CAAC,qBAAqB,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAChE,CAAC;AACH,CAAC"}
+{"version":3,"file":"client-credentials-flow.js","sourceRoot":"","sources":["../../src/auth/client-credentials-flow.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAcvD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,MAA+B;IAE/B,GAAG,CAAC,sDAAsD,CAAC,CAAC;IAE5D,IAAI,CAAC;QACH,6CAA6C;QAC7C,GAAG,CAAC,kCAAkC,MAAM,CAAC,SAAS,KAAK,CAAC,CAAC;QAC7D,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC/D,GAAG,CAAC,yBAAyB,aAAa,EAAE,CAAC,CAAC;QAE9C,+BAA+B;QAC/B,MAAM,IAAI,GAA2B;YACnC,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,MAAM,CAAC,WAAW;YAC7B,aAAa,EAAE,MAAM,CAAC,eAAe;YACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,GAAG,MAAM,CAAC,SAAS,UAAU;SAC3D,CAAC;QAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAClC,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9C,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvC,CAAC;QAED,yBAAyB;QACzB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,MAAM,EAAE,kBAAkB;gBAC1B,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI,EAAE,IAAI,eAAe,CAAC,IAAI,CAAC;SAChC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEvC,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CACb,yBAAyB,QAAQ,CAAC,KAAK,MAAM,QAAQ,CAAC,iBAAiB,IAAI,EAAE,EAAE,CAChF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QAED,8BAA8B;QAC9B,MAAM,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,kBAAkB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QAE5E,SAAS,CACP,KAAK,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,kCAAkC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,8BAA8B,CAClH,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;QAC5D,SAAS,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;QACnF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,cAAc,CAC3B,QAA+E,EAC/E,kBAA0B,EAC1B,MAAc;IAEd,qBAAqB;IACrB,MAAM,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,QAAQ,CAAC,qBAAqB,CAAC,kBAAkB,CAAC,CAAC;IACzD,MAAM,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAEjC,kEAAkE;IAClE,mCAAmC;IACnC,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC3B,MAAM,QAAQ,CAAC,eAAe,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QACvD,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAC1C,CAAC;IAED,uBAAuB;IACvB,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC;QAC1D,MAAM,QAAQ,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC5C,GAAG,CAAC,qBAAqB,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAChE,CAAC;AACH,CAAC"}

package/dist/auth/device-auth-flow.d.ts

@@ -1,47 +1,16 @@
 declare function requestAuthorization(selectedScopes?: string[], idpDomain?: string, idpClientId?: string, idpAudience?: string): Promise<void>;
-export declare function refreshAccessToken(selectedScopes?: string[]): Promise<string | null>;
+export declare function refreshAccessToken(idpDomain?: string, idpClientId?: string): Promise<string | null>;
 /**
- * Revokes the refresh token that is previously set within keychain when offline_access is requested.
- * Returns true if the call is successful or if the refresh token does not exist.
- * @returns {Promise<boolean>}
+ * Revokes the refresh token stored in the keychain.
+ * Returns true if successful or if no refresh token exists.
  */
-export declare function revokeRefreshToken(): Promise<boolean>;
+export declare function revokeRefreshToken(idpDomain?: string, idpClientId?: string): Promise<boolean>;
 /**
  * Determines if the current access token is expired or will expire soon.
- *
- * This security check is crucial for maintaining continuous authenticated access
- * to Auth0 APIs. It includes a configurable buffer time to proactively detect
- * tokens that will expire soon, preventing potential disruptions during operations
- * that might span multiple API calls. This proactive approach allows the system to
- * initiate refresh flows before actual expiration occurs.
- *
- * The function considers a token expired in the following cases:
- * - No expiration time is found in the keychain via `keychain.getTokenExpiresAt()`
- * - Current time + buffer exceeds the token's expiration time
- * - Error occurs during expiration check (fails secure)
- *
- * This function is used both by `validateAuthorization()` in `run.ts` for user-friendly
- * startup validation and by `validateConfig()` for continuous runtime validation.
- *
- * @param {number} bufferSeconds - Seconds before actual expiration to consider token expired (default: 300s/5min)
- * @returns {Promise<boolean>} True if token is expired or will expire within the buffer period
  */
 export declare function isTokenExpired(bufferSeconds?: number): Promise<boolean>;
 /**
- * Retrieves a valid access token for OpenZiti Controller Management API operations.
- *
- * This function serves as the main entry point for credential retrieval,
- * ensuring that only valid, non-expired tokens are provided to API operations.
- * It implements a critical security checkpoint that prevents operations from
- * proceeding with invalid authentication, which could lead to API failures
- * or unpredictable behavior.
- *
- * The function performs these key security checks:
- * 1. Verifies token expiration status using isTokenExpired
- * 2. Provides clear guidance to users when re-authentication is needed
- * 3. Handles errors gracefully with a fail-secure approach
- *
- * @returns {Promise<string|null>} A valid access token, or null if no valid token is available
+ * Retrieves a valid access token for API operations.
  */
 export declare function getValidAccessToken(): Promise<string | null>;
 export { requestAuthorization };