@workos-inc/authkit-nextjs 3.0.0-beta.1 → 3.0.0

package/src/cookie.ts

@@ -92,6 +92,35 @@ export function getCookieOptions(
   };
 }
 
+/**
+ * Cookie options for the PKCE verifier cookie.
+ * 'strict' blocks the cookie on the cross-site redirect back from WorkOS; downgrade to 'lax'.
+ * 'none' is more permissive and must be preserved for iframe/cross-origin embed flows.
+ */
+export function getPKCECookieOptions(): CookieOptions;
+export function getPKCECookieOptions(redirectUri: string | null | undefined, asString: true, expired?: boolean): string;
+export function getPKCECookieOptions(
+  redirectUri?: string | null,
+  asString?: boolean,
+  expired?: boolean,
+): CookieOptions | string;
+export function getPKCECookieOptions(
+  redirectUri?: string | null,
+  asString: boolean = false,
+  expired: boolean = false,
+): CookieOptions | string {
+  if (asString) {
+    const options = getCookieOptions(redirectUri, true, expired);
+    return options.replace(/SameSite=Strict/i, 'SameSite=Lax');
+  }
+
+  const options = getCookieOptions(redirectUri);
+  return {
+    ...options,
+    sameSite: options.sameSite.toLowerCase() === 'strict' ? 'lax' : options.sameSite,
+  };
+}
+
 export function getJwtCookie(body: string | null, requestUrlOrRedirectUri?: string | null, expired?: boolean): string {
   const cookie = `${JWT_COOKIE_NAME}=${expired ? '' : (body ?? '')}`;
 

package/src/env-variables.ts

@@ -12,6 +12,7 @@ const WORKOS_COOKIE_DOMAIN = getEnvVariable('WORKOS_COOKIE_DOMAIN');
 const WORKOS_COOKIE_MAX_AGE = getEnvVariable('WORKOS_COOKIE_MAX_AGE');
 const WORKOS_COOKIE_NAME = getEnvVariable('WORKOS_COOKIE_NAME');
 const WORKOS_COOKIE_SAMESITE = getEnvVariable('WORKOS_COOKIE_SAMESITE') as 'lax' | 'strict' | 'none' | undefined;
+const WORKOS_CLAIM_TOKEN = getEnvVariable('WORKOS_CLAIM_TOKEN');
 
 // Required env variables
 const WORKOS_API_KEY = getEnvVariable('WORKOS_API_KEY') ?? '';
@@ -24,6 +25,7 @@ export {
   WORKOS_API_HTTPS,
   WORKOS_API_KEY,
   WORKOS_API_PORT,
+  WORKOS_CLAIM_TOKEN,
   WORKOS_CLIENT_ID,
   WORKOS_COOKIE_DOMAIN,
   WORKOS_COOKIE_MAX_AGE,

package/src/errors.spec.ts

@@ -0,0 +1,108 @@
+import { AuthKitError, TokenRefreshError, getSessionErrorContext } from './errors.js';
+import type { Session } from './interfaces.js';
+import type { User } from '@workos-inc/node';
+
+describe('AuthKitError', () => {
+  it('creates error with message', () => {
+    const error = new AuthKitError('Test error');
+
+    expect(error.message).toBe('Test error');
+    expect(error.name).toBe('AuthKitError');
+    expect(error).toBeInstanceOf(Error);
+  });
+
+  it('creates error with cause and data', () => {
+    const originalError = new Error('Original error');
+    const data = { userId: '123' };
+    const error = new AuthKitError('Test error', originalError, data);
+
+    expect(error.cause).toBe(originalError);
+    expect(error.data).toEqual(data);
+  });
+});
+
+describe('TokenRefreshError', () => {
+  it('creates error with correct name and inheritance', () => {
+    const error = new TokenRefreshError('Refresh failed');
+
+    expect(error.name).toBe('TokenRefreshError');
+    expect(error.message).toBe('Refresh failed');
+    expect(error).toBeInstanceOf(AuthKitError);
+    expect(error).toBeInstanceOf(Error);
+  });
+
+  it('creates error with cause and context', () => {
+    const originalError = new Error('Network error');
+    const error = new TokenRefreshError('Refresh failed', originalError, {
+      userId: 'user_123',
+      sessionId: 'session_456',
+    });
+
+    expect(error.cause).toBe(originalError);
+    expect(error.userId).toBe('user_123');
+    expect(error.sessionId).toBe('session_456');
+  });
+
+  it('has undefined properties when no context provided', () => {
+    const error = new TokenRefreshError('Refresh failed');
+
+    expect(error.userId).toBeUndefined();
+    expect(error.sessionId).toBeUndefined();
+  });
+});
+
+describe('getSessionErrorContext', () => {
+  function createTestJwt(payload: Record<string, unknown>): string {
+    const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+    const payloadStr = btoa(JSON.stringify(payload));
+    return `${header}.${payloadStr}.test-signature`;
+  }
+
+  it('returns empty object for missing session', () => {
+    expect(getSessionErrorContext(null)).toEqual({});
+    expect(getSessionErrorContext(undefined)).toEqual({});
+  });
+
+  it('extracts userId and sessionId from access token', () => {
+    const session: Session = {
+      accessToken: createTestJwt({ sub: 'user_456', sid: 'session_123' }),
+      refreshToken: 'refresh_token',
+      user: {
+        id: 'user_456',
+        email: 'test@example.com',
+        emailVerified: true,
+        profilePictureUrl: null,
+        firstName: null,
+        lastName: null,
+        createdAt: '2024-01-01',
+        updatedAt: '2024-01-01',
+        object: 'user',
+      } as User,
+    };
+
+    const context = getSessionErrorContext(session);
+    expect(context.userId).toBe('user_456');
+    expect(context.sessionId).toBe('session_123');
+  });
+
+  it('returns empty object for invalid JWT', () => {
+    const session: Session = {
+      accessToken: 'invalid-jwt',
+      refreshToken: 'refresh_token',
+      user: {
+        id: 'user_123',
+        email: 'test@example.com',
+        emailVerified: true,
+        profilePictureUrl: null,
+        firstName: null,
+        lastName: null,
+        createdAt: '2024-01-01',
+        updatedAt: '2024-01-01',
+        object: 'user',
+      } as User,
+    };
+
+    const context = getSessionErrorContext(session);
+    expect(context).toEqual({});
+  });
+});

package/src/errors.ts

@@ -0,0 +1,46 @@
+import type { Session } from './interfaces.js';
+import { decodeJwt } from './jwt.js';
+
+export class AuthKitError extends Error {
+  data?: Record<string, unknown>;
+
+  constructor(message: string, cause?: unknown, data?: Record<string, unknown>) {
+    super(message);
+    this.name = 'AuthKitError';
+    this.cause = cause;
+    this.data = data;
+  }
+}
+
+export interface TokenRefreshErrorContext {
+  userId?: string;
+  sessionId?: string;
+}
+
+export class TokenRefreshError extends AuthKitError {
+  readonly userId?: string;
+  readonly sessionId?: string;
+
+  constructor(message: string, cause?: unknown, context?: TokenRefreshErrorContext) {
+    super(message, cause);
+    this.name = 'TokenRefreshError';
+    this.userId = context?.userId;
+    this.sessionId = context?.sessionId;
+  }
+}
+
+export function getSessionErrorContext(session?: Session | null): TokenRefreshErrorContext {
+  if (!session?.accessToken) {
+    return {};
+  }
+
+  try {
+    const { payload } = decodeJwt(session.accessToken);
+    return {
+      userId: payload.sub,
+      sessionId: payload.sid,
+    };
+  } catch {
+    return {};
+  }
+}

package/src/get-authorization-url.spec.ts

@@ -1,33 +1,45 @@
-import { describe, it, expect, beforeEach, jest } from '@jest/globals';
 import { getAuthorizationUrl } from './get-authorization-url.js';
 import { headers } from 'next/headers';
 import { getWorkOS } from './workos.js';
-
-jest.mock('next/headers');
+import { getStateFromPKCECookieValue } from './pkce.js';
 
 // Mock dependencies
-const fakeWorkosInstance = {
-  userManagement: {
-    getAuthorizationUrl: jest.fn(),
+const { fakeWorkosInstance } = vi.hoisted(() => ({
+  fakeWorkosInstance: {
+    baseURL: 'https://api.workos.com',
+    userManagement: {
+      getAuthorizationUrl: vi.fn(),
+    },
+    pkce: {
+      generate: vi.fn().mockResolvedValue({
+        codeVerifier: 'test-code-verifier',
+        codeChallenge: 'test-code-challenge',
+        codeChallengeMethod: 'S256' as const,
+      }),
+    },
   },
-};
+}));
 
-jest.mock('./workos', () => ({
-  getWorkOS: jest.fn(() => fakeWorkosInstance),
+vi.mock('./workos', () => ({
+  getWorkOS: vi.fn(() => fakeWorkosInstance),
 }));
 
 describe('getAuthorizationUrl', () => {
   const workos = getWorkOS();
   beforeEach(() => {
-    jest.clearAllMocks();
+    vi.clearAllMocks();
+    fakeWorkosInstance.pkce.generate.mockResolvedValue({
+      codeVerifier: 'test-code-verifier',
+      codeChallenge: 'test-code-challenge',
+      codeChallengeMethod: 'S256' as const,
+    });
   });
 
   it('uses x-redirect-uri header when redirectUri option is not provided', async () => {
     const nextHeaders = await headers();
     nextHeaders.set('x-redirect-uri', 'http://test-redirect.com');
 
-    // Mock workos.userManagement.getAuthorizationUrl
-    jest.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+    vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
 
     await getAuthorizationUrl({});
 
@@ -39,15 +51,15 @@ describe('getAuthorizationUrl', () => {
   });
 
   it('works when called with no arguments', async () => {
-    jest.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+    vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
 
-    await getAuthorizationUrl(); // Call with no arguments
+    await getAuthorizationUrl();
 
     expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalled();
   });
 
   it('works when prompt is provided', async () => {
-    jest.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+    vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
 
     await getAuthorizationUrl({ prompt: 'consent' });
 
@@ -57,4 +69,147 @@ describe('getAuthorizationUrl', () => {
       }),
     );
   });
+
+  describe('claim nonce', () => {
+    afterEach(() => {
+      delete process.env.WORKOS_CLAIM_TOKEN;
+    });
+
+    it('does not fetch nonce when WORKOS_CLAIM_TOKEN is not set', async () => {
+      const fetchSpy = vi.spyOn(globalThis, 'fetch');
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+
+      await getAuthorizationUrl({});
+
+      expect(fetchSpy).not.toHaveBeenCalledWith(expect.stringContaining('claim-nonces'), expect.anything());
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.not.objectContaining({ claimNonce: expect.any(String) }),
+      );
+      fetchSpy.mockRestore();
+    });
+
+    it('fetches nonce and passes claimNonce when WORKOS_CLAIM_TOKEN is set', async () => {
+      process.env.WORKOS_CLAIM_TOKEN = 'test-claim-token';
+      const fetchSpy = vi
+        .spyOn(globalThis, 'fetch')
+        .mockResolvedValueOnce(new Response(JSON.stringify({ nonce: 'test-nonce' }), { status: 201 }));
+
+      vi.resetModules();
+      const { getAuthorizationUrl: freshGetAuthorizationUrl } = await import('./get-authorization-url.js');
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+
+      await freshGetAuthorizationUrl({});
+
+      expect(fetchSpy).toHaveBeenCalledWith(
+        'https://api.workos.com/x/one-shot-environments/claim-nonces',
+        expect.objectContaining({
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ client_id: 'client_1234567890', claim_token: 'test-claim-token' }),
+        }),
+      );
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.objectContaining({ claimNonce: 'test-nonce' }),
+      );
+      fetchSpy.mockRestore();
+    });
+
+    it('proceeds without nonce on network error', async () => {
+      process.env.WORKOS_CLAIM_TOKEN = 'test-claim-token';
+      const fetchSpy = vi.spyOn(globalThis, 'fetch').mockRejectedValueOnce(new Error('Network error'));
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+
+      vi.resetModules();
+      const { getAuthorizationUrl: freshGetAuthorizationUrl } = await import('./get-authorization-url.js');
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+
+      await freshGetAuthorizationUrl({});
+
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.not.objectContaining({ claimNonce: expect.any(String) }),
+      );
+      expect(warnSpy).toHaveBeenCalledWith(
+        '[authkit-nextjs]: Failed to exchange WORKOS_CLAIM_TOKEN. Try removing WORKOS_CLAIM_TOKEN from your environment variables.',
+        expect.any(Error),
+      );
+      fetchSpy.mockRestore();
+      warnSpy.mockRestore();
+    });
+
+    it('proceeds without nonce on non-OK response', async () => {
+      process.env.WORKOS_CLAIM_TOKEN = 'test-claim-token';
+      const fetchSpy = vi
+        .spyOn(globalThis, 'fetch')
+        .mockResolvedValueOnce(new Response('Unauthorized', { status: 401 }));
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+
+      vi.resetModules();
+      const { getAuthorizationUrl: freshGetAuthorizationUrl } = await import('./get-authorization-url.js');
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+
+      await freshGetAuthorizationUrl({});
+
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.not.objectContaining({ claimNonce: expect.any(String) }),
+      );
+      expect(warnSpy).toHaveBeenCalledWith(
+        '[authkit-nextjs]: Failed to exchange WORKOS_CLAIM_TOKEN (401). Try removing WORKOS_CLAIM_TOKEN from your environment variables.',
+      );
+      fetchSpy.mockRestore();
+      warnSpy.mockRestore();
+    });
+
+    it('includes PKCE and claim nonce together', async () => {
+      process.env.WORKOS_CLAIM_TOKEN = 'test-claim-token';
+      const fetchSpy = vi
+        .spyOn(globalThis, 'fetch')
+        .mockResolvedValueOnce(new Response(JSON.stringify({ nonce: 'test-nonce' }), { status: 201 }));
+
+      vi.resetModules();
+      const { getAuthorizationUrl: freshGetAuthorizationUrl } = await import('./get-authorization-url.js');
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+
+      const result = await freshGetAuthorizationUrl({});
+
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.objectContaining({
+          claimNonce: 'test-nonce',
+          codeChallenge: 'test-code-challenge',
+          codeChallengeMethod: 'S256',
+        }),
+      );
+      expect(result.sealedState).toBeDefined();
+      fetchSpy.mockRestore();
+    });
+  });
+
+  describe('PKCE', () => {
+    it('always generates PKCE pair and includes code challenge', async () => {
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+
+      const result = await getAuthorizationUrl({});
+
+      expect(fakeWorkosInstance.pkce.generate).toHaveBeenCalled();
+      expect(workos.userManagement.getAuthorizationUrl).toHaveBeenCalledWith(
+        expect.objectContaining({
+          codeChallenge: 'test-code-challenge',
+          codeChallengeMethod: 'S256',
+        }),
+      );
+      expect(result.url).toBe('mock-url');
+      expect(result.sealedState).toBeDefined();
+      expect(result.sealedState).not.toBe('');
+    });
+
+    it('seals codeVerifier and nonce into state', async () => {
+      vi.mocked(workos.userManagement.getAuthorizationUrl).mockReturnValue('mock-url');
+
+      const result = await getAuthorizationUrl({});
+
+      const { codeVerifier, nonce } = await getStateFromPKCECookieValue(result.sealedState);
+      expect(codeVerifier).toBe('test-code-verifier');
+      expect(nonce).toBeDefined();
+      expect(typeof nonce).toBe('string');
+    });
+  });
 });

package/src/get-authorization-url.ts

@@ -1,37 +1,83 @@
-import { getWorkOS } from './workos.js';
-import { WORKOS_CLIENT_ID, WORKOS_REDIRECT_URI } from './env-variables.js';
-import { GetAuthURLOptions } from './interfaces.js';
+import { sealData } from 'iron-session';
 import { headers } from 'next/headers';
+import { WORKOS_CLAIM_TOKEN, WORKOS_CLIENT_ID, WORKOS_COOKIE_PASSWORD, WORKOS_REDIRECT_URI } from './env-variables.js';
+import { GetAuthURLOptions, GetAuthURLResult, State } from './interfaces.js';
+import { getWorkOS } from './workos.js';
 
-async function getAuthorizationUrl(options: GetAuthURLOptions = {}) {
-  const headersList = await headers();
-  const {
-    returnPathname,
-    screenHint,
-    organizationId,
-    redirectUri = headersList.get('x-redirect-uri'),
-    loginHint,
-    prompt,
-    state: customState,
-  } = options;
+async function fetchClaimNonce(baseURL: string): Promise<string | null> {
+  try {
+    const response = await fetch(`${baseURL}/x/one-shot-environments/claim-nonces`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        client_id: WORKOS_CLIENT_ID,
+        claim_token: WORKOS_CLAIM_TOKEN,
+      }),
+    });
+    if (!response.ok) {
+      if (response.status !== 409) {
+        console.warn(
+          `[authkit-nextjs]: Failed to exchange WORKOS_CLAIM_TOKEN (${response.status}). Try removing WORKOS_CLAIM_TOKEN from your environment variables.`,
+        );
+      }
+      return null;
+    }
+    const data = await response.json();
+    return data.nonce;
+  } catch (error) {
+    console.warn(
+      '[authkit-nextjs]: Failed to exchange WORKOS_CLAIM_TOKEN. Try removing WORKOS_CLAIM_TOKEN from your environment variables.',
+      error,
+    );
+    return null;
+  }
+}
+
+async function getAuthorizationUrl({
+  returnPathname,
+  screenHint,
+  organizationId,
+  loginHint,
+  prompt,
+  state: customState,
+  redirectUri,
+}: GetAuthURLOptions = {}): Promise<GetAuthURLResult> {
+  const redirectUriToUse = await (async () => {
+    if (redirectUri) {
+      return redirectUri;
+    }
+
+    const headersList = await headers();
+    return headersList.get('x-redirect-uri') ?? undefined;
+  })();
 
-  const internalState = returnPathname
-    ? btoa(JSON.stringify({ returnPathname })).replace(/\+/g, '-').replace(/\//g, '_')
-    : null;
+  const pkce = await getWorkOS().pkce.generate();
+  const claimNonce = WORKOS_CLAIM_TOKEN ? await fetchClaimNonce(getWorkOS().baseURL) : null;
 
-  const finalState =
-    internalState && customState ? `${internalState}.${customState}` : internalState || customState || undefined;
+  const state = {
+    nonce: crypto.randomUUID(),
+    codeVerifier: pkce.codeVerifier,
+    customState,
+    returnPathname,
+  } satisfies State;
+
+  const sealedState = await sealData(state, { password: WORKOS_COOKIE_PASSWORD, ttl: 600 });
 
-  return getWorkOS().userManagement.getAuthorizationUrl({
-    provider: 'authkit',
+  const url = getWorkOS().userManagement.getAuthorizationUrl({
+    provider: 'authkit' as const,
     clientId: WORKOS_CLIENT_ID,
-    redirectUri: redirectUri ?? WORKOS_REDIRECT_URI,
-    state: finalState,
+    redirectUri: redirectUriToUse ?? WORKOS_REDIRECT_URI,
     screenHint,
     organizationId,
     loginHint,
     prompt,
+    state: sealedState,
+    codeChallenge: pkce.codeChallenge,
+    codeChallengeMethod: pkce.codeChallengeMethod,
+    ...(claimNonce && { claimNonce }),
   });
+
+  return { url, sealedState };
 }
 
 export { getAuthorizationUrl };

package/src/index.ts

@@ -1,22 +1,40 @@
 import { getSignInUrl, getSignUpUrl, signOut, switchToOrganization } from './auth.js';
 import { handleAuth } from './authkit-callback-route.js';
-import { authkit, authkitMiddleware } from './middleware.js';
+import { AuthKitError, TokenRefreshError } from './errors.js';
+import { authkit, authkitMiddleware, authkitProxy } from './middleware.js';
+export {
+  applyResponseHeaders,
+  handleAuthkitHeaders,
+  handleAuthkitProxy,
+  partitionAuthkitHeaders,
+  isAuthkitRequestHeader,
+  AUTHKIT_REQUEST_HEADERS,
+  type AuthkitHeadersResult,
+  type AuthkitRedirectStatus,
+  type AuthkitRequestHeader,
+  type HandleAuthkitHeadersOptions,
+} from './middleware-helpers.js';
 import { getTokenClaims, refreshSession, saveSession, withAuth } from './session.js';
+import { validateApiKey } from './validate-api-key.js';
 import { getWorkOS } from './workos.js';
 
 export * from './interfaces.js';
 
 export {
+  AuthKitError,
+  TokenRefreshError,
   authkit,
   authkitMiddleware,
+  authkitProxy,
   getSignInUrl,
   getSignUpUrl,
+  getTokenClaims,
   getWorkOS,
   handleAuth,
   refreshSession,
   saveSession,
   signOut,
   switchToOrganization,
+  validateApiKey,
   withAuth,
-  getTokenClaims,
 };

package/src/interfaces.ts

@@ -1,5 +1,6 @@
 import type { AuthenticationResponse, OauthTokens, User } from '@workos-inc/node';
 import { type NextRequest } from 'next/server';
+import * as v from 'valibot';
 
 export interface HandleAuthOptions {
   returnPathname?: string;
@@ -61,6 +62,20 @@ export interface AccessToken {
   feature_flags?: string[];
 }
 
+export const StateSchema = v.object({
+  nonce: v.string(),
+  customState: v.optional(v.string()),
+  returnPathname: v.optional(v.string()),
+  codeVerifier: v.string(),
+});
+
+export type State = v.InferOutput<typeof StateSchema>;
+
+export interface GetAuthURLResult {
+  url: string;
+  sealedState: string;
+}
+
 export interface GetAuthURLOptions {
   screenHint?: 'sign-up' | 'sign-in';
   returnPathname?: string;

package/src/jwt.ts

@@ -2,16 +2,16 @@
  * JWT (JSON Web Token) Interface Definitions
  */
 export interface JWTHeader {
-  'alg': string;
-  'typ'?: string | undefined;
-  'cty'?: string | undefined;
-  'crit'?: Array<string | Exclude<keyof JWTHeader, 'crit'>> | undefined;
-  'kid'?: string | undefined;
-  'jku'?: string | undefined;
-  'x5u'?: string | string[] | undefined;
+  alg: string;
+  typ?: string | undefined;
+  cty?: string | undefined;
+  crit?: Array<string | Exclude<keyof JWTHeader, 'crit'>> | undefined;
+  kid?: string | undefined;
+  jku?: string | undefined;
+  x5u?: string | string[] | undefined;
   'x5t#S256'?: string | undefined;
-  'x5t'?: string | undefined;
-  'x5c'?: string | string[] | undefined;
+  x5t?: string | undefined;
+  x5c?: string | string[] | undefined;
 }
 /**
  * JWT Payload Interface