openai 6.32.0 → 6.34.0

package/CHANGELOG.md

@@ -1,5 +1,62 @@
 # Changelog
 
+## 6.34.0 (2026-04-08)
+
+Full Changelog: [v6.33.0...v6.34.0](https://github.com/openai/openai-node/compare/v6.33.0...v6.34.0)
+
+### Features
+
+* **api:** add phase field to Message in conversations ([eb7cbc1](https://github.com/openai/openai-node/commit/eb7cbc1cb9d8f3189b4db6b59a6ff2c45376a598))
+* **client:** add support for short-lived tokens ([#839](https://github.com/openai/openai-node/issues/839)) ([a72ebcf](https://github.com/openai/openai-node/commit/a72ebcf06bcbf4100a3f3c8723b66c34f7c261ec))
+
+
+### Bug Fixes
+
+* **api:** remove web_search_call.results from ResponseIncludable in responses ([1f6968e](https://github.com/openai/openai-node/commit/1f6968e1c0add39034d26f4268a75cadad42abf0))
+
+
+### Chores
+
+* **internal:** codegen related update ([1081460](https://github.com/openai/openai-node/commit/1081460b68a90915fb019f81d9c24c0dfa48a3c4))
+* **internal:** update multipart form array serialization ([3faee8d](https://github.com/openai/openai-node/commit/3faee8da8d286871adb3ce1258df57aab67272da))
+* **tests:** bump steady to v0.20.1 ([b73cc6b](https://github.com/openai/openai-node/commit/b73cc6b9db6489b7e8b55cab79789ddb21e6d83f))
+
+
+### Documentation
+
+* **api:** add multi-file ingestion recommendations to vector-stores files/file-batches ([1bc32a3](https://github.com/openai/openai-node/commit/1bc32a3cbc4d453e2835db3a1844e7c99f55df24))
+
+## 6.33.0 (2026-03-25)
+
+Full Changelog: [v6.32.0...v6.33.0](https://github.com/openai/openai-node/compare/v6.32.0...v6.33.0)
+
+### Features
+
+* **api:** add keys field to computer action types ([27a850e](https://github.com/openai/openai-node/commit/27a850e8a698cde5b7e05da70d8babb1205b2830))
+* **client:** add async iterator and stream() to WebSocket classes ([e1c16ee](https://github.com/openai/openai-node/commit/e1c16ee35b8ef9db30e9a99a2b3460368f3044d0))
+
+
+### Bug Fixes
+
+* **api:** align SDK response types with expanded item schemas ([491cd52](https://github.com/openai/openai-node/commit/491cd5290c36e6b1de7ff9787e80c73899d8b642))
+* **types:** make type required in ResponseInputMessageItem ([2012293](https://github.com/openai/openai-node/commit/20122931977c2de8630cb03182766fbf6dc37868))
+
+
+### Chores
+
+* **ci:** skip lint on metadata-only changes ([74a917f](https://github.com/openai/openai-node/commit/74a917fd92dd2a1bd3089f3b5f79781bdc0d4ec3))
+* **internal:** refactor imports ([cfe9c60](https://github.com/openai/openai-node/commit/cfe9c60aa41e9ed53e7d5f9187d31baf4364f8bd))
+* **internal:** update gitignore ([71bd114](https://github.com/openai/openai-node/commit/71bd114f97e24c547660694d03c19b22d62ae961))
+* **tests:** bump steady to v0.19.4 ([f2e9dea](https://github.com/openai/openai-node/commit/f2e9dea844405f189cc63a1d1493de3eabfcb7e7))
+* **tests:** bump steady to v0.19.5 ([37c6cf4](https://github.com/openai/openai-node/commit/37c6cf495b9a05128572f9e955211b67d01410f3))
+* **tests:** bump steady to v0.19.6 ([496b3af](https://github.com/openai/openai-node/commit/496b3af4371cf40f5d14f72d0770e152710b09df))
+* **tests:** bump steady to v0.19.7 ([8491eb6](https://github.com/openai/openai-node/commit/8491eb6d83cf8680bdc9d69e60b8e5d09e2bc8e8))
+
+
+### Refactors
+
+* **tests:** switch from prism to steady ([47c0581](https://github.com/openai/openai-node/commit/47c0581a1923c9e700a619dd6bfa3fb93a188899))
+
 ## 6.32.0 (2026-03-17)
 
 Full Changelog: [v6.31.0...v6.32.0](https://github.com/openai/openai-node/compare/v6.31.0...v6.32.0)

package/README.md

@@ -69,6 +69,102 @@ const completion = await client.chat.completions.create({
 console.log(completion.choices[0].message.content);
 ```
 
+## Workload Identity Authentication
+
+For secure, automated environments like cloud-managed Kubernetes, Azure, and GCP, you can use workload identity authentication with short-lived tokens from cloud identity providers instead of long-lived API keys.
+
+The `workloadIdentity` parameter is mutually exclusive with `apiKey`.
+
+### Kubernetes (service account tokens)
+
+```ts
+import OpenAI from 'openai';
+import { k8sServiceAccountTokenProvider } from 'openai/auth';
+
+const client = new OpenAI({
+  workloadIdentity: {
+    clientId: 'your-client-id',
+    identityProviderId: 'idp-123',
+    serviceAccountId: 'sa-456',
+    provider: k8sServiceAccountTokenProvider('/var/run/secrets/kubernetes.io/serviceaccount/token'),
+  },
+});
+
+const response = await client.chat.completions.create({
+  model: 'gpt-4',
+  messages: [{ role: 'user', content: 'Hello!' }],
+});
+```
+
+### Azure (managed identity)
+
+```ts
+import OpenAI from 'openai';
+import { azureManagedIdentityTokenProvider } from 'openai/auth';
+
+const client = new OpenAI({
+  workloadIdentity: {
+    clientId: 'your-client-id',
+    identityProviderId: 'idp-123',
+    serviceAccountId: 'sa-456',
+    provider: azureManagedIdentityTokenProvider(),
+  },
+});
+```
+
+### GCP (compute engine metadata)
+
+```ts
+import OpenAI from 'openai';
+import { gcpIDTokenProvider } from 'openai/auth';
+
+const client = new OpenAI({
+  workloadIdentity: {
+    clientId: 'your-client-id',
+    identityProviderId: 'idp-123',
+    serviceAccountId: 'sa-456',
+    provider: gcpIDTokenProvider(),
+  },
+});
+```
+
+### Custom subject token provider
+
+```ts
+import OpenAI from 'openai';
+
+const client = new OpenAI({
+  workloadIdentity: {
+    clientId: 'your-client-id',
+    identityProviderId: 'idp-123',
+    serviceAccountId: 'sa-456',
+    provider: {
+      tokenType: 'jwt',
+      getToken: async () => {
+        return 'your-jwt-token';
+      },
+    },
+  },
+});
+```
+
+You can also customize the token refresh buffer (default is 1200 seconds (20 minutes) before expiration):
+
+```ts
+import OpenAI from 'openai';
+import { k8sServiceAccountTokenProvider } from 'openai/auth';
+
+const client = new OpenAI({
+  workloadIdentity: {
+    clientId: 'your-client-id',
+    identityProviderId: 'idp-123',
+    serviceAccountId: 'sa-456',
+    provider: k8sServiceAccountTokenProvider('/var/token'),
+    refreshBufferSeconds: 120.0,
+  },
+});
+```
+
 ## Streaming responses
 
 We provide support for streaming responses using Server Sent Events (SSE).

package/auth/index.d.mts

@@ -0,0 +1,4 @@
+export type { WorkloadIdentity, SubjectTokenProvider, TokenExchangeResponse } from "./types.mjs";
+export { k8sServiceAccountTokenProvider, azureManagedIdentityTokenProvider, gcpIDTokenProvider, } from "./subject-token-providers.mjs";
+export { OAuthError, SubjectTokenProviderError } from "../core/error.mjs";
+//# sourceMappingURL=index.d.mts.map

package/auth/index.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.mts","sourceRoot":"","sources":["../src/auth/index.ts"],"names":[],"mappings":"YAAY,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE;OAEtE,EACL,8BAA8B,EAC9B,iCAAiC,EACjC,kBAAkB,GACnB;OAEM,EAAE,UAAU,EAAE,yBAAyB,EAAE"}

package/auth/index.d.ts

@@ -0,0 +1,4 @@
+export type { WorkloadIdentity, SubjectTokenProvider, TokenExchangeResponse } from "./types.js";
+export { k8sServiceAccountTokenProvider, azureManagedIdentityTokenProvider, gcpIDTokenProvider, } from "./subject-token-providers.js";
+export { OAuthError, SubjectTokenProviderError } from "../core/error.js";
+//# sourceMappingURL=index.d.ts.map

package/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/auth/index.ts"],"names":[],"mappings":"YAAY,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE;OAEtE,EACL,8BAA8B,EAC9B,iCAAiC,EACjC,kBAAkB,GACnB;OAEM,EAAE,UAAU,EAAE,yBAAyB,EAAE"}

package/auth/index.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SubjectTokenProviderError = exports.OAuthError = exports.gcpIDTokenProvider = exports.azureManagedIdentityTokenProvider = exports.k8sServiceAccountTokenProvider = void 0;
+var subject_token_providers_1 = require("./subject-token-providers.js");
+Object.defineProperty(exports, "k8sServiceAccountTokenProvider", { enumerable: true, get: function () { return subject_token_providers_1.k8sServiceAccountTokenProvider; } });
+Object.defineProperty(exports, "azureManagedIdentityTokenProvider", { enumerable: true, get: function () { return subject_token_providers_1.azureManagedIdentityTokenProvider; } });
+Object.defineProperty(exports, "gcpIDTokenProvider", { enumerable: true, get: function () { return subject_token_providers_1.gcpIDTokenProvider; } });
+var error_1 = require("../core/error.js");
+Object.defineProperty(exports, "OAuthError", { enumerable: true, get: function () { return error_1.OAuthError; } });
+Object.defineProperty(exports, "SubjectTokenProviderError", { enumerable: true, get: function () { return error_1.SubjectTokenProviderError; } });
+//# sourceMappingURL=index.js.map

package/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/auth/index.ts"],"names":[],"mappings":";;;AAEA,wEAImC;AAHjC,yIAAA,8BAA8B,OAAA;AAC9B,4IAAA,iCAAiC,OAAA;AACjC,6HAAA,kBAAkB,OAAA;AAGpB,0CAAsE;AAA7D,mGAAA,UAAU,OAAA;AAAE,kHAAA,yBAAyB,OAAA"}

package/auth/index.mjs

@@ -0,0 +1,3 @@
+export { k8sServiceAccountTokenProvider, azureManagedIdentityTokenProvider, gcpIDTokenProvider, } from "./subject-token-providers.mjs";
+export { OAuthError, SubjectTokenProviderError } from "../core/error.mjs";
+//# sourceMappingURL=index.mjs.map

package/auth/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","sourceRoot":"","sources":["../src/auth/index.ts"],"names":[],"mappings":"OAEO,EACL,8BAA8B,EAC9B,iCAAiC,EACjC,kBAAkB,GACnB;OAEM,EAAE,UAAU,EAAE,yBAAyB,EAAE"}

package/auth/subject-token-providers.d.mts

@@ -0,0 +1,20 @@
+import type { SubjectTokenProvider } from "./types.mjs";
+import type { Fetch } from "../internal/builtin-types.mjs";
+type ReadFile = (path: string) => Promise<string>;
+export declare function k8sServiceAccountTokenProvider(tokenPath?: string, config?: {
+    readFile?: ReadFile;
+}): SubjectTokenProvider;
+export declare function azureManagedIdentityTokenProvider(resource?: string, config?: {
+    objectId?: string;
+    clientId?: string;
+    msiResId?: string;
+    apiVersion?: string;
+    timeout?: number;
+    fetch?: Fetch;
+}): SubjectTokenProvider;
+export declare function gcpIDTokenProvider(audience?: string, config?: {
+    timeout?: number;
+    fetch?: Fetch;
+}): SubjectTokenProvider;
+export {};
+//# sourceMappingURL=subject-token-providers.d.mts.map

package/auth/subject-token-providers.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subject-token-providers.d.mts","sourceRoot":"","sources":["../src/auth/subject-token-providers.ts"],"names":[],"mappings":"OAAO,KAAK,EAAE,oBAAoB,EAAE;OAC7B,KAAK,EAAE,KAAK,EAAE;AAQrB,KAAK,QAAQ,GAAG,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;AAclD,wBAAgB,8BAA8B,CAC5C,SAAS,GAAE,MAA8D,EACzE,MAAM,CAAC,EAAE;IACP,QAAQ,CAAC,EAAE,QAAQ,CAAC;CACrB,GACA,oBAAoB,CAiCtB;AAED,wBAAgB,iCAAiC,CAC/C,QAAQ,GAAE,MAAyB,EACnC,MAAM,CAAC,EAAE;IACP,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf,GACA,oBAAoB,CA4DtB;AAED,wBAAgB,kBAAkB,CAChC,QAAQ,GAAE,MAAoC,EAC9C,MAAM,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,KAAK,CAAA;CAAE,GAC3C,oBAAoB,CA8CtB"}

package/auth/subject-token-providers.d.ts

@@ -0,0 +1,20 @@
+import type { SubjectTokenProvider } from "./types.js";
+import type { Fetch } from "../internal/builtin-types.js";
+type ReadFile = (path: string) => Promise<string>;
+export declare function k8sServiceAccountTokenProvider(tokenPath?: string, config?: {
+    readFile?: ReadFile;
+}): SubjectTokenProvider;
+export declare function azureManagedIdentityTokenProvider(resource?: string, config?: {
+    objectId?: string;
+    clientId?: string;
+    msiResId?: string;
+    apiVersion?: string;
+    timeout?: number;
+    fetch?: Fetch;
+}): SubjectTokenProvider;
+export declare function gcpIDTokenProvider(audience?: string, config?: {
+    timeout?: number;
+    fetch?: Fetch;
+}): SubjectTokenProvider;
+export {};
+//# sourceMappingURL=subject-token-providers.d.ts.map

package/auth/subject-token-providers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subject-token-providers.d.ts","sourceRoot":"","sources":["../src/auth/subject-token-providers.ts"],"names":[],"mappings":"OAAO,KAAK,EAAE,oBAAoB,EAAE;OAC7B,KAAK,EAAE,KAAK,EAAE;AAQrB,KAAK,QAAQ,GAAG,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;AAclD,wBAAgB,8BAA8B,CAC5C,SAAS,GAAE,MAA8D,EACzE,MAAM,CAAC,EAAE;IACP,QAAQ,CAAC,EAAE,QAAQ,CAAC;CACrB,GACA,oBAAoB,CAiCtB;AAED,wBAAgB,iCAAiC,CAC/C,QAAQ,GAAE,MAAyB,EACnC,MAAM,CAAC,EAAE;IACP,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf,GACA,oBAAoB,CA4DtB;AAED,wBAAgB,kBAAkB,CAChC,QAAQ,GAAE,MAAoC,EAC9C,MAAM,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,KAAK,CAAA;CAAE,GAC3C,oBAAoB,CA8CtB"}

package/auth/subject-token-providers.js

@@ -0,0 +1,127 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.k8sServiceAccountTokenProvider = k8sServiceAccountTokenProvider;
+exports.azureManagedIdentityTokenProvider = azureManagedIdentityTokenProvider;
+exports.gcpIDTokenProvider = gcpIDTokenProvider;
+const tslib_1 = require("../internal/tslib.js");
+const Shims = tslib_1.__importStar(require("../internal/shims.js"));
+const error_1 = require("../core/error.js");
+const DEFAULT_RESOURCE = 'https://management.azure.com/';
+const DEFAULT_AZURE_API_VERSION = '2018-02-01';
+const AZURE_IMDS_BASE_URL = 'http://169.254.169.254/metadata/identity/oauth2/token';
+let fsPromisesModule;
+async function defaultReadFile(path) {
+    fsPromisesModule ?? (fsPromisesModule = Promise.resolve().then(() => tslib_1.__importStar(require('fs/promises'))).catch((error) => {
+        fsPromisesModule = undefined;
+        throw error;
+    }));
+    const { readFile } = await fsPromisesModule;
+    return readFile(path, 'utf8');
+}
+function k8sServiceAccountTokenProvider(tokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token', config) {
+    const readFile = config?.readFile ?? defaultReadFile;
+    return {
+        tokenType: 'jwt',
+        getToken: async () => {
+            let rawToken;
+            try {
+                rawToken = await readFile(tokenPath);
+            }
+            catch (error) {
+                if (error instanceof error_1.SubjectTokenProviderError) {
+                    throw error;
+                }
+                throw new error_1.SubjectTokenProviderError(`Failed to read Kubernetes service account token from ${tokenPath}: ${error instanceof Error ? error.message : String(error)}`, 'kubernetes', error instanceof Error ? error : undefined);
+            }
+            const token = rawToken.trim();
+            if (token.length === 0) {
+                throw new error_1.SubjectTokenProviderError(`The token file at ${tokenPath} is empty.`, 'kubernetes');
+            }
+            return token;
+        },
+    };
+}
+function azureManagedIdentityTokenProvider(resource = DEFAULT_RESOURCE, config) {
+    const apiVersion = config?.apiVersion ?? DEFAULT_AZURE_API_VERSION;
+    const timeout = config?.timeout ?? 10000;
+    return {
+        tokenType: 'jwt',
+        getToken: async () => {
+            const url = new URL(AZURE_IMDS_BASE_URL);
+            url.searchParams.set('api-version', apiVersion);
+            url.searchParams.set('resource', resource);
+            if (config?.objectId) {
+                url.searchParams.set('object_id', config.objectId);
+            }
+            if (config?.clientId) {
+                url.searchParams.set('client_id', config.clientId);
+            }
+            if (config?.msiResId) {
+                url.searchParams.set('msi_res_id', config.msiResId);
+            }
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
+            try {
+                const response = await (config?.fetch ?? Shims.getDefaultFetch())(url.toString(), {
+                    headers: {
+                        Metadata: 'true',
+                    },
+                    signal: controller.signal,
+                });
+                if (!response.ok) {
+                    throw new error_1.SubjectTokenProviderError(`Failed to fetch token from Azure IMDS: status ${response.status}`, 'azure-imds');
+                }
+                const data = (await response.json());
+                if (!data.access_token) {
+                    throw new error_1.SubjectTokenProviderError("IMDS response missing 'access_token' field", 'azure-imds');
+                }
+                return data.access_token;
+            }
+            catch (error) {
+                if (error instanceof error_1.SubjectTokenProviderError) {
+                    throw error;
+                }
+                throw new error_1.SubjectTokenProviderError('failed to fetch token from IMDS', 'azure-imds', error instanceof Error ? error : undefined);
+            }
+            finally {
+                clearTimeout(timeoutId);
+            }
+        },
+    };
+}
+function gcpIDTokenProvider(audience = 'https://api.openai.com/v1', config) {
+    const timeout = config?.timeout || 10000;
+    return {
+        tokenType: 'id',
+        getToken: async () => {
+            const url = new URL(`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity`);
+            url.searchParams.set('audience', audience);
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
+            try {
+                const response = await (config?.fetch ?? Shims.getDefaultFetch())(url.toString(), {
+                    headers: {
+                        'Metadata-Flavor': 'Google',
+                    },
+                    signal: controller.signal,
+                });
+                if (!response.ok) {
+                    const errorText = await response.text();
+                    throw new Error(`GCP Metadata Server returned ${response.status}: ${errorText}`);
+                }
+                const token = (await response.text()).trim();
+                if (!token) {
+                    throw new Error('GCP metadata server returned an empty token');
+                }
+                return token;
+            }
+            catch (error) {
+                throw new error_1.SubjectTokenProviderError(`Failed to fetch token from GCP Metadata Server: ${error instanceof Error ? error.message : String(error)}`, 'gcp-metadata', error instanceof Error ? error : undefined);
+            }
+            finally {
+                clearTimeout(timeoutId);
+            }
+        },
+    };
+}
+//# sourceMappingURL=subject-token-providers.js.map

package/auth/subject-token-providers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"subject-token-providers.js","sourceRoot":"","sources":["../src/auth/subject-token-providers.ts"],"names":[],"mappings":";;AAuBA,wEAsCC;AAED,8EAsEC;AAED,gDAiDC;;AAtLD,oEAA2C;AAC3C,4CAA0D;AAE1D,MAAM,gBAAgB,GAAG,+BAA+B,CAAC;AACzD,MAAM,yBAAyB,GAAG,YAAY,CAAC;AAC/C,MAAM,mBAAmB,GAAG,uDAAuD,CAAC;AAIpF,IAAI,gBAAwE,CAAC;AAE7E,KAAK,UAAU,eAAe,CAAC,IAAY;IACzC,gBAAgB,KAAhB,gBAAgB,GAAK,0DAAO,aAAa,IAAE,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;QACzD,gBAAgB,GAAG,SAAS,CAAC;QAC7B,MAAM,KAAK,CAAC;IACd,CAAC,CAAC,EAAC;IAEH,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,gBAAgB,CAAC;IAC5C,OAAO,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAChC,CAAC;AAED,SAAgB,8BAA8B,CAC5C,YAAoB,qDAAqD,EACzE,MAEC;IAED,MAAM,QAAQ,GAAG,MAAM,EAAE,QAAQ,IAAI,eAAe,CAAC;IAErD,OAAO;QACL,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE,KAAK,IAAqB,EAAE;YACpC,IAAI,QAAgB,CAAC;YAErB,IAAI,CAAC;gBACH,QAAQ,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,CAAC;YACvC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,KAAK,YAAY,iCAAyB,EAAE,CAAC;oBAC/C,MAAM,KAAK,CAAC;gBACd,CAAC;gBAED,MAAM,IAAI,iCAAyB,CACjC,wDAAwD,SAAS,KAC/D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,YAAY,EACZ,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC3C,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;YAE9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,iCAAyB,CAAC,qBAAqB,SAAS,YAAY,EAAE,YAAY,CAAC,CAAC;YAChG,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAgB,iCAAiC,CAC/C,WAAmB,gBAAgB,EACnC,MAOC;IAED,MAAM,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,yBAAyB,CAAC;IACnE,MAAM,OAAO,GAAG,MAAM,EAAE,OAAO,IAAI,KAAK,CAAC;IAEzC,OAAO;QACL,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE,KAAK,IAAqB,EAAE;YACpC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,mBAAmB,CAAC,CAAC;YACzC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;YAChD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;YAE3C,IAAI,MAAM,EAAE,QAAQ,EAAE,CAAC;gBACrB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,MAAM,EAAE,QAAQ,EAAE,CAAC;gBACrB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,MAAM,EAAE,QAAQ,EAAE,CAAC;gBACrB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhE,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;oBAChF,OAAO,EAAE;wBACP,QAAQ,EAAE,MAAM;qBACjB;oBACD,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,IAAI,iCAAyB,CACjC,iDAAiD,QAAQ,CAAC,MAAM,EAAE,EAClE,YAAY,CACb,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;gBAElE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;oBACvB,MAAM,IAAI,iCAAyB,CAAC,4CAA4C,EAAE,YAAY,CAAC,CAAC;gBAClG,CAAC;gBAED,OAAO,IAAI,CAAC,YAAY,CAAC;YAC3B,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,KAAK,YAAY,iCAAyB,EAAE,CAAC;oBAC/C,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,MAAM,IAAI,iCAAyB,CACjC,iCAAiC,EACjC,YAAY,EACZ,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC3C,CAAC;YACJ,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAgB,kBAAkB,CAChC,WAAmB,2BAA2B,EAC9C,MAA4C;IAE5C,MAAM,OAAO,GAAG,MAAM,EAAE,OAAO,IAAI,KAAK,CAAC;IAEzC,OAAO;QACL,SAAS,EAAE,IAAI;QACf,QAAQ,EAAE,KAAK,IAAqB,EAAE;YACpC,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,+FAA+F,CAChG,CAAC;YACF,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;YAE3C,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhE,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;oBAChF,OAAO,EAAE;wBACP,iBAAiB,EAAE,QAAQ;qBAC5B;oBACD,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;oBACxC,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC,CAAC;gBACnF,CAAC;gBAED,MAAM,KAAK,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC7C,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBACjE,CAAC;gBAED,OAAO,KAAK,CAAC;YACf,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,iCAAyB,CACjC,mDACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,cAAc,EACd,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC3C,CAAC;YACJ,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/auth/subject-token-providers.mjs

@@ -0,0 +1,121 @@
+import * as Shims from "../internal/shims.mjs";
+import { SubjectTokenProviderError } from "../core/error.mjs";
+const DEFAULT_RESOURCE = 'https://management.azure.com/';
+const DEFAULT_AZURE_API_VERSION = '2018-02-01';
+const AZURE_IMDS_BASE_URL = 'http://169.254.169.254/metadata/identity/oauth2/token';
+let fsPromisesModule;
+async function defaultReadFile(path) {
+    fsPromisesModule ?? (fsPromisesModule = import('fs/promises').catch((error) => {
+        fsPromisesModule = undefined;
+        throw error;
+    }));
+    const { readFile } = await fsPromisesModule;
+    return readFile(path, 'utf8');
+}
+export function k8sServiceAccountTokenProvider(tokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token', config) {
+    const readFile = config?.readFile ?? defaultReadFile;
+    return {
+        tokenType: 'jwt',
+        getToken: async () => {
+            let rawToken;
+            try {
+                rawToken = await readFile(tokenPath);
+            }
+            catch (error) {
+                if (error instanceof SubjectTokenProviderError) {
+                    throw error;
+                }
+                throw new SubjectTokenProviderError(`Failed to read Kubernetes service account token from ${tokenPath}: ${error instanceof Error ? error.message : String(error)}`, 'kubernetes', error instanceof Error ? error : undefined);
+            }
+            const token = rawToken.trim();
+            if (token.length === 0) {
+                throw new SubjectTokenProviderError(`The token file at ${tokenPath} is empty.`, 'kubernetes');
+            }
+            return token;
+        },
+    };
+}
+export function azureManagedIdentityTokenProvider(resource = DEFAULT_RESOURCE, config) {
+    const apiVersion = config?.apiVersion ?? DEFAULT_AZURE_API_VERSION;
+    const timeout = config?.timeout ?? 10000;
+    return {
+        tokenType: 'jwt',
+        getToken: async () => {
+            const url = new URL(AZURE_IMDS_BASE_URL);
+            url.searchParams.set('api-version', apiVersion);
+            url.searchParams.set('resource', resource);
+            if (config?.objectId) {
+                url.searchParams.set('object_id', config.objectId);
+            }
+            if (config?.clientId) {
+                url.searchParams.set('client_id', config.clientId);
+            }
+            if (config?.msiResId) {
+                url.searchParams.set('msi_res_id', config.msiResId);
+            }
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
+            try {
+                const response = await (config?.fetch ?? Shims.getDefaultFetch())(url.toString(), {
+                    headers: {
+                        Metadata: 'true',
+                    },
+                    signal: controller.signal,
+                });
+                if (!response.ok) {
+                    throw new SubjectTokenProviderError(`Failed to fetch token from Azure IMDS: status ${response.status}`, 'azure-imds');
+                }
+                const data = (await response.json());
+                if (!data.access_token) {
+                    throw new SubjectTokenProviderError("IMDS response missing 'access_token' field", 'azure-imds');
+                }
+                return data.access_token;
+            }
+            catch (error) {
+                if (error instanceof SubjectTokenProviderError) {
+                    throw error;
+                }
+                throw new SubjectTokenProviderError('failed to fetch token from IMDS', 'azure-imds', error instanceof Error ? error : undefined);
+            }
+            finally {
+                clearTimeout(timeoutId);
+            }
+        },
+    };
+}
+export function gcpIDTokenProvider(audience = 'https://api.openai.com/v1', config) {
+    const timeout = config?.timeout || 10000;
+    return {
+        tokenType: 'id',
+        getToken: async () => {
+            const url = new URL(`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity`);
+            url.searchParams.set('audience', audience);
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
+            try {
+                const response = await (config?.fetch ?? Shims.getDefaultFetch())(url.toString(), {
+                    headers: {
+                        'Metadata-Flavor': 'Google',
+                    },
+                    signal: controller.signal,
+                });
+                if (!response.ok) {
+                    const errorText = await response.text();
+                    throw new Error(`GCP Metadata Server returned ${response.status}: ${errorText}`);
+                }
+                const token = (await response.text()).trim();
+                if (!token) {
+                    throw new Error('GCP metadata server returned an empty token');
+                }
+                return token;
+            }
+            catch (error) {
+                throw new SubjectTokenProviderError(`Failed to fetch token from GCP Metadata Server: ${error instanceof Error ? error.message : String(error)}`, 'gcp-metadata', error instanceof Error ? error : undefined);
+            }
+            finally {
+                clearTimeout(timeoutId);
+            }
+        },
+    };
+}
+//# sourceMappingURL=subject-token-providers.mjs.map

package/auth/subject-token-providers.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"subject-token-providers.mjs","sourceRoot":"","sources":["../src/auth/subject-token-providers.ts"],"names":[],"mappings":"OAEO,KAAK,KAAK;OACV,EAAE,yBAAyB,EAAE;AAEpC,MAAM,gBAAgB,GAAG,+BAA+B,CAAC;AACzD,MAAM,yBAAyB,GAAG,YAAY,CAAC;AAC/C,MAAM,mBAAmB,GAAG,uDAAuD,CAAC;AAIpF,IAAI,gBAAwE,CAAC;AAE7E,KAAK,UAAU,eAAe,CAAC,IAAY;IACzC,gBAAgB,KAAhB,gBAAgB,GAAK,MAAM,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;QACzD,gBAAgB,GAAG,SAAS,CAAC;QAC7B,MAAM,KAAK,CAAC;IACd,CAAC,CAAC,EAAC;IAEH,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,gBAAgB,CAAC;IAC5C,OAAO,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,8BAA8B,CAC5C,YAAoB,qDAAqD,EACzE,MAEC;IAED,MAAM,QAAQ,GAAG,MAAM,EAAE,QAAQ,IAAI,eAAe,CAAC;IAErD,OAAO;QACL,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE,KAAK,IAAqB,EAAE;YACpC,IAAI,QAAgB,CAAC;YAErB,IAAI,CAAC;gBACH,QAAQ,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,CAAC;YACvC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,KAAK,YAAY,yBAAyB,EAAE,CAAC;oBAC/C,MAAM,KAAK,CAAC;gBACd,CAAC;gBAED,MAAM,IAAI,yBAAyB,CACjC,wDAAwD,SAAS,KAC/D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,YAAY,EACZ,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC3C,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;YAE9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,yBAAyB,CAAC,qBAAqB,SAAS,YAAY,EAAE,YAAY,CAAC,CAAC;YAChG,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,WAAmB,gBAAgB,EACnC,MAOC;IAED,MAAM,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,yBAAyB,CAAC;IACnE,MAAM,OAAO,GAAG,MAAM,EAAE,OAAO,IAAI,KAAK,CAAC;IAEzC,OAAO;QACL,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE,KAAK,IAAqB,EAAE;YACpC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,mBAAmB,CAAC,CAAC;YACzC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;YAChD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;YAE3C,IAAI,MAAM,EAAE,QAAQ,EAAE,CAAC;gBACrB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,MAAM,EAAE,QAAQ,EAAE,CAAC;gBACrB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,MAAM,EAAE,QAAQ,EAAE,CAAC;gBACrB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhE,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;oBAChF,OAAO,EAAE;wBACP,QAAQ,EAAE,MAAM;qBACjB;oBACD,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,IAAI,yBAAyB,CACjC,iDAAiD,QAAQ,CAAC,MAAM,EAAE,EAClE,YAAY,CACb,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;gBAElE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;oBACvB,MAAM,IAAI,yBAAyB,CAAC,4CAA4C,EAAE,YAAY,CAAC,CAAC;gBAClG,CAAC;gBAED,OAAO,IAAI,CAAC,YAAY,CAAC;YAC3B,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,KAAK,YAAY,yBAAyB,EAAE,CAAC;oBAC/C,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,MAAM,IAAI,yBAAyB,CACjC,iCAAiC,EACjC,YAAY,EACZ,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC3C,CAAC;YACJ,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,WAAmB,2BAA2B,EAC9C,MAA4C;IAE5C,MAAM,OAAO,GAAG,MAAM,EAAE,OAAO,IAAI,KAAK,CAAC;IAEzC,OAAO;QACL,SAAS,EAAE,IAAI;QACf,QAAQ,EAAE,KAAK,IAAqB,EAAE;YACpC,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,+FAA+F,CAChG,CAAC;YACF,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;YAE3C,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhE,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;oBAChF,OAAO,EAAE;wBACP,iBAAiB,EAAE,QAAQ;qBAC5B;oBACD,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;oBACxC,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC,CAAC;gBACnF,CAAC;gBAED,MAAM,KAAK,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC7C,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBACjE,CAAC;gBAED,OAAO,KAAK,CAAC;YACf,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,yBAAyB,CACjC,mDACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,cAAc,EACd,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC3C,CAAC;YACJ,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/auth/types.d.mts

@@ -0,0 +1,23 @@
+export interface SubjectTokenProvider {
+    tokenType: 'jwt' | 'id';
+    getToken: () => Promise<string>;
+}
+export interface WorkloadIdentity {
+    /**A unique string that identifies the client.*/
+    clientId: string;
+    /**Identity provider resource id in WIFAPI.*/
+    identityProviderId: string;
+    /**OpenAI Service account id to bind the verified external identity to.*/
+    serviceAccountId: string;
+    /**The provider configuration for obtaining the subject token.*/
+    provider: SubjectTokenProvider;
+    /**Optional buffer time in seconds to refresh the OpenAI token before it expires. Defaults to 1200 seconds (20 minutes).*/
+    refreshBufferSeconds?: number;
+}
+export interface TokenExchangeResponse {
+    access_token: string;
+    issued_token_type: string;
+    token_type: string;
+    expires_in?: number;
+}
+//# sourceMappingURL=types.d.mts.map

package/auth/types.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.mts","sourceRoot":"","sources":["../src/auth/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,KAAK,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,gBAAgB;IAC/B,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC;IAEjB,6CAA6C;IAC7C,kBAAkB,EAAE,MAAM,CAAC;IAE3B,yEAAyE;IACzE,gBAAgB,EAAE,MAAM,CAAC;IAEzB,gEAAgE;IAChE,QAAQ,EAAE,oBAAoB,CAAC;IAE/B,0HAA0H;IAC1H,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,qBAAqB;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}

package/auth/types.d.ts

@@ -0,0 +1,23 @@
+export interface SubjectTokenProvider {
+    tokenType: 'jwt' | 'id';
+    getToken: () => Promise<string>;
+}
+export interface WorkloadIdentity {
+    /**A unique string that identifies the client.*/
+    clientId: string;
+    /**Identity provider resource id in WIFAPI.*/
+    identityProviderId: string;
+    /**OpenAI Service account id to bind the verified external identity to.*/
+    serviceAccountId: string;
+    /**The provider configuration for obtaining the subject token.*/
+    provider: SubjectTokenProvider;
+    /**Optional buffer time in seconds to refresh the OpenAI token before it expires. Defaults to 1200 seconds (20 minutes).*/
+    refreshBufferSeconds?: number;
+}
+export interface TokenExchangeResponse {
+    access_token: string;
+    issued_token_type: string;
+    token_type: string;
+    expires_in?: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/auth/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,KAAK,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,gBAAgB;IAC/B,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC;IAEjB,6CAA6C;IAC7C,kBAAkB,EAAE,MAAM,CAAC;IAE3B,yEAAyE;IACzE,gBAAgB,EAAE,MAAM,CAAC;IAEzB,gEAAgE;IAChE,QAAQ,EAAE,oBAAoB,CAAC;IAE/B,0HAA0H;IAC1H,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,qBAAqB;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}

package/auth/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/auth/types.ts"],"names":[],"mappings":""}

package/auth/types.mjs

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.mjs.map

package/auth/types.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.mjs","sourceRoot":"","sources":["../src/auth/types.ts"],"names":[],"mappings":""}

package/auth/workload-identity-auth.d.mts

@@ -0,0 +1,16 @@
+import type { WorkloadIdentity } from "./types.mjs";
+import type { Fetch } from "../internal/builtin-types.mjs";
+export declare class WorkloadIdentityAuth {
+    private cachedToken;
+    private refreshPromise;
+    private readonly config;
+    private readonly tokenExchangeUrl;
+    private readonly fetch;
+    constructor(config: WorkloadIdentity, fetch?: Fetch);
+    getToken(): Promise<string>;
+    private refreshToken;
+    private isTokenExpired;
+    private needsRefresh;
+    invalidateToken(): void;
+}
+//# sourceMappingURL=workload-identity-auth.d.mts.map

package/auth/workload-identity-auth.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workload-identity-auth.d.mts","sourceRoot":"","sources":["../src/auth/workload-identity-auth.ts"],"names":[],"mappings":"OAAO,KAAK,EAAE,gBAAgB,EAAyB;OAChD,KAAK,EAAE,KAAK,EAAE;AAgBrB,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,WAAW,CAA4B;IAC/C,OAAO,CAAC,cAAc,CAAgC;IACtD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAmB;IAC1C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAiD;IAClF,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;gBAElB,MAAM,EAAE,gBAAgB,EAAE,KAAK,CAAC,EAAE,KAAK;IAK7C,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;YAyBnB,YAAY;IAiD1B,OAAO,CAAC,cAAc;IAItB,OAAO,CAAC,YAAY;IAMpB,eAAe,IAAI,IAAI;CAIxB"}

package/auth/workload-identity-auth.d.ts

@@ -0,0 +1,16 @@
+import type { WorkloadIdentity } from "./types.js";
+import type { Fetch } from "../internal/builtin-types.js";
+export declare class WorkloadIdentityAuth {
+    private cachedToken;
+    private refreshPromise;
+    private readonly config;
+    private readonly tokenExchangeUrl;
+    private readonly fetch;
+    constructor(config: WorkloadIdentity, fetch?: Fetch);
+    getToken(): Promise<string>;
+    private refreshToken;
+    private isTokenExpired;
+    private needsRefresh;
+    invalidateToken(): void;
+}
+//# sourceMappingURL=workload-identity-auth.d.ts.map