tredi-sdk 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +55 -0
- package/LICENSE +21 -0
- package/README.md +278 -0
- package/dist/index.cjs +912 -0
- package/dist/index.cjs.map +1 -0
- package/dist/index.d.cts +798 -0
- package/dist/index.d.ts +798 -0
- package/dist/index.js +890 -0
- package/dist/index.js.map +1 -0
- package/docs/README.md +14 -0
- package/docs/api-reference.md +452 -0
- package/docs/architecture.md +172 -0
- package/docs/guides.md +322 -0
- package/examples/fetch-insights.ts +32 -0
- package/examples/oauth-flow.ts +55 -0
- package/examples/publish-text.ts +39 -0
- package/examples/reply-autopilot.ts +62 -0
- package/package.json +76 -0
package/CHANGELOG.md
ADDED
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to this project are documented here.
|
|
4
|
+
|
|
5
|
+
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
|
+
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
|
+
|
|
8
|
+
## [Unreleased]
|
|
9
|
+
|
|
10
|
+
<!--
|
|
11
|
+
Add entries under the relevant heading as you work. Move them into a new
|
|
12
|
+
versioned section on release.
|
|
13
|
+
|
|
14
|
+
### Added
|
|
15
|
+
### Changed
|
|
16
|
+
### Deprecated
|
|
17
|
+
### Removed
|
|
18
|
+
### Fixed
|
|
19
|
+
### Security
|
|
20
|
+
-->
|
|
21
|
+
|
|
22
|
+
### Security
|
|
23
|
+
|
|
24
|
+
- Every request now rejects an id (`mediaId`, `postId`, `replyId`, `userId`,
|
|
25
|
+
`containerId`, ...) that contains `?`, `#`, or whitespace before it's
|
|
26
|
+
interpolated into the request path, throwing `ThreadsValidationError`
|
|
27
|
+
instead of silently building a request with smuggled query params or an
|
|
28
|
+
unintended path. This matters most when an id comes from untrusted input
|
|
29
|
+
(e.g. an inbound webhook payload) and was never validated by the caller.
|
|
30
|
+
- Added regression tests pinning down that OAuth secrets (`client_secret`,
|
|
31
|
+
the one-time `code`) and access tokens never reach a configured `logger`,
|
|
32
|
+
including for `exchangeForLongLivedToken` (a GET request where
|
|
33
|
+
`client_secret` is genuinely part of the URL sent to Meta, though never
|
|
34
|
+
part of what the SDK logs) and for failed requests.
|
|
35
|
+
|
|
36
|
+
## [0.1.0] - 2026-06-20
|
|
37
|
+
|
|
38
|
+
### Added
|
|
39
|
+
|
|
40
|
+
- Initial release.
|
|
41
|
+
- `ThreadsClient` with resource namespaces: `profile`, `posts`, `publishing`,
|
|
42
|
+
`replies`, `insights`, `mentions`, `search`.
|
|
43
|
+
- Standalone OAuth helpers: `getAuthorizationUrl`, `exchangeCodeForToken`,
|
|
44
|
+
`exchangeForLongLivedToken`, `refreshLongLivedToken`.
|
|
45
|
+
- Core HTTP engine: per-request timeout, idempotency-aware retries with
|
|
46
|
+
exponential backoff + jitter, `Retry-After` support.
|
|
47
|
+
- Typed error hierarchy (`ThreadsError` and subtypes) with Graph error mapping.
|
|
48
|
+
- Redacting logging hooks — access tokens, app secrets, and OAuth codes are
|
|
49
|
+
never logged.
|
|
50
|
+
- Dual ESM/CJS build with type declarations; `sideEffects: false`.
|
|
51
|
+
- Post deletion (`publishing.deletePost`) and polls (`publishing.publishPoll`).
|
|
52
|
+
|
|
53
|
+
<!-- Replace egnedko once this repo has a real home on GitHub. -->
|
|
54
|
+
[Unreleased]: https://github.com/egnedko/tredi-sdk/compare/v0.1.0...HEAD
|
|
55
|
+
[0.1.0]: https://github.com/egnedko/tredi-sdk/releases/tag/v0.1.0
|
package/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Ievgen Gniedko
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/README.md
ADDED
|
@@ -0,0 +1,278 @@
|
|
|
1
|
+
# Tredi (Threads API sdk)
|
|
2
|
+
|
|
3
|
+
<!-- Replace egnedko once this repo has a real home on GitHub. -->
|
|
4
|
+
[](https://github.com/egnedko/tredi-sdk/actions/workflows/ci.yml)
|
|
5
|
+
[](https://www.npmjs.com/package/tredi-sdk)
|
|
6
|
+
[](./LICENSE)
|
|
7
|
+
|
|
8
|
+
A typed, ESM-first SDK for the [Meta Threads API](https://developers.facebook.com/docs/threads).
|
|
9
|
+
|
|
10
|
+
- **TypeScript-first** — strict types, every endpoint and field modeled from the official docs.
|
|
11
|
+
- **Zero runtime dependencies** — uses the platform `fetch` (Node 18+, Bun, Deno, edge).
|
|
12
|
+
- **Production-ready** — request timeout, idempotency-safe retries with backoff, typed errors, redacting log hooks.
|
|
13
|
+
- **ESM + CJS** — dual output, `sideEffects: false`, tree-shakeable.
|
|
14
|
+
- **Security-first** — access tokens and app secrets are never written to logs.
|
|
15
|
+
|
|
16
|
+
> Scope: this SDK models the documented Threads endpoints — publishing (text, image, video, carousel, polls, deletion), posts, replies & moderation, insights, mentions, keyword search, quota, OAuth. See [Coverage](#coverage).
|
|
17
|
+
|
|
18
|
+
## Documentation
|
|
19
|
+
|
|
20
|
+
- [API Reference](./docs/api-reference.md) — every export, signatures, scopes, endpoint mapping
|
|
21
|
+
- [Architecture](./docs/architecture.md) — design, request lifecycle, retry model, decisions (with diagrams)
|
|
22
|
+
- [Guides](./docs/guides.md) — task recipes: OAuth, publishing, reply automation, analytics, errors
|
|
23
|
+
- [Examples](./examples) — runnable scripts
|
|
24
|
+
|
|
25
|
+
## Install
|
|
26
|
+
|
|
27
|
+
```bash
|
|
28
|
+
pnpm add tredi-sdk
|
|
29
|
+
# or: npm i tredi-sdk / yarn add tredi-sdk
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
Requires Node 18+ (global `fetch`). On older runtimes, pass a `fetch` implementation in the client config.
|
|
33
|
+
|
|
34
|
+
## Quick start
|
|
35
|
+
|
|
36
|
+
```ts
|
|
37
|
+
import { ThreadsClient } from 'tredi-sdk'
|
|
38
|
+
|
|
39
|
+
const threads = new ThreadsClient({ accessToken: process.env.THREADS_TOKEN! })
|
|
40
|
+
|
|
41
|
+
// Who am I?
|
|
42
|
+
const me = await threads.profile.get()
|
|
43
|
+
console.log(me.username)
|
|
44
|
+
|
|
45
|
+
// Publish a text post (create container → publish, handled for you)
|
|
46
|
+
const post = await threads.publishing.publishText('Hello, Threads 👋')
|
|
47
|
+
console.log('Published:', post.id)
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
## Authentication
|
|
51
|
+
|
|
52
|
+
Token-exchange helpers are standalone functions (tree-shakeable) and **must run server-side** — they require your app secret.
|
|
53
|
+
|
|
54
|
+
```ts
|
|
55
|
+
import {
|
|
56
|
+
getAuthorizationUrl,
|
|
57
|
+
exchangeCodeForToken,
|
|
58
|
+
exchangeForLongLivedToken,
|
|
59
|
+
refreshLongLivedToken,
|
|
60
|
+
} from 'tredi-sdk'
|
|
61
|
+
|
|
62
|
+
// 1. Redirect the user to the authorization window.
|
|
63
|
+
const url = getAuthorizationUrl({
|
|
64
|
+
clientId: process.env.THREADS_APP_ID!,
|
|
65
|
+
redirectUri: 'https://app.example.com/auth/threads/callback',
|
|
66
|
+
scopes: ['threads_basic', 'threads_content_publish', 'threads_manage_replies'],
|
|
67
|
+
state: csrfToken, // verify this on the callback
|
|
68
|
+
})
|
|
69
|
+
|
|
70
|
+
// 2. In your callback handler, exchange the code for a short-lived token.
|
|
71
|
+
const short = await exchangeCodeForToken({
|
|
72
|
+
clientId: process.env.THREADS_APP_ID!,
|
|
73
|
+
clientSecret: process.env.THREADS_APP_SECRET!,
|
|
74
|
+
code,
|
|
75
|
+
redirectUri: 'https://app.example.com/auth/threads/callback',
|
|
76
|
+
})
|
|
77
|
+
|
|
78
|
+
// 3. Upgrade to a long-lived (~60 day) token and store it.
|
|
79
|
+
const long = await exchangeForLongLivedToken({
|
|
80
|
+
clientSecret: process.env.THREADS_APP_SECRET!,
|
|
81
|
+
shortLivedToken: short.access_token,
|
|
82
|
+
})
|
|
83
|
+
|
|
84
|
+
// 4. Before it expires (and at least 24h old), refresh it for another 60 days.
|
|
85
|
+
const refreshed = await refreshLongLivedToken({ longLivedToken: long.access_token })
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
**Scopes** (validated against the docs): `threads_basic` (required), `threads_content_publish`, `threads_read_replies`, `threads_manage_replies`, `threads_manage_insights`, `threads_keyword_search`, `threads_delete`, `threads_location_tagging`.
|
|
89
|
+
|
|
90
|
+
## Usage
|
|
91
|
+
|
|
92
|
+
### Profile
|
|
93
|
+
|
|
94
|
+
```ts
|
|
95
|
+
await threads.profile.get() // the token owner ("me")
|
|
96
|
+
await threads.profile.get({ userId: '178...' }) // a specific user
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
### Posts (retrieve & discover)
|
|
100
|
+
|
|
101
|
+
```ts
|
|
102
|
+
const page = await threads.posts.list({ limit: 25 })
|
|
103
|
+
for (const post of page.data) console.log(post.text)
|
|
104
|
+
|
|
105
|
+
// Cursor pagination
|
|
106
|
+
const next = await threads.posts.list({ after: page.paging?.cursors?.after })
|
|
107
|
+
|
|
108
|
+
// A single post
|
|
109
|
+
await threads.posts.get('MEDIA_ID', { fields: ['id', 'text', 'permalink'] })
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
### Publishing
|
|
113
|
+
|
|
114
|
+
```ts
|
|
115
|
+
// Text, image, video, carousel — each handles the container→publish flow.
|
|
116
|
+
await threads.publishing.publishText('gm ☕')
|
|
117
|
+
await threads.publishing.publishImage({ imageUrl: 'https://…/a.jpg', text: 'caption', altText: 'a cat' })
|
|
118
|
+
await threads.publishing.publishVideo({ videoUrl: 'https://…/v.mp4' }) // waits for processing
|
|
119
|
+
await threads.publishing.publishCarousel({
|
|
120
|
+
items: [{ imageUrl: 'https://…/1.jpg' }, { imageUrl: 'https://…/2.jpg' }],
|
|
121
|
+
text: 'a set',
|
|
122
|
+
})
|
|
123
|
+
await threads.publishing.publishPoll('Coffee or tea?', { optionA: 'Coffee', optionB: 'Tea' })
|
|
124
|
+
|
|
125
|
+
// Or drive the two steps manually for full control.
|
|
126
|
+
const { id: creationId } = await threads.publishing.createContainer({ mediaType: 'TEXT', text: 'hi' })
|
|
127
|
+
await threads.publishing.publishContainer(creationId)
|
|
128
|
+
|
|
129
|
+
// Delete a published post (requires the `threads_delete` scope).
|
|
130
|
+
await threads.publishing.deletePost(post.id)
|
|
131
|
+
|
|
132
|
+
// Remaining quotas (250 posts / 1000 replies / 100 deletes per 24h).
|
|
133
|
+
const limit = await threads.publishing.getPublishingLimit()
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
### Replies & moderation
|
|
137
|
+
|
|
138
|
+
```ts
|
|
139
|
+
const replies = await threads.replies.list('MEDIA_ID')
|
|
140
|
+
const thread = await threads.replies.conversation('MEDIA_ID')
|
|
141
|
+
|
|
142
|
+
await threads.replies.publish('MEDIA_ID', 'Thanks for reading!')
|
|
143
|
+
await threads.replies.hide('REPLY_ID')
|
|
144
|
+
await threads.replies.unhide('REPLY_ID')
|
|
145
|
+
|
|
146
|
+
// Reply-approval queue (when enabled on the post)
|
|
147
|
+
const pending = await threads.replies.listPending('MEDIA_ID', { approvalStatus: 'pending' })
|
|
148
|
+
await threads.replies.managePending('REPLY_ID', true) // approve
|
|
149
|
+
```
|
|
150
|
+
|
|
151
|
+
### Insights
|
|
152
|
+
|
|
153
|
+
```ts
|
|
154
|
+
await threads.insights.media('MEDIA_ID') // views, likes, replies, reposts, quotes, shares
|
|
155
|
+
await threads.insights.user({ metrics: ['views', 'followers_count'] })
|
|
156
|
+
await threads.insights.user({ metrics: ['follower_demographics'], breakdown: 'country' })
|
|
157
|
+
```
|
|
158
|
+
|
|
159
|
+
### Mentions & keyword search
|
|
160
|
+
|
|
161
|
+
```ts
|
|
162
|
+
const mentions = await threads.mentions.list()
|
|
163
|
+
const found = await threads.search.keyword('cold brew', { searchType: 'RECENT', limit: 50 })
|
|
164
|
+
```
|
|
165
|
+
|
|
166
|
+
## Configuration
|
|
167
|
+
|
|
168
|
+
```ts
|
|
169
|
+
new ThreadsClient({
|
|
170
|
+
accessToken: '…', // required
|
|
171
|
+
userId: 'me', // default node for user-scoped calls
|
|
172
|
+
baseUrl: 'https://graph.threads.net',
|
|
173
|
+
version: 'v1.0',
|
|
174
|
+
timeoutMs: 30_000,
|
|
175
|
+
retry: { maxRetries: 2, initialDelayMs: 500, maxDelayMs: 8_000, backoffFactor: 2 }, // or `false`
|
|
176
|
+
logger: myLogger, // optional, see below
|
|
177
|
+
fetch: customFetch, // optional, for non-standard runtimes/tests
|
|
178
|
+
})
|
|
179
|
+
```
|
|
180
|
+
|
|
181
|
+
## Error handling
|
|
182
|
+
|
|
183
|
+
Every failure is an instance of `ThreadsError`. Narrow with `instanceof`:
|
|
184
|
+
|
|
185
|
+
| Class | When |
|
|
186
|
+
|---|---|
|
|
187
|
+
| `ThreadsValidationError` | Bad input — no request was sent |
|
|
188
|
+
| `ThreadsTimeoutError` | Request exceeded `timeoutMs` |
|
|
189
|
+
| `ThreadsNetworkError` | Connection failed before any response |
|
|
190
|
+
| `ThreadsAPIError` | Non-2xx response (`status`, `code`, `subcode`, `type`, `fbtraceId`) |
|
|
191
|
+
| `ThreadsAuthError` | Invalid/expired token (HTTP 401 or code 190) |
|
|
192
|
+
| `ThreadsRateLimitError` | Throttled (HTTP 429 / throttle code); `retryAfterMs` when known |
|
|
193
|
+
|
|
194
|
+
```ts
|
|
195
|
+
import { ThreadsRateLimitError, ThreadsAuthError } from 'tredi-sdk'
|
|
196
|
+
|
|
197
|
+
try {
|
|
198
|
+
await threads.publishing.publishText('hi')
|
|
199
|
+
} catch (err) {
|
|
200
|
+
if (err instanceof ThreadsAuthError) await refreshAndRetry()
|
|
201
|
+
else if (err instanceof ThreadsRateLimitError) await wait(err.retryAfterMs ?? 60_000)
|
|
202
|
+
else throw err
|
|
203
|
+
}
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
## Retries & rate limits
|
|
207
|
+
|
|
208
|
+
Automatic retries use exponential backoff with equal jitter and honor a server `Retry-After`. Retries are **idempotency-aware** so a publish is never duplicated:
|
|
209
|
+
|
|
210
|
+
- **GET** retries on network errors, timeouts, `429`, and `5xx`.
|
|
211
|
+
- **POST** retries **only** on network errors and `429` (request rejected before processing) — never on `5xx`/timeout, which may have already taken effect.
|
|
212
|
+
|
|
213
|
+
Disable with `retry: false`, or tune per the [config](#configuration).
|
|
214
|
+
|
|
215
|
+
## Logging & security
|
|
216
|
+
|
|
217
|
+
The SDK never writes to the console. Pass a `logger` to receive structured events; **tokens, app secrets, and OAuth codes are always redacted** before they reach it.
|
|
218
|
+
|
|
219
|
+
```ts
|
|
220
|
+
const logger = { log: (level, message, ctx) => console[level]?.(message, ctx) }
|
|
221
|
+
new ThreadsClient({ accessToken, logger })
|
|
222
|
+
// → debug "threads.request.success" { method, url: "…access_token=REDACTED", attempt, durationMs }
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
Security notes:
|
|
226
|
+
|
|
227
|
+
- Token-exchange helpers require the app secret — call them **server-side only**.
|
|
228
|
+
- Tokens are held in memory on the client instance and sent per request; they are never logged. Use `client.withToken(t)` to scope a token per user without mutating shared config.
|
|
229
|
+
- For multi-tenant storage, encrypt tokens at rest (e.g. Supabase Vault).
|
|
230
|
+
|
|
231
|
+
## ESM / CJS & tree-shaking
|
|
232
|
+
|
|
233
|
+
Ships both ESM (`import`) and CJS (`require`) with `sideEffects: false`. Import only the OAuth helpers and your bundle won't pull in the client, and vice-versa.
|
|
234
|
+
|
|
235
|
+
## Escape hatch
|
|
236
|
+
|
|
237
|
+
Need an endpoint the SDK doesn't model yet? Call any path with full response typing:
|
|
238
|
+
|
|
239
|
+
```ts
|
|
240
|
+
const data = await threads.request<{ data: unknown[] }>({
|
|
241
|
+
method: 'GET',
|
|
242
|
+
path: '/me/threads',
|
|
243
|
+
params: { fields: 'id,text', limit: 5 },
|
|
244
|
+
})
|
|
245
|
+
```
|
|
246
|
+
|
|
247
|
+
## Coverage
|
|
248
|
+
|
|
249
|
+
| Area | Status |
|
|
250
|
+
|---|---|
|
|
251
|
+
| OAuth (code → short → long → refresh) | ✅ |
|
|
252
|
+
| Profile, Posts, Single media | ✅ |
|
|
253
|
+
| Publishing (text/image/video/carousel, container status, quota) | ✅ |
|
|
254
|
+
| Replies, Conversation, Hide/Unhide, Approval queue | ✅ |
|
|
255
|
+
| Insights (media + user, demographics breakdown) | ✅ |
|
|
256
|
+
| Mentions, Keyword search | ✅ |
|
|
257
|
+
| Post deletion | ✅ |
|
|
258
|
+
|
|
259
|
+
## Development
|
|
260
|
+
|
|
261
|
+
```bash
|
|
262
|
+
pnpm install
|
|
263
|
+
pnpm typecheck # tsc --noEmit
|
|
264
|
+
pnpm test # vitest (unit + mock-based)
|
|
265
|
+
pnpm test:coverage
|
|
266
|
+
pnpm lint # eslint
|
|
267
|
+
pnpm build # tsup → dist (esm + cjs + d.ts)
|
|
268
|
+
```
|
|
269
|
+
|
|
270
|
+
## Contributing
|
|
271
|
+
|
|
272
|
+
Issues and PRs welcome — see [CONTRIBUTING.md](./CONTRIBUTING.md). Please
|
|
273
|
+
follow the [Code of Conduct](./CODE_OF_CONDUCT.md). Found a security issue?
|
|
274
|
+
See [SECURITY.md](./SECURITY.md) instead of opening a public issue.
|
|
275
|
+
|
|
276
|
+
## License
|
|
277
|
+
|
|
278
|
+
MIT — see [LICENSE](./LICENSE).
|