@contio/partner-sdk - v1.7.1
    Preparing search index...

    Class OAuthClient

    OAuth 2.0 client for Contio Partner API authentication.

    Supports authorization code flow, client credentials, token refresh, and token introspection. Tokens are opaque (not JWTs) for security.

    const oauth = new OAuthClient({
      clientId: 'your-client-id',
      clientSecret: 'your-client-secret',
      redirectUri: 'https://your-app.com/callback',
      scope: ['openid', 'profile', 'meetings:read', 'meetings:write']
    });

    // Generate authorization URL
    const authUrl = oauth.getAuthorizationUrl(crypto.randomUUID());

    // After callback, exchange code for tokens
    const tokens = await oauth.exchangeCodeForToken(code);
    Index

    Constructors

    constructor

    Methods

    checkConsent exchangeCodeForToken getAccessToken getAuthorizationUrl getAvailableScopes getClientCredentialsToken getPartnerInfo getUserInfo initiatePartnerAuth introspectToken isTokenExpired refreshAccessToken revokeToken setTokens verifyPartnerAuth

    Constructors

    • Create a new OAuthClient instance.

      Parameters

      • config: OAuthConfig

        OAuth configuration

        • OptionalauthorizationUrl?: string
        • clientId: string
        • clientSecret: string
        • redirectUri: string
        • Optionalscope?: string[]
        • OptionaltokenUrl?: string

      Returns OAuthClient

    Methods

    • Check if a user has already granted consent for the requested scopes.

      Use this to determine if you can skip the consent screen for returning users.

      Parameters

      • email: string

        User's email address

      Returns Promise<{ hasConsent: boolean; redirectUrl?: string; requiresConsent: boolean }>

      Consent status and optional redirect URL

      If the check fails

    • Exchange an authorization code for access and refresh tokens.

      Call this after the user is redirected back to your app with an authorization code. The tokens are automatically stored in the client for subsequent API calls.

      Parameters

      • code: string

        The authorization code from the callback URL query parameter

      Returns Promise<AuthTokens>

      The token set including access token, refresh token, and expiration

      If the code is invalid, expired, or already used

      // In your callback handler
      const code = req.query.code as string;
      const tokens = await oauth.exchangeCodeForToken(code);

      // Store tokens securely for later use
      await storeTokens(userId, tokens);

    • Get the current access token stored in the client.

      Returns string | undefined

      The access token, or undefined if not authenticated

    • Generate the authorization URL for OAuth flow

      Parameters

      • Optionalstate: string

        Optional CSRF protection state parameter

      • Optionaloptions: AuthorizationUrlOptions

        Optional additional parameters (e.g., loginHint to pre-fill email)

      Returns string

      The authorization URL to redirect users to

      // Basic usage
      const url = oauth.getAuthorizationUrl('random-state');

      // With login_hint to pre-fill and lock email
      const url = oauth.getAuthorizationUrl('random-state', {
        loginHint: 'user@example.com'
      });

    • Get the list of available OAuth scopes.

      Returns Promise<string[]>

      Array of available scope strings

      If the request fails

    • Get an access token using client credentials grant.

      Use this for server-to-server authentication where no user context is needed. This is typically used for admin operations or background jobs.

      Parameters

      • Optionalscope: string[]

        Optional scopes to request; uses configured scopes if not provided

      Returns Promise<AuthTokens>

      Token set (no refresh token for client credentials)

      If authentication fails

      const tokens = await oauth.getClientCredentialsToken(['admin:read']);

    • Get public partner app information.

      This endpoint does not require authentication and is safe to call from frontend code. Use it to display partner branding on login screens.

      Returns Promise<
          {
              description?: string;
              logoUrl?: string;
              name: string;
              websiteUrl?: string;
          },
      >

      Partner app public information (name, logo, etc.)

      If the partner app is not found

    • Get user information using an access token.

      Returns OIDC standard claims about the authenticated user. Requires the 'openid' and 'profile' scopes.

      Parameters

      • OptionalaccessToken: string

        Optional access token; uses stored token if not provided

      Returns Promise<{ email?: string; name?: string; picture?: string; sub: string }>

      User information including subject ID, email, name, and picture

      If no access token is available or the request fails

      const userInfo = await oauth.getUserInfo();
      console.log(`Hello, ${userInfo.name}!`);
      console.log(`Email: ${userInfo.email}`);

    • Initiate partner passwordless authentication.

      Starts the passwordless login flow by sending a verification code to the user's email. Use this for embedded authentication flows within your app.

      Parameters

      • email: string

        User's email address

      • Optionalname: string

        Optional user's name (used for new user provisioning)

      • Optionaloptions: InitiatePartnerAuthOptions

        Optional shared workspace configuration

        Options for initiating partner authentication with shared workspace support.

        • Optionalis_admin?: boolean

          When true, assigns WORKSPACE_ADMIN role instead of WORKSPACE_MEMBER when joining a shared workspace. Ignored when workspace_id is not provided.

          false
        • Optionalworkspace_id?: string

          Target workspace for the new user. If omitted, a personal workspace is created for the user (preserving current default behavior).

      Returns Promise<
          {
              challengeName: string;
              challengeParams?: Record<string, string>;
              session: string;
              userProvisioned?: boolean;
          },
      >

      Session info for completing authentication

      If initiation fails

      workspace_not_found (400) if workspace_id does not exist

      workspace_not_authorized (403) if the workspace is not owned by a user from the same partner

      workspace_conflict (409) if the user is already in a different workspace

      // Provision user into a shared workspace as admin
      const result = await oauth.initiatePartnerAuth(
        'newuser@example.com',
        'New User',
        { workspace_id: 'workspace-uuid', is_admin: true }
      );

    • Introspect an access token to check its validity and metadata.

      Since Contio uses opaque tokens (not JWTs), you cannot decode them locally. Use this method to check if a token is still valid and get its metadata.

      Parameters

      • token: string

        The access token to introspect

      Returns Promise<
          {
              active: boolean;
              clientId?: string;
              exp?: number;
              iat?: number;
              scope?: string;
              username?: string;
          },
      >

      Token metadata including active status, scopes, and expiration

      If introspection fails

      const info = await oauth.introspectToken(accessToken);
      if (!info.active) {
        // Token is expired or revoked, refresh it
        await oauth.refreshAccessToken();
      }
      console.log('Scopes:', info.scope);
      console.log('Expires:', new Date(info.exp * 1000));

    • Check if the current access token is expired.

      Returns boolean

      true if the token is expired or expiration is unknown, false otherwise

    • Refresh the access token using a refresh token.

      Access tokens expire after 24 hours. Use this method to get a new access token without requiring the user to re-authorize. Refresh tokens are valid for 30 days.

      Parameters

      • OptionalrefreshToken: string

        Optional refresh token; uses stored token if not provided

      Returns Promise<AuthTokens>

      New token set with fresh access token

      If no refresh token is available or the token is invalid/expired

      // Proactively refresh before expiration
      if (oauth.isTokenExpired()) {
        const newTokens = await oauth.refreshAccessToken();
        await storeTokens(userId, newTokens);
      }

    • Revoke an access or refresh token.

      Use this when a user disconnects your app or you need to invalidate tokens. Revoked tokens cannot be used for API calls.

      Parameters

      • token: string

        The token to revoke

      • tokenType: "refresh_token" | "access_token" = 'access_token'

        Type of token: 'access_token' or 'refresh_token' (default: 'access_token')

      Returns Promise<void>

      If revocation fails

      // Revoke when user disconnects
      await oauth.revokeToken(tokens.accessToken, 'access_token');
      await oauth.revokeToken(tokens.refreshToken, 'refresh_token');

    • Set tokens directly from storage.

      Use this to restore tokens from your secure storage when initializing the client for a returning user.

      Parameters

      Returns void

      // Restore tokens from database
      const storedTokens = await getStoredTokens(userId);
      oauth.setTokens(storedTokens);

      // Now the client can make authenticated requests
      const meetings = await user.getMeetings();

    • Verify partner passwordless authentication.

      Completes the passwordless login flow by verifying the code sent to the user's email.

      Parameters

      • email: string

        User's email address

      • code: string

        Verification code from email

      • session: string

        Session ID from initiatePartnerAuth

      Returns Promise<{ redirectUrl?: string }>

      Redirect URL to complete OAuth flow

      If verification fails or code is invalid

    Settings

    Member Visibility

    On This Page

    Constructors
    Methods