@mondaydotcomorg/atp-protocol/dist/auth.d.ts

Core protocol types and interfaces for Agent Tool Protocol

/**
 * Authentication and credential management types for Agent Tool Protocol
 */
/**
 * Supported authentication schemes
 */
export type AuthScheme = 'apiKey' | 'bearer' | 'basic' | 'oauth2' | 'custom' | 'composite';
/**
 * Base authentication configuration
 */
export interface BaseAuthConfig {
    scheme: AuthScheme;
    /** Environment variable name to read credentials from */
    envVar?: string;
    /** Direct credential value (not recommended for production) */
    value?: string;
    /**
     * Credential source: 'server' for server-level env vars (default), 'user' for user-scoped OAuth
     */
    source?: 'server' | 'user';
    /**
     * OAuth provider name for user-scoped credentials (e.g., 'github', 'google')
     * Required when source='user'. Used to look up user's OAuth token from AuthProvider.
     * Note: This is different from the 'provider' field which is for runtime credential providers.
     */
    oauthProvider?: string;
    /** Runtime credential provider function name */
    provider?: string;
}
/**
 * API Key authentication (in header or query param)
 */
export interface APIKeyAuthConfig extends BaseAuthConfig {
    scheme: 'apiKey';
    /** Where to send the API key */
    in: 'header' | 'query';
    /** Parameter/header name */
    name: string;
}
/**
 * Bearer token authentication
 */
export interface BearerAuthConfig extends BaseAuthConfig {
    scheme: 'bearer';
    /** Optional bearer format (e.g., 'JWT') */
    bearerFormat?: string;
}
/**
 * HTTP Basic authentication
 */
export interface BasicAuthConfig extends BaseAuthConfig {
    scheme: 'basic';
    /** Username (can use envVar for dynamic value) */
    username?: string;
    /** Username environment variable */
    usernameEnvVar?: string;
    /** Password environment variable */
    passwordEnvVar?: string;
}
/**
 * OAuth2 authentication with automatic token refresh
 */
export interface OAuth2AuthConfig extends BaseAuthConfig {
    scheme: 'oauth2';
    /** OAuth2 flow type */
    flow: 'clientCredentials' | 'authorizationCode' | 'implicit' | 'password';
    /** Token endpoint URL */
    tokenUrl: string;
    /** Authorization endpoint (for authorizationCode/implicit) */
    authorizationUrl?: string;
    /** Client ID */
    clientId?: string;
    /** Client ID environment variable */
    clientIdEnvVar?: string;
    /** Client secret environment variable */
    clientSecretEnvVar?: string;
    /** Scopes required */
    scopes?: string[];
    /** Refresh token environment variable (for token refresh) */
    refreshTokenEnvVar?: string;
}
/**
 * Custom authentication with arbitrary headers
 */
export interface CustomAuthConfig extends BaseAuthConfig {
    scheme: 'custom';
    /** Custom headers to inject */
    headers: Record<string, string>;
    /** Environment variables to use for header values */
    headerEnvVars?: Record<string, string>;
    /** Query parameters to inject */
    queryParams?: Record<string, string>;
    /** Environment variables to use for query parameter values */
    queryParamEnvVars?: Record<string, string>;
}
/**
 * Composite authentication - combines multiple auth mechanisms
 * Useful for APIs that require multiple credentials (e.g., projectId + apiKey + secret)
 */
export interface CompositeAuthConfig extends BaseAuthConfig {
    scheme: 'composite';
    /**
     * Multiple credentials to combine
     * Example: { projectId: { envVar: 'PROJECT_ID' }, apiKey: { envVar: 'API_KEY' }, secret: { envVar: 'API_SECRET' } }
     */
    credentials: Record<string, CredentialConfig>;
    /** How to inject credentials: 'header', 'query', or 'both' */
    injectAs?: 'header' | 'query' | 'both';
}
/**
 * Individual credential configuration for composite auth
 */
export interface CredentialConfig {
    /** Environment variable to read from */
    envVar?: string;
    /** Direct value (not recommended) */
    value?: string;
    /** Header name if injecting as header */
    headerName?: string;
    /** Query param name if injecting as query */
    queryParamName?: string;
    /** Whether this credential is required */
    required?: boolean;
}
/**
 * Union type of all auth configurations
 */
export type AuthConfig = APIKeyAuthConfig | BearerAuthConfig | BasicAuthConfig | OAuth2AuthConfig | CustomAuthConfig | CompositeAuthConfig;
/**
 * Runtime credential provider
 * Allows dynamic credential resolution at runtime
 */
export interface CredentialProvider {
    name: string;
    /** Resolves credentials dynamically */
    resolve: () => Promise<Credentials> | Credentials;
}
/**
 * Resolved credentials ready to be injected into requests
 */
export interface Credentials {
    headers?: Record<string, string>;
    queryParams?: Record<string, string>;
}
/**
 * Credential resolver - resolves auth config to actual credentials
 */
export declare class CredentialResolver {
    private providers;
    /**
     * Registers a runtime credential provider
     */
    registerProvider(provider: CredentialProvider): void;
    /**
     * Resolves auth configuration to credentials
     */
    resolve(authConfig: AuthConfig): Promise<Credentials>;
    private resolveAPIKey;
    private resolveBearer;
    private resolveBasic;
    private resolveOAuth2;
    private resolveCustom;
    private resolveComposite;
    /**
     * Gets credential value from config (env var or direct value)
     */
    private getValue;
    /**
     * Fetches OAuth2 token using client credentials flow
     */
    private fetchOAuth2Token;
}
//# sourceMappingURL=auth.d.ts.map