OAuth Package

The OAuth packages exchange existing subject authority for resource mandates through the STS /oauth/2/token endpoint.

| Ecosystem  | Package                                                      |
|------------|--------------------------------------------------------------|
| TypeScript | `npm install @caracalai/oauth`                               |
| Python     | `pip install caracalai-oauth`                                |
| Go         | `go get github.com/garudex-labs/caracal/packages/oauth/go`   |
| Option                     | Meaning                                                    |
|----------------------------|------------------------------------------------------------|
| Subject token              | Existing user, service, agent, or application authority.   |
| Resource                   | Resource identifier or audience requested from STS.        |
| Client secret or assertion | Application authentication for client-secret flows.        |
| Actor token                | Optional actor authority for delegated exchanges.          |
| Session ID                 | Subject session anchor.                                    |
| Agent session ID           | Agent execution anchor.                                    |
| Delegation edge ID         | Delegated authority anchor.                                |
| Scopes                     | Requested resource scopes.                                 |
| TTL seconds                | Requested mandate lifetime.                                |
```typescript
import { OAuthClient, InteractionRequiredError } from "@caracalai/oauth";

// stsUrl, zoneId, applicationId and subjectToken are supplied by the caller
// (STS base URL, zone, registered application, and the existing subject authority).
const oauth = new OAuthClient(stsUrl, zoneId, applicationId);

try {
  // Exchange the subject token for a mandate scoped to the requested resource.
  const token = await oauth.exchange(subjectToken, "https://api.example.com/tickets", {
    scopes: ["tickets:read"],
    clientSecret: process.env.CARACAL_APP_CLIENT_SECRET,
  });
  console.log(token.accessToken, token.expiresIn);
} catch (error) {
  if (error instanceof InteractionRequiredError) {
    // STS wants additional user interaction before issuing the mandate.
    console.log("step-up required", error.challengeId);
  } else {
    throw error;
  }
}
```
  • Successful responses are validated for access_token, token_type, and expires_in.
  • Token responses are cached by identity, resource, scopes, TTL, and credential context.
  • Concurrent identical exchanges share in-flight work.
  • Transient HTTP statuses are retried with bounded backoff.
  • STS interaction_required responses surface as InteractionRequiredError.