Authlete Typescript SDK

Developer-friendly & type-safe Typescript SDK specifically catered to leverage Authlete API.

Important

This is a beta SDK.

🎓 Tutorials

If you're new to Authlete or want to see sample implementations, these resources will help you get started:

• 🚀 Getting Started with Authlete
• 🔑 From Sign-Up to the First API Request

🛠 Contact Us

If you have any questions or need assistance, our team is here to help:

• Contact Page

Summary

Authlete API: Welcome to the Authlete API documentation. Authlete is an API-first service where every aspect of the platform is configurable via API. This documentation will help you authenticate and integrate with Authlete to build powerful OAuth 2.0 and OpenID Connect servers. 🚀

At a high level, the Authlete API is grouped into two categories:

• Management APIs: Enable you to manage services and clients. 🔧
• Runtime APIs: Allow you to build your own Authorization Servers or Verifiable Credential (VC) issuers. 🔐

🌐 API Servers

Authlete is a global service with clusters available in multiple regions across the world:

• 🇺🇸 US: https://us.authlete.com
• 🇯🇵 Japan: https://jp.authlete.com
• 🇪🇺 Europe: https://eu.authlete.com
• 🇧🇷 Brazil: https://br.authlete.com

Our customers can host their data in the region that best meets their requirements.

🔑 Authentication

All API endpoints are secured using Bearer token authentication. You must include an access token in every request:

Authorization: Bearer YOUR_ACCESS_TOKEN

Getting Your Access Token

Authlete supports two types of access tokens:

Service Access Token - Scoped to a single service (authorization server instance)

1. Log in to Authlete Console
2. Navigate to your service → Settings → Access Tokens
3. Click Create Token and select permissions (e.g., service.read, client.write)
4. Copy the generated token

Organization Token - Scoped to your entire organization

1. Log in to Authlete Console
2. Navigate to Organization Settings → Access Tokens
3. Click Create Token and select org-level permissions
4. Copy the generated token

⚠️ Important Note: Tokens inherit the permissions of the account that creates them. Service tokens can only access their specific service, while organization tokens can access all services within your org.

Token Security Best Practices

• Never commit tokens to version control - Store in environment variables or secure secret managers
• Rotate regularly - Generate new tokens periodically and revoke old ones
• Scope appropriately - Request only the permissions your application needs
• Revoke unused tokens - Delete tokens you're no longer using from the console

Quick Test

Verify your token works with a simple API call:

curl -X GET https://us.authlete.com/api/service/get/list \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

🎓 Tutorials

If you're new to Authlete or want to see sample implementations, these resources will help you get started:

• 🚀 Getting Started with Authlete
• 🔑 From Sign-Up to the First API Request

🛠 Contact Us

If you have any questions or need assistance, our team is here to help:

• Contact Page

Table of Contents

• Authlete Typescript SDK
  • 🎓 Tutorials
  • 🛠 Contact Us
  • 🌐 API Servers
  • 🔑 Authentication
  • 🎓 Tutorials
  • 🛠 Contact Us
  • SDK Installation
  • Requirements
  • Access Tokens
  • SDK Example Usage
  • Authentication
  • Available Resources and Operations
  • Standalone functions
  • Retries
  • Error Handling
  • Server Selection
  • Custom HTTP Client
  • Debugging
• Development
  • Maturity
  • Contributions

SDK Installation

The SDK can be installed with either npm, pnpm, bun or yarn package managers.

NPM

npm add @authlete/typescript-sdk

PNPM

pnpm add @authlete/typescript-sdk

Bun

bun add @authlete/typescript-sdk

Yarn

yarn add @authlete/typescript-sdk

Note

This package is published with CommonJS and ES Modules (ESM) support.

Requirements

For supported JavaScript runtimes, please consult RUNTIMES.md.

Access Tokens

You need to pass a valid access token to be able to use any resource or operation. Refer to Creating an Access Token to learn how to create one.

Authlete supports two types of access tokens:

• Service Access Token - Scoped to a single service (authorization server instance). Create from Service Settings → Access Tokens in the Authlete Console.
• Organization Token - Scoped to your entire organization, allowing access to all services. Create from Organization Settings → Access Tokens.

Make sure that you create a token with the correct scope. If you face permission (403) errors when already sending a token, it can be one of the following problems:

• The token you are using has expired. Check the expiry date in the Authlete Console.
• The token does not have access to the correct scope, either not the right service or it does not have account level access.
• The resource or operation you are trying to use is not available for that service tier. For example, some features are Enterprise-only and you may be using a token for a service on a different plan.

SDK Example Usage

Example

import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.service.get({
    serviceId: "<id>",
  });

  console.log(result);
}

run();

Authentication

Per-Client Security Schemes

This SDK supports the following security scheme globally:

Name	Type	Scheme	Environment Variable
bearer	http	HTTP Bearer	AUTHLETE_BEARER

To authenticate with the API the bearer parameter must be set when initializing the SDK client instance. For example:

import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.service.get({
    serviceId: "<id>",
  });

  console.log(result);
}

run();

Available Resources and Operations

Available methods

authorization

• processRequest - Process Authorization Request
• fail - Fail Authorization Request
• issue - Issue Authorization Response

authorization.management

• getTicketInfo - Get Ticket Information
• updateTicket - Update Ticket Information

ciba

• processAuthentication - Process Backchannel Authentication Request
• issue - Issue Backchannel Authentication Response
• fail - Fail Backchannel Authentication Request
• complete - Complete Backchannel Authentication

client

• get - Get Client
• list - List Clients
• create - Create Client
• update - Update Client
• delete - Delete Client ⚡

client.management

• updateLockFlag - Update Client Lock
• refreshSecret - Rotate Client Secret
• updateSecret - Update Client Secret
• listAuthorizations - Get Authorized Applications
• updateAuthorizations - Update Client Tokens
• deleteAuthorizations - Delete Client Tokens
• getGrantedScopes - Get Granted Scopes
• deleteGrantedScopes - Delete Granted Scopes
• getRequestableScopes - Get Requestable Scopes
• updateRequestableScopes - Update Requestable Scopes
• deleteRequestableScopes - Delete Requestable Scopes

deviceFlow

• authorization - Process Device Authorization Request
• verification - Process Device Verification Request
• complete - Complete Device Authorization

dynamicClientRegistration

• register - Register Client
• get - Get Client
• update - Update Client
• delete - Delete Client

federation

• configuration - Process Entity Configuration Request
• registration - Process Federation Registration Request

grantManagement

• processRequest - Process Grant Management Request

hardwareSecurityKeys

• create - Create Security Key
• delete - Delete Security Key
• get - Get Security Key
• list - List Security Keys

introspection

• process - Process Introspection Request
• standardProcess - Process OAuth 2.0 Introspection Request

joseObject

• joseVerifyApi - Verify JOSE

jwkSetEndpoint

• serviceJwksGetApi - Get JWK Set

nativeSso

• process - Native SSO Processing
• logout - Native SSO Logout Processing

pushedAuthorization

• create - Process Pushed Authorization Request

revocation

• process - Process Revocation Request

service

• get - Get Service
• list - List Services
• create - Create Service
• update - Update Service
• delete - Delete Service ⚡
• getConfiguration - Get Service Configuration

token

• process - Process Token Request
• fail - Fail Token Request
• issue - Issue Token Response

token.management

• reissueIdToken - Reissue ID Token
• list - List Issued Tokens
• create - Create Access Token
• update - Update Access Token
• delete - Delete Access Token
• revoke - Revoke Access Token

userinfo

• process - Process UserInfo Request
• issue - Issue UserInfo Response

verifiableCredentials

• getMetadata - Get Verifiable Credential Issuer Metadata
• getJwtIssuer - Get JWT Issuer Information
• getJwks - Get JSON Web Key Set
• createOffer - Create Credential Offer
• getOfferInfo - Get Credential Offer Information
• parse - Parse Single Credential
• issue - Issue Single Credential
• batchParse - Parse Batch Credentials
• batchIssue - Issue Batch Credentials
• deferredParse - Parse Deferred Credential
• deferredIssue - Issue Deferred Credential

Standalone functions

All the methods listed above are available as standalone functions. These functions are ideal for use in applications running in the browser, serverless runtimes or other environments where application bundle size is a primary concern. When using a bundler to build your application, all unused functionality will be either excluded from the final bundle or tree-shaken away.

To read more about standalone functions, check FUNCTIONS.md.

Available standalone functions

• authorizationFail - Fail Authorization Request
• authorizationIssue - Issue Authorization Response
• authorizationManagementGetTicketInfo - Get Ticket Information
• authorizationManagementUpdateTicket - Update Ticket Information
• authorizationProcessRequest - Process Authorization Request
• cibaComplete - Complete Backchannel Authentication
• cibaFail - Fail Backchannel Authentication Request
• cibaIssue - Issue Backchannel Authentication Response
• cibaProcessAuthentication - Process Backchannel Authentication Request
• clientCreate - Create Client
• clientDelete - Delete Client ⚡
• clientGet - Get Client
• clientList - List Clients
• clientManagementDeleteAuthorizations - Delete Client Tokens
• clientManagementDeleteGrantedScopes - Delete Granted Scopes
• clientManagementDeleteRequestableScopes - Delete Requestable Scopes
• clientManagementGetGrantedScopes - Get Granted Scopes
• clientManagementGetRequestableScopes - Get Requestable Scopes
• clientManagementListAuthorizations - Get Authorized Applications
• clientManagementRefreshSecret - Rotate Client Secret
• clientManagementUpdateAuthorizations - Update Client Tokens
• clientManagementUpdateLockFlag - Update Client Lock
• clientManagementUpdateRequestableScopes - Update Requestable Scopes
• clientManagementUpdateSecret - Update Client Secret
• clientUpdate - Update Client
• deviceFlowAuthorization - Process Device Authorization Request
• deviceFlowComplete - Complete Device Authorization
• deviceFlowVerification - Process Device Verification Request
• dynamicClientRegistrationDelete - Delete Client
• dynamicClientRegistrationGet - Get Client
• dynamicClientRegistrationRegister - Register Client
• dynamicClientRegistrationUpdate - Update Client
• federationConfiguration - Process Entity Configuration Request
• federationRegistration - Process Federation Registration Request
• grantManagementProcessRequest - Process Grant Management Request
• hardwareSecurityKeysCreate - Create Security Key
• hardwareSecurityKeysDelete - Delete Security Key
• hardwareSecurityKeysGet - Get Security Key
• hardwareSecurityKeysList - List Security Keys
• introspectionProcess - Process Introspection Request
• introspectionStandardProcess - Process OAuth 2.0 Introspection Request
• joseObjectJoseVerifyApi - Verify JOSE
• jwkSetEndpointServiceJwksGetApi - Get JWK Set
• nativeSsoLogout - Native SSO Logout Processing
• nativeSsoProcess - Native SSO Processing
• pushedAuthorizationCreate - Process Pushed Authorization Request
• revocationProcess - Process Revocation Request
• serviceCreate - Create Service
• serviceDelete - Delete Service ⚡
• serviceGet - Get Service
• serviceGetConfiguration - Get Service Configuration
• serviceList - List Services
• serviceUpdate - Update Service
• tokenFail - Fail Token Request
• tokenIssue - Issue Token Response
• tokenManagementCreate - Create Access Token
• tokenManagementDelete - Delete Access Token
• tokenManagementList - List Issued Tokens
• tokenManagementReissueIdToken - Reissue ID Token
• tokenManagementRevoke - Revoke Access Token
• tokenManagementUpdate - Update Access Token
• tokenProcess - Process Token Request
• userinfoIssue - Issue UserInfo Response
• userinfoProcess - Process UserInfo Request
• verifiableCredentialsBatchIssue - Issue Batch Credentials
• verifiableCredentialsBatchParse - Parse Batch Credentials
• verifiableCredentialsCreateOffer - Create Credential Offer
• verifiableCredentialsDeferredIssue - Issue Deferred Credential
• verifiableCredentialsDeferredParse - Parse Deferred Credential
• verifiableCredentialsGetJwks - Get JSON Web Key Set
• verifiableCredentialsGetJwtIssuer - Get JWT Issuer Information
• verifiableCredentialsGetMetadata - Get Verifiable Credential Issuer Metadata
• verifiableCredentialsGetOfferInfo - Get Credential Offer Information
• verifiableCredentialsIssue - Issue Single Credential
• verifiableCredentialsParse - Parse Single Credential

Retries

Some of the endpoints in this SDK support retries. If you use the SDK without any configuration, it will fall back to the default retry strategy provided by the API. However, the default retry strategy can be overridden on a per-operation basis, or across the entire SDK.

To change the default retry strategy for a single API call, simply provide a retryConfig object to the call:

import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.service.get({
    serviceId: "<id>",
  }, {
    retries: {
      strategy: "backoff",
      backoff: {
        initialInterval: 1,
        maxInterval: 50,
        exponent: 1.1,
        maxElapsedTime: 100,
      },
      retryConnectionErrors: false,
    },
  });

  console.log(result);
}

run();

If you'd like to override the default retry strategy for all operations that support retries, you can provide a retryConfig at SDK initialization:

import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  retryConfig: {
    strategy: "backoff",
    backoff: {
      initialInterval: 1,
      maxInterval: 50,
      exponent: 1.1,
      maxElapsedTime: 100,
    },
    retryConnectionErrors: false,
  },
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.service.get({
    serviceId: "<id>",
  });

  console.log(result);
}

run();

Error Handling

AuthleteError is the base class for all HTTP error responses. It has the following properties:

Property	Type	Description
error.message	string	Error message
error.statusCode	number	HTTP response status code eg 404
error.headers	Headers	HTTP response headers
error.body	string	HTTP body. Can be empty string if no body is returned.
error.rawResponse	Response	Raw HTTP response
error.data$		Optional. Some errors may contain structured data. See Error Classes.

Example

import { Authlete } from "@authlete/typescript-sdk";
import * as errors from "@authlete/typescript-sdk/models/errors";

const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  try {
    const result = await authlete.service.get({
      serviceId: "<id>",
    });

    console.log(result);
  } catch (error) {
    // The base class for HTTP error responses
    if (error instanceof errors.AuthleteError) {
      console.log(error.message);
      console.log(error.statusCode);
      console.log(error.body);
      console.log(error.headers);

      // Depending on the method different errors may be thrown
      if (error instanceof errors.ResultError) {
        console.log(error.data$.resultCode); // string
        console.log(error.data$.resultMessage); // string
      }
    }
  }
}

run();

Error Classes

Primary errors:

• AuthleteError: The base class for HTTP error responses.
  • ResultError: .

Less common errors (6)

Network errors:

• ConnectionError: HTTP client was unable to make a request to a server.
• RequestTimeoutError: HTTP request timed out due to an AbortSignal signal.
• RequestAbortedError: HTTP request was aborted by the client.
• InvalidRequestError: Any input used to create a request is invalid.
• UnexpectedClientError: Unrecognised or unexpected error.

Inherit from AuthleteError:

• ResponseValidationError: Type mismatch between the data returned from the server and the structure expected by the SDK. See error.rawValue for the raw value and error.pretty() for a nicely formatted multi-line string.

Server Selection

Select Server by Index

You can override the default server globally by passing a server index to the serverIdx: number optional parameter when initializing the SDK client instance. The selected server will then be used as the default on the operations that use it. This table lists the indexes associated with the available servers:

#	Server	Description
0	https://us.authlete.com	🇺🇸 US Cluster
1	https://jp.authlete.com	🇯🇵 Japan Cluster
2	https://eu.authlete.com	🇪🇺 Europe Cluster
3	https://br.authlete.com	🇧🇷 Brazil Cluster

Example

import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  serverIdx: 0,
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.service.get({
    serviceId: "<id>",
  });

  console.log(result);
}

run();

Override Server URL Per-Client

The default server can also be overridden globally by passing a URL to the serverURL: string optional parameter when initializing the SDK client instance. For example:

import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  serverURL: "https://br.authlete.com",
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.service.get({
    serviceId: "<id>",
  });

  console.log(result);
}

run();

Custom HTTP Client

The TypeScript SDK makes API calls using an HTTPClient that wraps the native Fetch API. This client is a thin wrapper around fetch and provides the ability to attach hooks around the request lifecycle that can be used to modify the request or handle errors and response.

The HTTPClient constructor takes an optional fetcher argument that can be used to integrate a third-party HTTP client or when writing tests to mock out the HTTP client and feed in fixtures.

The following example shows how to use the "beforeRequest" hook to to add a custom header and a timeout to requests and how to use the "requestError" hook to log errors:

import { Authlete } from "@authlete/typescript-sdk";
import { HTTPClient } from "@authlete/typescript-sdk/lib/http";

const httpClient = new HTTPClient({
  // fetcher takes a function that has the same signature as native `fetch`.
  fetcher: (request) => {
    return fetch(request);
  }
});

httpClient.addHook("beforeRequest", (request) => {
  const nextRequest = new Request(request, {
    signal: request.signal || AbortSignal.timeout(5000)
  });

  nextRequest.headers.set("x-custom-header", "custom value");

  return nextRequest;
});

httpClient.addHook("requestError", (error, request) => {
  console.group("Request Error");
  console.log("Reason:", `${error}`);
  console.log("Endpoint:", `${request.method} ${request.url}`);
  console.groupEnd();
});

const sdk = new Authlete({ httpClient: httpClient });

Debugging

You can setup your SDK to emit debug logs for SDK requests and responses.

You can pass a logger that matches console's interface as an SDK option.

Warning

Beware that debug logging will reveal secrets, like API tokens in headers, in log messages printed to a console or files. It's recommended to use this feature only during local development and not in production.

import { Authlete } from "@authlete/typescript-sdk";

const sdk = new Authlete({ debugLogger: console });

You can also enable a default debug logger by setting an environment variable AUTHLETE_DEBUG to true.

Development

Maturity

This SDK is in beta, and there may be breaking changes between versions without a major version update. Therefore, we recommend pinning usage to a specific package version. This way, you can install the same version each time without breaking changes unless you are intentionally looking for the latest version.

Contributions

While we value open-source contributions to this SDK, this library is generated programmatically. Any manual changes added to internal files will be overwritten on the next generation. We look forward to hearing your feedback. Feel free to open a PR or an issue with a proof of concept and we'll do our best to include it in a future release.

SDK Created by Speakeasy