Skip to content

feat(ts): allow a pre-minted JWT instead of an API key#36

Merged
fat merged 2 commits into
mainfrom
user-supplied-jwt
Jun 23, 2026
Merged

feat(ts): allow a pre-minted JWT instead of an API key#36
fat merged 2 commits into
mainfrom
user-supplied-jwt

Conversation

@unknwon

@unknwon unknwon commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Summary

Lets the TypeScript SDK accept a caller-supplied JWT instead of an ES256 private key. When a token is provided, the client sends it verbatim on every authenticated request rather than minting a fresh JWT per call.

This is the natural unit for "act as an end user our backend already minted a token for" — the token's own claims (repo, scopes, expiry) govern access.

Changes

  • GitStorageOptions: key is now optional; added optional token. Constructor requires name plus either key or token.
  • generateJWT: short-circuits to return the supplied token verbatim, so all existing call sites flow through unchanged. Per-call permissions / ttl / refPolicies are ignored in token mode (documented).
  • New constructor error messages: requires a name, requires either a key or a token, token must be a non-empty string.
  • README: updated GitStorageOptions interface + added a token-init example.

Caveats

  • name is still required in token mode (used to derive default API/storage base URLs).
  • A supplied token is fixed to one repo + one scope set — a read-only token fails on writes; a token for repo A won't work against repo B. Inherent to this approach and called out in the README.
  • Python and Go SDKs are not changed in this PR — TS only, by request. Happy to mirror in follow-ups.

Test evidence

pnpm --filter @pierre/storage build — success (incl. DTS).
pnpm --filter @pierre/storage exec vitest --run196 passed.

Added tests: construct-with-token, empty-token rejection, and an end-to-end check that the supplied token is sent verbatim as the Authorization: Bearer header. Updated existing constructor-validation assertions for the new error messages.

unknwon added 2 commits June 23, 2026 10:32
GitStorageOptions now accepts an optional `token`; `key` is optional when a token is supplied. When set, the token is sent verbatim on every request and per-call scope/ttl/refPolicy options are ignored (the token's own claims govern access). Constructor requires name plus either key or token.
@fat fat merged commit e3cb392 into main Jun 23, 2026
3 checks passed
@fat fat deleted the user-supplied-jwt branch June 23, 2026 20:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants