atproto/oauth/tokens

Token endpoint calls: exchange an authorization code for DPoP-bound tokens, refresh them with the rotating refresh token, and best-effort revocation. Confidential clients pass client-assertion fields via extra_form.

Types

pub type Tokens {
  Tokens(
    access_token: String,
    refresh_token: String,
    sub: String,
    expires_in: Int,
  )
}

Constructors

  • Tokens(
      access_token: String,
      refresh_token: String,
      sub: String,
      expires_in: Int,
    )

Values

pub fn exchange_code(
  client: xrpc.Client,
  flow flow: flow.Flow,
  code code: String,
  redirect_uri redirect_uri: String,
  extra_form extra_form: List(#(String, String)),
) -> Result(Tokens, String)
pub fn refresh(
  client: xrpc.Client,
  token_endpoint token_endpoint: String,
  refresh_token refresh_token: String,
  client_id client_id: String,
  dpop_key dpop_key: gose.Key(String),
  extra_form extra_form: List(#(String, String)),
) -> Result(Tokens, String)
pub fn revoke(
  client: xrpc.Client,
  issuer issuer: String,
  refresh_token refresh_token: String,
  client_id client_id: String,
  dpop_key dpop_key: gose.Key(String),
  extra_form extra_form: List(#(String, String)),
) -> Nil

Best-effort refresh-token revocation at logout: discover the AS revocation endpoint from the issuer and revoke. Failures are ignored (the caller clears its local session regardless).

Search Document