Authorization endpoint (where the browser is redirected to sign in).
Public client identifier.
OptionalclockClock-skew tolerance in milliseconds. A credential is treated as expiring this long before its real expiry so a refresh happens before requests fail. Defaults to 60_000.
OptionalextraExtra query params appended to the authorization request.
OptionalextraExtra body params appended to token/refresh requests.
OptionalfetchOverride fetch (Node/tests). Defaults to globalThis.fetch.
Optionalinit: RequestInitOptionalinit: RequestInitOptionalmodeInteractive mode. Defaults to redirect.
OptionalonAuth lifecycle listener.
OptionalpopupPopup window features string (popup mode).
Registered redirect URI that receives the authorization code+state.
OptionalrevocationOptional revocation endpoint (RFC 7009) called on signOut().
OptionalscopesRequested scopes.
OptionalserviceStable key that scopes stored credentials to this service. Defaults to
${clientId}@${origin of tokenEndpoint} so tokens are never shared across
services or origins.
OptionalstoreCredential store. Defaults to an in-memory store. Scoped per origin/service via OAuth2Config.serviceKey.
Token endpoint (code exchange + refresh).
OptionalwindowWindow used for redirect/popup + transaction persistence. Defaults to
globalThis.window. Injectable for tests / non-DOM hosts.
Configuration for the OAuth2 authorization-code + PKCE provider produced by oauth2. Only WebCrypto is used for PKCE (Node ≥20 exposes
globalThis.crypto); no new hard dependencies are introduced.