@mistrive/noekl
v0.1.4
Published
Node TypeScript client for Noekl identity, sessions, and integration delegation APIs
Readme
@mistrive/noekl
Node-only TypeScript SDK for Noekl gRPC control-plane APIs.
import { NoeklClient } from "@mistrive/noekl";
import { DelegationGrantActorType } from "@mistrive/noekl/generated/mistrive/noekl/v1/integration_pb.js";
const noekl = new NoeklClient({
baseUrl: process.env.NOEKL_BASE_URL,
token: process.env.NOEKL_API_KEY,
});
const grant = await noekl.integrations.createDelegationGrant({
parent: "tenants/acme/integrations/google-workspace",
delegationGrant: {
actorType: DelegationGrantActorType.SERVICE_ACCOUNT,
actor: "tenants/acme/serviceAccounts/sync",
subject: "tenants/acme/users/user-1",
grantedScopes: ["gmail.readonly"],
maxTtlSeconds: 600n,
},
});
const token = await noekl.integrations.exchangeDelegatedToken({
name: "tenants/acme/integrations/google-workspace",
delegationGrant: grant.name,
subject: "tenants/acme/users/user-1",
audience: "https://acme.noekl.com/integrations/v1/",
});Use noekl.integrations.listUserVisible({ parent: "tenants/acme" }) with a forwarded user bearer or Tenant API exchanged bearer scoped to integration.list to discover integrations visible to the current user.
For long-running backend work that should not hold a user's session token, use SubjectAssertionTokenProvider with a trusted tenant OIDC client whose access policy allows the target API audience and subject:
import { SubjectAssertionTokenProvider } from "@mistrive/noekl";
const tokenProvider = new SubjectAssertionTokenProvider({
tokenUrl: "https://acme.noekl.com/oauth/token",
clientId: process.env.NOEKL_CLIENT_ID!,
clientSecret: process.env.NOEKL_CLIENT_SECRET!,
subject: "tenants/acme/users/user-1",
audience: "https://anchor.acme.example/api/v1/",
scope: ["anchor.sandbox.read"],
});ExchangeDelegatedToken omits scope unless explicitly supplied, allowing Noekl to inherit the delegation grant scopes.
Run examples/delegated-m2m.ts with NOEKL_BASE_URL, client credentials, integration resource names, and NOEKL_INTEGRATION_AUDIENCE to exercise the full create-grant, exchange-token, and proxy-request flow.
