npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@schematize/client-credentials

v0.6.7

Published

Schematize Client Credentials Auth Library

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

benjaminbythewaybenjaminbytheway

Keywords

Readme

@schematize/client-credentials

OAuth 2.0 client credentials grant for machine-to-machine use. Obtains an access token with client_id and client_secret, keeps bearer headers in memory, and skips redundant token requests while the token is still valid (with a short clock skew window).

Features

  • grant_type=client_credentials via POST with Content-Type: application/json body (client_id, client_secret, scope, optional resource array).
  • In-memory tokens only (no persistent storage in this library).
  • Concurrent authorize() calls collapse to one in-flight request via authorizing.
  • Node.js (node:https) and browser (fetch); browsers log a console warning because embedding client_secret is unsafe.

Dependencies

  • @schematize/refs
  • @schematize/metamodel

Installation

npm install @schematize/client-credentials

Usage (Node)

import ClientCredentials from '@schematize/client-credentials';

const auth = ClientCredentials({
  endpoints: {
    token: 'https://auth.example.com/token',
  },
  clientId: 'your-client-id',
  clientSecret: process.env.CLIENT_SECRET,
  scope: 'api:read api:write',
});

await auth.authorize();

const response = await fetch('https://api.example.com/data', {
  headers: auth.headers,
});

Configuration

  • endpoints.token (required): string URL of the token endpoint.
  • clientId, clientSecret (required).
  • scope: optional string passed in the JSON body.
  • resources: optional string[]; when set, the JSON body includes resource: [...] (must be an array).

There is no endpoints.revoke support in this package: signout only clears local state on the instance.

API

auth.initialized

Same promise as initialize(). Tokens are only in memory, so you typically await auth.authorize() first; you can still await auth.initialized for a consistent shape with other auth helpers.

await auth.initialized;

initialize()

Resolves immediately; reserved for future automatic token lifecycle behavior. The constructor sets initialized to this promise.

await auth.initialize();

authorize()

  • If accessToken exists and expires (milliseconds) is more than 20 seconds in the future, returns Promise.resolve() (no return value).
  • Otherwise POSTs JSON to endpoints.token and on success sets:
    • authorized, accessToken, headers, expires = Date.now() + expires_in * 1000
    • clears error, errorDescription, errorUri
  • Returns a Promise that resolves to this on success.
  • authorizing exposes the in-flight promise while a request runs.
await auth.authorize();

const api = await fetch(`https://api.example.com/v1/resource`, {
  headers: auth.headers,
});

// Token still valid: second call may resolve immediately without a network POST
await auth.authorize();

// Wait for another caller’s in-flight token request
if (auth.authorizing) {
  await auth.authorizing;
}

signout()

Clears authorized, accessToken, expires, headers, userInfo, and error fields. Does not call a revoke endpoint.

await auth.signout();
console.log(auth.authorized);

getUserInfo()

Always throws: not applicable for client credentials.

try {
  await auth.getUserInfo();
} catch (e) {
  console.error(e.message);
}

Properties

| Property | Notes | | --- | --- | | authorized | Boolean | | accessToken | String when authorized | | headers | { Authorization: 'Bearer …' } when authorized | | expires | Milliseconds since epoch when the access token should be treated as expired | | userInfo | Cleared on signout; not populated by this flow | | error, errorDescription, errorUri | Set from token error JSON when present | | authorizing | Promise while a token request is in flight, otherwise undefined | | initialized | Promise from initialize() |

Security

In browsers the constructor logs:

auth.clientCredentials: You should NEVER use this in a browser environment.You will expose your 'clientSecret' to anyone who can inspect this code allowing anyone access.

Keep client_secret on the server, use HTTPS for the token endpoint, and prefer environment-backed secrets in Node.

License

MIT

Author

Benjamin Bytheway