npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

cf-access-auth-fetch-ts

v0.1.0

Published

Cloudflare Access Managed OAuth aware fetch wrapper for Node.js CLIs and servers.

Readme

cf-access-auth-fetch-ts

Cloudflare Access Managed OAuth aware fetch wrapper for Node.js CLIs, SDKs, and other interactive non-browser clients.

Use this package when a Node.js client needs to call a Cloudflare Access protected HTTP application on behalf of a user. It handles Access Managed OAuth discovery, browser login, token storage, refresh, and retrying the original request with an OAuth bearer token.

Cloudflare setup

Enable Cloudflare Access Managed OAuth on the protected self-hosted Access application or MCP server portal.

For local CLI flows, configure Managed OAuth to allow the redirect URI style your client uses:

  • Allow loopback clients for 127.0.0.1 redirect URIs.
  • Allow localhost clients for localhost redirect URIs.
  • Use a short access token lifetime and a longer grant session duration so the fetch wrapper can refresh silently between interactive logins.

Managed OAuth is intended for user-authenticated clients. Use Cloudflare service tokens instead for unattended machine-to-machine jobs.

Install

npm install cf-access-auth-fetch-ts

The package requires Node.js 22 or newer.

Usage

import { createAuthFetch, FileTokenStore } from "cf-access-auth-fetch-ts";

const authFetch = createAuthFetch({
  store: new FileTokenStore(),
});

const response = await authFetch("https://internal.example.com/api");
console.log(await response.text());

The first unauthenticated request receives Cloudflare Access's 401 WWW-Authenticate challenge, opens the user's browser, completes the authorization-code flow, stores the token, and retries the request. Later requests reuse or refresh the stored token.

Direct manager use

Use AuthManager directly when you want explicit login, logout, metadata, or token control.

import { AuthManager } from "cf-access-auth-fetch-ts";

const manager = new AuthManager();

const record = await manager.login("https://internal.example.com/api");
const token = await manager.getToken(record.resourceURL);
await manager.logout(record.resourceURL);

Static client fallback

Managed OAuth can dynamically register clients when the Access application allows the redirect URI. If dynamic registration is not available, configure a static client.

import { AuthManager } from "cf-access-auth-fetch-ts";

const manager = new AuthManager({
  staticClient: {
    clientId: process.env.OAUTH_CLIENT_ID!,
    clientSecret: process.env.OAUTH_CLIENT_SECRET,
  },
});

For multiple issuers or applications, pass a staticClient function that accepts (issuer, resourceURL).

Token storage

AuthManager uses FileTokenStore by default. The default path is:

~/.cf-access-auth-fetch/tokens.json

The token file is written with 0600 permissions where supported. Use MemoryTokenStore for tests or short-lived processes, or implement TokenStore to integrate with a platform keychain or another secure store.

Behavior

  • Handles 401 WWW-Authenticate discovery from Cloudflare Access.
  • Prefers RFC 9728 protected resource metadata from the resource_metadata challenge parameter.
  • Validates the discovered protected resource resource exactly.
  • Falls back to Cloudflare Managed OAuth's /.well-known/oauth-authorization-server endpoint when protected resource metadata is not available.
  • Fetches RFC 8414 authorization-server metadata and honors HTTP cache headers.
  • Uses authorization-code flow with PKCE S256 only.
  • Includes RFC 8707 resource in authorization and token requests.
  • Uses Dynamic Client Registration when advertised, or a configured static client.
  • Stores opaque access tokens without decoding JWTs.
  • Refreshes before expiry using a 60 second default skew.

HTTPS is required for resource and metadata URLs by default. Tests can opt into local HTTP with allowInsecureHTTP: true.

Development

npm install
npm test