npmpackage.info

Gathering detailed insights and metrics for @octokit/auth-oauth-device

@octokit/auth-oauth-device - 8.0.1 | npmpackage.info

@octokit/auth-oauth-device

GitHub OAuth Device authentication strategy for JavaScript

8.0.1

MIT

TypeScript

37.71 kB

6.6

Installations

npm install @octokit/auth-oauth-device

Developer Guide

BETA

Typescript

Yes

Module System

ESM

Min. Node Version

>= 20

Node Version

22.15.0

NPM Version

10.9.2 Pull Requests

Open

2

Total

339

Closed

13

Merged

324

Issues

Open

0

Total

9

Closed

9

Releases

v8.0.1

Updated on May 20, 2025

v8.0.0

Updated on May 20, 2025

v7.1.5

Updated on Apr 10, 2025

v7.1.4

Updated on Mar 18, 2025

v7.1.3

Updated on Feb 13, 2025

v7.1.2

Updated on Jan 03, 2025

View All 35 releases

Languages

TypeScript

JavaScript

TypeScript (94.75%)

JavaScript (5.25%)

Developer

octokit

Download Statistics

Total Downloads

Last Day

Last Week

Last Month

Last Year

GitHub Statistics

MIT License

13 Stars

350 Commits

6 Forks

5 Watchers

6 Branches

18 Contributors

Updated on May 26, 2025

Maintainers

View All 18 Contributors

Package Meta Information

Latest Version

8.0.1

Package Id

@octokit/auth-oauth-device@8.0.1

Unpacked Size

37.71 kB

Size

8.44 kB

File Count

NPM Version

10.9.2

Node Version

22.15.0

Published on

May 20, 2025

Total Downloads

Cumulative downloads

Total Downloads

NaN

Last Day

NaN

Compared to previous day

Last Week

NaN

Compared to previous week

Last Month

NaN

Compared to previous month

Last Year

NaN

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

@octokit/oauth-methods @octokit/request @octokit/types universal-user-agent

Dev Dependencies

@octokit/tsconfig @types/node @vitest/coverage-v8 esbuild fetch-mock glob prettier semantic-release-plugin-update-version-in-files typescript vitest

auth-oauth-device.js

GitHub OAuth Device authentication strategy for JavaScript

@octokit/auth-oauth-device is implementing one of GitHub’s OAuth Device Flow.

Usage
- For OAuth Apps
- For GitHub Apps
createOAuthDeviceAuth(options)
auth(options)
Authentication object
auth.hook(request, route, parameters) or auth.hook(request, options)
Types
How it works
Contributing
License

Usage

Browsers	Load `@octokit/auth-oauth-device` directly from esm.sh `1<script type="module"> 2 import { createOAuthDeviceAuth } from "https://esm.sh/@octokit/auth-oauth-device"; 3</script>`
Node	Install with `npm install @octokit/core @octokit/auth-oauth-device` `1import { createOAuthDeviceAuth } from "@octokit/auth-oauth-device";`

Browsers

Load @octokit/auth-oauth-device directly from esm.sh

1<script type="module">
2  import { createOAuthDeviceAuth } from "https://esm.sh/@octokit/auth-oauth-device";
3</script>

Node

Install with npm install @octokit/core @octokit/auth-oauth-device

1import { createOAuthDeviceAuth } from "@octokit/auth-oauth-device";

[!IMPORTANT] As we use conditional exports, you will need to adapt your tsconfig.json by setting "moduleResolution": "node16", "module": "node16".

See the TypeScript docs on package.json "exports".
See this helpful guide on transitioning to ESM from @sindresorhus

For OAuth Apps

1const auth = createOAuthDeviceAuth({
2  clientType: "oauth-app",
3  clientId: "1234567890abcdef1234",
4  scopes: ["public_repo"],
5  onVerification(verification) {
6    // verification example
7    // {
8    //   device_code: "3584d83530557fdd1f46af8289938c8ef79f9dc5",
9    //   user_code: "WDJB-MJHT",
10    //   verification_uri: "https://github.com/login/device",
11    //   expires_in: 900,
12    //   interval: 5,
13    // };
14
15    console.log("Open %s", verification.verification_uri);
16    console.log("Enter code: %s", verification.user_code);
17  },
18});
19
20const tokenAuthentication = await auth({
21  type: "oauth",
22});
23// resolves with
24// {
25//   type: "token",
26//   tokenType: "oauth",
27//   clientType: "oauth-app",
28//   clientId: "1234567890abcdef1234",
29//   token: "...", /* the created oauth token */
30//   scopes: [] /* depend on request scopes by OAuth app */
31// }

For GitHub Apps

GitHub Apps do not support scopes. Client IDs of GitHub Apps have a lv1. prefix. If the GitHub App has expiring user tokens enabled, the resulting authentication object has extra properties related to expiration and refreshing the token.

1const auth = createOAuthDeviceAuth({
2  clientType: "github-app",
3  clientId: "lv1.1234567890abcdef",
4  onVerification(verification) {
5    // verification example
6    // {
7    //   device_code: "3584d83530557fdd1f46af8289938c8ef79f9dc5",
8    //   user_code: "WDJB-MJHT",
9    //   verification_uri: "https://github.com/login/device",
10    //   expires_in: 900,
11    //   interval: 5,
12    // };
13
14    console.log("Open %s", verification.verification_uri);
15    console.log("Enter code: %s", verification.user_code);
16  },
17});
18
19const tokenAuthentication = await auth({
20  type: "oauth",
21});
22// resolves with
23// {
24//   type: "token",
25//   tokenType: "oauth",
26//   clientType: "github-app",
27//   clientId: "lv1.1234567890abcdef",
28//   token: "...", /* the created oauth token */
29// }
30// or if expiring user tokens are enabled
31// {
32//   type: "token",
33//   tokenType: "oauth",
34//   clientType: "github-app",
35//   clientId: "lv1.1234567890abcdef",
36//   token: "...", /* the created oauth token */
37//   refreshToken: "...",
38//   expiresAt: "2022-01-01T08:00:0.000Z",
39//   refreshTokenExpiresAt: "2021-07-01T00:00:0.000Z",
40// }

`createOAuthDeviceAuth(options)`

The createOAuthDeviceAuth method accepts a single options parameter

name	type	description
`clientId`	`string`	Required. Find your OAuth app’s `Client ID` in your account’s developer settings.
`onVerification`	`function`	Required. A function that is called once the device and user codes were retrieved The `onVerification()` callback can be used to pause until the user completes step 2, which might result in a better user experience. `1const auth = createOAuthDeviceAuth({ 2 clientId: "1234567890abcdef1234", 3 onVerification(verification) { 4 console.log("Open %s", verification.verification_uri); 5 console.log("Enter code: %s", verification.user_code); 6 7 await prompt("press enter when you are ready to continue"); 8 }, 9});`
`clientType`	`string`	Must be either `oauth-app` or `github-app`. Defaults to `oauth-app`.
`request`	`function`	You can pass in your own `@octokit/request` instance. For usage with enterprise, set `baseUrl` to the API root endpoint. Example: `1import { request } from "@octokit/request"; 2createOAuthDeviceAuth({ 3 clientId: "1234567890abcdef1234", 4 clientSecret: "secret", 5 request: request.defaults({ 6 baseUrl: "https://ghe.my-company.com/api/v3", 7 }), 8});`
`scopes`	`array of strings`	Only relevant if `clientType` is set to `"oauth-app"`. Array of scope names enabled for the token. Defaults to `[]`. See available scopes.

`auth(options)`

The async auth() method returned by createOAuthDeviceAuth(options) accepts the following options

name type description

type string Required. Must be set to "oauth"

name	type	description
`type`	`string`	Required. Must be set to `"oauth"`
`scopes`	`array of strings`	Only relevant if the `clientType` strategy options was set to `"oauth-app"` Array of scope names enabled for the token. Defaults to what was set in the strategy options. See available scopes
`refresh`	`boolean`	Defaults to `false`. When set to `false`, calling `auth(options)` will resolve with a token that was previously created for the same scopes if it exists. If set to `true` a new token will always be created.

scopes

array of strings

Only relevant if the clientType strategy options was set to "oauth-app"

Array of scope names enabled for the token. Defaults to what was set in the strategy options. See available scopes

refresh

boolean

Defaults to false. When set to false, calling auth(options) will resolve with a token that was previously created for the same scopes if it exists. If set to true a new token will always be created.

Authentication object

The async auth(options) method resolves to one of three possible objects

OAuth APP user authentication
GitHub APP user authentication with expiring tokens disabled
GitHub APP user authentication with expiring tokens enabled

The differences are

scopes is only present for OAuth Apps
refreshToken, expiresAt, refreshTokenExpiresAt are only present for GitHub Apps, and only if token expiration is enabled

OAuth APP user authentication

name	type	description
`type`	`string`	`"token"`
`tokenType`	`string`	`"oauth"`
`clientType`	`string`	`"github-app"`
`clientId`	`string`	The app's `Client ID`
`token`	`string`	The personal access token
`scopes`	`array of strings`	array of scope names enabled for the token

GitHub APP user authentication with expiring tokens disabled

name	type	description
`type`	`string`	`"token"`
`tokenType`	`string`	`"oauth"`
`clientType`	`string`	`"github-app"`
`clientId`	`string`	The app's `Client ID`
`token`	`string`	The personal access token

GitHub APP user authentication with expiring tokens enabled

name	type	description
`type`	`string`	`"token"`
`tokenType`	`string`	`"oauth"`
`clientType`	`string`	`"github-app"`
`clientId`	`string`	The app's `Client ID`
`token`	`string`	The user access token
`refreshToken`	`string`	The refresh token
`expiresAt`	`string`	Date timestamp in ISO 8601 standard. Example: `2022-01-01T08:00:0.000Z`
`refreshTokenExpiresAt`	`string`	Date timestamp in ISO 8601 standard. Example: `2021-07-01T00:00:0.000Z`

`auth.hook(request, route, parameters)` or `auth.hook(request, options)`

auth.hook() hooks directly into the request life cycle. It amends the request to authenticate correctly based on the request URL.

The request option is an instance of @octokit/request. The route/options parameters are the same as for the request() method.

auth.hook() can be called directly to send an authenticated request

1const { data: user } = await auth.hook(request, "GET /user");

Or it can be passed as option to request().

1const requestWithAuth = request.defaults({
2  request: {
3    hook: auth.hook,
4  },
5});
6
7const { data: user } = await requestWithAuth("GET /user");

Types

1import {
2  OAuthAppStrategyOptions,
3  OAuthAppAuthOptions,
4  OAuthAppAuthentication,
5  GitHubAppStrategyOptions,
6  GitHubAppAuthOptions,
7  GitHubAppAuthentication,
8  GitHubAppAuthenticationWithExpiration,
9} from "@octokit/auth-oauth-device";

How it works

GitHub's OAuth Device flow is different from the web flow in two ways

It does not require a URL redirect, which makes it great for devices and CLI apps
It does not require the OAuth client secret, which means there is no user-owned server component required.

The flow has 3 parts (see GitHub documentation)

@octokit/auth-oauth-device requests a device and user code
Then the user has to open https://github.com/login/device (or it's GitHub Enterprise Server equivalent) and enter the user code
While the user enters the code, @octokit/auth-oauth-device is sending requests in the background to retrieve the OAuth access token. Once the user completed step 2, the request will succeed and the token will be returned

Contributing

See CONTRIBUTING.md

License

MIT

No vulnerabilities found.

10

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

License

Determines if the project has defined a license.

10

Packaging

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

10

SAST

Determines if the project uses static code analysis.

9

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

6

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 6

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/add_to_octokit_project.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-device.js/add_to_octokit_project.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-device.js/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-device.js/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-device.js/codeql-analysis.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/immediate-response.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-device.js/immediate-response.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-device.js/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-device.js/test.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-prettier.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-device.js/update-prettier.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-prettier.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-device.js/update-prettier.yml/main?enable=pin
Info: 5 out of 12 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 2 third-party GitHubAction dependencies pinned
Info: 4 out of 4 npmCommand dependencies pinned

5

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Fuzzing

Determines if the project uses fuzzing.

0

Security-Policy

Determines if the project has published a security policy.

Score

6.6

/10

Last Scanned on 2025-07-07

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

@octokit/auth-oauth-device

Installations

Developer Guide

Yes

ESM

>= 20

22.15.0

10.9.2

Pull Requests

2

339

13

324

Issues

0

9

9

Releases

Languages

Developer

octokit

Download Statistics

GitHub Statistics

Maintainers

Package Meta Information

Total Downloads

NaN

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

Dev Dependencies

auth-oauth-device.js

Usage

For OAuth Apps

For GitHub Apps

createOAuthDeviceAuth(options)

auth(options)

Authentication object

OAuth APP user authentication

GitHub APP user authentication with expiring tokens disabled

GitHub APP user authentication with expiring tokens enabled

auth.hook(request, route, parameters) or auth.hook(request, options)

Types

How it works

Contributing

License

10

10

10

10

10

10

9

6

5

0

0

0

0

6.6

/10

`createOAuthDeviceAuth(options)`

`auth(options)`

`auth.hook(request, route, parameters)` or `auth.hook(request, options)`