Gathering detailed insights and metrics for @octokit/auth-oauth-device
GitHub OAuth Device authentication strategy for JavaScript
npm install @octokit/auth-oauth-device
TypeScript (94.75%)
JavaScript (5.25%)
MIT License
13 Stars
350 Commits
6 Forks
5 Watchers
6 Branches
18 Contributors
Updated on May 26, 2025
Latest Version: 8.0.1
Package Id: @octokit/auth-oauth-device@8.0.1
Unpacked Size: 37.71 kB
Size: 8.44 kB
File Count: 16
NPM Version: 10.9.2
Node Version: 22.15.0
Published on: May 20, 2025
GitHub OAuth Device authentication strategy for JavaScript
@octokit/auth-oauth-device implements GitHub’s OAuth Device Flow.
createOAuthDeviceAuth(options)
auth(options)
auth.hook(request, route, parameters) or auth.hook(request, options)
Browsers |
Load
|
---|---|
Node |
Install with
|
[!IMPORTANT] As we use conditional exports, you will need to adapt your tsconfig.json by setting "moduleResolution": "node16", "module": "node16".
See the TypeScript docs on package.json "exports".
See this helpful guide on transitioning to ESM from @sindresorhus
```js
import { createOAuthDeviceAuth } from "@octokit/auth-oauth-device";

const auth = createOAuthDeviceAuth({
  clientType: "oauth-app",
  clientId: "1234567890abcdef1234",
  scopes: ["public_repo"],
  onVerification(verification) {
    // verification example
    // {
    //   device_code: "3584d83530557fdd1f46af8289938c8ef79f9dc5",
    //   user_code: "WDJB-MJHT",
    //   verification_uri: "https://github.com/login/device",
    //   expires_in: 900,
    //   interval: 5,
    // };

    console.log("Open %s", verification.verification_uri);
    console.log("Enter code: %s", verification.user_code);
  },
});

const tokenAuthentication = await auth({
  type: "oauth",
});
// resolves with
// {
//   type: "token",
//   tokenType: "oauth",
//   clientType: "oauth-app",
//   clientId: "1234567890abcdef1234",
//   token: "...", /* the created oauth token */
//   scopes: [] /* depend on request scopes by OAuth app */
// }
```
GitHub Apps do not support scopes. Client IDs of GitHub Apps have a lv1. prefix. If the GitHub App has expiring user tokens enabled, the resulting authentication object has extra properties related to expiration and refreshing the token.
```js
import { createOAuthDeviceAuth } from "@octokit/auth-oauth-device";

const auth = createOAuthDeviceAuth({
  clientType: "github-app",
  clientId: "lv1.1234567890abcdef",
  onVerification(verification) {
    // verification example
    // {
    //   device_code: "3584d83530557fdd1f46af8289938c8ef79f9dc5",
    //   user_code: "WDJB-MJHT",
    //   verification_uri: "https://github.com/login/device",
    //   expires_in: 900,
    //   interval: 5,
    // };

    console.log("Open %s", verification.verification_uri);
    console.log("Enter code: %s", verification.user_code);
  },
});

const tokenAuthentication = await auth({
  type: "oauth",
});
// resolves with
// {
//   type: "token",
//   tokenType: "oauth",
//   clientType: "github-app",
//   clientId: "lv1.1234567890abcdef",
//   token: "...", /* the created oauth token */
// }
// or if expiring user tokens are enabled
// {
//   type: "token",
//   tokenType: "oauth",
//   clientType: "github-app",
//   clientId: "lv1.1234567890abcdef",
//   token: "...", /* the created oauth token */
//   refreshToken: "...",
//   expiresAt: "2022-01-01T08:00:0.000Z",
//   refreshTokenExpiresAt: "2021-07-01T00:00:0.000Z",
// }
```
createOAuthDeviceAuth(options)
The createOAuthDeviceAuth method accepts a single options parameter
name | type | description |
---|---|---|
clientId | string | Required. Find your OAuth app’s Client ID in your account’s developer settings. |
onVerification | function | Required. A function that is called once the device and user codes were retrieved. The |
clientType | string | Must be either |
request | function | You can pass in your own @octokit/request instance. For usage with enterprise, set baseUrl to the API root endpoint. Example: |
scopes | array of strings | Only relevant if Array of scope names enabled for the token. Defaults to |

auth(options)
The async auth() method returned by createOAuthDeviceAuth(options) accepts the following options
name | type | description |
---|---|---|
type | string | Required. Must be set to "oauth" |
scopes | array of strings | Only relevant if the Array of scope names enabled for the token. Defaults to what was set in the strategy options. See available scopes |
refresh | boolean | Defaults to |

The async auth(options) method resolves to one of three possible objects
The differences are
1. scopes is only present for OAuth Apps
2. refreshToken, expiresAt, refreshTokenExpiresAt are only present for GitHub Apps, and only if token expiration is enabled

name | type | description |
---|---|---|
type | string | "token" |
tokenType | string | "oauth" |
clientType | string | "github-app" |
clientId | string | The app's Client ID |
token | string | The personal access token |
scopes | array of strings | array of scope names enabled for the token |

name | type | description |
---|---|---|
type | string | "token" |
tokenType | string | "oauth" |
clientType | string | "github-app" |
clientId | string | The app's Client ID |
token | string | The personal access token |

name | type | description |
---|---|---|
type | string | "token" |
tokenType | string | "oauth" |
clientType | string | "github-app" |
clientId | string | The app's Client ID |
token | string | The user access token |
refreshToken | string | The refresh token |
expiresAt | string | Date timestamp in ISO 8601 standard. Example: 2022-01-01T08:00:0.000Z |
refreshTokenExpiresAt | string | Date timestamp in ISO 8601 standard. Example: 2021-07-01T00:00:0.000Z |

auth.hook(request, route, parameters) or auth.hook(request, options)
auth.hook() hooks directly into the request life cycle. It amends the request to authenticate correctly based on the request URL.
The request option is an instance of @octokit/request. The route/options parameters are the same as for the request() method.
auth.hook() can be called directly to send an authenticated request
```js
const { data: user } = await auth.hook(request, "GET /user");
```
Or it can be passed as option to request().
```js
const requestWithAuth = request.defaults({
  request: {
    hook: auth.hook,
  },
});

const { data: user } = await requestWithAuth("GET /user");
```
```ts
import {
  OAuthAppStrategyOptions,
  OAuthAppAuthOptions,
  OAuthAppAuthentication,
  GitHubAppStrategyOptions,
  GitHubAppAuthOptions,
  GitHubAppAuthentication,
  GitHubAppAuthenticationWithExpiration,
} from "@octokit/auth-oauth-device";
```
GitHub's OAuth Device flow is different from the web flow in two ways
The flow has 3 parts (see GitHub documentation)
- @octokit/auth-oauth-device requests a device and user code
- @octokit/auth-oauth-device is sending requests in the background to retrieve the OAuth access token. Once the user completed step 2, the request will succeed and the token will be returned

See CONTRIBUTING.md
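
The background polling part of the flow described above, as an added example (not code from @octokit/auth-oauth-device): nextStep decides what a client does after each token poll, using the authorization_pending, slow_down, expired_token and access_denied error codes GitHub documents for the device flow. requestToken and sleep are hypothetical injected helpers, and the scripted responses in demo are constructed so the block runs without network access.

```javascript
// Decide what to do after one token poll (added example, not library code).
function nextStep(state, response, nowMs) {
  if (response.access_token) return { done: true, token: response.access_token };
  if (nowMs >= state.expiresAtMs) return { done: true, error: "expired_token" };
  switch (response.error) {
    case "authorization_pending": // user has not entered the code yet
      return { done: false, intervalSec: state.intervalSec };
    case "slow_down": // polled too fast: use the server's new interval, else +5 s
      return { done: false, intervalSec: response.interval ?? state.intervalSec + 5 };
    default: // expired_token, access_denied, ...: stop polling
      return { done: true, error: response.error || "unexpected_response" };
  }
}

// requestToken(deviceCode) and sleep(ms) are hypothetical injected helpers.
async function pollForToken(verification, requestToken, sleep, now = Date.now) {
  const state = {
    intervalSec: verification.interval,
    expiresAtMs: now() + verification.expires_in * 1000,
  };
  for (;;) {
    await sleep(state.intervalSec * 1000); // never poll faster than the interval
    const response = await requestToken(verification.device_code);
    const step = nextStep(state, response, now());
    if (step.error) throw new Error(`device flow failed: ${step.error}`);
    if (step.done) return step.token;
    state.intervalSec = step.intervalSec;
  }
}

// Constructed sample: scripted server responses for four polls, no network.
function demo() {
  const scripted = [
    { error: "authorization_pending" },
    { error: "slow_down", interval: 10 },
    { error: "authorization_pending" },
    { access_token: "example-token" },
  ];
  const waits = []; // seconds slept before each poll
  const verification = { device_code: "example-device-code", expires_in: 900, interval: 5 };
  return pollForToken(
    verification,
    async () => scripted.shift(),
    async (ms) => { waits.push(ms / 1000); },
    () => 0, // frozen clock so the code never expires in the demo
  ).then((token) => ({ token, waits }));
}
```

A client that ignores slow_down or keeps polling after expires_in only generates rejected requests; stopping on any other error keeps a denied or expired code from being retried indefinitely.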
No vulnerabilities found.
- all changesets reviewed
- no binaries found in the repo
- no dangerous workflow patterns detected
- license file detected
- packaging workflow detected
- SAST tool is run on all commits
- 1 existing vulnerabilities detected
- dependency not pinned by hash detected -- score normalized to 6
- 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
- no effort to earn an OpenSSF best practices badge detected
- detected GitHub workflow tokens with excessive permissions
- project is not fuzzed
- security policy file not detected

Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.