Interface: AuthClientOptions

Defined in: auth-server-nest/src/config/auth-client.config.ts:13

Config consumed by AuthClientModule.forRoot.

Every option is plain data — no DI tokens, no callbacks — so consumers can build it from any source (ConfigService, dotenv, a static file, tests). This is the entire surface a consumer needs to understand.

Properties

authServerApiPrefix?

optional authServerApiPrefix?: string

Defined in: auth-server-nest/src/config/auth-client.config.ts:20

Defaults to ‘/api/v1’.

authServerUrl

authServerUrl: string

Defined in: auth-server-nest/src/config/auth-client.config.ts:18

Base URL of the @vendidit/auth-server (e.g. http://localhost:8080).

checkRevocation?

optional checkRevocation?: boolean

Defined in: auth-server-nest/src/config/auth-client.config.ts:44

Check Redis auth:blacklist:{jti} on every authenticated request so logouts / revocations propagate within ~100ms instead of waiting for the 15m access-token TTL. Requires a Redis client wired to the AUTH_CLIENT_REDIS token by the consumer.

devUserId?

optional devUserId?: string

Defined in: auth-server-nest/src/config/auth-client.config.ts:36

enabled?

optional enabled?: boolean

Defined in: auth-server-nest/src/config/auth-client.config.ts:35

Master switch. false → JwtAuthGuard bypasses and attaches a synthetic system_admin user with id devUserId. Intended for NODE_ENV=development only; env validation elsewhere should refuse to flip this in staging/prod.

jwtAudience?

optional jwtAudience?: string

Defined in: auth-server-nest/src/config/auth-client.config.ts:28

jwtIssuer?

optional jwtIssuer?: string

Defined in: auth-server-nest/src/config/auth-client.config.ts:27

jwtSecret?

optional jwtSecret?: string

Defined in: auth-server-nest/src/config/auth-client.config.ts:26

Local HS256 verification settings. Required when enabled !== false. jwtSecret must match the auth server’s JWT_ACCESS_SECRET exactly.

m2m?

optional m2m?: object

Defined in: auth-server-nest/src/config/auth-client.config.ts:54

Machine-to-machine credentials. Opt-in — only needed if this service makes authenticated outbound calls to the auth server on its own behalf (permission registration, /auth/me lookups with service identity, etc.).

ServiceAuthClient uses these to run the client-credentials flow against POST /oauth/token and caches the returned JWT until ~60s before expiry.

clientId

clientId: string

clientSecret

clientSecret: string

refreshSkewSeconds?

optional refreshSkewSeconds?: number

Seconds-before-expiry to refresh. Default 60.

permissions?

optional permissions?: object

Defined in: auth-server-nest/src/config/auth-client.config.ts:68

Declarative permission manifest — the set of permission codes this service owns. Registered with auth server at boot via POST /admin/permissions/register (upserts the set, prunes removals).

Requires m2m credentials. Omit to skip registration.

manifest

manifest: PermissionManifestEntry[]

registerOnBoot?

optional registerOnBoot?: boolean

If false, the service won’t register on boot (useful in tests). Default: true.

serviceName

serviceName: string

Defined in: auth-server-nest/src/config/auth-client.config.ts:15

Stable identifier for this service, used when registering permissions.