lancedb/docs/src/js/interfaces/OAuthConfig.md
Jack Ye 10fecdf051 feat(node): expose OAuth connection config (#3587)
Expose the merged Rust OAuth header provider through the Node/TypeScript
connection path.

Includes:
- Native OAuthConfig conversion for napi-rs
- ConnectionOptions.oauthConfig plumbing
- Public TypeScript OAuthConfig and OAuthFlowType exports
- Generated TypeScript API docs for the new config surface
- input-validation and debug-redaction coverage in the Rust binding
layer

Local validation: cargo fmt --all; git diff --check.
2026-06-29 16:55:45 -07:00

Interface: OAuthConfig

OAuth configuration for LanceDB authentication.

This is the public TypeScript OAuth configuration type. The generated NativeOAuthConfig type has the same runtime shape but is an implementation detail of the napi-rs binding.

All token acquisition and refresh is handled in the Rust layer. This config is passed through to Rust via napi-rs.

Examples

// Client credentials flow (the default when `flow` is omitted)
const config: OAuthConfig = {
  issuerUrl: "https://login.microsoftonline.com/{tenant}/v2.0",
  clientId: "app-id",
  clientSecret: "secret",
  scopes: ["api://lancedb-api/.default"],
};

// Azure managed identity flow: no client secret, exactly one scope
const config: OAuthConfig = {
  issuerUrl: "https://login.microsoftonline.com/{tenant}/v2.0",
  clientId: "app-id",
  scopes: ["api://lancedb-api/.default"],
  flow: OAuthFlowType.AzureManagedIdentity,
};

Properties

clientId

clientId: string;

Application / Client ID.


clientSecret?

optional clientSecret: string;

Client secret (required for ClientCredentials).


flow?

optional flow: OAuthFlowType;

Authentication flow (default: ClientCredentials).


issuerUrl

issuerUrl: string;

OIDC issuer URL or OAuth authority URL. For Azure: https://login.microsoftonline.com/{tenant_id}/v2.0


managedIdentityClientId?

optional managedIdentityClientId: string;

Client ID for user-assigned managed identity (AzureManagedIdentity).


refreshBufferSecs?

optional refreshBufferSecs: number;

Seconds before expiry to trigger proactive refresh (default: 300). Keep this well below the token TTL; if it is greater than or equal to the TTL, each request refreshes the token.


scopes

scopes: string[];

OAuth scopes to request. For Azure managed identity, exactly one scope or resource is required. For example: ["api://{app_id}/.default"]
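
The constraints stated in the property descriptions above (a client secret for ClientCredentials, exactly one scope for Azure managed identity, refreshBufferSecs below the token TTL) can be checked before the config is handed to the connection. This is an added example, not code from the lancedb project: `Flow`, `OAuthConfigLike`, `checkOAuthConfig` and `redactForLog` are hypothetical local stand-ins for the documented shape, and `tokenTtlSecs` is a value you supply from your identity provider.

```typescript
// Local stand-ins mirroring the shape documented on this page (assumption:
// only the two flow names the page mentions are modelled).
const Flow = {
  ClientCredentials: "ClientCredentials",
  AzureManagedIdentity: "AzureManagedIdentity",
} as const;
type Flow = (typeof Flow)[keyof typeof Flow];

interface OAuthConfigLike {
  issuerUrl: string;
  clientId: string;
  clientSecret?: string;
  scopes: string[];
  flow?: Flow;
  managedIdentityClientId?: string;
  refreshBufferSecs?: number;
}

const DEFAULT_REFRESH_BUFFER_SECS = 300; // default stated in the docs

// Hypothetical pre-flight check. tokenTtlSecs is the access-token lifetime
// issued by your identity provider; it is not part of the config itself.
function checkOAuthConfig(cfg: OAuthConfigLike, tokenTtlSecs: number): string[] {
  const problems: string[] = [];
  const flow = cfg.flow ?? Flow.ClientCredentials; // documented default flow
  if (flow === Flow.ClientCredentials && !cfg.clientSecret) {
    problems.push("clientSecret is required for ClientCredentials");
  }
  if (flow === Flow.AzureManagedIdentity && cfg.scopes.length !== 1) {
    problems.push("AzureManagedIdentity needs exactly one scope or resource");
  }
  const buffer = cfg.refreshBufferSecs ?? DEFAULT_REFRESH_BUFFER_SECS;
  if (buffer >= tokenTtlSecs) {
    problems.push(`refreshBufferSecs (${buffer}) >= token TTL (${tokenTtlSecs}): each request refreshes`);
  }
  return problems;
}

// Copy of the config that is safe to log: the secret is replaced, never printed.
function redactForLog(cfg: OAuthConfigLike): OAuthConfigLike {
  return cfg.clientSecret === undefined ? { ...cfg } : { ...cfg, clientSecret: "<redacted>" };
}
```

Run `checkOAuthConfig` at startup and log only the output of `redactForLog`, so a misconfigured refresh buffer or a missing secret surfaces without the secret reaching the logs.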