@archipel/platform-authentication Auto-generated

@breadstone/archipel-platform-authentication

Classes

| Class | Description |
| --- | --- |
| AnonymousAuthGuard | The AnonymousAuthGuard protects routes using anonymous authentication. |
| AuthModule | The AuthModule handles JWT-based authentication, including token creation and validation. |
| AuthSubjectPort | Abstract port for resolving authentication subjects by identity. Used by the JWT, Local, and Anonymous strategies. |
| AuthTokenService | Generic service responsible for creating JWT access tokens. Builds a base payload from IAuthSubject and optionally enriches it via the TokenEnricherPort with product-specific claims. |
| ChallengeService | Stores and validates MFA login challenges. |
| GithubAuthGuard | The GithubAuthGuard protects routes using GitHub authentication. |
| JwtAuthGuard | The JwtAuthGuard protects routes using JWT-based authentication. |
| JwtPayloadBase | Abstract base class for JWT payloads. Products extend this to add their own claims (e.g. profileId, isPro). Used as both a serialization contract and NestJS injection token. |
| LastActiveMiddleware | Middleware to automatically update the lastActive timestamp for authenticated sessions. Extracts the JWT token from the Authorization header and updates the session asynchronously. |
| LocalAuthGuard | The LocalAuthGuard protects routes using local authentication. |
| MfaService | Orchestrates MFA channels, backup codes, and user preferences. |
| MfaSubjectPort | Abstract port for reading and writing MFA state on the underlying subject entity. Used by the MfaService and all MFA channel implementations. |
| RolesGuard | - |
| SessionMappingProfile | Mapping profile for Session entity to response transformations. |
| SessionPersistencePort | Abstract port for persisting and querying sessions. Used by the SessionService and LastActiveMiddleware. |
| SessionResponse | The SessionResponse class. |
| SessionService | Manages user sessions via the SessionPersistencePort. |
| SocialAuthGuard | - |
| SocialAuthPort | Abstract port for resolving or creating subjects from social / OAuth profiles. Used by all social strategies (GitHub, Google, Microsoft, Apple). |
| TokenEnricherPort | Abstract port for enriching JWT claims with product-specific data. This is an optional port: when not provided, the token contains only base claims. |
| VerificationService | Manages email / PIN verification tokens via the VerificationSubjectPort. |
| VerificationSubjectPort | Abstract port for verifiable subject persistence. Used by the VerificationService to manage email/PIN verification. |

Interfaces

| Interface | Description |
| --- | --- |
| IAuthModuleOptions | Options for configuring the AuthModule. |
| IAuthSubject | Generic authentication subject returned by the AuthSubjectPort. Represents any entity that can authenticate (user, service account, etc.). |
| IMfaChallengePayload | Represents the MFA challenge payload encoded in a challenge token. |
| IMfaChallengeState | - |
| IMfaConfirmation | Represents the activation result for multi-factor authentication. |
| IMfaSetup | Represents the data required to onboard a multi-factor authenticator. |
| IMfaSubject | Represents an MFA-enabled subject. Contains the data the MFA subsystem needs to read and write MFA state on the underlying user-like entity. |
| IMfaSubjectUpdate | Data payload for updating MFA state on the underlying entity. All properties are optional; only the provided ones are applied. |
| ISessionRecord | Represents a persisted session record. |
| ISignInResult | Represents the outcome of a sign-in attempt. |
| ISocialProfile | Profile data received from a social / OAuth provider. |
| IStoreSessionArgs | Arguments for storing a new session. |
| IVerifiableSubject | Represents a verifiable authentication subject. Used by the VerificationService to verify email / PIN. |

Variables

| Variable | Description |
| --- | --- |
| AUTH_APPLE_CALLBACK_URL | Apple Sign-In callback URL. |
| AUTH_APPLE_CLIENT_ID | Apple Sign-In client (service) ID. |
| AUTH_APPLE_KEY_ID | Apple Sign-In key ID. |
| AUTH_APPLE_PRIVATE_KEY | Apple Sign-In private key (PEM string). |
| AUTH_APPLE_TEAM_ID | Apple developer team ID. |
| AUTH_GITHUB_CLIENT_ID | GitHub OAuth client ID. |
| AUTH_GITHUB_CLIENT_SECRET | GitHub OAuth client secret. |
| AUTH_GOOGLE_CALLBACK_URL | Google OAuth2 callback URL. |
| AUTH_GOOGLE_CLIENT_ID | Google OAuth2 client ID. |
| AUTH_GOOGLE_CLIENT_SECRET | Google OAuth2 client secret. |
| AUTH_JWT_EXPIRES_IN | Lifetime of access tokens (e.g. '15m', '1h'). |
| AUTH_JWT_SECRET | Secret used to sign JWTs. |
| AUTH_MFA_CHALLENGE_EXPIRES_IN | How long an MFA challenge stays valid (e.g. '5m'). |
| AUTH_MFA_EMAIL_CODE_TTL | Time-to-live for email OTP codes (e.g. '10m'). |
| AUTH_MFA_EMAIL_MIN_RESEND | Minimum interval between email OTP resend requests (e.g. '30s'). |
| AUTH_MFA_ENCRYPTION_KEY | AES encryption key used to encrypt MFA secrets at rest. |
| AUTH_MFA_MAX_ATTEMPTS | Maximum number of failed MFA attempts before lockout. |
| AUTH_MFA_PUSH_CODE_TTL | Time-to-live for push OTP codes (e.g. '10m'). |
| AUTH_MFA_PUSH_MIN_RESEND | Minimum interval between push OTP resend requests (e.g. '30s'). |
| AUTH_MFA_SMS_CODE_TTL | Time-to-live for SMS OTP codes (e.g. '10m'). |
| AUTH_MFA_SMS_MIN_RESEND | Minimum interval between SMS resend requests (e.g. '30s'). |
| AUTH_MICROSOFT_CALLBACK_URL | Microsoft OAuth2 callback URL. |
| AUTH_MICROSOFT_CLIENT_ID | Microsoft OAuth2 client ID. |
| AUTH_MICROSOFT_CLIENT_SECRET | Microsoft OAuth2 client secret. |
| AUTH_MICROSOFT_TENANT | Microsoft tenant ID or 'common' for multi-tenant. |
| AUTH_VERIFY_JWT_EXPIRES_IN | Lifetime of email-verification JWTs. |
| PLATFORM_AUTHENTICATION_CONFIG_ENTRIES | All configuration entries required by platform-authentication. |
| ROLES_KEY | Represents the key for the UseRoles decorator. |
| SEED_ANONYMOUS_USERNAME | Username used for the anonymous seed user. |
| SESSION_LIST_MAPPING_KEY | Type-safe mapping key for Session entity list to response list transformation. |
| SESSION_MAPPING_KEY | Type-safe mapping key for Session entity to response transformation. |
| User | Represents the User decorator. |

Functions

| Function | Description |
| --- | --- |
| socialAuthGuardFactory | - |
| Token | Represents the Token decorator. |
| UseRoles | Represents the UseRoles decorator. |

Released under the MIT License.