A JavaScript API for working with OAuth 2 and OpenID Connect, providing helpers for common authentication and authorization flows. It is useful for integrating with authorization servers, including metadata discovery, authorization code flow, refresh tokens, device authorization, CIBA, client credentials, and features like introspection, revocation, and pushed authorization requests.
Project status
- The repository appears actively maintained, with recent versioned updates in 2025 to 2026 (latest shown update v6.8.4 on 2026-04-27) and a very recent upstream push on 2026-06-03.
- Apparent update cadence is steady but not uniform, with smaller gaps recently (v6.8.4 to v6.8.3 is about two weeks) and longer breaks at times (for example, v6.8.3 to v6.8.2 is about two months). Overall, it looks like ongoing maintenance rather than a stalled project.
AI summary generated
Recent updates
v6.8.4
v6.8.4 focuses on correctness fixes around generic grant handling, JWE decryption key selection, and abort-signal propagation during device and backchannel grant polling. The release notes enumerate four specific fixes, and the code diff shows corresponding internal refactors plus targeted tests for them.
v6.8.3
v6.8.3 is a small maintenance release focused on documentation and a passport integration fix. The release notes mention a documented workaround for `redirect_uri` edge cases and a passport callback change to remove one-time state after use.
v6.8.2
Release v6.8.2 primarily addresses a fetch-related issue involving streaming request bodies. The visible code diff also shows multiple TypeScript and documentation formatting-only adjustments, plus CI and dependency updates that are not mentioned in the release notes.
v6.8.1
v6.8.1 is a small refactor release focused on DPoP nonce caching behavior when using customFetch. The changelog/release notes mention a workaround related to DPoP nonce caching caveats, and the codebase updates documentation/comments accordingly.
v6.8.0
v6.8.0 adds retry timing improvements for OAuth polling by respecting the Retry-After header during CIBA and Device Authorization Grant polling. The release notes also include a small documentation cleanup to remove mention of Edge Runtime from the README.
Featuresv6.7.1
v6.7.1 is a small patch release that adjusts the passport Strategy URL building logic. The only functional change in the diff is in passport integration, where the computed URL host value is made more compatible with Express 5 behavior when using Express 4.
v6.7.0
Release v6.7.0 adds support for ML-DSA JWS algorithm identifiers. In the actual codebase, it also includes TypeScript typing updates for JWS/JWK, bumps dependencies (jose and oauth4webapi), and makes a small change to the test/demo server logic.
Featuresv6.6.4
v6.6.4 includes a fix to token exchange handling so that token responses with token_type set to n_a are recognized and parsed. The main production code change is in genericGrantRequest, where additional token type recognition is conditionally passed to processGenericTokenEndpointResponse for the token exchange grant type.
v6.6.3
v6.6.3 primarily updates passport Strategy behavior to make the initiation vs callback decision overridable via a new hook method, shouldInitiateAuthRequest. It also fixes the documentation for TokenEndpointResponseHelpers.claims() to correctly describe when it returns undefined. Additionally, several dependency versions were bumped, though these were not mentioned in the release notes.
Featuresv6.6.2
Release v6.6.2 is documented as an RFC8414 fix that strips a terminating slash when a pathname is present. In the provided diff, the only visible source changes are version string updates for the user agent, while the rest of the changes are release metadata plus dependency version bumps.