Skip to content

add support for token provider #1587

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

add support for token provider #1587

wants to merge 1 commit into from
+185 −84

Conversation

deyaaeldeen
Copy link
Contributor

  • I understand that this repository is auto-generated and my pull request may not be merged

Changes being requested

This PR introduces a new tokenProvider option to the OpenAI client, enabling dynamic token retrieval for authentication scenarios where API keys need to be refreshed or obtained at runtime.

Additional context & links

Changes

New Feature: tokenProvider Option

  • Added TokenProvider type definition: () => Promise<AccessToken>
  • Added AccessToken interface with token: string property
  • Added tokenProvider option to ClientOptions interface
  • Implemented token provider logic in the _setToken() method

Key Benefits

  1. Dynamic Authentication: Supports scenarios where tokens expire and need to be refreshed
  2. Enhanced Security: Tokens can be retrieved just-in-time rather than stored statically
  3. Enterprise Integration: Enables integration with corporate identity providers and token management systems
  4. Flexible Authentication: Provides an alternative to static API keys for environments requiring dynamic credentials

Implementation Details

Client Construction:

  • tokenProvider and apiKey are mutually exclusive - only one can be provided
  • If neither is provided, an error is thrown requiring one of the two authentication methods
  • Browser usage automatically allowed when using tokenProvider (sets dangerouslyAllowBrowser: true)

Token Management:

  • _setToken() method now returns a boolean indicating if a token was successfully retrieved
  • Token provider is called on every request preparation via prepareOptions()

Usage Example

const client = new OpenAI({
  tokenProvider: async () => {
    // Fetch token from your auth service
    const response = await fetch('/api/auth/token');
    const data = await response.json();
    return { token: data.access_token };
  }
});

Backward Compatibility

This change is fully backward compatible. Existing code using apiKey continues to work unchanged. The new tokenProvider option is purely additive.

@deyaaeldeen deyaaeldeen force-pushed the feat/token-provider branch from 276b556 to b4dd476 Compare July 16, 2025 23:36
@deyaaeldeen deyaaeldeen force-pushed the feat/token-provider branch from b4dd476 to f514473 Compare July 16, 2025 23:40
RobertCraigie
RobertCraigie reviewed Jul 28, 2025
View reviewed changes
src/client.ts
/**
* A function that returns a token to use for authentication.
*/
tokenProvider?: TokenProvider | undefined;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: why call it tokenProvider and not apiKeyProvider? I think the former matches the existing terminology better

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

API key auth is already supported. This feature enables short-lived token-based auth and we want to advertise it as such. Implementation-wise, it is piggybacking off the apiKey field which is just a hack to simplify the implementation.

RobertCraigie
RobertCraigie reviewed Jul 28, 2025
View reviewed changes
src/client.ts
@@ -438,6 +457,31 @@ export class OpenAI {
return Errors.APIError.generate(status, error, message, headers);
}

async _setToken(): Promise<boolean> {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think "refresh" is a better verb than "set" here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The decision to refresh is taken by the input function and not by this method, i.e. it is not guaranteed that the token will be refreshed if this method is called. However, let me know if you feel strongly about it and I can update the name.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RobertCraigie RobertCraigie RobertCraigie left review comments

@tetraprod tetraprod tetraprod approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@deyaaeldeen @RobertCraigie @tetraprod