Optional fetch
Custom fetch implementation (default: global fetch).
Primarily a testing hook — lets unit tests stub the authorization server
without intercepting the global.
Optional init: RequestInit
Optional timeout
Request timeout in milliseconds (default: 30_000). Guards against a silently hung authorization server blocking the caller indefinitely.
Optional allow
Allow token_endpoint to resolve to a private / loopback IP address.
Default: false (SSRF guard). The CLI opts in because the operator is
explicitly configuring the endpoint; hosted consumers accepting
user-supplied configs should leave this off.
Optional storage
Storage backend used to persist refreshed tokens. Optional — if omitted,
tokens are only mutated on the in-memory agent object and the caller
is responsible for persisting.
Optional force
Force a re-exchange even if the cached token looks valid. Useful after a 401 in case the authorization server rotated something out-of-band.
Optional expiration
Expiration skew (ms). Treat the token as expired this many milliseconds
before its nominal expires_at — protects against clock skew and
in-flight requests. Default: 60_000 (1 minute). The interactive auth
code flow uses 5 minutes; client credentials refresh is cheap (single
POST) so the shorter window is fine here.
Options for ensureClientCredentialsTokens.
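
The SSRF guard option above refuses a token_endpoint that resolves to a private / loopback IP address unless the caller opts in. The following TypeScript is an added illustration of that kind of check, not the library's own code: parseIPv4, parseIPv6, isInternalAddress and blockedAddresses are hypothetical names, and the list of ranges treated as internal is an assumption.

```typescript
// Added illustration: names are hypothetical, not the library's API.
function parseIPv4(ip: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((n) => n <= 255) ? o : null;
}

function isInternalIPv4(o: number[]): boolean {
  const a = o[0] ?? 0, b = o[1] ?? 0;
  return a === 0 || a === 10 || a === 127 ||   // this-network, RFC 1918, loopback
    (a === 100 && b >= 64 && b <= 127) ||      // 100.64.0.0/10 shared address space
    (a === 169 && b === 254) ||                // link-local, incl. cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||       // RFC 1918
    (a === 192 && b === 168);                  // RFC 1918
}

function parseIPv6(ip: string): number[] | null {
  let s = (ip.split("%")[0] ?? "").toLowerCase();       // drop any zone id
  const quad = /^(.*:)(\d+\.\d+\.\d+\.\d+)$/.exec(s);
  if (quad) {                                           // dotted tail -> two hextets
    const o = parseIPv4(quad[2] ?? "");
    if (!o) return null;
    const [a = 0, b = 0, c = 0, d = 0] = o;
    s = `${quad[1]}${(a * 256 + b).toString(16)}:${(c * 256 + d).toString(16)}`;
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const split = (h?: string) => (h ? h.split(":") : []);
  const head = split(halves[0]), tail = split(halves[1]);
  const fill = halves.length === 2 ? Math.max(8 - head.length - tail.length, 0) : 0;
  const groups = [...head, ...Array<string>(fill).fill("0"), ...tail];
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function isInternalAddress(ip: string): boolean {
  const v4 = parseIPv4(ip);
  if (v4) return isInternalIPv4(v4);
  const g = parseIPv6(ip);
  if (!g) return true;                                  // unparseable: fail closed
  const g0 = g[0] ?? 0, g5 = g[5] ?? 0, g6 = g[6] ?? 0, g7 = g[7] ?? 0;
  if (g.slice(0, 5).every((x) => x === 0) && (g5 === 0 || g5 === 0xffff))
    // ::, ::1 and IPv4-mapped/compatible forms: judge the embedded IPv4 address
    return isInternalIPv4([g6 >> 8, g6 & 255, g7 >> 8, g7 & 255]);
  return (g0 & 0xfe00) === 0xfc00 || (g0 & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
}

// Every resolved address is checked, not only the first one.
function blockedAddresses(resolved: string[], allowPrivate = false): string[] {
  return allowPrivate ? [] : resolved.filter(isInternalAddress);
}
```

Apply the check to the addresses the connection will actually use; validating one DNS answer and then connecting with a second lookup leaves a rebinding gap.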