Interface: ClientMetadata

March 19, 2026



A subset of the IANA OAuth Client Metadata registry that has an effect on how the Client functions

Indexable

[metadata: string]: JsonValue | undefined

Properties

client_id

• client_id: string

Client identifier.


[clockSkew]?

• optional [clockSkew]?: number

See clockSkew.


[clockTolerance]?

• optional [clockTolerance]?: number

See clockTolerance.


authorization_signed_response_alg?

• optional authorization_signed_response_alg?: string

JWS alg algorithm required for signing authorization responses. When not configured the default is to allow only algorithms listed in as.authorization_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.


client_secret?

• optional client_secret?: string

Client secret.


default_max_age?

• optional default_max_age?: number

Default Maximum Authentication Age.


id_token_signed_response_alg?

• optional id_token_signed_response_alg?: string

JWS alg algorithm required for signing the ID Token issued to this Client. When not configured the default is to allow only algorithms listed in as.id_token_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.


introspection_signed_response_alg?

• optional introspection_signed_response_alg?: string

JWS alg algorithm REQUIRED for signed introspection responses. When not configured the default is to allow only algorithms listed in as.introspection_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.


require_auth_time?

• optional require_auth_time?: boolean

Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. Default is false.


use_mtls_endpoint_aliases?

• optional use_mtls_endpoint_aliases?: boolean

Indicates the requirement for a client to use mutual TLS endpoint aliases indicated by the Authorization Server Metadata. Default is false.

When combined with customFetch (to use a Fetch API implementation that supports client certificates) this can be used to target security profiles that utilize Mutual-TLS for either client authentication or sender constraining.

Examples

(Node.js) Using nodejs/undici for Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support.

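```ts
import * as client from 'openid-client'
import * as undici from 'undici'

let config!: client.Configuration
let key!: string // PEM-encoded key
let cert!: string // PEM-encoded certificate

// Dispatcher that presents the client certificate on every TLS connection
let agent = new undici.Agent({ connect: { key, cert } })

// Route all of the client's HTTP requests through that dispatcher
config[client.customFetch] = (...args) =>
  // @ts-expect-error
  undici.fetch(args[0], { ...args[1], dispatcher: agent })
```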

(Deno) Using Deno.createHttpClient API for Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support.

```ts
let config!: client.Configuration
let key!: string // PEM-encoded key
let cert!: string // PEM-encoded certificate

// @ts-expect-error
let agent = Deno.createHttpClient({ key, cert })

config[client.customFetch] = (...args) =>
  // @ts-expect-error
  fetch(args[0], { ...args[1], client: agent })
```

See

RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens


userinfo_signed_response_alg?

• optional userinfo_signed_response_alg?: string

JWS alg algorithm REQUIRED for signing UserInfo Responses. When not configured the default is to allow only algorithms listed in as.userinfo_signing_alg_values_supported and fail otherwise.
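
The default resolution described for the four `*_signed_response_alg` properties above, written out as an added example (not code from this module or its author). The function names, the `JsonObject` type and the sample token are hypothetical, and "metadata is not set" is read here as the relevant `*_signing_alg_values_supported` field being absent. Signature verification is out of scope.

```typescript
// Added illustration; every name here is hypothetical, not this module's API.
type JsonObject = Record<string, unknown>

// Constructed sample: compact JWS whose protected header is {"alg":"none"}.
const SAMPLE_UNSIGNED = 'eyJhbGciOiJub25lIn0.e30.'

// Algorithms acceptable for one kind of signed response; `kind` is one of
// 'authorization', 'id_token', 'introspection' or 'userinfo'.
function allowedAlgs(kind: string, clientMeta: JsonObject, as: JsonObject): string[] {
  // 1. A configured <kind>_signed_response_alg requires exactly that algorithm.
  const required = clientMeta[`${kind}_signed_response_alg`]
  if (typeof required === 'string') return [required]

  // 2. Not configured: only what the authorization server metadata lists.
  const listed = as[`${kind}_signing_alg_values_supported`]
  if (Array.isArray(listed)) {
    return listed.filter((a): a is string => typeof a === 'string')
  }

  // 3. Server metadata not set (read here as: that field is absent):
  //    RS256 fallback, except UserInfo, which has no fallback and fails.
  return kind === 'userinfo' ? [] : ['RS256']
}

// Reads `alg` from the protected header of a compact JWS. No signature check.
function headerAlg(jws: string): string {
  const [encoded = ''] = jws.split('.')
  const header = JSON.parse(atob(encoded.replace(/-/g, '+').replace(/_/g, '/')))
  if (typeof header?.alg !== 'string') throw new Error('JWS header has no alg')
  return header.alg
}

// True only when the response's alg is one the configuration permits.
function isAlgAcceptable(kind: string, jws: string, clientMeta: JsonObject, as: JsonObject): boolean {
  return allowedAlgs(kind, clientMeta, as).indexOf(headerAlg(jws)) !== -1
}
```

With nothing configured on either side, an ID Token is accepted only with RS256, while a signed UserInfo response is rejected whatever its `alg`; a token with `alg` set to `none` is never accepted unless it is explicitly listed.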