InvokeTool

Local Auth Persistence

Keep provider credentials in the embedding application, not on InvokeTool servers.


InvokeTool never stores module provider credentials on the hosted API. OAuth tokens, API keys, bearer tokens, and provider connection state live in the embedding application through SDK persistence hooks.

AuthStore

interface AuthStore {
  get(moduleId: string, connectionId: string, key: string): Promise<Uint8Array | undefined>;
  set(
    moduleId: string,
    connectionId: string,
    key: string,
    value: Uint8Array,
    metadata?: Record<string, unknown>,
  ): Promise<void>;
  delete(moduleId: string, connectionId: string, key: string): Promise<void>;
  list(moduleId?: string): Promise<AuthRecord[]>;
}

The default in-memory store is for tests and development. Production hosts should use an encrypted database, keychain, secure enclave, browser storage with application encryption, or a secret manager.

TypeScript Stores

The TypeScript SDK includes three store implementations:

  • InMemoryAuthStore for tests and local demos.
  • BrowserLocalAuthStore for browser hosts that want a localStorage-compatible persistence adapter.
  • EncryptedAuthStore for server-side or desktop hosts that need AES-GCM encryption before records are written to a backing store.

import {
  BrowserLocalAuthStore,
  EncryptedAuthStore,
  importAesGcmKey,
} from "@invoketool/sdk";

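// Browser host: persist through a localStorage-compatible adapter.
const browserStore = new BrowserLocalAuthStore(window.localStorage);

// Server-side or desktop host: records are AES-GCM encrypted before they are written.
// raw32ByteKey is the host's 32-byte key material; it is not defined in this snippet.
const key = await importAesGcmKey(raw32ByteKey);
const encryptedStore = new EncryptedAuthStore({
  key,
  keyId: "prod-2026-05",
});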

A runnable server-side encrypted persistence example lives at examples/embedding/typescript/src/server-encrypted-auth-store.ts. It wraps a tenant-scoped database-style AuthStore with EncryptedAuthStore, verifies the backing row never contains plaintext provider tokens, and is exercised by:

npm --workspace @invoketool/example-embedding-typescript run auth-store-demo
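
The following is an added example, not InvokeTool's EncryptedAuthStore and not the repository's demo. It uses Node's crypto module to seal one AuthStore value with AES-256-GCM, then checks that the stored row holds no plaintext token, still opens after a second key is added, and fails to open when copied to another connectionId. The envelope fields, the use of (moduleId, connectionId, key) as associated data, the function names, and the `prod-2026-11` key id are assumptions.

```typescript
// Added example, not the SDK's EncryptedAuthStore: the envelope layout, the AAD
// binding and every function name below are assumptions for illustration.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

type Keyring = Record<string, Uint8Array>; // keyId -> 32-byte AES-256 key

// JSON array encoding keeps ("a", "b:c") distinct from ("a:b", "c").
function recordAad(moduleId: string, connectionId: string, key: string): Buffer {
  return Buffer.from(JSON.stringify([moduleId, connectionId, key]), "utf8");
}

// Encrypt one AuthStore value into the string a backing row would hold.
function seal(ring: Keyring, keyId: string, moduleId: string,
              connectionId: string, key: string, value: Uint8Array): string {
  const aesKey = ring[keyId];
  if (!aesKey || aesKey.length !== 32) throw new Error(`no 32-byte key for ${keyId}`);
  const iv = randomBytes(12); // fresh 96-bit nonce for every write
  const cipher = createCipheriv("aes-256-gcm", aesKey, iv);
  cipher.setAAD(recordAad(moduleId, connectionId, key)); // bind the row to its slot
  const ct = Buffer.concat([cipher.update(value), cipher.final()]);
  const b64 = (b: Buffer) => b.toString("base64");
  return JSON.stringify({ keyId, iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) });
}

// Decrypt a row; throws if the row was altered or moved to another slot.
function unseal(ring: Keyring, moduleId: string, connectionId: string,
                key: string, row: string): Uint8Array {
  const env = JSON.parse(row) as { keyId: string; iv: string; ct: string; tag: string };
  const aesKey = ring[env.keyId]; // the keyId stored in the row selects the key
  if (!aesKey) throw new Error(`unknown keyId ${env.keyId}`);
  const d = createDecipheriv("aes-256-gcm", aesKey, Buffer.from(env.iv, "base64"));
  d.setAAD(recordAad(moduleId, connectionId, key));
  d.setAuthTag(Buffer.from(env.tag, "base64"));
  return Buffer.concat([d.update(Buffer.from(env.ct, "base64")), d.final()]);
}

// Constructed inputs: the token, module id and connection ids are made up.
function demo() {
  const ring: Keyring = { "prod-2026-05": randomBytes(32) };
  const token = "constructed-refresh-token-0001";
  const row = seal(ring, "prod-2026-05", "example-module", "conn-a", "refresh_token", Buffer.from(token));
  const roundTrip = Buffer.from(unseal(ring, "example-module", "conn-a", "refresh_token", row)).toString();
  ring["prod-2026-11"] = randomBytes(32); // rotation: add a key, keep the old one readable
  const afterRotation = Buffer.from(unseal(ring, "example-module", "conn-a", "refresh_token", row)).toString();
  let swapRejected = false;
  try { unseal(ring, "example-module", "conn-b", "refresh_token", row); } catch { swapRejected = true; }
  return { leaksPlaintext: row.includes(token), roundTrip, afterRotation, swapRejected };
}
```

Binding the record's coordinates as associated data means a row copied between connections in the backing store fails authentication instead of decrypting under the wrong identity.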

OAuth Hooks

Marketplace auth metadata provides scopes, OAuth URLs, callback requirements, and provider names. The embedding product owns the user experience, callback handling, token refresh, revocation, and secure persistence.

MiniGo CodeMode does not receive raw provider tokens. Modules request authorized host calls, and the SDK host fulfills them with locally persisted credentials.

Lifecycle Methods

InvokeClient exposes lifecycle helpers that call the configured store and hooks:

  • persistTokens({ moduleId, connectionId, tokenSet })
  • requireTokenSet(moduleId, connectionId)
  • refreshTokens(moduleId, connectionId)
  • revokeAuth(moduleId, connectionId)

Auth errors are reported through onAuthError; missing auth triggers onAuthRequired; refresh and deletion paths call onTokenRefresh and onAuthDelete.
