auth

package
v0.3.28-beta Latest
Warning

This package is not in the latest version of its module.

Published: Apr 5, 2026 License: MIT Imports: 19 Imported by: 0

Documentation

Overview

Package auth provides authentication mechanisms for various AI providers. It handles OAuth2 flows, credential storage, and token management for Anthropic Claude and GitHub Copilot integrations, and implements Codex CLI authentication for the ChatGPT backend API.


Constants

const (
	// CodexAPIBaseURL is the endpoint for the Codex Responses API.
	CodexAPIBaseURL = "https://chatgpt.com/backend-api/codex"

	// CodexOriginator identifies the client making requests.
	// Using the official Codex CLI originator for compatibility.
	CodexOriginator = "kodelet"
)


Functions

func AccountExists

func AccountExists(alias string) (bool, error)

AccountExists checks if an account with the given alias exists.

func AnthropicAccessToken

func AnthropicAccessToken(ctx context.Context, alias string) (string, error)

AnthropicAccessToken retrieves a valid Anthropic access token for the specified account alias. If alias is empty, uses the default account. It automatically handles token refresh when the token is within 10 minutes of expiration.

func AnthropicAccessTokenForAlias

func AnthropicAccessTokenForAlias(ctx context.Context, alias string) (string, error)

AnthropicAccessTokenForAlias is an alias for AnthropicAccessToken for backward compatibility. Deprecated: Use AnthropicAccessToken directly.

func AnthropicHeader

func AnthropicHeader(ctx context.Context, alias string) ([]option.RequestOption, error)

AnthropicHeader retrieves an access token for the specified account alias and returns the HTTP request options for Anthropic API calls. If alias is empty, uses the default account.

func AnthropicHeaderWithToken

func AnthropicHeaderWithToken(accessToken string) []option.RequestOption

AnthropicHeaderWithToken returns the HTTP request options for Anthropic API calls with a pre-fetched access token. This is useful when you already have the token and want to avoid another lookup.

func AnthropicSystemPrompt

func AnthropicSystemPrompt() []anthropic.TextBlockParam

AnthropicSystemPrompt returns the system prompt text blocks for Anthropic Claude interactions.

func CodexHeader

func CodexHeader(ctx context.Context) ([]option.RequestOption, error)

CodexHeader returns the HTTP request options for Codex API calls. These headers are required for authentication with the ChatGPT backend API.

func CodexHeaderWithCredentials

func CodexHeaderWithCredentials(creds *CodexCredentials) []option.RequestOption

CodexHeaderWithCredentials returns the HTTP request options for Codex API calls using the provided credentials. Returns nil if credentials are nil or empty.

func CopilotAccessToken

func CopilotAccessToken(ctx context.Context) (string, error)

CopilotAccessToken retrieves a valid Copilot token, refreshing it if necessary. It automatically handles token refresh when the token is within 10 minutes of expiration.

func DeleteCodexCredentials

func DeleteCodexCredentials() error

DeleteCodexCredentials removes the Codex auth file.

func DeleteCopilotCredentials

func DeleteCopilotCredentials() error

DeleteCopilotCredentials removes the Copilot credentials file from the user's home directory.

func GenerateAliasFromEmail

func GenerateAliasFromEmail(email string) string

GenerateAliasFromEmail extracts the prefix (part before @) from an email address to use as an alias.

func GenerateAnthropicAuthURL

func GenerateAnthropicAuthURL() (authURL string, verifier string, err error)

GenerateAnthropicAuthURL generates an OAuth2 authorization URL for Anthropic authentication. It returns the auth URL, PKCE verifier, and any error encountered.

func GenerateCodexAuthURL

func GenerateCodexAuthURL() (authURL string, verifier string, state string, err error)

GenerateCodexAuthURL generates an OAuth2 authorization URL for OpenAI Codex authentication. It returns the auth URL, PKCE verifier, state, and any error encountered.

func GetAnthropicCredentialsExists

func GetAnthropicCredentialsExists() (bool, error)

GetAnthropicCredentialsExists checks if the Anthropic credentials file exists in the user's home directory.

func GetCodexAccessToken

func GetCodexAccessToken(ctx context.Context) (string, error)

GetCodexAccessToken retrieves a valid Codex access token, refreshing if necessary.

func GetCodexCredentialsExists

func GetCodexCredentialsExists() (bool, error)

GetCodexCredentialsExists checks if the Codex auth file exists.

func GetCopilotCredentialsExists

func GetCopilotCredentialsExists() (bool, error)

GetCopilotCredentialsExists checks if the Copilot credentials file exists in the user's home directory.

func GetDefaultAnthropicAccount

func GetDefaultAnthropicAccount() (string, error)

GetDefaultAnthropicAccount returns the alias of the default account.

func IsCodexOAuthEnabled

func IsCodexOAuthEnabled(creds *CodexCredentials) bool

IsCodexOAuthEnabled returns true if OAuth credentials are available.

func RemoveAnthropicAccount

func RemoveAnthropicAccount(alias string) error

RemoveAnthropicAccount removes an account by alias. If removing the default account, clears the default (or sets to another account if available).

func RenameAnthropicAccount

func RenameAnthropicAccount(oldAlias, newAlias string) error

RenameAnthropicAccount renames an account from oldAlias to newAlias. If the account being renamed is the default, updates the default to the new alias.

func SaveAnthropicCredentials

func SaveAnthropicCredentials(creds *AnthropicCredentials) (string, error)

SaveAnthropicCredentials saves Anthropic credentials to the multi-account storage. Uses the email prefix as the alias. If this is the first account, it becomes the default. Returns the file path where credentials were saved.

func SaveAnthropicCredentialsWithAlias

func SaveAnthropicCredentialsWithAlias(alias string, creds *AnthropicCredentials) (string, error)

SaveAnthropicCredentialsWithAlias saves credentials for a specific account alias. If this is the first account, it will be set as default. Returns the file path where credentials were saved.

func SaveCodexCredentials

func SaveCodexCredentials(creds *CodexCredentials) (string, error)

SaveCodexCredentials saves Codex credentials to the auth file. Returns the file path where credentials were saved.

func SaveCopilotCredentials

func SaveCopilotCredentials(creds *CopilotCredentials) (string, error)

SaveCopilotCredentials saves Copilot credentials to a JSON file in the user's home directory. Returns the file path where credentials were saved.

func SetDefaultAnthropicAccount

func SetDefaultAnthropicAccount(alias string) error

SetDefaultAnthropicAccount sets the default account alias.

func ValidateAlias

func ValidateAlias(alias string) error

ValidateAlias checks if an alias is valid for use as an account identifier. Valid aliases must be non-empty and cannot contain whitespace or path separators.

Types

type AnthropicAccountInfo

type AnthropicAccountInfo struct {
	Alias     string
	Email     string
	ExpiresAt int64
	IsDefault bool
}

AnthropicAccountInfo represents summary information about an account for listing.

func ListAnthropicAccounts

func ListAnthropicAccounts() ([]AnthropicAccountInfo, error)

ListAnthropicAccounts returns information about all stored Anthropic accounts.

type AnthropicCredentials

type AnthropicCredentials struct {
	Email        string `json:"email"`
	Scope        string `json:"scope"`
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresAt    int64  `json:"expires_at"`
}

AnthropicCredentials stores the authentication credentials for Anthropic Claude API.

func ExchangeAnthropicCode

func ExchangeAnthropicCode(ctx context.Context, code string, verifier string) (*AnthropicCredentials, error)

ExchangeAnthropicCode exchanges an authorization code for Anthropic access credentials. The code parameter should be in the format "code#state".

func GetAnthropicCredentialsByAlias

func GetAnthropicCredentialsByAlias(alias string) (*AnthropicCredentials, error)

GetAnthropicCredentialsByAlias retrieves credentials for a specific account alias. If alias is empty, returns the default account credentials.

type AnthropicCredentialsFile

type AnthropicCredentialsFile struct {
	DefaultAccount string                          `json:"default"`
	Accounts       map[string]AnthropicCredentials `json:"accounts"`
}

AnthropicCredentialsFile stores multiple Anthropic accounts with a default selection.

type AnthropicTokenResponse

type AnthropicTokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int64  `json:"expires_in"`
	Scope        string `json:"scope"`
	Account      struct {
		EmailAddress string `json:"email_address"`
	}
}

AnthropicTokenResponse represents the OAuth2 token response from Anthropic's authentication endpoint.

type CodexAuthFile

type CodexAuthFile struct {
	Tokens       CodexTokens `json:"tokens"`
	OpenAIAPIKey string      `json:"OPENAI_API_KEY,omitempty"`
}

CodexAuthFile represents the authentication file created by the Codex CLI. This file is located at ~/.kodelet/codex-credentials.json and is created by running `kodelet codex login`.

type CodexCredentials

type CodexCredentials struct {
	IDToken      string
	AccessToken  string
	RefreshToken string
	AccountID    string
	ExpiresAt    int64
	APIKey       string // Fallback OpenAI API key if tokens are not available
}

CodexCredentials contains the resolved credentials for making Codex API calls.

func CompleteCodexDeviceCodeLogin

func CompleteCodexDeviceCodeLogin(ctx context.Context, deviceCode *CodexDeviceCode) (*CodexCredentials, error)

CompleteCodexDeviceCodeLogin waits for the device authorization flow to complete and exchanges the resulting authorization code for Codex credentials.

func ExchangeCodexCode

func ExchangeCodexCode(ctx context.Context, code string, verifier string) (*CodexCredentials, error)

ExchangeCodexCode exchanges an authorization code for Codex access credentials.

func GetCodexCredentials

func GetCodexCredentials() (*CodexCredentials, error)

GetCodexCredentials reads and returns the Codex credentials from the auth file.

func GetCodexCredentialsForRequest

func GetCodexCredentialsForRequest(ctx context.Context) (*CodexCredentials, error)

GetCodexCredentialsForRequest returns credentials suitable for making Codex API calls. OAuth access tokens are refreshed when they are within the configured refresh threshold.

func RefreshCodexToken

func RefreshCodexToken(ctx context.Context, refreshToken string) (*CodexCredentials, error)

RefreshCodexToken refreshes the Codex access token using the refresh token.

type CodexCredits

type CodexCredits struct {
	HasCredits bool
	Unlimited  bool
	Balance    string
}

CodexCredits contains workspace credit information when available.

type CodexDeviceCode

type CodexDeviceCode struct {
	VerificationURL string
	UserCode        string
	// contains filtered or unexported fields
}

CodexDeviceCode contains the device authorization details shown to the user.

func RequestCodexDeviceCode

func RequestCodexDeviceCode(ctx context.Context) (*CodexDeviceCode, error)

RequestCodexDeviceCode starts the device authorization flow for Codex.

type CodexOAuthServer

type CodexOAuthServer struct {
	// contains filtered or unexported fields
}

CodexOAuthServer handles the local OAuth callback server.

func StartCodexOAuthServer

func StartCodexOAuthServer(expectedState string) (*CodexOAuthServer, error)

StartCodexOAuthServer starts a local HTTP server to receive the OAuth callback. It returns a server that can be used to wait for the authorization code.

func (*CodexOAuthServer) Cancel

func (s *CodexOAuthServer) Cancel()

Cancel cancels the OAuth flow.

func (*CodexOAuthServer) Close

func (s *CodexOAuthServer) Close() error

Close shuts down the OAuth callback server.

func (*CodexOAuthServer) WaitForCode

func (s *CodexOAuthServer) WaitForCode(timeout time.Duration) (string, error)

WaitForCode waits for the authorization code from the OAuth callback. It returns the code or an error if the wait times out or is cancelled.
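The checks a flow like this depends on, as an added example that is not kodelet's own code: it generates a PKCE verifier and state, derives the S256 challenge per RFC 7636, and validates the callback query against the expected state before releasing the code. The helper names `randomURLSafe`, `challengeS256` and `codeFromCallback` are hypothetical, and the `code`, `state` and `error` query parameters are the standard OAuth2 names, assumed here because the package internals are not shown on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// randomURLSafe returns n random bytes, base64url-encoded without padding.
func randomURLSafe(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: never continue with a predictable value
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// challengeS256 derives the RFC 7636 S256 code_challenge from a verifier.
func challengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// codeFromCallback returns the authorization code only when the provider
// reported no error and state matches; an empty expected state never matches.
func codeFromCallback(q url.Values, expectedState string) (string, error) {
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s", e)
	}
	if expectedState == "" || subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch")
	}
	if code := q.Get("code"); code != "" {
		return code, nil
	}
	return "", errors.New("missing code")
}

func main() {
	verifier := randomURLSafe(32) // 43-character PKCE verifier
	state := randomURLSafe(16)
	q := url.Values{"code": {"constructed-code"}, "state": {state}} // constructed callback
	code, err := codeFromCallback(q, state)
	fmt.Println(challengeS256(verifier), code, err)
}
```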

type CodexTokens

type CodexTokens struct {
	IDToken      string `json:"id_token,omitempty"`
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
	AccountID    string `json:"account_id"`
	ExpiresAt    int64  `json:"expires_at,omitempty"`
}

CodexTokens represents the OAuth tokens stored by the Codex CLI.

type CodexUsageSnapshot

type CodexUsageSnapshot struct {
	LimitID   string
	LimitName string
	Primary   *CodexUsageWindow
	Secondary *CodexUsageWindow
	Credits   *CodexCredits
}

CodexUsageSnapshot contains usage data for a specific metered feature.

type CodexUsageStats

type CodexUsageStats struct {
	PlanType  string
	Snapshots []CodexUsageSnapshot
}

CodexUsageStats contains the live ChatGPT-backed Codex usage information.

func GetCodexUsageStats

func GetCodexUsageStats(ctx context.Context) (*CodexUsageStats, error)

GetCodexUsageStats loads the current credentials, refreshing OAuth tokens when needed, and fetches the live ChatGPT-backed Codex usage windows.

func GetCodexUsageStatsWithCredentials

func GetCodexUsageStatsWithCredentials(ctx context.Context, creds *CodexCredentials) (*CodexUsageStats, error)

GetCodexUsageStatsWithCredentials fetches live ChatGPT-backed Codex usage windows using the provided OAuth credentials.

type CodexUsageWindow

type CodexUsageWindow struct {
	UsedPercent           float64
	WindowDurationMinutes int64
	ResetsAt              time.Time
}

CodexUsageWindow contains one rolling usage window.

type CopilotCredentials

type CopilotCredentials struct {
	AccessToken    string `json:"access_token"`
	CopilotToken   string `json:"copilot_token"`
	Scope          string `json:"scope"`
	CopilotExpires int64  `json:"copilot_expires_at"`
}

CopilotCredentials stores the authentication credentials for GitHub Copilot API.

type CopilotDeviceCodeResponse

type CopilotDeviceCodeResponse struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"`
}

CopilotDeviceCodeResponse represents the response from GitHub's device flow initiation endpoint.

func GenerateCopilotDeviceFlow

func GenerateCopilotDeviceFlow(ctx context.Context) (*CopilotDeviceCodeResponse, error)

GenerateCopilotDeviceFlow initiates the GitHub device authorization flow for Copilot. Returns device code information including the user code and verification URI.

type CopilotExchangeResponse

type CopilotExchangeResponse struct {
	Token     string `json:"token"`
	ExpiresAt int64  `json:"expires_at"`
}

CopilotExchangeResponse represents the response from exchanging a GitHub OAuth token for a Copilot token.

func ExchangeCopilotToken

func ExchangeCopilotToken(ctx context.Context, accessToken string) (*CopilotExchangeResponse, error)

ExchangeCopilotToken exchanges a GitHub OAuth access token for a Copilot-specific token.

type CopilotTokenResponse

type CopilotTokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	Scope       string `json:"scope"`
	Error       string `json:"error"`
	ErrorDesc   string `json:"error_description"`
}

CopilotTokenResponse represents the OAuth2 token response from GitHub's device flow.

func PollCopilotToken

func PollCopilotToken(ctx context.Context, deviceCode string, interval int) (*CopilotTokenResponse, error)

PollCopilotToken polls GitHub's OAuth endpoint to check if the user has authorized the device. It continues polling at the specified interval until authorization completes or an error occurs.
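How a polling loop like this interprets each response, as an added example that is not the package's own code: it applies the RFC 8628 error codes (`authorization_pending`, `slow_down`, and terminal errors) to the `error` field that `CopilotTokenResponse` exposes. The `pollStep` function, the trimmed `tokenResponse` struct and the sample responses are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// tokenResponse mirrors two JSON fields of CopilotTokenResponse shown above.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	Error       string `json:"error"`
}

// pollStep interprets one device-flow poll response (RFC 8628 section 3.5).
// It returns the token once authorized, the interval to wait before the
// next poll, and a non-nil error when polling must stop.
func pollStep(body []byte, interval time.Duration) (string, time.Duration, error) {
	var r tokenResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return "", interval, fmt.Errorf("malformed token response: %w", err)
	}
	switch r.Error {
	case "":
		if r.AccessToken == "" {
			return "", interval, fmt.Errorf("response has neither token nor error")
		}
		return r.AccessToken, interval, nil
	case "authorization_pending":
		return "", interval, nil // user has not approved yet; keep polling
	case "slow_down":
		return "", interval + 5*time.Second, nil // RFC 8628: add 5 seconds
	default: // access_denied, expired_token, and anything unrecognized
		return "", interval, fmt.Errorf("device flow failed: %s", r.Error)
	}
}

func main() {
	samples := []string{ // constructed responses, not captured traffic
		`{"error":"authorization_pending"}`,
		`{"error":"slow_down"}`,
		`{"access_token":"constructed-token","token_type":"bearer"}`,
	}
	interval := 5 * time.Second
	for _, s := range samples {
		tok, next, err := pollStep([]byte(s), interval)
		interval = next
		fmt.Printf("token=%q next=%s err=%v\n", tok, interval, err)
	}
}
```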

type CopilotTransport

type CopilotTransport struct {
	// contains filtered or unexported fields
}

CopilotTransport is a custom HTTP transport for GitHub Copilot requests.

func NewCopilotTransport

func NewCopilotTransport(token string) *CopilotTransport

NewCopilotTransport creates a new transport for GitHub Copilot with the given token.

func (*CopilotTransport) RoundTrip

func (t *CopilotTransport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip implements the http.RoundTripper interface for GitHub Copilot.
