Struct OAuthCredential 

#[non_exhaustive]
pub struct OAuthCredential {
    pub access_token: String,
    pub refresh_token: Option<String>,
    pub expires_at_ms: i64,
    pub subscription_type: Option<String>,
    pub scopes: Vec<String>,
}

A refreshable OAuth credential read from / written to the claude CLI’s credential file.

Field naming mirrors the on-disk JSON exactly so deserialization stays a one-line serde_json::from_slice. #[non_exhaustive] closes off direct struct-literal construction so future server-returned fields ship as additive minor releases — use OAuthCredential::new plus the with_* chain.

Fields (Non-exhaustive)

Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.

access_token: String

Bearer token forwarded to Anthropic in the Authorization header.

refresh_token: Option<String>

Long-lived refresh token. None means the credential cannot renew itself once the access token expires.

expires_at_ms: i64

Unix-millis epoch at which the access token expires.

subscription_type: Option<String>

pro / team / etc. — informational, not load-bearing for transport. Preserved across refresh so storage round-trips keep the original metadata.

scopes: Vec<String>

OAuth scopes granted to this token. Preserved across refresh.

Implementations

impl OAuthCredential

pub fn new(access_token: impl Into<String>, expires_at_ms: i64) -> Self

Construct a credential from the two mandatory fields. Use the with_* chain for the optional ones.

pub fn with_refresh_token(self, token: impl Into<String>) -> Self

Set the long-lived refresh token.

pub fn with_subscription_type(self, tier: impl Into<String>) -> Self

Set the subscription tier (pro / team / …).

pub fn with_scopes<I, S>(self, scopes: I) -> Self

where I: IntoIterator<Item = S>, S: Into<String>,

Replace the granted-scopes list.

pub fn expires_at(&self) -> Option<DateTime<Utc>>

Wall-clock instant the access token expires, or None when expires_at_ms does not represent a valid Unix-millis epoch (storage corruption / server bug). Surfaces the loss explicitly rather than coercing to “now” — the credential is then treated as already expired by Self::needs_refresh.

pub fn needs_refresh(&self) -> bool

True when the access token is past its expiry — resolve must trigger a refresh before handing the token to a transport. An unrepresentable expires_at_ms (storage corruption, server bug) reads as already-expired so the provider refreshes rather than handing out a stale token. Includes a 60-second skew window so a token about to expire mid-flight refreshes proactively.

pub fn to_bearer_secret(&self) -> SecretString

Wrap the access token in a SecretString formatted as Bearer <token> for transport use. Allocates a fresh secret per call so callers can hand it straight to entelix_core::auth::Credentials::header_value.

Trait Implementations

impl Clone for OAuthCredential

fn clone(&self) -> OAuthCredential

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for OAuthCredential

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for OAuthCredential

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for OAuthCredential

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.