Skip to main content

Module openrouter_oauth

Module openrouter_oauth 

Source
Expand description

OpenRouter OAuth PKCE authentication flow.

This module implements the OAuth PKCE flow for OpenRouter, allowing users to authenticate with their OpenRouter account securely.

§Security Model

Tokens are stored using OS-specific secure storage (keyring) by default, with fallback to AES-256-GCM encrypted files if the keyring is unavailable.

§Keyring Storage (Default)

Uses the platform-native credential store:

  • macOS: Keychain (accessible only to the user)
  • Windows: Credential Manager (encrypted with user’s credentials)
  • Linux: Secret Service API / libsecret (requires a keyring daemon)

§File Storage (Fallback)

When keyring is unavailable, tokens are stored in: ~/.vtcode/auth/openrouter.json

The file is encrypted with AES-256-GCM using a machine-derived key:

  • Machine hostname
  • User ID (where available)
  • A static salt

§Migration

When loading tokens, the system checks the keyring first, then falls back to file storage for backward compatibility. This allows seamless migration from file-based to keyring-based storage.

Re-exports§

pub use super::credentials::AuthCredentialsStoreMode;

Structs§

OpenRouterOAuthConfig
Configuration for OpenRouter OAuth authentication.
OpenRouterToken
Stored OAuth token with metadata.

Enums§

AuthStatus
OAuth authentication status.

Constants§

DEFAULT_CALLBACK_PORT
Default callback port for localhost OAuth server

Functions§

clear_oauth_token
Clear the stored OAuth token from all storage locations.
exchange_code_for_token
Exchange an authorization code for an API key.
get_auth_status
Get the current OAuth authentication status.
get_auth_url
Generate the OAuth authorization URL.
load_oauth_token
Load an OAuth token from storage using the default mode.
load_oauth_token_with_mode
Load an OAuth token from storage with specified mode.
save_oauth_token
Save an OAuth token to encrypted storage using the default mode.
save_oauth_token_with_mode
Save an OAuth token to encrypted storage with specified mode.