Type: MonoCloudBackendNodeClientOptions

Configuration options for the MonoCloudBackendNodeClient.

Configuration Sources

Configuration values can be provided using either:

Constructor options - passed when creating the client instance.
Environment variables - using MONOCLOUD_BACKEND_* variables.

When both are provided, constructor options override environment variables.

Environment Variables

Core Configuration (Required)

Environment Variable	Description
`MONOCLOUD_BACKEND_TENANT_DOMAIN`	The domain of your MonoCloud tenant (for example, `https://your-tenant.us.monocloud.com`).
`MONOCLOUD_BACKEND_AUDIENCE`	The expected audience for access token validation (for example, `https://api.example.com`).

Introspection

Environment Variable	Description
`MONOCLOUD_BACKEND_CLIENT_ID`	Unique identifier for your application/client.
`MONOCLOUD_BACKEND_CLIENT_SECRET`	Application/client secret used for authentication.
`MONOCLOUD_BACKEND_CLIENT_AUTH_METHOD`	Client authentication method (for example, `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`).

Token Validation

Environment Variable	Description
`MONOCLOUD_BACKEND_CLOCK_SKEW`	Allowed clock drift (in seconds) when validating token timestamps.
`MONOCLOUD_BACKEND_CLOCK_TOLERANCE`	Additional time tolerance (in seconds) for time-based claim validation.
`MONOCLOUD_BACKEND_INTROSPECT_JWT_TOKENS`	When `true`, JWT tokens are introspected at the server instead of being validated locally.

Group Validation

Environment Variable	Description
`MONOCLOUD_BACKEND_GROUPS_CLAIM`	The claim name in the token that contains group memberships.
`MONOCLOUD_BACKEND_GROUPS_MATCH_ALL`	When `true`, requires the token to contain all specified groups.

Caching

Environment Variable	Description
`MONOCLOUD_BACKEND_JWKS_CACHE_DURATION`	Duration (in seconds) to cache the JSON Web Key Set (JWKS) used to verify tokens.
`MONOCLOUD_BACKEND_METADATA_CACHE_DURATION`	Duration (in seconds) to cache the OpenID Connect discovery metadata.

Extends

MonoCloudOidcBackendClientOptions

audience

audience: string

The expected audience URI for access token validation (e.g. https://api.example.com).

cache?

optional cache: ICache

Optional cache implementation for storing validated access token claims.

clientAuthMethod?

optional clientAuthMethod: ClientAuthMethod

Client authentication method used when communicating with the token endpoint.

Default Value

"client_secret_basic";

Inherited from

MonoCloudOidcBackendClientOptions.clientAuthMethod

clientId?

optional clientId: string

Client identifier of the application registered in MonoCloud.

Inherited from

MonoCloudOidcBackendClientOptions.clientId

clientSecret?

optional clientSecret: string | Jwk

Client secret or key material used for client authentication.

When clientAuthMethod is client_secret_jwt and a plain-text secret is provided, the default signing algorithm is HS256.

To use a different algorithm, provide a symmetric JSON Web Key (JWK) (kty: "oct") with the desired algorithm specified in its alg property.

Inherited from

MonoCloudOidcBackendClientOptions.clientSecret

clockSkew?

optional clockSkew: number

Number of seconds to adjust the current time to account for clock differences.

Default Value

0;

Inherited from

MonoCloudOidcBackendClientOptions.clockSkew

clockTolerance?

optional clockTolerance: number

Additional time tolerance in seconds for time-based claim validation.

Default Value

300;

Inherited from

MonoCloudOidcBackendClientOptions.clockTolerance

fetcher()?

optional fetcher: {(input: URL | RequestInfo, init?: RequestInit): Promise<Response>; (input: string | URL | Request, init?: RequestInit): Promise<Response>; }

Optional custom fetch implementation used for network requests.

Call Signature

(input: URL | RequestInfo, init?: RequestInit): Promise<Response>

MDN Reference

Parameters

Parameter	Type
`input`	`URL` \| `RequestInfo`
`init?`	`RequestInit`

Returns

Promise<Response>

Call Signature

(input: string | URL | Request, init?: RequestInit): Promise<Response>

MDN Reference

Parameters

Parameter	Type
`input`	`string` \| `URL` \| `Request`
`init?`	`RequestInit`

Returns

Promise<Response>

Inherited from

MonoCloudOidcBackendClientOptions.fetcher

groupOptions?

optional groupOptions: IsUserInGroupOptions

Options for group membership validation applied to all token validations performed by this client.

Inherited from

MonoCloudOidcBackendClientOptions.groupOptions

introspectJwtTokens?

optional introspectJwtTokens: boolean

When true, JWT access tokens are introspected instead of locally validated.

This skips JWT signature/header/payload checks and always uses the introspection endpoint.

Default Value

false;

jwksCacheDuration?

optional jwksCacheDuration: number

Duration (in seconds) to cache the JSON Web Key Set (JWKS) retrieved from the authorization server.

Default Value

300;

Inherited from

MonoCloudOidcBackendClientOptions.jwksCacheDuration

metadataCacheDuration?

optional metadataCacheDuration: number

Duration (in seconds) to cache OpenID Connect discovery metadata.

Default Value

300;

Inherited from

MonoCloudOidcBackendClientOptions.metadataCacheDuration

tenantDomain

tenantDomain: string

The MonoCloud tenant domain URL (e.g. https://example.monocloud.dev).