Import

import { createSessionToken } from '@keystoneos/node';

Usage

import express from 'express';
import { KeystoneClient } from '@keystoneos/sdk';
import { createSessionToken } from '@keystoneos/node';

// The client secret stays on the server. Only the short-lived session token
// returned by this route is ever sent to the browser.
const keystone = new KeystoneClient({
  clientId: process.env.KEYSTONE_CLIENT_ID,
  clientSecret: process.env.KEYSTONE_CLIENT_SECRET,
  environment: 'production',
});

const app = express();

// In your API route handler. `requireAuth` stands for your own middleware that
// authenticates the caller and sets `req.user`; this route must not be reachable
// anonymously, because it mints tokens on the server's credentials.
app.post('/api/keystone/session', requireAuth, async (req, res) => {
  const session = await createSessionToken(keystone, {
    // Grant only what this user needs, decided server-side; never copy scopes
    // from the request body.
    scopes: ['settlements:read', 'settlements:write'],
    metadata: { userId: req.user.id, email: req.user.email },
  });

  res.json({ token: session.sessionToken, expiresAt: session.expiresAt });
});

Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| client | object | Yes | A configured KeystoneClient or compatible object. |
| options | CreateSessionTokenOptions | Yes | Token configuration. |

CreateSessionTokenOptions

| Property | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| scopes | string[] | Yes | - | Permissions for the token. |
| expiresIn | number | No | 3600 | TTL in seconds (60 to 86400). |
| settlementIds | string[] | No | - | Restrict to specific settlements. |
| metadata | object | No | - | Audit trail context (user ID, email, etc.). |

Available Scopes

| Scope | Description |
| --- | --- |
| settlements:read | List and view settlements. |
| settlements:write | Create settlements, compliance decisions. |
| templates:read | List and view templates. |
| instructions:read | List and view instructions. |
| instructions:write | Submit and cancel instructions. |

Return Type

interface SessionTokenResponse {
  sessionToken: string;  // The JWT to pass to KeystoneProvider
  expiresAt: string;     // ISO 8601 expiry timestamp
  tokenId: string;       // Token ID for revocation
}

Scoped Tokens

Restrict a token to specific settlement IDs for least-privilege access:

const session = await createSessionToken(keystone, {
  scopes: ['settlements:read'],
  settlementIds: [settlementId],
  metadata: { userId: req.user.id },
});

The token holder can only access the listed settlements; a request for any other settlement is rejected with 403. When settlementIds is omitted the token is not restricted by settlement, so pass it whenever the caller only needs a known set, and pair it with the narrowest scopes that cover the operation (here settlements:read alone, since the caller neither creates settlements nor records compliance decisions).
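The route in Usage and the scoped-token pattern above both depend on the server deciding what goes into the options object. The following is an added example, not code from the @keystoneos SDK or from this page, of that decision as one policy function: it treats the browser's request as something that can only narrow the user's entitlements, validates scopes against the documented names, restricts settlementIds to what the user may access, and enforces the documented 60..86400 expiresIn window before anything reaches createSessionToken. AppUser, ROLE_SCOPES, SessionRequest and buildSessionTokenOptions are assumed names for illustration; only the scope names and the TTL bounds come from the tables above.

```typescript
// Added example, not code from the @keystoneos SDK or this reference. Narrows
// the options handed to createSessionToken so the browser never receives more
// authority than the signed-in user holds. AppUser, ROLE_SCOPES, SessionRequest
// and buildSessionTokenOptions are assumed names; scope names and TTL bounds
// are taken from the documented tables.

// Scope names as listed under "Available Scopes".
const KNOWN_SCOPES: string[] = [
  'settlements:read', 'settlements:write', 'templates:read',
  'instructions:read', 'instructions:write',
];

// expiresIn bounds and default as documented for CreateSessionTokenOptions.
const MIN_TTL_SECONDS = 60, MAX_TTL_SECONDS = 86400, DEFAULT_TTL_SECONDS = 3600;

// Assumed server-side identity, populated by your own auth middleware.
export interface AppUser {
  id: string;
  email: string;
  role: 'viewer' | 'operator';
  settlementIds: string[]; // settlements this user is entitled to
}

// Assumed role-to-scope map: the ceiling of what each role may be granted.
const ROLE_SCOPES: Record<AppUser['role'], string[]> = {
  viewer: ['settlements:read', 'templates:read', 'instructions:read'],
  operator: ['settlements:read', 'settlements:write', 'templates:read',
             'instructions:read', 'instructions:write'],
};

// What the browser may ask for. Every field is optional and untrusted.
export interface SessionRequest {
  scopes?: unknown;
  settlementIds?: unknown;
  expiresIn?: unknown;
}

// The options shape createSessionToken accepts, per the table above.
export interface CreateSessionTokenOptions {
  scopes: string[];
  expiresIn?: number;
  settlementIds?: string[];
  metadata?: Record<string, string>;
}

function isStringArray(v: unknown): v is string[] {
  return Array.isArray(v) && v.every((s) => typeof s === 'string' && s.length > 0);
}

function dedupe(xs: string[]): string[] {
  return xs.filter((x, i) => xs.indexOf(x) === i);
}

// Build the options from the server-side user. The request can only narrow,
// never widen, what the user already holds; anything malformed fails closed.
export function buildSessionTokenOptions(user: AppUser, req: SessionRequest): CreateSessionTokenOptions {
  const ceiling = ROLE_SCOPES[user.role];

  // Scopes: default to the role ceiling; a requested list must be a subset of
  // both the documented scope names and the ceiling.
  let scopes = ceiling;
  if (req.scopes !== undefined) {
    if (!isStringArray(req.scopes) || req.scopes.length === 0) {
      throw new Error('scopes must be a non-empty string array');
    }
    for (const s of req.scopes) {
      if (KNOWN_SCOPES.indexOf(s) === -1) throw new Error(`unknown scope: ${s}`);
      if (ceiling.indexOf(s) === -1) throw new Error(`scope not permitted for role: ${s}`);
    }
    scopes = dedupe(req.scopes);
  }

  // settlementIds: always restrict to the user's entitlements. An empty list
  // is rejected rather than silently minting a token with no restriction.
  let settlementIds = user.settlementIds;
  if (req.settlementIds !== undefined) {
    if (!isStringArray(req.settlementIds)) throw new Error('settlementIds must be a string array');
    const denied = req.settlementIds.filter((id) => user.settlementIds.indexOf(id) === -1);
    if (denied.length > 0) throw new Error(`settlement not permitted: ${denied.join(', ')}`);
    settlementIds = dedupe(req.settlementIds);
  }
  if (settlementIds.length === 0) throw new Error('user has no accessible settlements');

  // expiresIn: enforce the documented 60..86400 window locally rather than
  // relying on the API to reject an out-of-range value.
  let expiresIn = DEFAULT_TTL_SECONDS;
  if (req.expiresIn !== undefined) {
    const ttl = req.expiresIn;
    if (typeof ttl !== 'number' || Math.floor(ttl) !== ttl || ttl < MIN_TTL_SECONDS || ttl > MAX_TTL_SECONDS) {
      throw new Error(`expiresIn must be an integer between ${MIN_TTL_SECONDS} and ${MAX_TTL_SECONDS}`);
    }
    expiresIn = ttl;
  }

  // In the route handler: createSessionToken(keystone, buildSessionTokenOptions(req.user, req.body))
  return {
    scopes,
    expiresIn,
    settlementIds,
    // Audit metadata is taken from the server-side identity, never the request.
    metadata: { userId: user.id, email: user.email },
  };
}
```

The function throws on anything it cannot prove is within the user's entitlements, so the route handler should map those errors to a 400 or 403 and never fall back to minting an unrestricted token. Because the returned options always carry settlementIds, every token the browser receives is bounded both by scope and by settlement, which is the combination the Scoped Tokens section recommends.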