Skip to main content
TempAccessToken is a short-lived, single-use JWT backing record used to authenticate guest OAuth connector install flows. It is created by TempTokenService.generateTempToken() when the API issues a signed 15-minute connector-access URL and is consumed (marked used) by TempTokenService.validateAndConsume() during the OAuth callback. The table acts as a replay-prevention store: a token is valid only while expires_at > now() and used_at IS NULL. It has no workspace foreign key, no soft-delete column, and no user-editable fields β€” it is entirely system-managed.
Internal object. Not currently exposed on the public REST API. The operations below describe the intended contract.

API operations

Data model

Attributes

System-computed

  • temp_access_token_id β€” generated by the database via DEFAULT gen_random_uuid() at INSERT time (Migration20260128100000).
  • jti β€” set by the service layer using crypto.randomUUID() before persist; also embedded as the jti claim in the HS256-signed JWT returned to callers.
  • expires_at β€” computed by TempTokenService as Date.now() + 15 minutes (TOKEN_EXPIRY = 15 * 60 * 1000 ms) at generation time.
  • created_at β€” set by MikroORM onCreate hook (no database DEFAULT; application-side timestamp).
  • used_at β€” stamped by TempAccessTokenRepository.markAsUsed() exactly once upon successful validateAndConsume(). Never reset or cleared.
  • Single-use enforcement β€” findValidByJti combines three predicates: jti match + expires_at > now() + used_at IS NULL. All three must hold for the token to be considered valid.

Example

Source: apps/api/src/database/entities/TempAccessToken.ts Β· domain: platform Β· tier: Platform