For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Log inSign up
Support
GuidesReferenceClick-to-Call
GuidesReferenceClick-to-Call
  • Core
    • Overview
  • Entities
    • SignalWire
    • Address
    • Participant
    • ClientPreferences
    • SelfCapabilities
    • SelfParticipant
    • User
    • WebRTCCall
      • AddressHistory<TAddress>
      • AudioConstraintsEvent
      • AuthenticateContext
      • Call
      • CallAddress
      • CallCapabilitiesState
      • CallDiagnosticSummary
      • CallError
      • CallNetworkIssue
      • CallNetworkMetrics
      • CallOptions
      • CallParticipant
      • CallSelfParticipant
      • CallState
      • ConstraintFallbackEvent
      • CredentialNoRefreshHandlerWarning
      • CredentialProvider
      • CredentialRefreshFallbackWarning
      • DebugOptions
      • DeviceController
      • DeviceRecoveryEvent
      • DiagnosticEvent
      • DialOptions
      • Directory
      • JSONRPCErrorResponse
      • JSONRPCRequest<TParams>
      • JSONRPCSuccessResponse<TResult>
      • LayoutLayer
      • MediaDirections
      • MediaOptions
      • MediaParamsEvent
      • MemberCapabilities
      • NodeSocketAdapter
      • OnOffCapability
      • PendingRPCOptions
      • PermissionResult
      • PlatformCapabilities
      • PreflightOptions
      • PreflightResult
      • RecoveryEvent
      • SATClaims
      • SDKCredential
      • SDKLogger
      • SelectDeviceOptions
      • SessionDiagnostics
      • SessionState
      • SignalWireOptions
      • Storage
      • StoredDevicePreference
      • TextMessage<TAddress>
      • TransferOptions
      • WebRTCApiProvider
      • WebRTCMediaDevices
  • Web Components
    • Overview
    • sw-audio-level
    • sw-call-controls
    • sw-call-dialpad
    • sw-call-media
    • sw-call-provider
    • sw-call-status
    • sw-call-widget
    • sw-click-to-call
    • sw-device-selector
    • sw-directory
    • sw-local-camera
    • sw-participant-controls
    • sw-participants
    • sw-self-media
    • sw-ui-alert
    • sw-ui-background
    • sw-ui-call-layout
    • sw-ui-content-drawer
    • sw-ui-control-bar
    • sw-ui-dialpad
    • sw-ui-dropup
    • sw-ui-icon
    • sw-ui-modal
    • sw-ui-responsive-container
    • sw-ui-split-button
    • sw-ui-transcript-view
LogoLogoSignalWire Docs
Log inSign up
Support
On this page
  • Refresh precedence
  • Properties
  • Methods
  • authenticate()
EntitiesInterfaces

CredentialProvider

|View as Markdown|Open in Claude|
Was this page helpful?
Edit this page
Previous

CredentialRefreshFallbackWarning

Next
Built with

Provides authentication credentials to the SDK.

Implementors are responsible for:

  • Obtaining credentials (e.g. via API calls, user login flows, or third-party auth services).
  • Returning a valid SDKCredential with either a token or authorizationState.
  • Setting expiry_at when the credential has a known expiration so the SDK can schedule refresh.
  • Handling errors and never leaking sensitive data through error messages.

The SDK owns the credential lifecycle: it calls authenticate once during initialization and, if refresh is provided and expiry_at is set, schedules automatic refresh before expiry.

Refresh precedence

The SDK selects exactly one refresh mechanism per session, evaluated at connect time (and re-evaluated on reconnect):

refresh providedSAT carries sat:refresh scopeActive mechanism
yesyesClient Bound SAT (DPoP, internal)
yesnoDeveloper-provided refresh()
noyesClient Bound SAT (DPoP, internal)
nonoNone — session ends at expiry_at

When the SDK falls back to the developer-provided refresh() because the SAT lacked sat:refresh scope, a credential_refresh_fallback event is emitted on SignalWire.warnings$ so application code can observe the transition.

Mint a SAT via POST /api/fabric/subscribers/tokens with fingerprint and scope: ["sat:refresh"] (both currently optional on that endpoint) to enable the Client Bound SAT path; otherwise provide refresh() here.

Properties

refresh
() => Promise<SDKCredential>

Obtains fresh credentials before the current ones expire. Optional. Implementor responsibilities: - Resolve with a new SDKCredential containing an updated token (or authorizationState) and expiry_at. - Reject (throw) if refresh is not possible — the SDK will stop the refresh schedule. SDK behavior: - Only called when expiry_at was set on the previous credential AND the SAT does not carry sat:refresh scope (otherwise the SDK refreshes internally via Client Bound SAT). See the precedence table above. - Scheduled automatically before expiry; implementors do not need to manage timing. - On rejection, the refresh schedule stops and the session continues with the current credentials until they expire.

Methods

authenticate()

1authenticate(context?): Promise<SDKCredential>

Obtains the initial credentials. Called once during client initialization.

Implementor responsibilities:

  • Resolve with a valid SDKCredential on success.
  • Reject (throw) on failure — this will cause client initialization to fail.
  • When context.fingerprint is provided, forward it to the server-side token endpoint with scope: "sat:refresh" to enable automatic token refresh. Ignoring context.fingerprint causes the SDK to fall back to refresh() (if provided) or end the session at expiry.

SDK behavior:

  • Awaits this method before establishing the WebSocket connection.
  • On rejection, propagates the error to the caller of SignalWire().

Parameters

context
AuthenticateContext

Authentication context provided by the SDK at credential-request time. See AuthenticateContext.

Returns

Promise<SDKCredential>