@@ -2204,17 +2204,11 @@ export interface ProviderTokenArgs {
22042204 * Name of the BYOK provider needing a token. For the singular, whole-session
22052205 * {@link ProviderConfig} this is the implicit provider name (`"default"`); for
22062206 * {@link NamedProviderConfig} entries it is {@link NamedProviderConfig.name}.
2207+ *
2208+ * The callback closes over its own token scope/audience; the runtime is
2209+ * provider-agnostic and forwards only the provider name.
22072210 */
22082211 providerName : string ;
2209-
2210- /**
2211- * Token scope to request, exactly as configured in the provider's
2212- * {@link ProviderConfig.bearerTokenScope}. Empty when the provider did not
2213- * configure a scope — in that case the callback is responsible for supplying
2214- * the correct scope to its identity library. The bearer-token surface is
2215- * provider-agnostic; no scope default is assumed.
2216- */
2217- scope : string ;
22182212}
22192213
22202214/**
@@ -2232,10 +2226,11 @@ export interface ProviderBearerToken {
22322226 token : string ;
22332227
22342228 /**
2235- * Unix epoch time in milliseconds at which the token expires. When provided,
2236- * the runtime caches the token and only re-invokes the callback shortly
2237- * before expiry. When omitted, the runtime re-invokes the callback on every
2238- * request.
2229+ * Unix epoch time in milliseconds at which the token expires. Accepted so an
2230+ * Azure Identity `AccessToken` can be returned verbatim, but currently
2231+ * **ignored**: the runtime performs no token caching and invokes the callback
2232+ * once per outbound request, so token caching and refresh are the callback's
2233+ * responsibility (e.g. `@azure/identity` caches internally).
22392234 */
22402235 expiresOnTimestamp ?: number ;
22412236}
@@ -2244,12 +2239,11 @@ export interface ProviderBearerToken {
22442239 * Per-provider callback that resolves a bearer token on demand. The Copilot SDK
22452240 * itself takes no Azure dependency: the consumer supplies this callback backed by
22462241 * their own identity library (for example `@azure/identity`'s
2247- * `DefaultAzureCredential.getToken(scope)`), and the runtime calls it before
2248- * outbound model requests, caching and refreshing automatically based on the
2249- * returned { @link ProviderBearerToken.expiresOnTimestamp} .
2242+ * `DefaultAzureCredential.getToken(scope)`), and the runtime calls it once before
2243+ * each outbound model request. The runtime does no caching of its own, so the
2244+ * callback (or the identity library it wraps) owns token caching and refresh .
22502245 *
2251- * Returning a bare string is equivalent to returning `{ token }` with no expiry
2252- * (re-invoked every request).
2246+ * Returning a bare string is equivalent to returning `{ token }`.
22532247 *
22542248 * @experimental Part of the experimental managed-identity / bearer-token-provider
22552249 * surface and may change or be removed in future SDK or CLI releases.
@@ -2302,23 +2296,14 @@ export interface ProviderConfig {
23022296 * Per-request bearer-token provider for managed-identity / on-demand auth.
23032297 * When set, the SDK keeps this function client-side (it is never serialized)
23042298 * and the runtime calls back into this client to acquire a token before each
2305- * outbound request, caching and refreshing automatically. Mutually exclusive
2306- * with {@link apiKey} / {@link bearerToken }.
2299+ * outbound request. The runtime does no caching of its own, so the callback
2300+ * owns token caching and refresh. Mutually exclusive with {@link apiKey} /
2301+ * {@link bearerToken }.
23072302 *
23082303 * @experimental
23092304 */
23102305 getBearerToken ?: GetBearerToken ;
23112306
2312- /**
2313- * Token scope forwarded to {@link getBearerToken} as
2314- * {@link ProviderTokenArgs.scope}. Optional and provider-agnostic: when
2315- * omitted, the callback receives an empty scope and is responsible for
2316- * supplying the correct scope to its identity library.
2317- *
2318- * @experimental
2319- */
2320- bearerTokenScope ?: string ;
2321-
23222307 /**
23232308 * Azure-specific options
23242309 */
@@ -2414,23 +2399,14 @@ export interface NamedProviderConfig {
24142399 * Per-request bearer-token provider for managed-identity / on-demand auth.
24152400 * When set, the SDK keeps this function client-side (it is never serialized)
24162401 * and the runtime calls back into this client to acquire a token before each
2417- * outbound request, caching and refreshing automatically. Mutually exclusive
2418- * with {@link apiKey} / {@link bearerToken }.
2402+ * outbound request. The runtime does no caching of its own, so the callback
2403+ * owns token caching and refresh. Mutually exclusive with {@link apiKey} /
2404+ * {@link bearerToken }.
24192405 *
24202406 * @experimental
24212407 */
24222408 getBearerToken ?: GetBearerToken ;
24232409
2424- /**
2425- * Token scope forwarded to {@link getBearerToken} as
2426- * {@link ProviderTokenArgs.scope}. Optional and provider-agnostic: when
2427- * omitted, the callback receives an empty scope and is responsible for
2428- * supplying the correct scope to its identity library.
2429- *
2430- * @experimental
2431- */
2432- bearerTokenScope ?: string ;
2433-
24342410 /**
24352411 * Azure-specific options.
24362412 */
0 commit comments