@@ -2139,17 +2139,11 @@ export interface ProviderTokenArgs {
21392139 * Name of the BYOK provider needing a token. For the singular, whole-session
21402140 * {@link ProviderConfig} this is the implicit provider name (`"default"`); for
21412141 * {@link NamedProviderConfig} entries it is {@link NamedProviderConfig.name}.
2142+ *
2143+ * The callback closes over its own token scope/audience; the runtime is
2144+ * provider-agnostic and forwards only the provider name.
21422145 */
21432146 providerName : string ;
2144-
2145- /**
2146- * Token scope to request, exactly as configured in the provider's
2147- * {@link ProviderConfig.bearerTokenScope}. Empty when the provider did not
2148- * configure a scope — in that case the callback is responsible for supplying
2149- * the correct scope to its identity library. The bearer-token surface is
2150- * provider-agnostic; no scope default is assumed.
2151- */
2152- scope : string ;
21532147}
21542148
21552149/**
@@ -2167,10 +2161,11 @@ export interface ProviderBearerToken {
21672161 token : string ;
21682162
21692163 /**
2170- * Unix epoch time in milliseconds at which the token expires. When provided,
2171- * the runtime caches the token and only re-invokes the callback shortly
2172- * before expiry. When omitted, the runtime re-invokes the callback on every
2173- * request.
2164+ * Unix epoch time in milliseconds at which the token expires. Accepted so an
2165+ * Azure Identity `AccessToken` can be returned verbatim, but currently
2166+ * **ignored**: the runtime performs no token caching and invokes the callback
2167+ * once per outbound request, so token caching and refresh are the callback's
2168+ * responsibility (e.g. `@azure/identity` caches internally).
21742169 */
21752170 expiresOnTimestamp ?: number ;
21762171}
@@ -2179,12 +2174,11 @@ export interface ProviderBearerToken {
21792174 * Per-provider callback that resolves a bearer token on demand. The Copilot SDK
21802175 * itself takes no Azure dependency: the consumer supplies this callback backed by
21812176 * their own identity library (for example `@azure/identity`'s
2182- * `DefaultAzureCredential.getToken(scope)`), and the runtime calls it before
2183- * outbound model requests, caching and refreshing automatically based on the
2184- * returned { @link ProviderBearerToken.expiresOnTimestamp} .
2177+ * `DefaultAzureCredential.getToken(scope)`), and the runtime calls it once before
2178+ * each outbound model request. The runtime does no caching of its own, so the
2179+ * callback (or the identity library it wraps) owns token caching and refresh .
21852180 *
2186- * Returning a bare string is equivalent to returning `{ token }` with no expiry
2187- * (re-invoked every request).
2181+ * Returning a bare string is equivalent to returning `{ token }`.
21882182 *
21892183 * @experimental Part of the experimental managed-identity / bearer-token-provider
21902184 * surface and may change or be removed in future SDK or CLI releases.
@@ -2226,23 +2220,14 @@ export interface ProviderConfig {
22262220 * Per-request bearer-token provider for managed-identity / on-demand auth.
22272221 * When set, the SDK keeps this function client-side (it is never serialized)
22282222 * and the runtime calls back into this client to acquire a token before each
2229- * outbound request, caching and refreshing automatically. Mutually exclusive
2230- * with {@link apiKey} / {@link bearerToken }.
2223+ * outbound request. The runtime does no caching of its own, so the callback
2224+ * owns token caching and refresh. Mutually exclusive with {@link apiKey} /
2225+ * {@link bearerToken }.
22312226 *
22322227 * @experimental
22332228 */
22342229 getBearerToken ?: GetBearerToken ;
22352230
2236- /**
2237- * Token scope forwarded to {@link getBearerToken} as
2238- * {@link ProviderTokenArgs.scope}. Optional and provider-agnostic: when
2239- * omitted, the callback receives an empty scope and is responsible for
2240- * supplying the correct scope to its identity library.
2241- *
2242- * @experimental
2243- */
2244- bearerTokenScope ?: string ;
2245-
22462231 /**
22472232 * Azure-specific options
22482233 */
@@ -2338,23 +2323,14 @@ export interface NamedProviderConfig {
23382323 * Per-request bearer-token provider for managed-identity / on-demand auth.
23392324 * When set, the SDK keeps this function client-side (it is never serialized)
23402325 * and the runtime calls back into this client to acquire a token before each
2341- * outbound request, caching and refreshing automatically. Mutually exclusive
2342- * with {@link apiKey} / {@link bearerToken }.
2326+ * outbound request. The runtime does no caching of its own, so the callback
2327+ * owns token caching and refresh. Mutually exclusive with {@link apiKey} /
2328+ * {@link bearerToken }.
23432329 *
23442330 * @experimental
23452331 */
23462332 getBearerToken ?: GetBearerToken ;
23472333
2348- /**
2349- * Token scope forwarded to {@link getBearerToken} as
2350- * {@link ProviderTokenArgs.scope}. Optional and provider-agnostic: when
2351- * omitted, the callback receives an empty scope and is responsible for
2352- * supplying the correct scope to its identity library.
2353- *
2354- * @experimental
2355- */
2356- bearerTokenScope ?: string ;
2357-
23582334 /**
23592335 * Azure-specific options.
23602336 */
0 commit comments