[![npm-version]][npm] [![test-ci-img]][test-ci-url] [![test-cov-img]][test-cov-url] [![snyk-vulnerabilities]][snyk]

[23andme](https://api.23andme.com) | [500px](https://github.com/500px/api-documentation) | [acton](https://developer.act-on.com) | [acuityscheduling](https://developers.acuityscheduling.com) | [adobe](https://www.adobe.io) | [aha](https://www.aha.io/api) | [alchemer](https://apihelp.alchemer.com) | [amazon](https://login.amazon.com/documentation) | [angellist](https://angel.co/api) | [apple](https://developer.apple.com) | [arcgis](https://developers.arcgis.com) | [asana](https://asana.com/developers) | [assembla](https://api-docs.assembla.cc) | [atlassian](https://developer.atlassian.com) | [auth0](https://auth0.com/docs) | [authentiq](https://www.authentiq.com/developers) | [authing](https://www.authing.cn/developer) | [autodesk](https://forge.autodesk.com) | [aweber](https://api.aweber.com) | [axosoft](https://developer.axosoft.com) | [baidu](https://developer.baidu.com) | [basecamp](https://github.com/basecamp/bc3-api) | [battlenet](https://develop.battle.net) | [beatport](https://oauth-api.beatport.com) | [bitbucket](https://developer.atlassian.com/bitbucket/api/2/reference/) | [bitly](https://dev.bitly.com) | [box](https://developer.box.com) | [buffer](https://buffer.com/developers) | [campaignmonitor](https://www.campaignmonitor.com/api) | [cas](https://apereo.github.io/cas/) | [cheddar](https://cheddarapp.com/developer) | [clio](https://app.clio.com/api/v4/documentation) | [cognito](https://aws.amazon.com/cognito/) | [coinbase](https://developers.coinbase.com) | [concur](https://developer.concur.com) | [constantcontact](https://developer.constantcontact.com) | [coursera](https://building.coursera.org) | [crossid](https://developer.crossid.io) | [dailymotion](https://developer.dailymotion.com) | [deezer](https://developers.deezer.com) | [delivery](https://developers.delivery.com) | [deputy](https://www.deputy.com/api-doc/) | [deviantart](https://www.deviantart.com/developers/) | [digitalocean](https://developers.digitalocean.com) | [discogs](https://www.discogs.com/developers/) | [discord](https://discord.com/developers/docs/intro) | [disqus](https://disqus.com/api/docs) | [docusign](https://developers.docusign.com) | [dribbble](https://developer.dribbble.com) | [dropbox](https://www.dropbox.com/developers) | [ebay](https://developer.ebay.com) | [echosign](https://secure.echosign.com/public/docs/restapi/v3) | [ecwid](https://developers.ecwid.com) | [edmodo](https://partnerships.edmodo.com) | [egnyte](https://developers.egnyte.com) | [etsy](https://www.etsy.com/developers) | [eventbrite](https://www.eventbrite.com/platform) | [evernote](https://dev.evernote.com) | [eyeem](https://github.com/eyeem/Public-API) | [facebook](https://developers.facebook.com) | [familysearch](https://www.familysearch.org/developers/) | [feedly](https://developer.feedly.com) | [figma](https://www.figma.com/developers) | [fitbit](https://dev.fitbit.com) | [flattr](http://developers.flattr.net) | [flickr](https://www.flickr.com/services) | [flowdock](https://www.flowdock.com/api) | [formstack](https://developers.formstack.com) | [foursquare](https://developer.foursquare.com) | [freeagent](https://dev.freeagent.com) | [freelancer](https://developers.freelancer.com) | [freshbooks](https://www.freshbooks.com/developers) | [fusionauth](https://fusionauth.io/docs/) | [garmin](https://developer.garmin.com) | [geeklist](http://hackers.geekli.st) | [genius](https://docs.genius.com) | [getbase](https://developers.getbase.com) | [getpocket](https://getpocket.com/developer) | [gitbook](https://developer.gitbook.com) | [github](https://docs.github.com/developers) | [gitlab](https://docs.gitlab.com/ce/api/) | [gitter](https://developer.gitter.im) | [goodreads](https://www.goodreads.com/api) | [google](https://developers.google.com) | [groove](https://www.groovehq.com/docs) | [gumroad](https://gumroad.com/api) | [harvest](https://help.getharvest.com/api-v2/) | [hellosign](https://www.hellosign.com/api) | [heroku](https://devcenter.heroku.com/categories/platform-api) | [homeaway](https://www.homeaway.com/platform) | [hootsuite](https://developer.hootsuite.com) | [huddle](https://www.huddle.com/huddle-api/) | [ibm](https://ibm.biz/provisioner) | [iconfinder](https://developer.iconfinder.com) | [idme](https://developer.id.me) | [idonethis](https://i-done-this.readme.io/docs) | [imgur](https://apidocs.imgur.com) | [infusionsoft](https://developer.infusionsoft.com) | [instagram](https://instagram.com/developer) | [intuit](https://developer.intuit.com) | [jamendo](https://devportal.jamendo.com/) | [jumplead](https://developer.jumplead.com) | [kakao](https://developers.kakao.com) | [keycloak](https://www.keycloak.org) | [line](https://developers.line.biz) | [linkedin](https://www.linkedin.com/developers) | [live](https://docs.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/msa-oauth?view=odsp-graph-online) | [livechat](https://developers.livechatinc.com) | [logingov](https://developers.login.gov) | [lyft](https://developer.lyft.com) | [mailchimp](https://developer.mailchimp.com) | [mailup](http://help.mailup.com/display/mailupapi/REST+API) | [mailxpert](https://dev.mailxpert.ch) | [mapmyfitness](https://developer.underarmour.com) | [mastodon](https://docs.joinmastodon.org/) | [medium](https://developers.medium.com) | [meetup](https://www.meetup.com/meetup_api/) | [mendeley](https://dev.mendeley.com) | [mention](https://dev.mention.com) | [microsoft](https://developer.microsoft.com/en-us/graph) | [mixcloud](https://www.mixcloud.com/developers) | [moxtra](https://developer.moxtra.com) | [myob](https://developer.myob.com) | [naver](https://developers.naver.com) | [nest](https://developers.nest.com) | [netlify](https://docs.netlify.com) | [nokotime](https://developer.nokotime.com) | [notion](https://developers.notion.com) | [nylas](https://docs.nylas.com) | [okta](https://developer.okta.com/) | [onelogin](https://developers.onelogin.com) | [openstreetmap](https://wiki.openstreetmap.org/wiki/API_v0.6) | [optimizely](https://developers.optimizely.com) | [patreon](https://docs.patreon.com) | [paypal](https://developer.paypal.com) | [phantauth](https://www.phantauth.net) | [pinterest](https://developers.pinterest.com) | [plurk](https://www.plurk.com/API) | [podio](https://developers.podio.com) | [procore](https://developers.procore.com) | [producthunt](https://api.producthunt.com/v2/docs) | [projectplace](https://service.projectplace.com/apidocs) | [pushbullet](https://docs.pushbullet.com) | [qq](https://wiki.connect.qq.com/%E5%87%86%E5%A4%87%E5%B7%A5%E4%BD%9C_oauth2-0) | [ravelry](https://www.ravelry.com/api) | [redbooth](https://redbooth.com/api) | [reddit](https://www.reddit.com/dev/api) | [runkeeper](https://runkeeper.com/developer/healthgraph/) | [salesforce](https://developer.salesforce.com) | [sellsy](https://api.sellsy.com) | [shoeboxed](https://github.com/Shoeboxed/api) | [shopify](https://developers.shopify.com) | [skyrock](https://www.skyrock.com/developer) | [slack](https://api.slack.com) | [slice](https://developer.slice.com) | [smartsheet](https://smartsheet-platform.github.io/api-docs) | [smugmug](https://api.smugmug.com) | [snapchat](https://kit.snapchat.com) | [snowflake](https://docs.snowflake.com) | [socialpilot](https://developer.socialpilot.co) | [socrata](https://dev.socrata.com) | [soundcloud](https://developers.soundcloud.com) | [spotify](https://developer.spotify.com) | [square](https://squareup.com/developers) | [stackexchange](https://api.stackexchange.com) | [stocktwits](https://api.stocktwits.com/developers) | [stormz](https://developer.stormz.me) | [storyblok](https://www.storyblok.com/docs/guide/introduction) | [strava](https://developers.strava.com) | [stripe](https://stripe.com/docs) | [surveymonkey](https://developer.surveymonkey.com) | [surveysparrow](https://surveysparrow.com/developer) | [thingiverse](https://www.thingiverse.com/developers) | [ticketbud](https://api.ticketbud.com) | [tiktok](https://developers.tiktok.com/) | [timelyapp](https://dev.timelyapp.com) | [todoist](https://developer.todoist.com) | [trakt](https://trakt.docs.apiary.io) | [traxo](https://developer.traxo.com) | [trello](https://developers.trello.com) | [tripit](https://www.tripit.com/developer) | [trustpilot](https://developers.trustpilot.com) | [tumblr](https://www.tumblr.com/docs/en/api/v2) | [twitch](https://dev.twitch.tv) | [twitter](https://developer.twitter.com) | [typeform](https://developer.typeform.com) | [uber](https://developer.uber.com) | [unbounce](https://developer.unbounce.com) | [underarmour](https://developer.underarmour.com) | [unsplash](https://unsplash.com/documentation) | [untappd](https://untappd.com/api/docs) | [upwork](https://developers.upwork.com) | [uservoice](https://developer.uservoice.com) | [vend](https://developers.vendhq.com) | [venmo](https://developers.braintreepayments.com/guides/venmo/overview/) | [vercel](https://vercel.com/docs) | [verticalresponse](http://developers.verticalresponse.com) | [viadeo](https://partners.viadeo.com) | [vimeo](https://developer.vimeo.com) | [visualstudio](https://docs.microsoft.com/en-us/vsts/integrate/get-started/authentication/oauth?view=vsts) | [vk](https://vk.com/dev) | [wechat](https://mp.weixin.qq.com) | [weekdone](https://weekdone.com/developer) | [weibo](https://open.weibo.com) | [withings](http://developer.withings.com) | [wordpress](https://developer.wordpress.com) | [wrike](https://developers.wrike.com) | [xero](https://developer.xero.com) | [xing](https://dev.xing.com) | [yahoo](https://developer.yahoo.com) | [yammer](https://developer.yammer.com/docs) | [yandex](https://tech.yandex.com) | [zendesk](https://developer.zendesk.com) | [zoom](https://marketplace.zoom.us/docs)

- Providers

- Handlers

  - Express / Koa / Hapi / Fastify

  - AWS Lambda / Azure Function / Google Cloud Function / Vercel

- Configuration

  - Basics / Description / Values / Scopes

- Connect

  - Origin / Prefix / Redirect URI / Custom Parameters / OpenID Connect / PKCE / Static Overrides

- Callback

  - Data / Transport / Response / Session

- Dynamic Configuration

  - Instance / State / HTTP / OAuth Proxy

- Misc

  - Configuration / Handlers / Request / Types / OAuth Quirks

- Examples

  - [express][examples] / [koa][examples] / [hapi][examples] / [fastify][examples] / [aws][grant-aws] / [azure][grant-azure] / [gcloud][grant-gcloud] / [vercel][grant-vercel]

- [Changelog][changelog]

- defaults - default configuration for all providers

  - origin - where your client server can be reached http://localhost:3000 | https://site.com ...

  - transport - a transport used to deliver the response data in yourcallback route

  - state - generate random state string

- provider - any supported providergoogle | twitter ...

  - key - consumer_key or client_id of your OAuth app

  - secret - consumer_secret or client_secret of your OAuth app

  - scope - array of OAuth scopes to request

  - nonce - generate random nonce string (OpenID Connect only)

  - custom_params - custom authorization parameters

  - callback - relative route or absolute URL to receive the response data /hello | https://site.com/hey ...

Key | Location | Description

:-| :-: | :-

Authorization Server |

request_url | [oauth.json] | OAuth 1.0a only, first step

authorize_url | [oauth.json] | OAuth 2.0 first step, OAuth 1.0a second step

access_url | [oauth.json] | OAuth 2.0 second step, OAuth 1.0a third step

oauth | [oauth.json] | OAuth version number

scope_delimiter | [oauth.json] | String delimiter used for concatenating multiple scopes

token_endpoint_auth_method | [provider] | Authentication method for the token endpoint

token_endpoint_auth_signing_alg | [provider] | Signing algorithm for the token endpoint

Client Server |

origin | defaults | Where your client server can be reached

prefix | defaults | Path prefix for the Grant internal routes

state | defaults | Random state string for OAuth 2.0

nonce | defaults | Random nonce string for OpenID Connect

pkce | defaults | Toggle PKCE support

response | defaults | Response data to receive

transport | defaults | A way to deliver the response data

callback | [provider] | Relative or absolute URL to receive the response data

overrides | [provider] | Static configuration overrides for a provider

dynamic | [provider] | Configuration keys that can be overridden dynamically over HTTP

Client App |

key client_id consumer_key | [provider] | The client_id or consumer_key of your OAuth app

secret client_secret  consumer_secret | [provider] | The client_secret or consumer_secret of your OAuth app

scope | [provider] | List of scopes to request

custom_params | [provider] | Custom authorization parameters and their values

subdomain | [provider] | String to embed into the authorization server URLs

public_key | [provider] | Public PEM or JWK

private_key | [provider] | Private PEM or JWK

redirect_uri | generated | Absolute redirect URL of the OAuth app

Grant |

name | generated | Provider's name

[provider] | generated | Provider's name as key

profile_url | [profile.json] | User profile URL

Key | Location | Value

:- | :-: | :-:

Authorization Server |

request_url | [oauth.json] | 'https://api.twitter.com/oauth/request_token'

authorize_url | [oauth.json] | 'https://api.twitter.com/oauth/authenticate'

access_url | [oauth.json] | 'https://api.twitter.com/oauth/access_token'

oauth | [oauth.json] | 2 1

scope_delimiter | [oauth.json] | ',' ' '

token_endpoint_auth_method | [provider] | 'client_secret_post' 'client_secret_basic' 'private_key_jwt'

token_endpoint_auth_signing_alg | [provider] | 'RS256' 'ES256' 'PS256'

Client Server |

origin | defaults | 'http://localhost:3000' https://site.com

prefix | defaults | '/connect' /oauth ''

state | defaults | true

nonce | defaults | true

pkce | defaults | true

response | defaults | ['tokens', 'raw', 'jwt', 'profile']

transport | defaults | 'querystring' 'session' 'state'

callback | [provider] | '/hello' 'https://site.com/hi'

overrides | [provider] | {something: {scope: ['..']}}

dynamic | [provider] | ['scope', 'subdomain']

Client App |

key client_id consumer_key | [provider] | '123'

secret client_secret  consumer_secret | [provider] | '123'

scope | [provider] | ['openid', '..']

custom_params | [provider] | {access_type: 'offline'}

subdomain | [provider] | 'myorg'

public_key | [provider] | '..PEM..' '{..JWK..}'

private_key | [provider] | '..PEM..' '{..JWK..}'

redirect_uri |generated | 'http://localhost:3000/connect/twitter/callback'

Grant |

name |generated | name: 'twitter'

[provider] |generated | twitter: true

profile_url | [profile.json] | 'https://api.twitter.com/1.1/users/show.json'

Grant relies on configuration gathered from 6 different places:

1. The first place Grant looks for configuration is the built-in [oauth.json] file located in the config folder.

2. The second place Grant looks for configuration is the defaults key, specified in the user's configuration. These defaults are applied for every provider in the user's configuration.

3. The third place for configuration is the provider itself. All providers in the user's configuration inherit every option defined for them in the [oauth.json] file, and all options defined inside the defaults key. Having [oauth.json] file and a defaults configuration is only a convenience. You can define all available options directly for a provider.

4. The fourth place for configuration are the provider's [overrides](#connect-static-overrides). The static overrides inherit their parent provider, essentially creating new provider of the same type.

5. The fifth place for configuration is the dynamic state override. The request/response lifecycle state of your HTTP framework of choice can be used to dynamically override configuration.

6. The sixth place for configuration, that _potentially_ can override all of the above, and make all of the above optional, is the [dynamic](#dynamic-http) HTTP override.

The origin is where your client server can be reached:

You login by navigating to the /connect/:provider route where :provider is a key in your configuration, usually one of the officially supported ones, but you can define your own as well. Additionally you can login through a static override defined for that provider by navigating to the/connect/:provider/:override? route.

By default Grant operates on the following two routes:

However, the default /connect prefix can be configured:

The [redirect_uri](#misc-redirect-uri) of your OAuth app should follow this format:

Where [origin](#connect-origin) and [prefix](#connect-prefix) have to match the ones set in your configuration, and [provider](#grant) is a provider key found in your configuration.

For example: http://localhost:3000/connect/google/callback

This redirect URI is used internally by Grant. Depending on the [transport](#callback-transport) being used you will receive the response data in the [callback](#callback-data) route or absolute URL configured for that provider.

Some providers may employ custom authorization parameters that you can configure using the custom_params key:

The openid scope is required, and generating a random nonce string is optional but recommended:

Grant does not verify the signature of the returned id_token by default.

However, the following two claims of the id_token are being validated:

1. aud - is the token intended for my OAuth app?

2. nonce - does it tie to a request of my own?

PKCE can be enabled for all providers or for a specific provider only:

Providers that do not support PKCE will ignore the additional parameters being sent.

Provider sub configurations can be configured using the overrides key:

Navigate to:

- /connect/github to request the public_repo scope

- /connect/github/notifications to request the notifications scope using another OAuth App (key and secret)

- /connect/github/all to request a bunch of scopes and also receive the response data in another callback route

By default the response data will be returned in your callback route or absolute URL encoded as querystring.

Depending on the [transport](#callback-transport) being used the response data can be returned in the session or in the state object instead.

The amount of the returned data can be controlled using the [response](#callback-response) configuration.

The refresh_token is optional. The id_token is returned only for OpenID Connect providers requesting theopenid scope.

By default Grant will encode the OAuth response data asquerystring in your callback route or absolute URL:

This is useful when using Grant as OAuth Proxy. However this finalhttps://site.com/hello?access_token=... redirect may potentially leak private data in your server logs, especially when sitting behind a reverse proxy.

For local callback routes the session transport is recommended:

This will make the OAuth response data available in thesession object instead:

The request/response lifecycle state can be used as well:

In this case a callback route is not needed, and it will be ignored if provided. The response data will be available in the request/response lifecycle state object instead:

By default Grant returns all of the available tokens and the raw response data returned by the Authorization server:

When using the querystring [transport](#callback-transport) it might be a good idea to limit the response data:

This will return only the tokens available, without the raw response data.

This is useful when using Grant as OAuth Proxy. Encoding potentially large amounts of data as querystring can lead to incompatibility issues with some servers and browsers, and generally is considered a bad practice.

Using the session [transport](#callback-transport) is generally safer, but it also depends on the implementation of your session store.

In case your session store encodes the entire session in a cookie, not just the session ID, some servers may reject the HTTP request because of HTTP headers size being too big.

This will return only the tokens available, without the raw response data.

Grant can also return even larger response data by including the decoded JWT for OpenID Connect providers that returnid_token:

This will make the decoded JWT available in the response data:

Make sure you include all of the response keys that you want to be returned when configuring the response data explicitly.

Outside of the regular OAuth flow, Grant can also request the user profile:

Additionaly a profile key will be available in the response data:

The profile key contains either the raw response data returned by the user profile endpoint or an error message.

Not all of the supported providers have their profile_url set, and some of them might require custom parameters. Usually the user profile endpoint is accessible only when certain scopes were requested.

Grant uses session to persist state between HTTP redirects occurring during the OAuth flow. This session, however, was never meant to be used as persistent storage, even though that's totally possible.

Once you receive the response data in yourcallback route you are free to destroy that session.

However, there are a few session keys returned in your callback route, that you may find useful:

Key        | Availability            | Description

:--        | :--                     | :--

provider | Always              | The provider name used for this authorization

override | Depends on URL          | The static override name used for this authorization

dynamic  | Depends on request type | The dynamic override configuration passed to this authorization

state    | OAuth 2.0 only          | OAuth 2.0 state string that was generated

nonce    | OpenID Connect only     | OpenID Connect nonce string that was generated

code_verifier | PKCE only     | The code verifier that was generated for PKCE

request  | OAuth 1.0a only         | Data returned from the first request of the OAuth 1.0a flow

response | Depends on transport used | The final response data

Every Grant instance have a config property attached to it:

You can use the config property to alter the Grant's behavior during runtime without having to restart your server.

This property contains the generated configuration used internally by Grant, and changes made to that configuration affects the entire Grant instance!

The request/response lifecycle state can be used to alter configuration on every request:

This is useful in cases when you want to configure Grant dynamically with potentially sensitive data that you don't want to send over HTTP.

The request/response lifecycle state is not controlled by the [dynamic](#dynamic-http) configuration, meaning that you can override any configuration key.

Any allowed [dynamic](#dynamic-http) configuration key sent through HTTP GET/POST request will override the identical one set using a state override.

The dynamic configuration allows certain configuration keys to be set dynamically over HTTP GET/POST request.

For example shopify requires your shop name to be embedded into the OAuth URLs, so it makes sense to allow the [subdomain](#subdomain-urls) configuration key to be set dynamically:

Then you can have a web form on your website allowing the user to specify the shop name:

Making POST request to the /connect/:provider/:override? route requires a form body parser middleware:

Alternatively you can make a GET request to the /connect/:provider/:override? route:

Any dynamic configuration sent over HTTP GET/POST request overrides any other configuration.

In case you really want to, you can allow dynamic configuration override of every configuration key for a provider:

And the most extreme case is allowing even non preconfigured providers to be used dynamically:

Essentially Grant is a completely transparent [OAuth Proxy][oauth-like-a-boss].

The [origin](#connect-origin) and the [prefix](#connect-prefix) configuration is used to generate the correct [redirect_uri](#connect-redirect-uri) that Grant expects:

The above configuration is identical to:

Explicitly specifying the redirect_uri overrides the one generated by default.

You can define your own provider by adding a key for it in your configuration. In this case all of the required configuration keys have to be specified:

Take a look at the [oauth.json] file on how various providers are being configured.

You can document your configuration by adding custom keys to it:

Note that meta is arbitrary key, but it cannot be one of the [reserved keys][reserved-keys].

Grant supports different ways of instantiation:

Using the new keyword is optional:

Additionally Hapi accepts the configuration in two different ways:

You can mount Grant under specific path prefix:

In this case the [prefix](#connect-prefix) configuration should reflect that + any other path parts that you may have:

In this case you login by navigating to: http://localhost:3000/oauth/login/:provider

And the [redirect_uri](#connect-redirect-uri) of your OAuth app should be http://localhost:3000/oauth/login/:provider/callback

Optionally you can prefix your [callback](#callback) routes as well:

The underlying [HTTP client] can be configured using the request option:

Fancy [request logs] are available too:

Import Grant in your .mjs files:

Importing a .json file may require additional flag:

Grant ships with extensive [type definitions][type-definitions] for TypeScript. Additonal type definitions and examples can be found [here][grant-types].

Some providers have dynamic URLs containing bits of user information embedded into them. Inside the main [oauth.json] configuration file such URLs contain a [subdomain] token embedded in them.

The subdomain option can be used to specify your company name, server region etc:

Then Grant will generate the correct OAuth URLs:

Alternatively you can override the entire authorize_url and access_url in your configuration.

Some providers may have Sandbox URLs to use while developing your app. To use them just override the entire request_url, authorize_url and access_url in your configuration (notice the sandbox bits):

Very rarely you may need to override the [redirect_uri](#connect-redirect-uri) that Grant generates for you.

For example Feedly supports only http://localhost as redirect URI of their Sandbox OAuth app, and it won't allow the correct http://localhost/connect/feedly/callback URL:

In this case you'll have to redirect the user to the [origin][prefix]/[provider]/callback route that Grant uses to execute the last step of the OAuth flow:

As usual you will receive the response data in your final [callback](#callback) route.

Set the Redirect URI of your OAuth app as usual [origin][prefix]/[provider]/callback. Then Ebay will generate a special string called RuName (eBay Redirect URL name) that you need to set as redirect_uri in Grant:

Some providers are using custom authorization parameter to pass the requested scopes - Flickr perms, Freelancer advanced_scopes, Optimizely scopes, but you can use the regular scope option instead:

Mastodon requires the entire domain of your server to be embedded in the OAuth URLs. However you should use the subdomain option:

Set your Mashery user name as key and your application key as api_key:

Twitter OAuth 1.0a custom scope parameter can be specified in two ways:

Twitter OAuth 2.0 applications have to use the twitter2 provider:

Set your Client Secret as secret not the App Secret:

  [npm-version]: https://img.shields.io/npm/v/grant.svg?style=flat-square (NPM Version)

  [test-ci-img]: https://img.shields.io/travis/simov/grant/master.svg?style=flat-square (Build Status)

  [test-cov-img]: https://img.shields.io/coveralls/simov/grant.svg?style=flat-square (Test Coverage)

  [snyk-vulnerabilities]: https://img.shields.io/snyk/vulnerabilities/npm/grant.svg?style=flat-square (Vulnerabilities)

  [npm]: https://www.npmjs.com/package/grant

  [test-ci-url]: https://github.com/simov/grant/actions/workflows/test.yml

  [test-cov-url]: https://coveralls.io/r/simov/grant?branch=master

  [snyk]: https://snyk.io/test/npm/grant

  [grant-oauth]: https://grant.outofindex.com

  [oauth-like-a-boss]: https://dev.to/simov/oauth-like-a-boss-2m3b

  [http client]: https://github.com/simov/request-compose

  [request logs]: https://github.com/simov/request-logs

  [oauth.json]: https://github.com/simov/grant/blob/master/config/oauth.json

  [profile.json]: https://github.com/simov/grant/blob/master/config/profile.json

  [reserved-keys]: https://github.com/simov/grant/blob/master/config/reserved.json

  [examples]: https://github.com/simov/grant/tree/master/examples

  [changelog]: https://github.com/simov/grant/blob/master/CHANGELOG.md

  [migration]: https://github.com/simov/grant/blob/master/MIGRATION.md

  [grant-aws]: https://github.com/simov/grant-aws

  [grant-azure]: https://github.com/simov/grant-azure

  [grant-gcloud]: https://github.com/simov/grant-gcloud

  [grant-vercel]: https://github.com/simov/grant-vercel

  [grant-types]: https://github.com/simov/grant-types

  [type-definitions]: https://github.com/simov/grant/blob/master/grant.d.ts