Arctic

Mastodon

OAuth 2.0 provider for Mastodon.

Also see the OAuth 2.0 with PKCE guide.

Initialization

The baseURL parameter is the full URL where the Mastodon instance is hosted.

import * as arctic from "arctic";

const baseURL = "https://mastodon.social";
const mastodon = new arctic.Mastodon(baseURL, clientId, clientSecret, redirectURI);

Create authorization URL

import * as arctic from "arctic";

const state = arctic.generateState();
const codeVerifier = arctic.generateCodeVerifier();
const scopes = ["read", "write"];
const url = mastodon.createAuthorizationURL(state, codeVerifier, scopes);

Validate authorization code

validateAuthorizationCode() will either return an OAuth2Tokens, or throw one of OAuth2RequestError, ArcticFetchError, UnexpectedResponseError, or UnexpectedErrorResponseBodyError. Mastodon will only return an access token (no expiration).

import * as arctic from "arctic";

try {
	const tokens = await mastodon.validateAuthorizationCode(code, codeVerifier);
	const accessToken = tokens.accessToken();
} catch (e) {
	if (e instanceof arctic.OAuth2RequestError) {
		// Invalid authorization code, credentials, or redirect URI
		const code = e.code;
		// ...
	}
	if (e instanceof arctic.ArcticFetchError) {
		// Failed to call `fetch()`
		const cause = e.cause;
		// ...
	}
	// Parse error
}

Revoke tokens

Use revokeToken() to revoke a token. This can throw the same errors as validateAuthorizationCode().

try {
	await mastodon.revokeToken(token);
} catch (e) {
	if (e instanceof arctic.OAuth2RequestError) {
		// Invalid authorization code, credentials, or redirect URI
	}
	if (e instanceof arctic.ArcticFetchError) {
		// Failed to call `fetch()`
	}
	// Parse error
}