An encoded DPoP key pair. The encoding is opaque to callers and is
interpreted only by the DPoPSigner that produced it, so a signer backed
by a keystore may return handles/references rather than raw key material.
Caches the most recent DPoP nonce per URL origin (RFC 9449 §8). The
authorization server and the PDS have distinct origins, so their nonces
never collide — fixing the refresh/API nonce ping-pong.
Generates DPoP key pairs and signs DPoP proof JWTs (RFC 9449). Inject a
custom implementation to sign with a platform keystore / non-extractable
key. The DPoPKeyPair strings are opaque to everyone but the signer.
Default HTTP-based IdentityResolver:
handle→DID via com.atproto.identity.resolveHandle, DID document via the
PLC directory (did:plc) or well-known/path location (did:web), then the
#atproto_pds service endpoint. When starting from a handle, verifies the
DID document claims the handle back through alsoKnownAs.
Owns an OAuth session's lifecycle for API use: builds DPoP Authorization
headers per request (nonce cached per origin) and refreshes the access
token before it expires or on a 401. atproto_core delegates to this.
Persists OAuthSessions keyed by account sub (DID). Inject a secure
implementation (e.g. platform keychain) to persist across restarts —
sessions contain the DPoP private key and tokens.
Persists per-authorization OAuthContext between authorize and
callback, keyed by the OAuth state parameter. Inject a durable
implementation to support callbacks that arrive after an app restart.
Thrown when a refresh fails with invalid_grant or the session has been
revoked. The session has been removed from the session store; callers
should route the user back through authorize.