# ๐ `@saptools/cf-xsuaa`
**Stop copy-pasting XSUAA tokens from the BTP cockpit.**
Fetch XSUAA credentials and OAuth2 access tokens from SAP BTP Cloud Foundry apps โ straight from your terminal, with intelligent caching built in.
[](https://www.npmjs.com/package/@saptools/cf-xsuaa)
[](./LICENSE)
[](https://nodejs.org)
[](https://packagephobia.com/result?p=@saptools/cf-xsuaa)
[](https://www.typescriptlang.org)
[Install](#-install) โข [Quick Start](#-quick-start) โข [CLI](#-cli) โข [API](#-programmatic-usage) โข [FAQ](#-faq)
---
## โจ Features
- ๐ **Zero-config OAuth2** โ fetches `client_credentials` tokens straight from the XSUAA binding of any CF app
- ๐พ **Smart caching** โ reuses tokens until they expire so you do not hand out stale JWTs
- ๐งฉ **CLI & API** โ drop into shell scripts, Node pipelines, or your favorite test runner
- ๐ **CF-aware** โ resolves CF API endpoints from region keys via `@saptools/cf-sync`, no manual URLs
- ๐ **Type-safe** โ shipped with full TypeScript definitions
- ๐ชถ **Tiny** โ one dependency (`commander`) and zero runtime magic
---
## ๐ฆ Install
```bash
# Global CLI
npm install -g @saptools/cf-xsuaa
# Or as a dependency
npm install @saptools/cf-xsuaa
# pnpm add @saptools/cf-xsuaa
# yarn add @saptools/cf-xsuaa
```
> [!NOTE]
> Requires **Node.js โฅ 20** and the **`cf` CLI** on `PATH`. For the first secret fetch, set `SAP_EMAIL` and `SAP_PASSWORD`.
---
## ๐ Quick Start
```bash
# 1. Tell cf-xsuaa who you are (only needed for the first secret fetch)
export SAP_EMAIL="you@company.com"
export SAP_PASSWORD="your-sap-password"
# 2. Grab a token (auto-fetches the XSUAA binding on first call, caches it forever)
cf-xsuaa get-token-cached \
--region ap10 --org my-org --space dev --app my-srv
```
That's it. Copy the printed JWT into `curl`, `Postman`, `bruno`, or wherever you need it. Next call reuses the cached token until it expires.
---
## ๐งฐ CLI
Every command identifies an app with the same four flags:
| Flag | Description | Example |
| --- | --- | --- |
| `-r, --region ` | CF region key | `ap10`, `eu10`, `us10` |
| `-o, --org ` | CF org name | `my-org` |
| `-s, --space ` | CF space name | `dev` |
| `-a, --app ` | CF app name | `my-srv` |
### ๐ `cf-xsuaa fetch-secret`
Pull the XSUAA client credentials out of the app's `VCAP_SERVICES` and cache them to disk. Run this once per app, or whenever the binding rotates.
```bash
cf-xsuaa fetch-secret --region ap10 --org my-org --space dev --app my-srv
```
### ๐๏ธ `cf-xsuaa get-token`
Fetch a **fresh** OAuth2 `client_credentials` token and print the JWT to stdout. Auto-runs `fetch-secret` first if the binding isn't cached yet.
```bash
cf-xsuaa get-token --region ap10 --org my-org --space dev --app my-srv
```
### โก `cf-xsuaa get-token-cached`
Return the cached token if it's still valid, otherwise fetch a new one. **This is what you want 99% of the time.**
```bash
TOKEN=$(cf-xsuaa get-token-cached --region ap10 --org my-org --space dev --app my-srv)
curl -H "Authorization: Bearer $TOKEN" https://my-srv.cfapps.ap10.hana.ondemand.com/api/health
```
> [!TIP]
> Cached tokens are refreshed before they become stale, so callers do not receive a JWT that is about to expire.
---
## ๐งโ๐ป Programmatic Usage
```ts
import {
fetchSecret,
getToken,
getTokenCached,
readStore,
xsuaaDataPath,
} from "@saptools/cf-xsuaa";
const ref = {
region: "ap10",
org: "my-org",
space: "dev",
app: "my-srv",
} as const;
// One-time: cache the client credentials
await fetchSecret(ref);
// Every call: reuse a cached token when possible
const token = await getTokenCached(ref);
// Or: force a fresh token
const freshToken = await getToken(ref);
// Introspect the cache
const store = await readStore();
console.log(`${store.entries.length} apps cached in ${xsuaaDataPath()}`);
```
### ๐งช Dependency injection (great for tests)
```ts
await getToken(ref, {
fetchCredentials: async () => ({
clientId: "cid",
clientSecret: "csec",
url: "https://uaa.example.com",
}),
fetchToken: async () => "fake-jwt",
now: new Date("2026-04-18T00:00:00Z"),
});
```
๐ Full export list
| Export | Description |
| --- | --- |
| `fetchSecret(ref)` | Cache a freshly-fetched XSUAA binding |
| `getToken(ref)` | Force a new OAuth2 token |
| `getTokenCached(ref)` | Reuse cache, fall through on expiry |
| `readStore()` / `writeStore(store)` | Read / write the on-disk store |
| `findEntry(store, ref)` | Look up a single entry |
| `upsertSecret(store, ref, creds)` | Merge credentials into a store |
| `upsertToken(store, ref, token)` | Merge a token into a store |
| `fetchClientCredentialsToken(creds)` | Low-level UAA call |
| `parseXsuaaFromVcap(stdout)` | Parse `cf env` output |
| `decodeJwtPayload(jwt)` | Decode the JWT payload without verification |
| `computeExpiryIso(jwt)` / `isExpired(iso)` | Expiry math |
| `xsuaaDataPath()` / `saptoolsDir()` | Resolve on-disk paths |
---
## ๐ Output File
All state lives in a single JSON file under your home directory:
```text
~/.saptools/xsuaa-data.json
```
๐ฌ Shape of xsuaa-data.json
```jsonc
{
"version": 1,
"entries": [
{
"region": "ap10",
"org": "my-org",
"space": "dev",
"app": "my-srv",
"credentials": {
"clientId": "sb-xsappname!t123",
"clientSecret": "",
"url": "https://my-org.authentication.ap10.hana.ondemand.com",
"xsappname": "my-app!t123"
},
"token": {
"accessToken": "eyJhbGciOi...",
"expiresAt": "2026-04-18T12:34:56.000Z"
},
"fetchedAt": "2026-04-18T12:20:00.000Z"
}
]
}
```
> [!IMPORTANT]
> Prefer the CLI or exported APIs over parsing this file directly โ the on-disk format is an implementation detail.
---
## โ FAQ
Do I need SAP_EMAIL / SAP_PASSWORD on every call?
No. Those are only read when `cf-xsuaa` has to refresh the VCAP-bound **client secret**. Once the secret is cached, token refreshes go straight to the UAA with `client_credentials` โ no SAP user credentials required.
How is this different from cf oauth-token?
`cf oauth-token` returns **your personal UAA token**. `cf-xsuaa` returns the **app's own service token** (issued to the XSUAA `clientId` in `VCAP_SERVICES`), which is what you actually need when calling the app's protected endpoints.
Is the cached token safe to commit?
**No.** `~/.saptools/xsuaa-data.json` contains `clientSecret` and live JWTs. It lives under your home directory and should never be checked into git.
How do I invalidate a cached secret?
Run `cf-xsuaa fetch-secret` again with the same `--region/--org/--space/--app` flags and the entry will be overwritten.
---
## ๐ ๏ธ Development
From the monorepo root:
```bash
pnpm install
pnpm --filter @saptools/cf-xsuaa build
pnpm --filter @saptools/cf-xsuaa typecheck
pnpm --filter @saptools/cf-xsuaa test:unit
pnpm --filter @saptools/cf-xsuaa test:e2e
```
The e2e suite **auto-discovers** a real CF app with an `xsuaa` service binding by scoring candidates from `~/.saptools/cf-structure.json`. To pin a specific target:
```bash
export E2E_TARGET="ap10/my-org/my-space/my-srv"
```
---
## ๐ Related
- ๐ฆ [`@saptools/cf-sync`](https://www.npmjs.com/package/@saptools/cf-sync) โ sync the CF `region โ org โ space โ app` tree to disk
- ๐๏ธ [saptools monorepo](https://github.com/dongitran/saptools) โ the full toolbox
---
## ๐จโ๐ป Author
**dongtran** โจ
## ๐ License
MIT
---
Made with โค๏ธ to make your work life easier!