Access tokens (opaque, hashed at rest). May be Bearer or DPoP-bound.

| Name | Type | Default | Nullable | Children | Parents | Comment |
|---|---|---|---|---|---|---|
| audience | text[] | | true | | | Optional audience constraint (array of URIs). |
| client_id | uuid | | false | | public.oauth_clients | Client that owns this token. |
| created_at | timestamp with time zone | now() | false | | | Creation timestamp. |
| digest | bytea | | false | | | Hashed token value; plaintext only exists at issuance time. |
| dpop_jkt | text | | true | | | When DPoP, RFC 7638 JWK thumbprint bound to this token. |
| expires_at | timestamp with time zone | | false | | | Expiration time. |
| jti | uuid | gen_random_uuid() | false | | | Unique token identifier for logs/trace. |
| metadata | jsonb | '{}'::jsonb | false | | | Free-form JSON: device, ip, hints. |
| scopes | text[] | '{}'::text[] | false | | | Scopes granted to this access token. |
| token_type | token_type | 'Bearer'::token_type | false | | | Bearer (no sender constraint) or DPoP (sender-constrained). |
| updated_at | timestamp with time zone | now() | false | | | Last update timestamp (maintained by trigger). |
| user_id | uuid | | true | | public.users | Subject (end-user) on whose behalf the token was issued; NULL for client-only flows. |

| Name | Type | Definition |
|---|---|---|
| access_token_dpop_consistency_chk | CHECK | CHECK ((((token_type = 'Bearer'::token_type) AND (dpop_jkt IS NULL)) OR ((token_type = 'DPoP'::token_type) AND (dpop_jkt IS NOT NULL) AND ((length(dpop_jkt) >= 43) AND (length(dpop_jkt) <= 128))))) |
| audience_uris_valid | CHECK | CHECK (are_valid_oauth_uris_or_null(audience)) |
| oauth_access_tokens_client_id_fkey | FOREIGN KEY | FOREIGN KEY (client_id) REFERENCES oauth_clients(id) ON DELETE CASCADE |
| oauth_access_tokens_client_id_not_null | n | NOT NULL client_id |
| oauth_access_tokens_created_at_not_null | n | NOT NULL created_at |
| oauth_access_tokens_digest_not_null | n | NOT NULL digest |
| oauth_access_tokens_expires_at_not_null | n | NOT NULL expires_at |
| oauth_access_tokens_jti_not_null | n | NOT NULL jti |
| oauth_access_tokens_metadata_not_null | n | NOT NULL metadata |
| oauth_access_tokens_pkey | PRIMARY KEY | PRIMARY KEY (digest) |
| oauth_access_tokens_scopes_not_null | n | NOT NULL scopes |
| oauth_access_tokens_token_type_not_null | n | NOT NULL token_type |
| oauth_access_tokens_updated_at_not_null | n | NOT NULL updated_at |
| oauth_access_tokens_user_id_fkey | FOREIGN KEY | FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE |
| scopes_token_chars | CHECK | CHECK (scopes_all_valid(scopes)) |

| Name | Definition | Comment |
|---|---|---|
| idx_oauth_access_tokens_expires_at | CREATE INDEX idx_oauth_access_tokens_expires_at ON public.oauth_access_tokens USING btree (expires_at) | Speeds eviction and queries by token expiration. |
| idx_oauth_access_tokens_user_client | CREATE INDEX idx_oauth_access_tokens_user_client ON public.oauth_access_tokens USING btree (user_id, client_id) | Speeds per-user/per-client token lookups. |
| oauth_access_tokens_pkey | CREATE UNIQUE INDEX oauth_access_tokens_pkey ON public.oauth_access_tokens USING btree (digest) | |

| Name | Definition |
|---|---|
| set_timestamp_oauth_access_tokens | CREATE TRIGGER set_timestamp_oauth_access_tokens BEFORE UPDATE ON public.oauth_access_tokens FOR EACH ROW EXECUTE FUNCTION trigger_set_timestamp() |
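
The storage rules this table encodes (lookup by `digest`, and the Bearer/DPoP pairing enforced by `access_token_dpop_consistency_chk`), sketched as an added Python example that is not part of the generated schema documentation or the project's code. It assumes SHA-256 for `digest`, which the page does not specify; all helper names and the sample JWK are hypothetical. An unpadded base64url SHA-256 thumbprint is exactly 43 characters, which matches the constraint's lower bound.

```python
import base64, hashlib, hmac, json, secrets

# Assumption: SHA-256 fills `digest`; the schema page does not name the hash.
# Required JWK members per key type, as used for RFC 7638 thumbprints.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
            "OKP": ("crv", "kty", "x")}
# Constructed sample key (placeholder coordinates, not a real key).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x",
              "y": "constructed-y", "kid": "demo"}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def token_digest(plaintext: str) -> bytes:
    return hashlib.sha256(plaintext.encode("utf-8")).digest()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required members, sorted, no whitespace."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dpop_consistent(token_type: str, dpop_jkt) -> bool:
    """Application-side mirror of access_token_dpop_consistency_chk."""
    if token_type == "Bearer":
        return dpop_jkt is None
    if token_type == "DPoP":
        return dpop_jkt is not None and 43 <= len(dpop_jkt) <= 128
    return False

def issue_token(token_type: str = "Bearer", jwk=None):
    """Return (plaintext, row); only the row would be persisted."""
    plaintext = b64url(secrets.token_bytes(32))
    row = {"digest": token_digest(plaintext), "token_type": token_type,
           "dpop_jkt": jwk_thumbprint(jwk) if jwk else None}
    if not dpop_consistent(row["token_type"], row["dpop_jkt"]):
        raise ValueError("row would violate access_token_dpop_consistency_chk")
    return plaintext, row

def lookup(store: dict, presented: str, proof_jwk=None):
    """Find the row by digest (the primary key) and enforce the key binding.
    Proof signature, htm/htu/iat and expires_at checks are out of scope."""
    row = store.get(token_digest(presented))
    if row is None:
        return None
    if row["token_type"] == "DPoP":
        if proof_jwk is None:
            return None
        if not hmac.compare_digest(jwk_thumbprint(proof_jwk), row["dpop_jkt"]):
            return None
    return row
```

Here `store` stands in for the table, keyed by `digest` as the primary key is; the plaintext token returned by `issue_token` never enters it.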

Generated by tbls