What does this release signal mean?

Cloudflare (Workers AI) published cloudflare/workers-oauth-provider v0.8.1 (cloudflare/workers-oauth-provider). This release signal is evidence of what shipped, changed, or was packaged for users. High-signal details: OAuth provider library for Cloudflare Workers. · v0.8.1 Repository: cloudflare/workers-oauth-provider Tag: v0.8.1 Published: 2026-06-19T18:37:46Z Prerelease: no Release notes: Patch Changes -.... onlylabs links this event to 1 captured evidence page and 6 related release signals.

Cloudflare (Workers AI) Release: cloudflare/workers-oauth-provider v0.8.1

Captured source

source ↗

GitHub/github.com/cloudflare/workers-oauth-provider

cloudflare/workers-oauth-provider v0.8.1

Source ↗

published Jun 19, 2026seen 6dcaptured 6dhttp 200method plain

v0.8.1

Repository: cloudflare/workers-oauth-provider

Tag: v0.8.1

Published: 2026-06-19T18:37:46Z

Prerelease: no

Release notes:

Patch Changes

#234 `7b4ba3a` Thanks @threepointone! - Fix uncaught 500 when refreshing a near-expiry grant. A refresh arriving in the final

<60s of a grant's life previously passed the expiry check and then crashed with "KV PUT failed: 400 Invalid expiration" because Cloudflare KV rejects absolute expirations less than 60 seconds in the future. Such grants are now treated as expired (returning invalid_grant).

The refresh handler also re-checks expiry after the tokenExchangeCallback runs, so a slow callback (e.g. an upstream network refresh) that pushes the grant under the 60-second threshold mid-request is rejected cleanly instead of crashing when writing the rotated grant or the new access token (whose TTL is clamped to the grant's remaining lifetime). As defense-in-depth, saveGrantWithTTL also clamps the absolute expiration to KV's 60-second minimum (plus a small margin so writes stay storable under clock skew / write latency).

The token exchange grant (RFC 8693) shared the same root cause: the issued token's TTL is clamped to the subject token's remaining lifetime, so a subject token in its final <60s (or a expires_in/accessTokenTTL below 60) produced an unstorable token. The exchange now rejects a subject token with under 60s remaining (invalid_grant) and a requested lifetime below 60s (invalid_request) instead of crashing.

More broadly, any access token lifetime below KV's 60-second minimum is now caught instead of crashing with an opaque KV 400:

accessTokenTTL is validated at OAuthProvider construction (must be an integer of at

least 60 seconds).

A tokenExchangeCallback returning an accessTokenTTL below 60 on the authorization code

or refresh grant is rejected with invalid_request.

The enterprise-managed authorization (ID-JAG) grant rejects a mapper-supplied access token

TTL below 60 (invalid_grant, "Invalid access token TTL").

Notability

notability 3.0/10

Minor version of non-AI OAuth provider repo