feat(docs): update JS SDK examples to interceptor auth pattern

[marythought]

Summary

Updates all JavaScript/TypeScript code examples across SDK documentation to use the new Connect RPC interceptor-based authentication pattern with built-in token provider factories, replacing the deprecated AuthProvider approach and manual token fetching.

• Depends on: feat(sdk): deprecate AuthProvider in favor of Interceptor pattern web-sdk#899 (interceptor pattern) and feat(sdk): add TokenProvider factory functions for common OIDC flows web-sdk#906 (token provider factories) — both must be released first
• 16 files updated across docs and code samples
• Go and Java examples unchanged

What changed

• Manual getAccessToken() implementations → clientCredentialsTokenProvider(), refreshTokenProvider(), externalJwtTokenProvider() factory functions
• AuthProviders.clientSecretAuthProvider() → authTokenInterceptor() with token provider factories as the primary JS auth pattern
• "Define once, pass everywhere" idiom: create an auth config object once, reuse for OpenTDF, PlatformClient, and standalone functions
• Removed all await client.ready — no longer needed with interceptors (the DPoP ordering footgun is gone)
• AuthProvider examples preserved in "Legacy" sections for backwards compatibility
• DPoP section updated to show authTokenDPoPInterceptor() with clientCredentialsTokenProvider()
• Authentication decision guide updated to reference new factory functions

Files modified

Docs:

• docs/sdks/authentication.mdx — all 4 auth patterns + new DPoP section + legacy section
• docs/sdks/quickstart/javascript.mdx — all step-by-step examples
• docs/sdks/discovery.mdx — standalone function calls
• docs/sdks/tdf.mdx — encrypt/decrypt examples
• docs/sdks/authorization.mdx — flipped interceptors to primary, AuthProvider to legacy
• docs/sdks/platform-client.mdx — init pattern, removed ready guidance
• docs/sdks/policy.mdx — all PlatformClient construction
• docs/sdks/troubleshooting.mdx — token refresh + validateAttributes
• docs/guides/authentication-guide.mdx — decision guide references to factory functions

Code samples:

• All 7 files in code_samples/policy_code/

Test plan

• Verify Surge preview renders correctly after CI deploys
• Spot-check JS code blocks in each updated page for syntax correctness
• Confirm Go and Java tabs are unchanged
• Merge after feat(sdk): deprecate AuthProvider in favor of Interceptor pattern web-sdk#899 and feat(sdk): add TokenProvider factory functions for common OIDC flows web-sdk#906 both land

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 94cd86f7-a2bc-4d6e-8615-716031f632ee

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/docs-interceptor-auth-pattern

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the JavaScript SDK documentation to replace the deprecated AuthProvider interface with a new interceptor-based authentication model. Changes include updating code samples across multiple files to use authTokenInterceptor, introducing authTokenDPoPInterceptor, and adding a SortDirection enum to the policy OpenAPI specification. Reviewer feedback focuses on improving the provided getAccessToken examples by recommending the use of URLSearchParams for more robust request body encoding and emphasizing the need for token caching in production environments to prevent performance issues.

[github-actions]

📄 Preview deployed to https://opentdf-docs-pr-270.surge.sh

[eugenioenko]

Changes look great!

Left a small inline comment, which gemini has something among the same line we can look into later

[eugenioenko]

interceptors: [authTokenInterceptor(clientCredentialsTokenProvider({
    clientId: 'opentdf', clientSecret: 'secret',
    oidcOrigin: 'http://localhost:8080/auth/realms/opentdf',
  }))],

The nice thing about this example is that it's self-contained. Thats powerful.
Copy/past and it works. 10 of out 10 honestly.

The one thing that raises a small concern for me is that it's a private client credentials flow. We're adding multiple examples of it, but this goes against the nature of Web SDK being for the Browser.

I'm torn a little, one on side, this is self-contained, on the other side it gives an example of how to use WebSDK in the wrong environment or the wrong way. We probably would need to add comments to all examples // don't use this in production/browser and that would defeat the purpose of self-contained example

A compromise. Can we define that only once (instead of on each example) and have something like this on the funciton

The examples below use clientCredentialsTokenProvider for brevity. This requires a client secret and is intended for server-side use only. In browser applications, replace with your OIDC library's token