auth.provider API
    interface GrantContext {
        authenticatedClient: AuthenticatedClient | null;
        body: Readonly<Record<string, unknown>>;
        ip?: string;
        issuer?: string;
        metadata: Readonly<Record<string, unknown>>;
        session: SessionData;
        userAgent?: string;
    }

    Properties

    authenticatedClient: AuthenticatedClient | null

    The authenticated client established by clientAuthMw before grant dispatch on /token. Grant handlers that bind tokens to client identity (authorization code, refresh, token-exchange) MUST use this field rather than body.client_id: the body is attacker-controlled, and trusting it bypasses RFC 6749 §2.3 client authentication.

    null when the grant is invoked outside the standard /token route (custom wiring, direct unit-test invocation). Handlers that rely on a client identity SHOULD reject null with an invalid_client error (HTTP 401).
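
The rule above for an authorization-code handler, as an added example that is not the library's own code. The `clientId` field on AuthenticatedClient, the `CodeRecord` store and all function names are assumptions; the sample code record is constructed.

```typescript
// Local stand-ins: the real AuthenticatedClient shape is not shown on this page,
// so `clientId` is an assumption; GrantContext is trimmed to the two fields used.
interface AuthenticatedClient { clientId: string }
interface GrantContext {
  authenticatedClient: AuthenticatedClient | null;
  body: Readonly<Record<string, unknown>>;
}
interface CodeRecord { clientId: string; subject: string } // hypothetical store row
type GrantResult =
  | { ok: true; subject: string; clientId: string }
  | { ok: false; status: number; error: string };

// Constructed sample store: one authorization code issued to client "app-a".
const codes = new Map<string, CodeRecord>([
  ["code-123", { clientId: "app-a", subject: "user-1" }],
]);

function fail(status: number, error: string): GrantResult {
  return { ok: false, status, error };
}

function lookup(ctx: GrantContext): CodeRecord | undefined {
  const code = ctx.body["code"];
  return typeof code === "string" ? codes.get(code) : undefined;
}

// Weak: compares the code's owner with body.client_id, a value the caller chooses.
function redeemTrustingBody(ctx: GrantContext): GrantResult {
  const rec = lookup(ctx);
  if (!rec || rec.clientId !== ctx.body["client_id"]) return fail(400, "invalid_grant");
  return { ok: true, subject: rec.subject, clientId: rec.clientId };
}

// Hardened: identity comes only from ctx.authenticatedClient; null is rejected.
function redeemCode(ctx: GrantContext): GrantResult {
  const client = ctx.authenticatedClient;
  if (client === null) return fail(401, "invalid_client");
  const rec = lookup(ctx);
  if (!rec || rec.clientId !== client.clientId) return fail(400, "invalid_grant");
  return { ok: true, subject: rec.subject, clientId: client.clientId };
}
```

With a context authenticated as one client and a body naming another, the first handler issues against the body's claim while the second returns invalid_grant.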

    body: Readonly<Record<string, unknown>>
    ip?: string
    issuer?: string
    metadata: Readonly<Record<string, unknown>>
    session: SessionData

    Readonly property — wholesale ctx.session = {…} replacement is rejected at compile time. Field-level mutation (ctx.session.isAuthenticated = …) is intentionally still allowed because handlers write through Express's req.session object; SessionData mirrors that mutable surface.

    userAgent?: string