scribejava/scribejava
Simple OAuth library for Java
Single-maintainer risk — review before adopting
Weakest axis: top contributor handles 95% of recent commits; no CI workflows detected
Has a license, tests, and CI — clean foundation to fork and modify.
Documented and popular — useful reference codebase to read through.
No critical CVEs, sane security posture — runnable as-is.
- ✓Last commit 3w ago
- ✓4 active contributors
- ✓MIT licensed
- ✓Tests present
- ⚠Small team — 4 contributors active in recent commits
- ⚠Single-maintainer risk — top contributor 95% of recent commits
- ⚠No CI workflows detected
What would change the summary?
- →Use as dependency Mixed → Healthy if: diversify commit ownership (top <90%)
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding: scribejava/scribejava
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/scribejava/scribejava shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
WAIT — Single-maintainer risk — review before adopting
- Last commit 3w ago
- 4 active contributors
- MIT licensed
- Tests present
- ⚠ Small team — 4 contributors active in recent commits
- ⚠ Single-maintainer risk — top contributor 95% of recent commits
- ⚠ No CI workflows detected
<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live scribejava/scribejava
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale — regenerate it at
repopilot.app/r/scribejava/scribejava.
What it runs against: a local clone of scribejava/scribejava — the script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in scribejava/scribejava | Confirms the artifact applies here, not a fork |
| 2 | License is still MIT | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 54 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of scribejava/scribejava. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/scribejava/scribejava.git
#   cd scribejava
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of scribejava/scribejava and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "scribejava/scribejava(\.git)?\b" \
  && ok "origin remote is scribejava/scribejava" \
  || miss "origin remote is not scribejava/scribejava (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"MIT\"" package.json 2>/dev/null) \
  && ok "license is MIT" \
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuth20Service.java" \
  && ok "scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuth20Service.java" \
  || miss "missing critical file: scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuth20Service.java"
test -f "scribejava-core/src/main/java/com/github/scribejava/core/builder/ServiceBuilder.java" \
  && ok "scribejava-core/src/main/java/com/github/scribejava/core/builder/ServiceBuilder.java" \
  || miss "missing critical file: scribejava-core/src/main/java/com/github/scribejava/core/builder/ServiceBuilder.java"
test -f "scribejava-core/src/main/java/com/github/scribejava/core/model/OAuthRequest.java" \
  && ok "scribejava-core/src/main/java/com/github/scribejava/core/model/OAuthRequest.java" \
  || miss "missing critical file: scribejava-core/src/main/java/com/github/scribejava/core/model/OAuthRequest.java"
test -f "scribejava-apis/src/main/java/com/github/scribejava/apis/FacebookApi.java" \
  && ok "scribejava-apis/src/main/java/com/github/scribejava/apis/FacebookApi.java" \
  || miss "missing critical file: scribejava-apis/src/main/java/com/github/scribejava/apis/FacebookApi.java"
test -f "scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuthService.java" \
  && ok "scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuthService.java" \
  || miss "missing critical file: scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuthService.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 54 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~24d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/scribejava/scribejava"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if
anything failed, so it composes cleanly into agent loops
(./verify.sh || regenerate-and-retry).
⚡TL;DR
ScribeJava is a lightweight, production-grade OAuth 1.0a and OAuth 2.0 client library for Java that abstracts away the complexity of OAuth flows. It provides out-of-the-box implementations for 50+ APIs (GitHub, Google, Facebook, LinkedIn, Twitter, etc.) via ServiceBuilder configuration, handling request signing, token exchange, and API authorization without requiring developers to understand the underlying OAuth protocol details. Multi-module Maven monorepo: scribejava-core/ contains base OAuth classes (ServiceBuilder, OAuthService), scribejava-java8/ for Java 8+ async features, scribejava-apis/ holds 50+ concrete API implementations (GitHubApi.java, GoogleApi20.java, FacebookApi.java, etc.), and 5 optional HTTP client adapter modules (scribejava-httpclient-*). Examples live in scribejava-apis/src/test/java/com/github/scribejava/apis/examples/.
👥Who it's for
Java backend developers and Android app developers building integrations with third-party OAuth-protected services (social login, API access). They need to authenticate users or call APIs on their behalf without writing boilerplate OAuth negotiation code. Enterprise teams maintaining legacy Java 7+ systems who cannot upgrade to modern OAuth libraries.
🌱Maturity & risk
Highly mature and production-ready. Version 8.3.4-SNAPSHOT with MIT license, maintained GitHub repo (scribejava/scribejava) showing active development. Comprehensive test coverage visible in examples directory (Google20Example.java, FacebookAsyncNingExample.java, etc.), multi-module Maven structure with 8+ modules for different HTTP clients, and strong Maven Central distribution. Last meaningful development appears recent given snapshot version and multiple active modules.
Low risk for standard OAuth flows but requires careful dependency management: supports 5+ different HTTP client libraries (ning, ahc, okhttp, apache, armeria) as optional modules, creating potential version conflicts if not managed. Single maintainer (Stanislav Gromov, kullfar@gmail.com) is a concentration risk. Library is stable but adding new OAuth providers requires extending base classes—no risk of breaking changes for existing integrations, though undocumented APIs could change.
Active areas of work
Unable to determine from provided file structure alone—no git log, PR list, or issue tracker visible. Based on version string (8.3.4-SNAPSHOT) and active multi-module structure, development is likely focused on bug fixes, new API provider additions to scribejava-apis/, and maintaining compatibility across HTTP client versions.
🚀Get running
```bash
git clone https://github.com/scribejava/scribejava.git
cd scribejava
mvn clean install
# To run OAuth examples:
cd scribejava-apis
mvn test
```
Daily commands:
This is a library, not a runnable app. To test: mvn clean test from root. To use in your project, add the dependency to pom.xml:

```xml
<dependency>
  <groupId>com.github.scribejava</groupId>
  <artifactId>scribejava-core</artifactId>
  <version>8.3.3</version>
</dependency>
```

plus your chosen HTTP client module (e.g., scribejava-httpclient-okhttp). Then instantiate via new ServiceBuilder(clientId).apiSecret(secret).build(ApiInstance.instance()).
🗺️Map of the codebase
- scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuth20Service.java — Core OAuth 2.0 service implementation; all OAuth2 flows route through this class
- scribejava-core/src/main/java/com/github/scribejava/core/builder/ServiceBuilder.java — Entry point DSL for configuring and building OAuth services; every integration starts here
- scribejava-core/src/main/java/com/github/scribejava/core/model/OAuthRequest.java — Wrapper for HTTP requests with OAuth signature and token injection; critical for all API calls
- scribejava-apis/src/main/java/com/github/scribejava/apis/FacebookApi.java — Reference implementation of a complete API integration; demonstrates extension patterns
- scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuthService.java — Base interface defining OAuth service contract; all OAuth implementations implement this
- pom.xml — Maven multi-module build configuration; declares all submodules and shared dependencies
🛠️How to make changes
Add a new OAuth2 API integration
- Create a new API class in scribejava-apis/src/main/java/com/github/scribejava/apis/ extending DefaultApi20 (scribejava-apis/src/main/java/com/github/scribejava/apis/FacebookApi.java)
- Define getAccessTokenEndpoint(), getAuthorizationBaseUrl(), and getProtectedResourceUrl() methods (scribejava-apis/src/main/java/com/github/scribejava/apis/FacebookApi.java)
- Create a custom token extractor if the API returns non-standard JSON (extend JsonTokenExtractor or implement TokenExtractor) (scribejava-apis/src/main/java/com/github/scribejava/apis/facebook/FacebookAccessTokenJsonExtractor.java)
- Override getAccessTokenExtractor() in your API class to return the custom extractor (scribejava-apis/src/main/java/com/github/scribejava/apis/FacebookApi.java)
- Add example usage in scribejava-apis/src/test/java/com/github/scribejava/apis/examples/ demonstrating getAuthorizationUrl() and getAccessToken() (scribejava-apis/src/test/java/com/github/scribejava/apis/examples)
Configure and use an OAuth service
- Use ServiceBuilder to instantiate a service with your API credentials (scribejava-core/src/main/java/com/github/scribejava/core/builder/ServiceBuilder.java)
- Call getAuthorizationUrl() on the service to obtain the OAuth authorization redirect URL (scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuth20Service.java)
- After user authorization, exchange the callback code for an access token using getAccessToken() (scribejava-core/src/main/java/com/github/scribejava/core/oauth/OAuth20Service.java)
- Create OAuthRequest objects and call signRequest() to inject the token, then execute the HTTP request (scribejava-core/src/main/java/com/github/scribejava/core/model/OAuthRequest.java)
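The four steps above as one complete class, added here as an example; it is not ScribeJava's or RepoPilot's code. It assumes GitHub as the provider (GitHubApi from scribejava-apis), the environment variable names GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET, a placeholder callback URL and the read:user scope; the state-generation and state-comparison helpers are the example's own. It relies on the JDK HTTP client built into scribejava-core, so no scribejava-httpclient-* module is required.

```java
import com.github.scribejava.apis.GitHubApi;
import com.github.scribejava.core.builder.ServiceBuilder;
import com.github.scribejava.core.model.OAuth2AccessToken;
import com.github.scribejava.core.model.OAuthRequest;
import com.github.scribejava.core.model.Response;
import com.github.scribejava.core.model.Verb;
import com.github.scribejava.core.oauth.OAuth20Service;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ExecutionException;

/** Added example (not ScribeJava's own code): authorization code flow against GitHub. */
public final class GitHubOAuthFlowExample {

    // Placeholder redirect URI; must match the one registered with the provider.
    private static final String CALLBACK = "https://app.example.invalid/oauth/callback";
    private static final String USER_URL = "https://api.github.com/user";

    // Step 1: configure the service. Secrets come from the environment (assumed variable
    // names), never from source code. Without an HTTP client module on the classpath,
    // scribejava-core uses its built-in JDK client.
    static OAuth20Service buildService() {
        return new ServiceBuilder(requireEnv("GITHUB_CLIENT_ID"))
                .apiSecret(requireEnv("GITHUB_CLIENT_SECRET"))
                .defaultScope("read:user")
                .callback(CALLBACK)
                .build(GitHubApi.instance());
    }

    // Step 2: the redirect URL, bound to a fresh unguessable state. The caller stores
    // the state in the user's session so the callback can be matched to this request.
    static String authorizationUrl(OAuth20Service service, String state) {
        return service.createAuthorizationUrlBuilder().state(state).build();
    }

    static String newState() {
        byte[] random = new byte[24];
        new SecureRandom().nextBytes(random);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(random);
    }

    // Step 3: exchange the callback's code for a token, but only if the returned state
    // matches the one issued; a mismatch means the callback was not started by this user.
    static OAuth2AccessToken exchangeCode(OAuth20Service service, String expectedState,
                                          String returnedState, String code)
            throws IOException, InterruptedException, ExecutionException {
        if (!MessageDigest.isEqual(expectedState.getBytes(StandardCharsets.UTF_8),
                                   returnedState.getBytes(StandardCharsets.UTF_8))) {
            throw new IllegalStateException("OAuth state mismatch; refusing to exchange the code");
        }
        return service.getAccessToken(code);
    }

    // Step 4: sign a request with the token and execute it.
    static String fetchUser(OAuth20Service service, OAuth2AccessToken token)
            throws IOException, InterruptedException, ExecutionException {
        OAuthRequest request = new OAuthRequest(Verb.GET, USER_URL);
        service.signRequest(token, request);
        try (Response response = service.execute(request)) {
            if (response.getCode() != 200) {
                throw new IOException("GitHub returned HTTP " + response.getCode());
            }
            return response.getBody();
        }
    }

    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("set " + name + " in the environment");
        }
        return value;
    }

    // Run with no arguments to print the redirect URL and the state to keep; run again with
    // <code> <returned-state> <expected-state> taken from the callback to finish the flow.
    public static void main(String[] args) throws Exception {
        try (OAuth20Service service = buildService()) {
            if (args.length < 3) {
                String state = newState();
                System.out.println("state to keep: " + state);
                System.out.println("redirect user to: " + authorizationUrl(service, state));
                return;
            }
            OAuth2AccessToken token = exchangeCode(service, args[2], args[1], args[0]);
            System.out.println(fetchUser(service, token));
        }
    }
}
```

The state comparison is the part the step list leaves implicit: ScribeJava sends whatever state you give it and hands back whatever the provider returns, so the application must generate an unguessable value per login attempt and reject callbacks whose state does not match before calling getAccessToken(). In a web application the code and state come from the callback request's query parameters and the expected state from the user's session rather than from command-line arguments.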
Customize token response handling
- Create a token extractor class in scribejava-apis/src/main/java/com/github/scribejava/apis/<api-name>/ extending JsonTokenExtractor (scribejava-apis/src/main/java/com/github/scribejava/apis/slack/SlackJsonTokenExtractor.java)
- Override extractToken() to parse API-specific JSON fields into an OAuth2AccessToken (scribejava-apis/src/main/java/com/github/scribejava/apis/slack/SlackJsonTokenExtractor.java)
- Override getAccessTokenExtractor() in your API class to return the custom extractor instance (scribejava-apis/src/main/java/com/github/scribejava/apis/SlackApi.java)
🔧Why these technologies
- OAuth 1.0a & 2.0 protocols — Industry-standard authentication mechanisms; required to integrate with 80+ external APIs
- Java with fluent builder pattern — Simple, discoverable API; developers configure with minimal boilerplate (one-liner shown in README)
- JSON token extractors — Each API provider returns tokens in slightly different formats; custom extractors normalize parsing
- HTTP request wrapper (OAuthRequest) — Transparent signature injection and token header management across all OAuth flows
⚖️Trade-offs already made
- Pre-built API definitions for 80+ services vs. generic OAuth framework
  - Why: Developers need minimal code to integrate; each API has quirks (token format, endpoints, scopes)
  - Consequence: Large scribejava-apis module with many similar but slightly different integrations; maintenance burden for API changes
- Synchronous request model (no async/reactive by default)
  - Why: OAuth flow is inherently synchronous (user redirect → authorization → token exchange); simpler mental model
  - Consequence: Thread-blocking calls; may need custom adapters for reactive frameworks (scribejava-java8 module adds some async support)
- Separate core (scribejava-core) and APIs (scribejava-apis) modules
  - Why: Developers only need core for custom integrations; pre-built APIs are optional dependency
  - Consequence: Two Maven artifacts to manage; API integrations must wait for core releases
🚫Non-goals (don't propose these)
- Does not handle user credential storage or session management (OAuth token exchange only)
- Does not provide a web UI or HTTP server (library only; developer integrates with their framework)
- Does not implement OIDC or other identity protocols (OAuth 1.0a and 2.0 only)
- Does not handle rate limiting or API client libraries (token acquisition only)
🪤Traps & gotchas
No build-time secret injection required, but runtime examples need actual OAuth credentials (clientId/clientSecret) to work—test examples will fail without valid keys. Java 9+ required to compile from source despite Java 7 runtime support. Each HTTP client adapter module is optional; depending on wrong module causes classpath issues. OAuth 1.0a signature generation is sensitive to character encoding and parameter ordering—easy to get wrong in custom integrations. Async variants (scribejava-java8) use CompletableFuture; blocking code mixing will deadlock in thread pools.
🏗️Architecture
💡Concepts to learn
- OAuth 2.0 Authorization Code Flow — The dominant OAuth 2.0 flow for server-side apps; ScribeJava implements this via getAuthorizationBaseUrl() → redirect → token exchange pattern
- OAuth 1.0a Request Signing — Legacy but still-used flow (Twitter, LinkedIn v1) using HMAC-SHA1 signatures on requests; ScribeJava handles nonce generation and parameter ordering
- Token Refresh & Expiry Management — OAuth 2.0 access tokens expire; ScribeJava abstracts refresh token handling and automatic token renewal for long-lived integrations
- Pluggable HTTP Client Abstraction — ScribeJava supports 5+ HTTP client backends (okhttp, apache, ning, ahc, armeria) via optional modules; allows teams to use their existing HTTP stack without rewriting
- PKCE (Proof Key for Public Clients) — OAuth 2.0 extension securing authorization code flow for mobile/SPA apps via challenge-response codes; ScribeJava supports this for native Android clients
- Fluent Builder Pattern — ServiceBuilder uses method chaining for configuration (clientId → apiSecret → scope → build); reduces boilerplate vs constructor overloading
- CompletableFuture Async Model — Java 8+ optional module uses CompletableFuture for non-blocking OAuth token/API calls; critical for high-concurrency backend services
🔗Related repos
- spring-projects/spring-security-oauth — Spring's OAuth 2.0 authorization server and resource server implementations; complementary for server-side OAuth providers
- pac4j/pac4j — Multi-protocol authentication library (OAuth 1.0a, 2.0, SAML, OpenID) supporting many more providers but with heavier configuration
- FusionAuth/fusionauth-client-java — Client library for FusionAuth (standalone OAuth/OIDC server); represents the 'provider' side vs ScribeJava's 'consumer' role
- googleapis/google-auth-library-java — Google's official OAuth client library; ScribeJava's GoogleApi20 is a third-party wrapper around similar flows
- twitter/twitter-java — Twitter's official Java SDK with built-in OAuth 2.0 handling; competing approach to ScribeJava's abstraction
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add comprehensive integration tests for OAuth 1.0 vs OAuth 2.0 API implementations
The repo has 60+ API implementations (FacebookApi, TwitterApi, GitHubApi, etc.) but the file structure shows no dedicated test directory for scribejava-apis. With both OAuth 1.0 (TwitterApi, FlickrApi) and OAuth 2.0 (GoogleApi20, LinkedInApi20) implementations coexisting, integration tests would catch regressions when APIs update their endpoints or auth flows. This is high-value since OAuth providers frequently change requirements.
- [ ] Create scribejava-apis/src/test/java directory structure mirroring main
- [ ] Add parameterized tests covering OAuth 1.0 flow: TwitterApi, FlickrApi, TumblrApi
- [ ] Add parameterized tests covering OAuth 2.0 flow: GoogleApi20, GitHubApi, LinkedInApi20
- [ ] Test authorization URL generation, token exchange, and access token refresh for each variant
- [ ] Reference checkstyle.xml and pmd.xml for code style compliance
Create GitHub Actions CI workflow for matrix testing across HTTP client implementations
The repo has 5+ HTTP client implementations (scribejava-httpclient-okhttp, scribejava-httpclient-apache, scribejava-httpclient-armeria, etc.) but no visible CI workflow in .github/. Testing against all client implementations would catch compatibility regressions early. Current FUNDING.yml suggests active maintenance, making CI essential.
- [ ] Create .github/workflows/maven-test.yml with matrix strategy
- [ ] Include Java versions: 8, 11, 17, 21 (matching likely support matrix)
- [ ] Matrix test against each HTTP client module: okhttp, apache, ahc, ning, armeria
- [ ] Add checkstyle validation against checkstyle.xml
- [ ] Add PMD analysis against pmd.xml
- [ ] Run maven verify for all modules including scribejava-core and scribejava-apis
Add API endpoint validation and documentation for deprecated OAuth providers
The APIs list includes older services (DiggApi, FoursquareApi vs Foursquare2Api, SinaWeiboApi vs SinaWeiboApi20) suggesting some APIs are deprecated or updated. Create a maintenance matrix documenting endpoint status, last API version verified, and deprecation warnings. This prevents users from integrating with broken endpoints.
- [ ] Create docs/API_MAINTENANCE_STATUS.md documenting each API in scribejava-apis/src/main/java/com/github/scribejava/apis/
- [ ] Include columns: API Name, OAuth Version, Last Verified Date, Endpoint URL, Status (Active/Deprecated/Unmaintained)
- [ ] Add deprecation notices to JavaDoc of superseded classes (e.g., FoursquareApi with reference to Foursquare2Api)
- [ ] Update README.md with link to maintenance status document
- [ ] Flag APIs needing verification (DiggApi, ViadeoApi, UcozApi, etc.) for community verification
🌿Good first issues
- Add missing OAuth provider: Many modern services (Auth0, Twitch, Discord) lack native provider classes—create TwitchApi.java in scribejava-apis/src/main/java/com/github/scribejava/apis/ extending DefaultApi20, document endpoints in README.
- Write integration tests for HTTP client adapters: scribejava-httpclient-okhttp/ and scribejava-httpclient-apache/ modules exist but likely lack comprehensive test coverage—add parameterized tests verifying request/response handling across all 5 HTTP clients.
- Document async examples: scribejava-java8/ supports CompletableFuture but the examples folder only shows blocking patterns—add Google20AsyncExample.java and Facebook20AsyncExample.java showing .executeAsync() usage with proper error handling.
⭐Top contributors
📝Recent commits
- 8970e8e — Update donate.md (kullfar)
- b62f73a — Merge pull request #1040 from tipsy/patch-1 (kullfar)
- 9112e0b — update changelog and README.md to reflect already released v8.3.3 (kullfar)
- 314d431 — [maven-release-plugin] prepare for next development iteration (kullfar)
- 763a959 — [maven-release-plugin] prepare release scribejava-8.3.3 (kullfar)
- 77e0b8d — update dependencies, including security updates in libraries (kullfar)
- fcd3f46 — [maven-release-plugin] prepare for next development iteration (kullfar)
- 466f37c — [maven-release-plugin] prepare release scribejava-8.3.2 (kullfar)
- bda9ac6 — prepare v8.3.2 (kullfar)
- 8cb3790 — update github urls in pom.xml (kullfar)
🔒Security observations
- High · Incomplete Dependency Information — pom.xml - dependencies section. The pom.xml file shows truncated dependency declaration for Jackson (com.fasterxml.jackson.core). The version is not visible in the provided snippet, which could indicate use of outdated or vulnerable Jackson library versions. Jackson has had multiple security vulnerabilities in past versions, particularly in deserialization. Fix: Ensure Jackson dependencies are explicitly versioned to the latest stable version (3.x or latest 2.x). Use dependency management to control all Jackson versions across the project. Run 'mvn dependency:tree' and check against CVE databases for known vulnerabilities.
- High · OAuth Token Handling in Multiple API Implementations — scribejava-apis/src/main/java/com/github/scribejava/apis/*/. The codebase contains 70+ API implementation files with custom token extraction logic (FacebookAccessTokenJsonExtractor, FitBitJsonTokenExtractor, InstagramAccessTokenJsonExtractor, etc.). These custom extractors may not properly validate token responses or handle security-sensitive data, increasing risk of token injection or improper token storage. Fix: Implement standardized token validation and extraction following OAuth 2.0 Security Best Current Practices (RFC 6819). Ensure tokens are never logged, and are handled as sensitive data. Consider using a centralized, audited token extraction mechanism rather than per-API implementations.
- Medium · Potential Plaintext Credential Handling — README.md - example code. The README shows the API secret being passed directly to the ServiceBuilder in plaintext: '.apiSecret(YOUR_CLIENT_SECRET)'. While this is example code, it demonstrates a pattern that could encourage insecure credential handling by users of this library. The library may not enforce secure credential storage patterns. Fix: Document best practices for credential management. Recommend users store secrets in environment variables or secure vaults, not in source code. Consider adding utility methods for loading credentials from secure sources. Add warnings in the documentation about secure credential handling.
- Medium · Multiple HTTP Client Implementations Without Unified Security — pom.xml - modules list (scribejava-httpclient-*). The project includes multiple HTTP client implementations (scribejava-httpclient-ahc, okhttp, apache, armeria, ning). Each HTTP client may have different default SSL/TLS configurations, certificate validation policies, and timeout settings. Inconsistent security configurations across implementations could lead to vulnerabilities. Fix: Implement unified security configuration defaults across all HTTP client implementations. Enforce certificate validation, TLS 1.2+, proper timeout values, and request size limits uniformly. Create integration tests to verify security properties work identically across all implementations.
- Medium · No Visible Input Validation Framework — scribejava-apis/src/main/java/com/github/scribejava/apis/. With 70+ API implementations handling diverse OAuth provider responses, there's high risk of insufficient input validation on API responses. The custom JSON extractors could be vulnerable to malformed or malicious responses from OAuth providers or Man-in-the-Middle attacks. Fix: Implement schema validation for all OAuth provider responses using a library like JSON Schema. Add strict validation for critical fields (access_token, expires_in, etc.). Implement response size limits. Add comprehensive error handling for malformed responses.
- Low · Deprecated OAuth 1.0 Support — scribejava-apis/src/main/java/com/github/scribejava/apis/ - multiple legacy API implementations. The codebase appears to support both OAuth 1.0 and OAuth 2.0 (multiple Api vs Api20 classes). OAuth 1.0 is deprecated and has known security issues. Continued support may encourage users to use insecure authentication methods. Fix: Deprecate OAuth 1.0 implementations with clear warnings. Plan removal in a major version update. Document migration path to OAuth 2.0 for users still using OAuth 1.0 providers. Consider marking legacy APIs with @Deprecated annotation.
- Low · Missing Security Headers Configuration Documentation — Documentation and examples. No visible configuration for security headers (HSTS, X-Frame-Options, CSP, etc.) in the provided codebase structure. While this is a library, users may not know to implement these headers when using the OAuth service. Fix: Add documentation and examples showing how to properly configure security headers in applications using
LLM-derived; treat as a starting point, not a security audit.
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.