breaking : Remove redundant constructors from SecureCredentialsManager

[pmathew92]

Changes

This PR removes two redundant constructors from SecureCredentialsManager class making it less confusing for users while instantiating the class .
AuthenticationAPIClient already holds a reference to the Auth0 object, so passing both was always duplication.
Removing Auth0 also makes advanced client configuration like DPoP a natural part of setup: callers configure the client before passing it in, and the manager inherits that configuration automatically.

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. Since this library has unit testing, tests should be added for new functionality and existing tests should complete without errors.

• This change adds unit test coverage

• This change adds integration test coverage

• This change has been tested on the latest version of the platform/language or why not

Checklist

• I have read the Auth0 general contribution guidelines

• I have read the Auth0 Code of Conduct

• All existing and new tests complete without errors

[utkrishtsahu]

PR Review: Remove redundant constructors from SecureCredentialsManager

Summary

This PR removes the two Auth0-based constructors from SecureCredentialsManager, leaving only the AuthenticationAPIClient-based ones. The motivation is sound — AuthenticationAPIClient already holds an Auth0 reference, so accepting both was pure duplication, and this change makes DPoP configuration via useDPoP() a natural part of setup flow.

The documentation updates (migration guide, examples) are thorough and the new concurrency tests are a welcome addition.

---

Issues

1. Bundled behavioral change in CredentialsManager (medium concern)

The CredentialsManager public constructor (CredentialsManager.kt line ~45) was changed from:

Executors.newSingleThreadExecutor()  // each instance gets its own executor

to:

authenticationClient.executor  // shared executor from Auth0 instance

This is a separate behavioral change from the stated constructor removal. Previously, each CredentialsManager instance had an independent executor. Now, all CredentialsManager and SecureCredentialsManager instances sharing the same Auth0 object also share a single-thread executor, serializing all credential operations globally.

While the new test shouldSerializeGetCredentialsCallsAcrossCredentialsManagerAndSecureCredentialsManager validates this is intentional, this is a meaningful behavior change that:

• Could degrade performance if multiple credential managers are used concurrently (operations queue behind each other)
• Should be called out explicitly in the PR description and migration guide since it changes runtime behavior

Consider documenting this behavioral change separately, or splitting it into its own commit/PR so it's reviewable on its own merit.

2. ** Imp:** KDoc formatting (SecureCredentialsManager.kt)

The new doc comments use ** Imp:** This method is not thread safe (lines ~117, ~162). This uses markdown bold syntax inside KDoc, which may not render correctly in all documentation generators (e.g., Dokka). Consider using **Important:** This method is not thread safe or @implNote This method is not thread safe for better cross-tool compatibility.

3. @Throws(CredentialsManagerException::class) added to saveApiCredentials

A new @Throws annotation was added to saveApiCredentials (line ~171). This seems correct since the method uses CryptoUtil.encrypt() which can throw, but this annotation addition is unrelated to the constructor refactoring and should be called out.

---

Nits

• Line 991-992: The ?: existingCredentials.type was moved to the next line. While fine stylistically, this is an unrelated formatting change.
• PR title: breaking : has a space before the colon — minor convention issue, should be breaking:.
• Import ordering (AuthenticationAPIClient.kt): java.util.concurrent.Executor was added between androidx and com.auth0 imports. Verify this matches the project's import ordering convention (typically java.* imports go after other imports in Kotlin Android projects, but this varies).

---

What looks good

• Migration guide section is comprehensive with clear before/after examples for both Kotlin and Java
• EXAMPLES.md updates are thorough — all code samples correctly updated
• 4 new concurrency tests covering: multi-instance renewal, single-instance renewal, valid credential access, and cross-manager serialization — well thought out
• Sample app updated consistently
• Clean removal of the auth0 field from test setup (SecureCredentialsManagerTest)
• The internal val executor on AuthenticationAPIClient is appropriately scoped

Verdict

The constructor removal itself is clean and well-documented. The main concern is the bundled executor-sharing change in CredentialsManager which changes runtime behavior beyond what the PR title suggests. Consider either:

1. Splitting the executor change into a separate PR, or
2. Updating the PR description and migration guide to explicitly document the new shared-executor behavior and its implications.