@adobe/aio-commerce-lib-auth 0.8.1 → 1.0.1

package/dist/cjs/index.cjs

@@ -1 +1,765 @@
-const require_chunk=require(`./chunk-YD6SZpHm.cjs`);let _adobe_aio_commerce_lib_core_headers=require(`@adobe/aio-commerce-lib-core/headers`),valibot=require(`valibot`);valibot=require_chunk.n(valibot);let _adobe_aio_commerce_lib_core_error=require(`@adobe/aio-commerce-lib-core/error`),_adobe_aio_lib_ims=require(`@adobe/aio-lib-ims`);_adobe_aio_lib_ims=require_chunk.n(_adobe_aio_lib_ims);let crypto=require(`crypto`);crypto=require_chunk.n(crypto);let oauth_1_0a=require(`oauth-1.0a`);oauth_1_0a=require_chunk.n(oauth_1_0a);let _adobe_aio_commerce_lib_core_params=require(`@adobe/aio-commerce-lib-core/params`);function stringValueSchema(name){return valibot.string(`Expected a string value for '${name}'`)}function parseOrThrow(schema,input,message){let result=valibot.safeParse(schema,input);if(!result.success)throw new _adobe_aio_commerce_lib_core_error.CommerceSdkValidationError(message??`Invalid input`,{issues:result.issues});return result.output}const imsAuthParameter=name=>(0,valibot.pipe)((0,valibot.string)(`Expected a string value for the IMS auth parameter ${name}`),(0,valibot.nonEmpty)(`Expected a non-empty string value for the IMS auth parameter ${name}`)),stringArray=(name,minimumLength)=>(0,valibot.pipe)((0,valibot.array)((0,valibot.string)(),`Expected a string array value for the IMS auth parameter ${name}`),(0,valibot.minLength)(minimumLength,`Expected at least ${minimumLength} items for the IMS auth parameter ${name}`)),StringArrayTransformSchema=name=>(0,valibot.pipe)((0,valibot.union)([stringArray(name,1),(0,valibot.pipe)((0,valibot.string)(),(0,valibot.rawTransform)(({dataset:{value:v},addIssue,NEVER})=>{if(v.startsWith(`[`)&&v.endsWith(`]`))try{let parsed=JSON.parse(v);return Array.isArray(parsed)?parsed:(addIssue({received:v,message:`Expected a valid JSON array for the IMS auth parameter ${name}: ${v}`}),NEVER)}catch(error){let errorMessage=error.message;return addIssue({received:v,message:`Expected a valid JSON array for the IMS auth parameter ${name}: ${errorMessage}`}),NEVER}return[v]}))]),stringArray(`value`,1)),ImsAuthEnvSchema=(0,valibot.picklist)([`prod`,`stage`]),ImsAuthParamsSchema=(0,valibot.object)({clientId:imsAuthParameter(`clientId`),clientSecrets:stringArray(`clientSecrets`,1),technicalAccountId:imsAuthParameter(`technicalAccountId`),technicalAccountEmail:(0,valibot.pipe)((0,valibot.string)(`Expected a string value for the IMS auth parameter technicalAccountEmail`),(0,valibot.email)(`Expected a valid email format for technicalAccountEmail`)),imsOrgId:imsAuthParameter(`imsOrgId`),environment:(0,valibot.pipe)((0,valibot.optional)(ImsAuthEnvSchema)),context:(0,valibot.pipe)((0,valibot.optional)((0,valibot.string)())),scopes:stringArray(`scopes`,1)});function __transformStringArray(name,value){if(value===void 0)return;let result=(0,valibot.safeParse)(StringArrayTransformSchema(name),value);if(!result.success)throw new _adobe_aio_commerce_lib_core_error.CommerceSdkValidationError(`Invalid ImsAuthProvider configuration`,{issues:result.issues});return result.output}function __parseImsAuthParams(config){let result=(0,valibot.safeParse)(ImsAuthParamsSchema,config);if(!result.success)throw new _adobe_aio_commerce_lib_core_error.CommerceSdkValidationError(`Invalid ImsAuthProvider configuration`,{issues:result.issues});return result.output}function assertImsAuthParams(config){__parseImsAuthParams(config)}function resolveImsAuthParams(params){return __parseImsAuthParams({clientId:params.AIO_COMMERCE_AUTH_IMS_CLIENT_ID,clientSecrets:__transformStringArray(`AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS`,params.AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS),technicalAccountId:params.AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_ID,technicalAccountEmail:params.AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_EMAIL,imsOrgId:params.AIO_COMMERCE_AUTH_IMS_ORG_ID,scopes:__transformStringArray(`AIO_COMMERCE_AUTH_IMS_SCOPES`,params.AIO_COMMERCE_AUTH_IMS_SCOPES),environment:params.AIO_COMMERCE_AUTH_IMS_ENVIRONMENT,context:params.AIO_COMMERCE_AUTH_IMS_CONTEXT})}function buildImsHeaders(accessToken,apiKey){let imsHeaders={Authorization:`Bearer ${accessToken}`};return apiKey&&(imsHeaders[`x-api-key`]=apiKey),imsHeaders}const IMS_AUTH_TOKEN_PARAM=`AIO_COMMERCE_AUTH_IMS_TOKEN`,IMS_AUTH_API_KEY_PARAM=`AIO_COMMERCE_AUTH_IMS_API_KEY`,ImsAuthParamsInputSchema=valibot.looseObject({[IMS_AUTH_TOKEN_PARAM]:stringValueSchema(IMS_AUTH_TOKEN_PARAM),[IMS_AUTH_API_KEY_PARAM]:valibot.optional(stringValueSchema(IMS_AUTH_API_KEY_PARAM))}),ForwardedImsAuthSourceSchema=valibot.variant(`from`,[valibot.object({from:valibot.literal(`headers`),headers:valibot.record(valibot.string(),valibot.optional(valibot.string()))}),valibot.object({from:valibot.literal(`getter`),getHeaders:valibot.custom(input=>typeof input==`function`,`Expected a function for getHeaders`)}),valibot.object({from:valibot.literal(`params`),params:ImsAuthParamsInputSchema})]);function getForwardedImsAuthProvider(source){let validatedSource=parseOrThrow(ForwardedImsAuthSourceSchema,source,`Invalid forwarded IMS auth source`);switch(validatedSource.from){case`headers`:{let{authorization}=(0,_adobe_aio_commerce_lib_core_headers.createHeaderAccessor)(validatedSource.headers,[`Authorization`]),apiKey=(0,_adobe_aio_commerce_lib_core_headers.getHeader)(validatedSource.headers,`x-api-key`),{token}=(0,_adobe_aio_commerce_lib_core_headers.parseBearerToken)(authorization);return{getAccessToken:()=>token,getHeaders:()=>buildImsHeaders(token,apiKey)}}case`getter`:return{getHeaders:validatedSource.getHeaders,getAccessToken:async()=>{let{token}=(0,_adobe_aio_commerce_lib_core_headers.parseBearerToken)((await validatedSource.getHeaders()).Authorization);return token}};case`params`:{let{params}=validatedSource,accessToken=params[IMS_AUTH_TOKEN_PARAM],apiKey=params[IMS_AUTH_API_KEY_PARAM];return{getAccessToken:()=>accessToken,getHeaders:()=>buildImsHeaders(accessToken,apiKey)}}}}function forwardImsAuthProviderFromRequest(params){return getForwardedImsAuthProvider({from:`headers`,headers:(0,_adobe_aio_commerce_lib_core_headers.getHeadersFromParams)(params)})}function forwardImsAuthProviderFromParams(params){return getForwardedImsAuthProvider({from:`params`,params:parseOrThrow(ImsAuthParamsInputSchema,params,`Missing AIO_COMMERCE_AUTH_IMS_TOKEN in params`)})}function forwardImsAuthProvider(params){try{return forwardImsAuthProviderFromParams(params)}catch{}try{return forwardImsAuthProviderFromRequest(params)}catch{}throw Error(`Can't forward IMS authentication from the given params. Make sure your params contain an AIO_COMMERCE_AUTH_IMS_TOKEN input or an Authorization header with an IMS token.`)}const{context,getToken}=_adobe_aio_lib_ims.default;function toImsAuthConfig(config){return{scopes:config.scopes,env:config?.environment??`prod`,context:config.context??`aio-commerce-lib-auth-creds`,client_id:config.clientId,client_secrets:config.clientSecrets,technical_account_id:config.technicalAccountId,technical_account_email:config.technicalAccountEmail,ims_org_id:config.imsOrgId}}function isImsAuthProvider(provider){return typeof provider==`object`&&!!provider&&`getAccessToken`in provider&&`getHeaders`in provider&&typeof provider.getAccessToken==`function`&&typeof provider.getHeaders==`function`}function getImsAuthProvider(authParams){let getAccessToken=async()=>{let imsAuthConfig=toImsAuthConfig(authParams);return await context.set(imsAuthConfig.context,imsAuthConfig),getToken(imsAuthConfig.context,{})};return{getAccessToken,getHeaders:async()=>buildImsHeaders(await getAccessToken(),authParams.clientId)}}const integrationAuthParameter=name=>(0,valibot.pipe)((0,valibot.string)(`Expected a string value for the Commerce Integration parameter ${name}`),(0,valibot.nonEmpty)(`Expected a non-empty string value for the Commerce Integration parameter ${name}`)),BaseUrlSchema=(0,valibot.pipe)((0,valibot.string)(`Expected a string for the Adobe Commerce endpoint`),(0,valibot.nonEmpty)(`Expected a non-empty string for the Adobe Commerce endpoint`),(0,valibot.url)(`Expected a valid url for the Adobe Commerce endpoint`)),UrlSchema=(0,valibot.pipe)((0,valibot.union)([BaseUrlSchema,(0,valibot.instance)(URL)]),(0,valibot.transform)(url=>url instanceof URL?url.toString():url)),IntegrationAuthParamsSchema=(0,valibot.nonOptional)((0,valibot.object)({consumerKey:integrationAuthParameter(`consumerKey`),consumerSecret:integrationAuthParameter(`consumerSecret`),accessToken:integrationAuthParameter(`accessToken`),accessTokenSecret:integrationAuthParameter(`accessTokenSecret`)}));function isIntegrationAuthProvider(provider){return typeof provider==`object`&&!!provider&&`getHeaders`in provider&&typeof provider.getHeaders==`function`}function getIntegrationAuthProvider(authParams){let oauth=new oauth_1_0a.default({consumer:{key:authParams.consumerKey,secret:authParams.consumerSecret},signature_method:`HMAC-SHA256`,hash_function:(baseString,key)=>crypto.default.createHmac(`sha256`,key).update(baseString).digest(`base64`)}),oauthToken={key:authParams.accessToken,secret:authParams.accessTokenSecret};return{getHeaders:(method,url)=>{let urlString=(0,valibot.parse)(UrlSchema,url);return oauth.toHeader(oauth.authorize({url:urlString,method},oauthToken))}}}function __parseIntegrationAuthParams(config){let result=(0,valibot.safeParse)(IntegrationAuthParamsSchema,config);if(!result.success)throw new _adobe_aio_commerce_lib_core_error.CommerceSdkValidationError(`Invalid IntegrationAuthProvider configuration`,{issues:result.issues});return result.output}function assertIntegrationAuthParams(config){__parseIntegrationAuthParams(config)}function resolveIntegrationAuthParams(params){return __parseIntegrationAuthParams({consumerKey:params.AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_KEY,consumerSecret:params.AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_SECRET,accessToken:params.AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN,accessTokenSecret:params.AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN_SECRET})}const IMS_AUTH_PARAMS=[`AIO_COMMERCE_AUTH_IMS_CLIENT_ID`,`AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS`,`AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_ID`,`AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_EMAIL`,`AIO_COMMERCE_AUTH_IMS_ORG_ID`,`AIO_COMMERCE_AUTH_IMS_SCOPES`],INTEGRATION_AUTH_PARAMS=[`AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_KEY`,`AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_SECRET`,`AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN`,`AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN_SECRET`];function resolveAuthParams(params){if((0,_adobe_aio_commerce_lib_core_params.allNonEmpty)(params,IMS_AUTH_PARAMS))return{...resolveImsAuthParams(params),strategy:`ims`};if((0,_adobe_aio_commerce_lib_core_params.allNonEmpty)(params,INTEGRATION_AUTH_PARAMS))return{...resolveIntegrationAuthParams(params),strategy:`integration`};throw Error(`Can't resolve authentication options for the given params. Please provide either IMS options (${IMS_AUTH_PARAMS.join(`, `)}) or Commerce integration options (${INTEGRATION_AUTH_PARAMS.join(`, `)}).`)}exports.assertImsAuthParams=assertImsAuthParams,exports.assertIntegrationAuthParams=assertIntegrationAuthParams,exports.forwardImsAuthProvider=forwardImsAuthProvider,exports.getForwardedImsAuthProvider=getForwardedImsAuthProvider,exports.getImsAuthProvider=getImsAuthProvider,exports.getIntegrationAuthProvider=getIntegrationAuthProvider,exports.isImsAuthProvider=isImsAuthProvider,exports.isIntegrationAuthProvider=isIntegrationAuthProvider,exports.resolveAuthParams=resolveAuthParams;
+/**
+ * @license
+ *
+ * Copyright 2026 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_chunk = require('./chunk-DS2yp5vX.cjs');
+let _adobe_aio_commerce_lib_core_headers = require("@adobe/aio-commerce-lib-core/headers");
+let valibot = require("valibot");
+valibot = require_chunk.__toESM(valibot);
+let _adobe_aio_commerce_lib_core_error = require("@adobe/aio-commerce-lib-core/error");
+let _adobe_aio_lib_ims = require("@adobe/aio-lib-ims");
+_adobe_aio_lib_ims = require_chunk.__toESM(_adobe_aio_lib_ims);
+let crypto = require("crypto");
+crypto = require_chunk.__toESM(crypto);
+let oauth_1_0a = require("oauth-1.0a");
+oauth_1_0a = require_chunk.__toESM(oauth_1_0a);
+let _adobe_aio_commerce_lib_core_params = require("@adobe/aio-commerce-lib-core/params");
+
+//#region ../../packages-private/common-utils/source/valibot/schemas.ts
+/**
+* A schema for a string value.
+* @param name The name of the field this schema refers to.
+*/
+function stringValueSchema(name) {
+	return valibot.string(`Expected a string value for '${name}'`);
+}
+
+//#endregion
+//#region ../../packages-private/common-utils/source/valibot/utils.ts
+/**
+* Parses the input using the provided schema and throws a {@link CommerceSdkValidationError} error if the input is invalid.
+* @param schema - The schema to use for parsing.
+* @param input - The input to parse.
+* @param message - Optional custom error message for the validation error.
+*/
+function parseOrThrow(schema, input, message) {
+	const result = valibot.safeParse(schema, input);
+	if (!result.success) throw new _adobe_aio_commerce_lib_core_error.CommerceSdkValidationError(message ?? "Invalid input", { issues: result.issues });
+	return result.output;
+}
+
+//#endregion
+//#region source/lib/ims-auth/schema.ts
+/**
+* Creates a validation schema for a required IMS auth string parameter.
+* @param name The name of the parameter for error messages.
+* @returns A validation pipeline that ensures the parameter is a non-empty string.
+*/
+const imsAuthParameter = (name) => (0, valibot.pipe)((0, valibot.string)(`Expected a string value for the IMS auth parameter ${name}`), (0, valibot.nonEmpty)(`Expected a non-empty string value for the IMS auth parameter ${name}`));
+/**
+* Creates a validation schema for an IMS auth string array parameter.
+* @param name The name of the parameter for error messages.
+* @param minimumLength The minimum length of the array.
+* @returns A validation pipeline that ensures the parameter is an array of strings.
+*/
+const stringArray = (name, minimumLength) => {
+	return (0, valibot.pipe)((0, valibot.array)((0, valibot.string)(), `Expected a string array value for the IMS auth parameter ${name}`), (0, valibot.minLength)(minimumLength, `Expected at least ${minimumLength} items for the IMS auth parameter ${name}`));
+};
+/**
+* Schema for transforming a value that may be a JSON string array or a single string into an array.
+* This schema handles the transformation of App Builder action inputs that may come as JSON strings.
+*/
+const StringArrayTransformSchema = (name) => (0, valibot.pipe)((0, valibot.union)([stringArray(name, 1), (0, valibot.pipe)((0, valibot.string)(), (0, valibot.rawTransform)(({ dataset: { value: v }, addIssue, NEVER }) => {
+	if (v.startsWith("[") && v.endsWith("]")) try {
+		const parsed = JSON.parse(v);
+		if (!Array.isArray(parsed)) {
+			addIssue({
+				received: v,
+				message: `Expected a valid JSON array for the IMS auth parameter ${name}: ${v}`
+			});
+			return NEVER;
+		}
+		return parsed;
+	} catch (error) {
+		const errorMessage = error.message;
+		addIssue({
+			received: v,
+			message: `Expected a valid JSON array for the IMS auth parameter ${name}: ${errorMessage}`
+		});
+		return NEVER;
+	}
+	return [v];
+}))]), stringArray("value", 1));
+/** Validation schema for IMS auth environment values. */
+const ImsAuthEnvSchema = (0, valibot.picklist)(["prod", "stage"]);
+/** Defines the schema to validate the necessary parameters for the IMS auth service. */
+const ImsAuthParamsSchema = (0, valibot.object)({
+	clientId: imsAuthParameter("clientId"),
+	clientSecrets: stringArray("clientSecrets", 1),
+	technicalAccountId: imsAuthParameter("technicalAccountId"),
+	technicalAccountEmail: (0, valibot.pipe)((0, valibot.string)("Expected a string value for the IMS auth parameter technicalAccountEmail"), (0, valibot.email)("Expected a valid email format for technicalAccountEmail")),
+	imsOrgId: imsAuthParameter("imsOrgId"),
+	environment: (0, valibot.pipe)((0, valibot.optional)(ImsAuthEnvSchema)),
+	context: (0, valibot.pipe)((0, valibot.optional)((0, valibot.string)())),
+	scopes: stringArray("scopes", 1)
+});
+
+//#endregion
+//#region source/lib/ims-auth/utils.ts
+/**
+* Transforms a value using the string array transformation schema.
+* @param value - The value to transform (may be a JSON string, single string, or array).
+* @throws {CommerceSdkValidationError} If the transformation fails.
+*
+* @internal
+*/
+function __transformStringArray(name, value) {
+	if (value === void 0) return;
+	const result = (0, valibot.safeParse)(StringArrayTransformSchema(name), value);
+	if (!result.success) throw new _adobe_aio_commerce_lib_core_error.CommerceSdkValidationError("Invalid ImsAuthProvider configuration", { issues: result.issues });
+	return result.output;
+}
+/**
+* Parses the provided configuration for an {@link ImsAuthProvider}.
+* @param config - The configuration to parse.
+* @throws {CommerceSdkValidationError} If the configuration is invalid.
+*
+* @internal
+*/
+function __parseImsAuthParams(config) {
+	const result = (0, valibot.safeParse)(ImsAuthParamsSchema, config);
+	if (!result.success) throw new _adobe_aio_commerce_lib_core_error.CommerceSdkValidationError("Invalid ImsAuthProvider configuration", { issues: result.issues });
+	return result.output;
+}
+/**
+* Asserts the provided configuration for an {@link ImsAuthProvider}.
+* @param config The configuration to validate.
+* @throws {CommerceSdkValidationError} If the configuration is invalid.
+* @example
+* ```typescript
+* const config = {
+*   clientId: "your-client-id",
+*   clientSecrets: ["your-client-secret"],
+*   technicalAccountId: "your-technical-account-id",
+*   technicalAccountEmail: "your-account@example.com",
+*   imsOrgId: "your-ims-org-id@AdobeOrg",
+*   scopes: ["AdobeID", "openid"],
+*   environment: "prod", // or "stage"
+*   context: "my-app-context"
+* };
+*
+* // This will validate the config and throw if invalid
+* assertImsAuthParams(config);
+*```
+* @example
+* ```typescript
+* // Example of a failing assert:
+* try {
+*   assertImsAuthParams({
+*     clientId: "valid-client-id",
+*     // Missing required fields like clientSecrets, technicalAccountId, etc.
+*   });
+* } catch (error) {
+*   console.error(error.message); // "Invalid ImsAuthProvider configuration"
+*   console.error(error.issues); // Array of validation issues
+* }
+* ```
+*/
+function assertImsAuthParams(config) {
+	__parseImsAuthParams(config);
+}
+/**
+* Resolves an {@link ImsAuthParams} from the given App Builder action inputs.
+* @param params The App Builder action inputs to resolve the IMS authentication parameters from.
+* @throws {CommerceSdkValidationError} If the parameters are invalid and cannot be resolved.
+*
+* @example
+* ```typescript
+* // Some App Builder runtime action that needs IMS authentication
+* export function main(params) {
+*   const imsAuthProvider = getImsAuthProvider(resolveImsAuthParams(params));
+*
+*   // Get headers for API requests
+*   const headers = await authProvider.getHeaders();
+*   const response = await fetch('https://api.adobe.io/some-endpoint', {
+*     headers: await authProvider.getHeaders()
+*   });
+* }
+* ```
+*/
+function resolveImsAuthParams(params) {
+	return __parseImsAuthParams({
+		clientId: params.AIO_COMMERCE_AUTH_IMS_CLIENT_ID,
+		clientSecrets: __transformStringArray("AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS", params.AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS),
+		technicalAccountId: params.AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_ID,
+		technicalAccountEmail: params.AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_EMAIL,
+		imsOrgId: params.AIO_COMMERCE_AUTH_IMS_ORG_ID,
+		scopes: __transformStringArray("AIO_COMMERCE_AUTH_IMS_SCOPES", params.AIO_COMMERCE_AUTH_IMS_SCOPES),
+		environment: params.AIO_COMMERCE_AUTH_IMS_ENVIRONMENT,
+		context: params.AIO_COMMERCE_AUTH_IMS_CONTEXT
+	});
+}
+/**
+* Shorthand to build IMS authentication headers.
+* @param accessToken - The token to use in the Authorization header.
+* @param apiKey - The API key to include in the x-api-key header (optional).
+*/
+function buildImsHeaders(accessToken, apiKey) {
+	const imsHeaders = { Authorization: `Bearer ${accessToken}` };
+	if (apiKey) imsHeaders["x-api-key"] = apiKey;
+	return imsHeaders;
+}
+
+//#endregion
+//#region source/lib/ims-auth/forwarding.ts
+const IMS_AUTH_TOKEN_PARAM = "AIO_COMMERCE_AUTH_IMS_TOKEN";
+const IMS_AUTH_API_KEY_PARAM = "AIO_COMMERCE_AUTH_IMS_API_KEY";
+const ImsAuthParamsInputSchema = valibot.looseObject({
+	[IMS_AUTH_TOKEN_PARAM]: stringValueSchema(IMS_AUTH_TOKEN_PARAM),
+	[IMS_AUTH_API_KEY_PARAM]: valibot.optional(stringValueSchema(IMS_AUTH_API_KEY_PARAM))
+});
+const ForwardedImsAuthSourceSchema = valibot.variant("from", [
+	valibot.object({
+		from: valibot.literal("headers"),
+		headers: valibot.record(valibot.string(), valibot.optional(valibot.string()))
+	}),
+	valibot.object({
+		from: valibot.literal("getter"),
+		getHeaders: valibot.custom((input) => typeof input === "function", "Expected a function for getHeaders")
+	}),
+	valibot.object({
+		from: valibot.literal("params"),
+		params: ImsAuthParamsInputSchema
+	})
+]);
+/**
+* Creates an {@link ImsAuthProvider} by forwarding authentication credentials from various sources.
+*
+* @param source The source of the credentials to forward, as a {@link ForwardedImsAuthSource}.
+* @returns An {@link ImsAuthProvider} instance that returns the forwarded access token and headers.
+*
+* @throws {CommerceSdkValidationError} If the source object is invalid.
+* @throws {CommerceSdkValidationError} If `from: "headers"` is used and the `Authorization` header is missing.
+* @throws {CommerceSdkValidationError} If `from: "headers"` is used and the `Authorization` header is not in Bearer token format.
+* @throws {CommerceSdkValidationError} If `from: "params"` is used and `AIO_COMMERCE_AUTH_IMS_TOKEN` is missing or empty.
+*
+* @example
+* ```typescript
+* import { getForwardedImsAuthProvider } from "@adobe/aio-commerce-lib-auth";
+*
+* // From raw headers (e.g. from an HTTP request).
+* const provider1 = getForwardedImsAuthProvider({
+*   from: "headers",
+*   headers: params.__ow_headers,
+* });
+*
+* // From async getter (e.g. fetch from secret manager)
+* const provider2 = getForwardedImsAuthProvider({
+*   from: "getter",
+*   getHeaders: async () => {
+*     const token = await secretManager.getSecret("ims-token");
+*     return { Authorization: `Bearer ${token}` };
+*   },
+* });
+*
+* // From a params object (using AIO_COMMERCE_AUTH_IMS_TOKEN and AIO_COMMERCE_AUTH_IMS_API_KEY keys)
+* const provider3 = getForwardedImsAuthProvider({
+*   from: "params",
+*   params: actionParams,
+* });
+*
+* // Use the provider
+* const token = await provider1.getAccessToken();
+* const headers = await provider1.getHeaders();
+* ```
+*/
+function getForwardedImsAuthProvider(source) {
+	const validatedSource = parseOrThrow(ForwardedImsAuthSourceSchema, source, "Invalid forwarded IMS auth source");
+	switch (validatedSource.from) {
+		case "headers": {
+			const { authorization } = (0, _adobe_aio_commerce_lib_core_headers.createHeaderAccessor)(validatedSource.headers, ["Authorization"]);
+			const apiKey = (0, _adobe_aio_commerce_lib_core_headers.getHeader)(validatedSource.headers, "x-api-key");
+			const { token } = (0, _adobe_aio_commerce_lib_core_headers.parseBearerToken)(authorization);
+			return {
+				getAccessToken: () => token,
+				getHeaders: () => buildImsHeaders(token, apiKey)
+			};
+		}
+		case "getter": return {
+			getHeaders: validatedSource.getHeaders,
+			getAccessToken: async () => {
+				const { token } = (0, _adobe_aio_commerce_lib_core_headers.parseBearerToken)((await validatedSource.getHeaders()).Authorization);
+				return token;
+			}
+		};
+		case "params": {
+			const { params } = validatedSource;
+			const accessToken = params[IMS_AUTH_TOKEN_PARAM];
+			const apiKey = params[IMS_AUTH_API_KEY_PARAM];
+			return {
+				getAccessToken: () => accessToken,
+				getHeaders: () => buildImsHeaders(accessToken, apiKey)
+			};
+		}
+	}
+}
+/**
+* Creates an {@link ImsAuthProvider} by forwarding authentication credentials from incoming
+* runtime action request headers.
+*
+* This is a convenience wrapper around {@link getForwardedImsAuthProvider} for the common case
+* of forwarding credentials from Adobe I/O Runtime action parameters.
+*
+* @param params The runtime action parameters containing the `__ow_headers` object with authentication headers.
+* @returns An {@link ImsAuthProvider} instance that returns the forwarded access token and headers.
+*
+* @throws {Error} If the `Authorization` header is missing from the request headers.
+* @throws {Error} If the `Authorization` header is not in the correct Bearer token format.
+*
+* @example
+* ```typescript
+* import { forwardImsAuthProviderFromRequest } from "@adobe/aio-commerce-lib-auth";
+*
+* // In an Adobe I/O Runtime action
+* async function main(params) {
+*   // params.__ow_headers contains: { Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."}
+*
+*   // Forward the authentication from the incoming request
+*   const authProvider = forwardImsAuthProviderFromRequest(params);
+*
+*   // Get the forwarded access token
+*   const token = await authProvider.getAccessToken();
+*   console.log(token); // "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
+*
+*   // Get headers for downstream API requests
+*   const headers = await authProvider.getHeaders();
+*   console.log(headers);
+*   // {
+*   //   Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
+*   //   "x-api-key": "client-id-from-request" // Only if present in original request
+*   // }
+*
+*   // Use the forwarded credentials in downstream API calls
+*   const response = await fetch('...', {
+*     headers: await authProvider.getHeaders()
+*   });
+*
+*   return { statusCode: 200, body: await response.json() };
+* }
+* ```
+*/
+function forwardImsAuthProviderFromRequest(params) {
+	return getForwardedImsAuthProvider({
+		from: "headers",
+		headers: (0, _adobe_aio_commerce_lib_core_headers.getHeadersFromParams)(params)
+	});
+}
+/**
+* Creates an {@link ImsAuthProvider} by forwarding authentication credentials from a params object.
+*
+* This is a convenience wrapper around {@link getForwardedImsAuthProvider} for the common case
+* of forwarding credentials from runtime action parameters. It reads:
+* - `AIO_COMMERCE_AUTH_IMS_TOKEN` for the access token (required)
+* - `AIO_COMMERCE_AUTH_IMS_API_KEY` for the API key (optional)
+*
+* @param params The params object containing the authentication credentials.
+* @returns An {@link ImsAuthProvider} instance that returns the access token and headers from the params.
+*
+* @throws {CommerceSdkValidationError} If `AIO_COMMERCE_AUTH_IMS_TOKEN` is not set or is empty.
+*
+* @example
+* ```typescript
+* import { forwardImsAuthProviderFromParams } from "@adobe/aio-commerce-lib-auth";
+*
+* // In an Adobe I/O Runtime action
+* async function main(params) {
+*   // params contains: { AIO_COMMERCE_AUTH_IMS_TOKEN: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..." }
+*   const authProvider = forwardImsAuthProviderFromParams(params);
+*
+*   // Get the access token
+*   const token = await authProvider.getAccessToken();
+*
+*   // Get headers for downstream API requests
+*   const headers = await authProvider.getHeaders();
+*   // {
+*   //   Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
+*   //   "x-api-key": "my-api-key" // Only if AIO_COMMERCE_AUTH_IMS_API_KEY is set
+*   // }
+* }
+* ```
+*/
+function forwardImsAuthProviderFromParams(params) {
+	return getForwardedImsAuthProvider({
+		from: "params",
+		params: parseOrThrow(ImsAuthParamsInputSchema, params, "Missing AIO_COMMERCE_AUTH_IMS_TOKEN in params")
+	});
+}
+/**
+* Creates an {@link ImsAuthProvider} by forwarding authentication credentials from runtime action parameters.
+*
+* This function automatically detects the source of credentials by trying multiple strategies in order:
+* 1. **Params token** - Looks for `AIO_COMMERCE_AUTH_IMS_TOKEN` (and optionally `AIO_COMMERCE_AUTH_IMS_API_KEY`) in the params object
+* 2. **HTTP headers** - Falls back to extracting the `Authorization` header from `__ow_headers`
+*
+* Use this function when building actions that receive authenticated requests and need to forward
+* those credentials to downstream services (proxy pattern).
+*
+* @param params The runtime action parameters object. Can contain either:
+*   - `AIO_COMMERCE_AUTH_IMS_TOKEN` and optionally `AIO_COMMERCE_AUTH_IMS_API_KEY` for direct token forwarding
+*   - `__ow_headers` with an `Authorization` header for HTTP request forwarding
+* @returns An {@link ImsAuthProvider} instance that returns the forwarded access token and headers.
+*
+* @throws {Error} If neither a valid token param nor Authorization header is found.
+*
+* @example
+* ```typescript
+* import { forwardImsAuthProvider } from "@adobe/aio-commerce-lib-auth";
+*
+* export async function main(params: Record<string, unknown>) {
+*   // Automatically detects credentials from params or headers
+*   const authProvider = forwardImsAuthProvider(params);
+*
+*   // Get the access token
+*   const token = await authProvider.getAccessToken();
+*
+*   // Get headers for downstream API requests
+*   const headers = await authProvider.getHeaders();
+*   // {
+*   //   Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
+*   //   "x-api-key": "my-api-key" // Only if available
+*   // }
+*
+*   // Use the forwarded credentials in downstream API calls
+*   const response = await fetch("https://api.adobe.io/some-endpoint", {
+*     headers,
+*   });
+*
+*   return { statusCode: 200, body: await response.json() };
+* }
+* ```
+*/
+function forwardImsAuthProvider(params) {
+	try {
+		return forwardImsAuthProviderFromParams(params);
+	} catch {}
+	try {
+		return forwardImsAuthProviderFromRequest(params);
+	} catch {}
+	throw new Error("Can't forward IMS authentication from the given params. Make sure your params contain an AIO_COMMERCE_AUTH_IMS_TOKEN input or an Authorization header with an IMS token.");
+}
+
+//#endregion
+//#region source/lib/ims-auth/provider.ts
+const { context, getToken } = _adobe_aio_lib_ims.default;
+/**
+* Converts IMS auth configuration properties to snake_case format.
+* @param config The IMS auth configuration with camelCase properties.
+* @returns The configuration with snake_case properties.
+*/
+function toImsAuthConfig(config) {
+	return {
+		scopes: config.scopes,
+		env: config?.environment ?? "prod",
+		context: config.context ?? "aio-commerce-lib-auth-creds",
+		client_id: config.clientId,
+		client_secrets: config.clientSecrets,
+		technical_account_id: config.technicalAccountId,
+		technical_account_email: config.technicalAccountEmail,
+		ims_org_id: config.imsOrgId
+	};
+}
+/**
+* Type guard to check if a value is an ImsAuthProvider instance.
+*
+* @param provider The value to check.
+* @returns `true` if the value is an ImsAuthProvider, `false` otherwise.
+*
+* @example
+* ```typescript
+* import { getImsAuthProvider, isImsAuthProvider } from "@adobe/aio-commerce-lib-auth";
+*
+* // Imagine you have an object that it's not strictly typed as ImsAuthProvider.
+* const provider = getImsAuthProvider({ ... }) as unknown;
+*
+* if (isImsAuthProvider(provider)) {
+*   // TypeScript knows provider is ImsAuthProvider
+*   const token = await provider.getAccessToken();
+* }
+* ```
+*/
+function isImsAuthProvider(provider) {
+	return typeof provider === "object" && provider !== null && "getAccessToken" in provider && "getHeaders" in provider && typeof provider.getAccessToken === "function" && typeof provider.getHeaders === "function";
+}
+/**
+* Creates an {@link ImsAuthProvider} based on the provided configuration.
+* @param authParams An {@link ImsAuthParams} parameter that contains the configuration for the {@link ImsAuthProvider}.
+* @returns An {@link ImsAuthProvider} instance that can be used to get access token and auth headers.
+* @example
+* ```typescript
+* const config = {
+*   clientId: "your-client-id",
+*   clientSecrets: ["your-client-secret"],
+*   technicalAccountId: "your-technical-account-id",
+*   technicalAccountEmail: "your-account@example.com",
+*   imsOrgId: "your-ims-org-id@AdobeOrg",
+*   scopes: ["AdobeID", "openid"],
+*   environment: "prod",
+*   context: "my-app-context"
+* };
+*
+* const authProvider = getImsAuthProvider(config);
+*
+* // Get access token
+* const token = await authProvider.getAccessToken();
+* console.log(token); // "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
+*
+* // Get headers for API requests
+* const headers = await authProvider.getHeaders();
+* console.log(headers);
+* // {
+* //   Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
+* //   "x-api-key": "your-client-id"
+* // }
+*
+* // Use headers in API calls
+* const response = await fetch('https://api.adobe.io/some-endpoint', {
+*   headers: await authProvider.getHeaders()
+* });
+* ```
+*/
+function getImsAuthProvider(authParams) {
+	const getAccessToken = async () => {
+		const imsAuthConfig = toImsAuthConfig(authParams);
+		await context.set(imsAuthConfig.context, imsAuthConfig);
+		return getToken(imsAuthConfig.context, {});
+	};
+	const getHeaders = async () => {
+		return buildImsHeaders(await getAccessToken(), authParams.clientId);
+	};
+	return {
+		getAccessToken,
+		getHeaders
+	};
+}
+
+//#endregion
+//#region source/lib/integration-auth/schema.ts
+/**
+* Creates a validation schema for a required Commerce Integration string parameter.
+* @param name The name of the parameter for error messages.
+* @returns A validation pipeline that ensures the parameter is a non-empty string.
+*/
+const integrationAuthParameter = (name) => (0, valibot.pipe)((0, valibot.string)(`Expected a string value for the Commerce Integration parameter ${name}`), (0, valibot.nonEmpty)(`Expected a non-empty string value for the Commerce Integration parameter ${name}`));
+/** Validation schema for the Adobe Commerce endpoint base URL. */
+const BaseUrlSchema = (0, valibot.pipe)((0, valibot.string)("Expected a string for the Adobe Commerce endpoint"), (0, valibot.nonEmpty)("Expected a non-empty string for the Adobe Commerce endpoint"), (0, valibot.url)("Expected a valid url for the Adobe Commerce endpoint"));
+/** Validation schema that accepts either a URL string or URL instance and normalizes to string. */
+const UrlSchema = (0, valibot.pipe)((0, valibot.union)([BaseUrlSchema, (0, valibot.instance)(URL)]), (0, valibot.transform)((url) => {
+	if (url instanceof URL) return url.toString();
+	return url;
+}));
+/**
+* The schema for the Commerce Integration parameters.
+* This is used to validate the parameters passed to the Commerce Integration provider.
+*/
+const IntegrationAuthParamsSchema = (0, valibot.nonOptional)((0, valibot.object)({
+	consumerKey: integrationAuthParameter("consumerKey"),
+	consumerSecret: integrationAuthParameter("consumerSecret"),
+	accessToken: integrationAuthParameter("accessToken"),
+	accessTokenSecret: integrationAuthParameter("accessTokenSecret")
+}));
+
+//#endregion
+//#region source/lib/integration-auth/provider.ts
+/**
+* Type guard to check if a value is an IntegrationAuthProvider instance.
+*
+* @param provider The value to check.
+* @returns `true` if the value is an IntegrationAuthProvider, `false` otherwise.
+*
+* @example
+* ```typescript
+* import { getIntegrationAuthProvider, isIntegrationAuthProvider } from "@adobe/aio-commerce-lib-auth";
+*
+* // Imagine you have an object that it's not strictly typed as IntegrationAuthProvider.
+* const provider = getIntegrationAuthProvider({ ... }) as unknown;
+*
+* if (isIntegrationAuthProvider(provider)) {
+*   // TypeScript knows provider is IntegrationAuthProvider
+*   const headers = provider.getHeaders("GET", "https://api.example.com");
+* }
+* ```
+*/
+function isIntegrationAuthProvider(provider) {
+	return typeof provider === "object" && provider !== null && "getHeaders" in provider && typeof provider.getHeaders === "function";
+}
+/**
+* Creates an {@link IntegrationAuthProvider} based on the provided configuration.
+* @param authParams The configuration for the integration.
+* @returns An {@link IntegrationAuthProvider} instance that can be used to get auth headers.
+* @example
+* ```typescript
+* const config = {
+*   consumerKey: "your-consumer-key",
+*   consumerSecret: "your-consumer-secret",
+*   accessToken: "your-access-token",
+*   accessTokenSecret: "your-access-token-secret"
+* };
+*
+* const authProvider = getIntegrationAuthProvider(config);
+*
+* // Get OAuth headers for a REST API call
+* const headers = authProvider.getHeaders("GET", "https://your-store.com/rest/V1/products");
+* console.log(headers); // { Authorization: "OAuth oauth_consumer_key=..., oauth_signature=..." }
+*
+* // Can also be used with URL objects
+* const url = new URL("https://your-store.com/rest/V1/customers");
+* const postHeaders = authProvider.getHeaders("POST", url);
+* ```
+*/
+function getIntegrationAuthProvider(authParams) {
+	const oauth = new oauth_1_0a.default({
+		consumer: {
+			key: authParams.consumerKey,
+			secret: authParams.consumerSecret
+		},
+		signature_method: "HMAC-SHA256",
+		hash_function: (baseString, key) => crypto.default.createHmac("sha256", key).update(baseString).digest("base64")
+	});
+	const oauthToken = {
+		key: authParams.accessToken,
+		secret: authParams.accessTokenSecret
+	};
+	return { getHeaders: (method, url) => {
+		const urlString = (0, valibot.parse)(UrlSchema, url);
+		return oauth.toHeader(oauth.authorize({
+			url: urlString,
+			method
+		}, oauthToken));
+	} };
+}
+
+//#endregion
+//#region source/lib/integration-auth/utils.ts
+/**
+* Parses the provided configuration for an {@link IntegrationAuthProvider}.
+* @param config - The configuration to parse.
+* @throws {CommerceSdkValidationError} If the configuration is invalid.
+*
+* @internal
+*/
+function __parseIntegrationAuthParams(config) {
+	const result = (0, valibot.safeParse)(IntegrationAuthParamsSchema, config);
+	if (!result.success) throw new _adobe_aio_commerce_lib_core_error.CommerceSdkValidationError("Invalid IntegrationAuthProvider configuration", { issues: result.issues });
+	return result.output;
+}
+/**
+* Asserts the provided configuration for an Adobe Commerce {@link IntegrationAuthProvider}.
+* @param config The configuration to validate.
+* @throws {CommerceSdkValidationError} If the configuration is invalid.
+* @example
+* ```typescript
+* const config = {
+*   consumerKey: "your-consumer-key",
+*   consumerSecret: "your-consumer-secret",
+*   accessToken: "your-access-token",
+*   accessTokenSecret: "your-access-token-secret"
+* };
+*
+* // This will validate the config and throw if invalid
+* assertIntegrationAuthParams(config);
+* ```
+* @example
+* ```typescript
+* // Example of a failing assert:
+* try {
+*   assertIntegrationAuthParams({
+*     consumerKey: "valid-consumer-key",
+*     // Missing required fields like consumerSecret, accessToken, accessTokenSecret
+*   });
+* } catch (error) {
+*   console.error(error.message); // "Invalid IntegrationAuthProvider configuration"
+*   console.error(error.issues); // Array of validation issues
+* }
+* ```
+*/
+function assertIntegrationAuthParams(config) {
+	__parseIntegrationAuthParams(config);
+}
+/**
+* Resolves an {@link IntegrationAuthParams} from the given App Builder action inputs.
+* @param params The App Builder action inputs to resolve the Integration authentication parameters from.
+* @throws {CommerceSdkValidationError} If the parameters are invalid and cannot be resolved.
+*
+* @example
+* ```typescript
+* export function main(params) {
+*   const resolvedParams = resolveIntegrationAuthParams(params);
+*   console.log(resolvedParams); // { consumerKey: "your-consumer-key", consumerSecret: "your-consumer-secret", accessToken: "your-access-token", accessTokenSecret: "your-access-token-secret" }
+* }
+* ```
+*/
+function resolveIntegrationAuthParams(params) {
+	return __parseIntegrationAuthParams({
+		consumerKey: params.AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_KEY,
+		consumerSecret: params.AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_SECRET,
+		accessToken: params.AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN,
+		accessTokenSecret: params.AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN_SECRET
+	});
+}
+
+//#endregion
+//#region source/lib/utils.ts
+const IMS_AUTH_PARAMS = [
+	"AIO_COMMERCE_AUTH_IMS_CLIENT_ID",
+	"AIO_COMMERCE_AUTH_IMS_CLIENT_SECRETS",
+	"AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_ID",
+	"AIO_COMMERCE_AUTH_IMS_TECHNICAL_ACCOUNT_EMAIL",
+	"AIO_COMMERCE_AUTH_IMS_ORG_ID",
+	"AIO_COMMERCE_AUTH_IMS_SCOPES"
+];
+const INTEGRATION_AUTH_PARAMS = [
+	"AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_KEY",
+	"AIO_COMMERCE_AUTH_INTEGRATION_CONSUMER_SECRET",
+	"AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN",
+	"AIO_COMMERCE_AUTH_INTEGRATION_ACCESS_TOKEN_SECRET"
+];
+/**
+* Automatically detects and resolves authentication parameters from App Builder action inputs.
+* Attempts to resolve IMS authentication first, then falls back to Integration authentication.
+*
+* @param params The App Builder action inputs containing authentication parameters.
+* @throws {CommerceSdkValidationError} If the parameters are invalid.
+* @throws {Error} If neither IMS nor Integration authentication parameters can be resolved.
+* @example
+* ```typescript
+* // Automatic detection (will use IMS if IMS params are present, otherwise Integration)
+* export function main(params) {
+*   const authProvider = resolveAuthParams(params);
+*   console.log(authProvider.strategy); // "ims" or "integration"
+* }
+* ```
+*/
+function resolveAuthParams(params) {
+	if ((0, _adobe_aio_commerce_lib_core_params.allNonEmpty)(params, IMS_AUTH_PARAMS)) return {
+		...resolveImsAuthParams(params),
+		strategy: "ims"
+	};
+	if ((0, _adobe_aio_commerce_lib_core_params.allNonEmpty)(params, INTEGRATION_AUTH_PARAMS)) return {
+		...resolveIntegrationAuthParams(params),
+		strategy: "integration"
+	};
+	throw new Error(`Can't resolve authentication options for the given params. Please provide either IMS options (${IMS_AUTH_PARAMS.join(", ")}) or Commerce integration options (${INTEGRATION_AUTH_PARAMS.join(", ")}).`);
+}
+
+//#endregion
+exports.assertImsAuthParams = assertImsAuthParams;
+exports.assertIntegrationAuthParams = assertIntegrationAuthParams;
+exports.forwardImsAuthProvider = forwardImsAuthProvider;
+exports.getForwardedImsAuthProvider = getForwardedImsAuthProvider;
+exports.getImsAuthProvider = getImsAuthProvider;
+exports.getIntegrationAuthProvider = getIntegrationAuthProvider;
+exports.isImsAuthProvider = isImsAuthProvider;
+exports.isIntegrationAuthProvider = isIntegrationAuthProvider;
+exports.resolveAuthParams = resolveAuthParams;
+exports.resolveImsAuthParams = resolveImsAuthParams;