@agentpress/sdk 0.2.114 → 0.3.0

package/dist/index.d.mts

@@ -11,11 +11,106 @@ interface AgentPressOptions {
   timeout?: number;
   /** Organization identifier sent with requests. @default "default-org" */
   org?: string;
+  /**
+   * Partner MCP Spec v1 configuration. Required only if you call
+   * {@link PartnersClient.verifyToken} or {@link WebhooksClient.verifyKeyRotation}.
+   *
+   * Each environment (staging / production) needs its own {@link AgentPress}
+   * instance with its own `partnerMcp` block — never share a client between
+   * environments. JWKS cache state is per-instance, so side-by-side staging
+   * and prod clients have no cross-talk.
+   */
+  partnerMcp?: PartnerMcpOptions;
   /** Hook called before every outbound HTTP request (useful for logging/tracing). */
   onRequest?: (url: string, init: RequestInit) => void;
   /** Hook called after every HTTP response is received. */
   onResponse?: (url: string, response: Response) => void;
 }
+/** Partner MCP Spec v1 configuration. See {@link AgentPressOptions.partnerMcp}. */
+interface PartnerMcpOptions {
+  /**
+   * Full URL to the issuing AgentPress org's JWKS.
+   * Per-org as of Partner MCP Spec v1 (per-org signing keys), e.g.
+   * `https://api.agent.press/orgs/<org-slug>/.well-known/jwks.json`.
+   * The org admin who registered you as a partner will give you the
+   * exact URL along with their `<org-slug>`.
+   */
+  jwksUrl: string;
+  /**
+   * Exact match for the JWT `iss` claim. Per-org scoped, e.g.
+   * `https://api.agent.press/orgs/<org-slug>`. The JWKS URL above is
+   * always `<issuer>/.well-known/jwks.json`.
+   */
+  issuer: string;
+  /** Exact match for the JWT `aud` claim — your partner MCP's stable URL. */
+  audience: string;
+  /** Required value for the `ext_provider` claim, e.g. `"localfalcon"`. */
+  expectedExtProvider: string;
+  /**
+   * Clock skew tolerance for `iat` / `exp` validation. Accepts a jose duration
+   * string (`"30s"`, `"1m"`) or a number of seconds.
+   * @default "30s"
+   */
+  clockTolerance?: string | number;
+  /**
+   * JWKS cache max age in milliseconds. Cache is per-instance, not module-global.
+   * @default 3_600_000 (1 hour)
+   */
+  jwksCacheMaxAgeMs?: number;
+}
+/** A verified Partner MCP Spec v1 JWT claim set. */
+interface PartnerTokenClaims {
+  /** The external user id (verified non-empty). */
+  sub: string;
+  /** Space-separated scope string, per RFC 8693. May be empty but always present. */
+  scope: string;
+  /** External auth provider name; verified against {@link PartnerMcpOptions.expectedExtProvider}. */
+  ext_provider: string;
+  /** Unique token id. Non-empty. Partners build replay caches keyed by this. */
+  jti: string;
+  /** Already validated against {@link PartnerMcpOptions.issuer}; returned for audit logs. */
+  iss: string;
+  /** Already validated against {@link PartnerMcpOptions.audience}; returned for audit logs. */
+  aud: string;
+  /** Unix seconds. */
+  iat: number;
+  /** Unix seconds. */
+  exp: number;
+  /** AgentPress org identifier, optional. */
+  org_id?: string;
+  /** AgentPress thread identifier, optional. */
+  thread_id?: string;
+  /** Reserved for multi-tenant partner flows. */
+  settings_id?: string;
+  /** Forward-compat: any additional claims pass through. */
+  [key: string]: unknown;
+}
+/** Parameters for {@link WebhooksClient.verifyKeyRotation}. */
+interface KeyRotationVerifyParams {
+  /** Raw request body (string or Buffer) — must not be parsed/modified. */
+  payload: string | Buffer;
+  /**
+   * Incoming HTTP headers. Accepts plain `Record<string, string | undefined>`
+   * so Hono / Fastify / Express / Fetch / Worker all work interchangeably.
+   * Must include `x-agentpress-signature` and `x-agentpress-timestamp`.
+   */
+  headers: Record<string, string | undefined>;
+}
+/** A verified `signing_key_rotation` webhook payload. */
+interface KeyRotationEvent {
+  event: "signing_key_rotation";
+  type: "scheduled" | "emergency";
+  retiredKid: string;
+  newCurrentKid: string;
+  /** ISO 8601 timestamp. */
+  retiredAt: string;
+  /** ISO 8601 timestamp. */
+  effectiveAt: string;
+  /** Matches the configured partner JWKS URL. */
+  jwksUrl: string;
+  /** Present only on `type: "emergency"` rotations. */
+  reason?: string;
+}
 /** Parameters for {@link WebhooksClient.send}. */
 interface WebhookSendParams {
   /** Webhook action name (matches an action rule on the server). */
@@ -219,9 +314,19 @@ interface ResolvedOptions {
   org: string;
   webhookSecret?: string;
   apiKey?: string;
+  partnerMcp?: ResolvedPartnerMcpOptions;
   onRequest?: AgentPressOptions["onRequest"];
   onResponse?: AgentPressOptions["onResponse"];
 }
+/** @internal Resolved (validated, defaulted) partner MCP options. */
+interface ResolvedPartnerMcpOptions {
+  jwksUrl: string;
+  issuer: string;
+  audience: string;
+  expectedExtProvider: string;
+  clockTolerance: string | number;
+  jwksCacheMaxAgeMs: number;
+}
 //#endregion
 //#region src/http.d.ts
 /**
@@ -291,6 +396,44 @@ declare class ActionsClient {
   private manage;
 }
 //#endregion
+//#region src/partners/client.d.ts
+/**
+ * Client for Partner MCP Spec v1 helpers. Created automatically when
+ * {@link AgentPressOptions.partnerMcp} is provided.
+ *
+ * State (JWKS cache) is per-instance, NOT module-global, so staging and
+ * production clients can run side-by-side without cross-talk.
+ */
+declare class PartnersClient {
+  private readonly options;
+  private readonly partnerMcp;
+  private jwks;
+  private jwksKeyFn;
+  constructor(options: ResolvedOptions);
+  /**
+   * Verify an inbound Partner MCP Spec v1 JWT against AgentPress's JWKS.
+   *
+   * Enforces the full spec: `algorithms: ["EdDSA"]` pinned; `iss`, `aud`,
+   * `ext_provider` validated; `sub`, `jti`, `scope` required and non-empty;
+   * `kid` header required; `exp` / `iat` validated with ±30s skew (configurable).
+   *
+   * @param token - Bare JWT string (no `Bearer ` prefix).
+   * @returns Typed {@link PartnerTokenClaims}.
+   * @throws {PartnerTokenError} with a typed `reason` for RFC 6750 mapping.
+   * @throws {ConfigurationError} if `partnerMcp` is not configured.
+   */
+  verifyToken(token: string): Promise<PartnerTokenClaims>;
+  /**
+   * Force the JWKS cache to refetch immediately. Call this from your
+   * `signing_key_rotation` webhook handler after verifying the webhook —
+   * otherwise the cache picks up new keys on the next `kid` miss (which
+   * works, but with one failed verify latency penalty).
+   */
+  refreshJwks(): Promise<void>;
+  private requireConfig;
+  private getJwks;
+}
+//#endregion
 //#region src/userApprovals/client.d.ts
 /**
  * Client for managing per-user auto-approval rules — the SDK equivalent of the
@@ -406,6 +549,16 @@ declare class WebhooksClient {
    * @throws AgentPressError if payload is not valid JSON
    */
   constructEvent(params: WebhookVerifyParams): ActionCallbackPayload;
+  /**
+   * Verify an inbound `signing_key_rotation` webhook (HMAC-SHA256 + timestamp
+   * + typed payload) from AgentPress. See the Partner MCP Spec v1 for the
+   * full contract.
+   *
+   * @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping
+   *   (401 for signature errors, 400 for malformed payload, 413 for oversize).
+   * @throws {ConfigurationError} if `webhookSecret` is not configured.
+   */
+  verifyKeyRotation(params: KeyRotationVerifyParams): KeyRotationEvent;
 }
 //#endregion
 //#region src/client.d.ts
@@ -431,6 +584,8 @@ declare class AgentPress {
   readonly actions: ActionsClient;
   /** Per-user auto-approval rules (read / create / update / delete). */
   readonly userApprovals: UserApprovalsClient;
+  /** Partner MCP Spec v1 helpers (inbound JWT verification, JWKS refresh). */
+  readonly partners: PartnersClient;
   /**
    * @param options - SDK configuration. All fields are optional with sensible defaults.
    * @throws {ConfigurationError} If `timeout` is non-positive or `webhookSecret` has an invalid prefix.
@@ -475,6 +630,27 @@ declare class TimeoutError extends AgentPressError {
 declare class WebhookSignatureError extends AgentPressError {
   constructor(message: string);
 }
+/** Reason codes for {@link PartnerTokenError}. Maps 1:1 to RFC 6750 `error_description` values. */
+type PartnerTokenErrorReason = "signature_invalid" | "issuer_mismatch" | "audience_mismatch" | "expired" | "not_yet_valid" | "missing_claim" | "ext_provider_mismatch" | "algorithm_not_allowed" | "kid_missing_or_unknown" | "malformed";
+/**
+ * Thrown by {@link PartnersClient.verifyToken} when a Partner MCP Spec v1 JWT
+ * fails verification. Partners map `reason` to their RFC 6750 `WWW-Authenticate`
+ * response (`401 invalid_token` for all reasons in this class).
+ */
+declare class PartnerTokenError extends AgentPressError {
+  readonly reason: PartnerTokenErrorReason;
+  constructor(reason: PartnerTokenErrorReason, message: string);
+}
+/** Reason codes for {@link KeyRotationVerifyError}. */
+type KeyRotationVerifyErrorReason = "invalid_signature" | "invalid_signature_format" | "timestamp_out_of_window" | "invalid_timestamp" | "payload_too_large" | "malformed_payload";
+/**
+ * Thrown by {@link WebhooksClient.verifyKeyRotation} when a `signing_key_rotation`
+ * webhook fails HMAC / timestamp / payload validation.
+ */
+declare class KeyRotationVerifyError extends AgentPressError {
+  readonly reason: KeyRotationVerifyErrorReason;
+  constructor(reason: KeyRotationVerifyErrorReason, message: string);
+}
 //#endregion
-export { type ActionCallbackPayload, type ActionEventType, type ActionManageResponse, type ActionStatus, ActionsClient, AgentPress, AgentPressError, type AgentPressOptions, type AgentResponse, type ApprovalMode, type ApproveActionParams, ConfigurationError, type CreateUserApprovalParams, type DeleteUserApprovalParams, HttpError, type ListUserApprovalsParams, type ListUserApprovalsResponse, type RejectActionParams, type StagedToolCall, TimeoutError, type ToolCallResult, type UpdateUserApprovalParams, UserApprovalsClient, type UserToolApproval, type WebhookResponse, type WebhookSendParams, WebhookSignatureError, type WebhookVerifyParams };
+export { type ActionCallbackPayload, type ActionEventType, type ActionManageResponse, type ActionStatus, ActionsClient, AgentPress, AgentPressError, type AgentPressOptions, type AgentResponse, type ApprovalMode, type ApproveActionParams, ConfigurationError, type CreateUserApprovalParams, type DeleteUserApprovalParams, HttpError, type KeyRotationEvent, KeyRotationVerifyError, type KeyRotationVerifyErrorReason, type KeyRotationVerifyParams, type ListUserApprovalsParams, type ListUserApprovalsResponse, type PartnerMcpOptions, type PartnerTokenClaims, PartnerTokenError, type PartnerTokenErrorReason, PartnersClient, type RejectActionParams, type StagedToolCall, TimeoutError, type ToolCallResult, type UpdateUserApprovalParams, UserApprovalsClient, type UserToolApproval, type WebhookResponse, type WebhookSendParams, WebhookSignatureError, type WebhookVerifyParams, WebhooksClient };
 //# sourceMappingURL=index.d.mts.map

package/dist/index.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.mts","names":[],"sources":["../src/types.ts","../src/http.ts","../src/actions/client.ts","../src/userApprovals/client.ts","../src/webhooks/client.ts","../src/client.ts","../src/errors.ts"],"mappings":";;UACiB,iBAAA;EAAiB;EAEhC,aAAA;EAY6C;EAV7C,MAAA;EAAA;EAEA,OAAA;EAEA;EAAA,OAAA;EAIA;EAFA,GAAA;EAEgC;EAAhC,SAAA,IAAa,GAAA,UAAa,IAAA,EAAM,WAAA;EAEhC;EAAA,UAAA,IAAc,GAAA,UAAa,QAAA,EAAU,QAAA;AAAA;;UAItB,iBAAA;EAJ8B;EAM7C,MAAA;EAFgC;EAIhC,OAAA,EAAS,MAAA;AAAA;;UAIM,mBAAA;EAJN;EAMT,OAAA,WAAkB,MAAA;EANH;EAQf,OAAA;IACE,SAAA;IACA,gBAAA;IACA,gBAAA;EAAA;AAAA;;UAKa,eAAA;EACf,OAAA;EANE;EAQF,QAAA;EARkB;EAUlB,aAAA;EACA,OAAA;EACA,IAAA,GAAO,MAAA;AAAA;;KAMG,eAAA;;UASK,cAAA;EACf,QAAA;EACA,UAAA;EACA,SAAA,EAAW,MAAA;AAAA;AAZb;AAAA,UAgBiB,mBAAA;;EAEf,MAAA;EAlByB;EAoBzB,cAAA;IACE,QAAA;IACA,SAAA,EAAW,MAAA;EAAA;EAZb;;;;;;AAMF;;EAgBE,QAAA;AAAA;;UAIe,kBAAA;EAfb;EAiBF,MAAA;EAhBa;EAkBb,MAAA;AAAA;;UAIe,oBAAA;EACf,OAAA;EACA,QAAA;EACA,MAAA,EAAQ,YAAA;AAAA;AAHV;AAAA,KASY,YAAA;;UAUK,cAAA;EACf,QAAA;EACA,SAAA,EAAW,MAAA;EACX,MAAA;AAAA;;UAIe,aAAA;EAjBL;EAmBV,IAAA;;EAEA,SAAA,EAAW,cAAA;AAAA;AAXb;;;;AAAA,UAkBiB,qBAAA;EACf,QAAA;EACA,MAAA,EAAQ,YAAA;EACR,UAAA;EAlBM;EAoBN,SAAA,EAAW,eAAA;EAhBI;EAkBf,aAAA;;EAEA,cAAA,EAAgB,cAAA;EAlBhB;EAoBA,WAAA;EAlBW;EAoBX,UAAA,EAAY,MAAA;EApBa;EAsBzB,UAAA;EAfoC;EAiBpC,MAAA;EAfQ;EAiBR,QAAA;EAVgB;EAYhB,aAAA,EAAe,aAAA;EAAA;EAEf,YAAA;EAF4B;EAI5B,eAAA;EAvBA;EAAA,CAyBC,GAAA;AAAA;;KAMS,YAAA;;;;;;UAOK,gBAAA;EACf,EAAA;EACA,KAAA;EACA,MAAA;EACA,eAAA;EACA,QAAA;EACA,IAAA,EAAM,YAAA;EArBN;EAuBA,SAAA;EArBY;EAuBZ,SAAA;EAjBU;EAmBV,SAAA;AAAA;;UAIe,uBAAA;EAhBA;EAkBf,iBAAA;;;;;;EAMA,MAAA;EAnBA;;;;;EAyBA,YAAA;AAAA;;UAIe,yBAAA;EACf,SAAA,EAAW,gBAAA;AAAA;;UAII,wBAAA;EAff;EAiBA,iBAAA;EAXY;;AAId;;;EAaE,MAAA;EAZ2B;AAI7B;;;;;EAeE,YAAA;EAAA;EAEA,eAAA;EAEA;EAAA,QAAA;EAEO;EAAP,IAAA,GAAO,YAAA;EAEK;EAAZ,SAAA,GAAY,IAAA;AAAA;AAId;AAAA,UAAiB,wBAAA;;EAEf,iBAAA;EACA,IAAA,GAAO,YAAA;EACP,SAAA,GAAY,IAAA;AAAA;;UAIG,wBAAA;EAJC;EAMhB,iBAAA;AAAA;;UAIe,eAAA;EACf,OAAA;EACA,OAAA;EACA,GAAA;EACA,aAAA;EACA,MAAA;EACA,SAAA,GAAY,iBAAA;EACZ,UAAA,GAAa,iBAAA;AAAA;;;AAnQf;;;;;AAAA,cCOa,UAAA;EAAA,iBACM,OAAA;EAAA,iBACA,OAAA;EAAA,iBACA,SAAA;EAAA,iBACA,UAAA;cAEL,OAAA,EAAS,eAAA;EDDW;;;;;;;;AAMlC;ECWQ,OAAA,GAAA,CAAW,IAAA,UAAc,IAAA,EAAM,WAAA,GAAc,OAAA,CAAQ,CAAA;AAAA;;;;;;;;;;;;;;;;;;;;;ADX7D;;cEYa,aAAA;EAAA,iBACM,OAAA;EAAA,iBACA,IAAA;cAEL,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,UAAA;EFZnC;;;AAIX;;;;EEoBQ,OAAA,CACJ,QAAA,UACA,MAAA,EAAQ,mBAAA,GACP,OAAA,CAAQ,oBAAA;EFrBO;;;;;;;EEuCZ,MAAA,CACJ,QAAA,UACA,MAAA,EAAQ,kBAAA,GACP,OAAA,CAAQ,oBAAA;EAAA,QAMG,MAAA;AAAA;;;;;;;;;;;;;;;;;;;;;AF1DhB;;;;;;;;;AAQA;;;cGiBa,mBAAA;EAAA,iBACM,OAAA;EAAA,iBACA,IAAA;cAEL,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,UAAA;EHhB1C;;;;;AAOJ;;EGqBQ,IAAA,CACJ,MAAA,EAAQ,uBAAA,GACP,OAAA,CAAQ,yBAAA;EHhBE;;;;;;;;;EGqCP,MAAA,CAAO,MAAA,EAAQ,wBAAA,GAA2B,OAAA,CAAQ,gBAAA;EH/B/B;;;;AAS3B;;;EGiDQ,MAAA,CACJ,EAAA,UACA,MAAA,EAAQ,wBAAA,GACP,OAAA,CAAQ,gBAAA;EHnDX;;;;;;AAMF;;EGmEQ,MAAA,CACJ,EAAA,UACA,MAAA,EAAQ,wBAAA,GACP,OAAA;IAAU,OAAA;EAAA;EHlEb;EAAA,QG2Ec,IAAA;AAAA;;;cCnIH,cAAA;EAAA,iBACM,OAAA;EAAA,iBACA,IAAA;cAEL,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,UAAA;EJf5C;;;;;;;;EI4BM,IAAA,CAAK,MAAA,EAAQ,iBAAA,GAAoB,OAAA,CAAQ,eAAA;EJlBjC;;;;;AAIhB;EI4CE,MAAA,CAAO,MAAA,EAAQ,mBAAA;;;;;;;;EAqBf,aAAA,CAAc,MAAA,EAAQ,mBAAA;EJzDY;;;;;;;;;EIwElC,cAAA,CAAe,MAAA,EAAQ,mBAAA,GAAsB,qBAAA;AAAA;;;;;;;;;;;;;;;;;;cC7ElC,UAAA;ELHI;EAAA,SKKC,QAAA,EAAU,cAAA;;WAEV,OAAA,EAAS,aAAA;ELLzB;EAAA,SKOgB,aAAA,EAAe,mBAAA;ELLtB;;;AAIX;cKOc,OAAA,GAAS,iBAAA;AAAA;;;;ALjCvB;;;cMGa,eAAA,SAAwB,KAAA;cACvB,OAAA;AAAA;;;;;cAWD,kBAAA,SAA2B,eAAA;cAC1B,OAAA;AAAA;;;;;;;ANEd;;cMaa,SAAA,SAAkB,eAAA;EAAA,SACb,UAAA;EAAA,SACA,YAAA;EAAA,SACA,GAAA;cAEJ,UAAA,UAAoB,YAAA,UAAsB,GAAA;AAAA;;cAW3C,YAAA,SAAqB,eAAA;cACpB,GAAA,UAAa,OAAA;AAAA;;cAQd,qBAAA,SAA8B,eAAA;cAC7B,OAAA;AAAA"}
+{"version":3,"file":"index.d.mts","names":[],"sources":["../src/types.ts","../src/http.ts","../src/actions/client.ts","../src/partners/client.ts","../src/userApprovals/client.ts","../src/webhooks/client.ts","../src/client.ts","../src/errors.ts"],"mappings":";;UACiB,iBAAA;EAAiB;EAEhC,aAAA;EAkBa;EAhBb,MAAA;EAoBqC;EAlBrC,OAAA;EAkB6C;EAhB7C,OAAA;EAJA;EAMA,GAAA;EAFA;;;;;;;;;EAYA,UAAA,GAAa,iBAAA;EAIwB;EAFrC,SAAA,IAAa,GAAA,UAAa,IAAA,EAAM,WAAA;EAEa;EAA7C,UAAA,IAAc,GAAA,UAAa,QAAA,EAAU,QAAA;AAAA;;UAItB,iBAAA;EAAiB;;;;;;;EAQhC,OAAA;EAqBiB;AAInB;;;;EAnBE,MAAA;EAuBA;EArBA,QAAA;EAyBA;EAvBA,mBAAA;EA2BA;;;;;EArBA,cAAA;EAiCC;;;AAIH;EAhCE,iBAAA;AAAA;;UAIe,kBAAA;EA8BG;EA5BlB,GAAA;EAkCS;EAhCT,KAAA;EAgCe;EA9Bf,YAAA;EAkC+B;EAhC/B,GAAA;EAgC+B;EA9B/B,GAAA;EAgCA;EA9BA,GAAA;EAgCA;EA9BA,GAAA;EAkCA;EAhCA,GAAA;EAoCA;EAlCA,MAAA;EAkCM;EAhCN,SAAA;EAoCgC;EAlChC,WAAA;EAsCe;EAAA,CApCd,GAAA;AAAA;;UAIc,uBAAA;EAgCA;EA9Bf,OAAA,WAAkB,MAAA;EAkCgB;;;;;EA5BlC,OAAA,EAAS,MAAA;AAAA;;UAIM,gBAAA;EACf,KAAA;EACA,IAAA;EACA,UAAA;EACA,aAAA;;EAEA,SAAA;EA+BA;EA7BA,WAAA;EAiCA;EA/BA,OAAA;EAiCA;EA/BA,MAAA;AAAA;;UAIe,iBAAA;EAiCU;EA/BzB,MAAA;EA+ByB;EA7BzB,OAAA,EAAS,MAAA;AAAA;;UAIM,mBAAA;EAqCE;EAnCjB,OAAA,WAAkB,MAAA;EAkClB;EAhCA,OAAA;IACE,SAAA;IACA,gBAAA;IACA,gBAAA;EAAA;AAAA;;UAKa,eAAA;EACf,OAAA;EAgCA;EA9BA,QAAA;EAgCE;EA9BF,aAAA;EACA,OAAA;EACA,IAAA,GAAO,MAAA;AAAA;AA0CT;AAAA,KApCY,eAAA;;UASK,cAAA;EACf,QAAA;EACA,UAAA;EACA,SAAA,EAAW,MAAA;AAAA;;UAII,mBAAA;EA8Bf;EA5BA,MAAA;EA6BQ;EA3BR,cAAA;IACE,QAAA;IACA,SAAA,EAAW,MAAA;EAAA;;;;AAyCf;;;;;EA/BE,QAAA;AAAA;;UAIe,kBAAA;EA8BT;EA5BN,MAAA;EAgC4B;EA9B5B,MAAA;AAAA;;UAIe,oBAAA;EACf,OAAA;EACA,QAAA;EACA,MAAA,EAAQ,YAAA;AAAA;;KAME,YAAA;;UAUK,cAAA;EACf,QAAA;EACA,SAAA,EAAW,MAAA;EACX,MAAA;AAAA;;UAIe,aAAA;EAaf;EAXA,IAAA;EAYA;EAVA,SAAA,EAAW,cAAA;AAAA;;;;;UAOI,qBAAA;EACf,QAAA;EACA,MAAA,EAAQ,YAAA;EACR,UAAA;EAgBA;EAdA,SAAA,EAAW,eAAA;EAgBI;EAdf,aAAA;EAkBA;EAhBA,cAAA,EAAgB,cAAA;EAkBJ;EAhBZ,WAAA;EAsBU;EApBV,UAAA,EAAY,MAAA;;EAEZ,UAAA;EAkBsB;EAhBtB,MAAA;EAuB+B;EArB/B,QAAA;EA2BkB;EAzBlB,aAAA,EAAe,aAAA;EAqBf;EAnBA,YAAA;EAqBA;EAnBA,eAAA;EAqBA;EAAA,CAnBC,GAAA;AAAA;;KAMS,YAAA;;;AAuBZ;;;UAhBiB,gBAAA;EACf,EAAA;EACA,KAAA;EACA,MAAA;EACA,eAAA;EACA,QAAA;EACA,IAAA,EAAM,YAAA;EA4BkC;EA1BxC,SAAA;EA2BA;EAzBA,SAAA;EA6Be;EA3Bf,SAAA;AAAA;;UAIe,uBAAA;EA+Bf;EA7BA,iBAAA;EAsCA;;;;;EAhCA,MAAA;EAsCgB;;AAIlB;;;EApCE,YAAA;AAAA;;UAIe,yBAAA;EACf,SAAA,EAAW,gBAAA;AAAA;;UAII,wBAAA;EAmCA;EAjCf,iBAAA;;;;AAuCF;;EAjCE,MAAA;EAuCa;;;;;;EAhCb,YAAA;EA6BA;EA3BA,eAAA;EA6BA;EA3BA,QAAA;EA4Ba;EA1Bb,IAAA,GAAO,YAAA;EA2BK;EAzBZ,SAAA,GAAY,IAAA;AAAA;;UAIG,wBAAA;EA0BA;EAxBf,iBAAA;EACA,IAAA,GAAO,YAAA;EACP,SAAA,GAAY,IAAA;AAAA;;UAIG,wBAAA;EAsBf;EApBA,iBAAA;AAAA;;UAIe,eAAA;EACf,OAAA;EACA,OAAA;EACA,GAAA;EACA,aAAA;EACA,MAAA;EACA,UAAA,GAAa,yBAAA;EACb,SAAA,GAAY,iBAAA;EACZ,UAAA,GAAa,iBAAA;AAAA;;UAIE,yBAAA;EACf,OAAA;EACA,MAAA;EACA,QAAA;EACA,mBAAA;EACA,cAAA;EACA,iBAAA;AAAA;;;AAjXF;;;;;AAAA,cCOa,UAAA;EAAA,iBACM,OAAA;EAAA,iBACA,OAAA;EAAA,iBACA,SAAA;EAAA,iBACA,UAAA;cAEL,OAAA,EAAS,eAAA;EDLrB;;;;;;;;;ECqBM,OAAA,GAAA,CAAW,IAAA,UAAc,IAAA,EAAM,WAAA,GAAc,OAAA,CAAQ,CAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;cCChD,aAAA;EAAA,iBACM,OAAA;EAAA,iBACA,IAAA;cAEL,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,UAAA;EFN7B;;;;;;;EEkBT,OAAA,CACJ,QAAA,UACA,MAAA,EAAQ,mBAAA,GACP,OAAA,CAAQ,oBAAA;EFGX;;;;AASF;;;EEMQ,MAAA,CACJ,QAAA,UACA,MAAA,EAAQ,kBAAA,GACP,OAAA,CAAQ,oBAAA;EAAA,QAMG,MAAA;AAAA;;;AF5EhB;;;;;;;AAAA,cGwBa,cAAA;EAAA,iBACM,OAAA;EAAA,iBACA,UAAA;EAAA,QACT,IAAA;EAAA,QACA,SAAA;cAEI,OAAA,EAAS,eAAA;EHVrB;;;;;;;;;;;;EG2BM,WAAA,CAAY,KAAA,WAAgB,OAAA,CAAQ,kBAAA;EHnBV;;;;;;EG+G1B,WAAA,CAAA,GAAe,OAAA;EAAA,QASb,aAAA;EAAA,QASA,OAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;AHjIV;;;;;;cIea,mBAAA;EAAA,iBACM,OAAA;EAAA,iBACA,IAAA;cAEL,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,UAAA;EJU3B;;AAInB;;;;;EIFQ,IAAA,CACJ,MAAA,EAAQ,uBAAA,GACP,OAAA,CAAQ,yBAAA;EJMX;;;;;;;;;EIeM,MAAA,CAAO,MAAA,EAAQ,wBAAA,GAA2B,OAAA,CAAQ,gBAAA;EJG5C;;AAId;;;;;EIoBQ,MAAA,CACJ,EAAA,UACA,MAAA,EAAQ,wBAAA,GACP,OAAA,CAAQ,gBAAA;EJfX;;;;AAIF;;;;EIiCQ,MAAA,CACJ,EAAA,UACA,MAAA,EAAQ,wBAAA,GACP,OAAA;IAAU,OAAA;EAAA;EJhCb;EAAA,QIyCc,IAAA;AAAA;;;cChIH,cAAA;EAAA,iBACM,OAAA;EAAA,iBACA,IAAA;cAEL,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,UAAA;ELEP;;;;;;;;EKW/B,IAAA,CAAK,MAAA,EAAQ,iBAAA,GAAoB,OAAA,CAAQ,eAAA;ELflC;;;;;;EK6Cb,MAAA,CAAO,MAAA,EAAQ,mBAAA;ELzCsB;;;;AAIvC;;;EK0DE,aAAA,CAAc,MAAA,EAAQ,mBAAA;ELlDtB;;;;;;;;AAyBF;EKwCE,cAAA,CAAe,MAAA,EAAQ,mBAAA,GAAsB,qBAAA;;;;;;;;;;EAsB7C,iBAAA,CAAkB,MAAA,EAAQ,uBAAA,GAA0B,gBAAA;AAAA;;;;;;;;;;;;;;;;;;cCjGzC,UAAA;ENFG;EAAA,SMIE,QAAA,EAAU,cAAA;ENJC;EAAA,SMMX,OAAA,EAAS,aAAA;ENNoB;EAAA,SMQ7B,aAAA,EAAe,mBAAA;ENJC;EAAA,SMMhB,QAAA,EAAU,cAAA;ENNM;;;;cMYpB,OAAA,GAAS,iBAAA;AAAA;;;;ANxCvB;;;cOGa,eAAA,SAAwB,KAAA;cACvB,OAAA;AAAA;;;;;cAWD,kBAAA,SAA2B,eAAA;cAC1B,OAAA;AAAA;;;;;;;;;cAeD,SAAA,SAAkB,eAAA;EAAA,SACb,UAAA;EAAA,SACA,YAAA;EAAA,SACA,GAAA;cAEJ,UAAA,UAAoB,YAAA,UAAsB,GAAA;AAAA;;cAW3C,YAAA,SAAqB,eAAA;cACpB,GAAA,UAAa,OAAA;AAAA;;cAQd,qBAAA,SAA8B,eAAA;cAC7B,OAAA;AAAA;;KAQF,uBAAA;APJZ;;;;;AAAA,cOqBa,iBAAA,SAA0B,eAAA;EAAA,SACrB,MAAA,EAAQ,uBAAA;cAEZ,MAAA,EAAQ,uBAAA,EAAyB,OAAA;AAAA;;KASnC,4BAAA;;;;;cAYC,sBAAA,SAA+B,eAAA;EAAA,SAC1B,MAAA,EAAQ,4BAAA;cAEZ,MAAA,EAAQ,4BAAA,EAA8B,OAAA;AAAA"}

package/dist/index.mjs

@@ -1,4 +1,5 @@
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
+import { createRemoteJWKSet, errors, jwtVerify } from "jose";
 //#region src/errors.ts
 /**
 * Base error class for all SDK errors. Catch this to handle any error
@@ -59,6 +60,33 @@ var WebhookSignatureError = class extends AgentPressError {
 		Object.setPrototypeOf(this, new.target.prototype);
 	}
 };
+/**
+* Thrown by {@link PartnersClient.verifyToken} when a Partner MCP Spec v1 JWT
+* fails verification. Partners map `reason` to their RFC 6750 `WWW-Authenticate`
+* response (`401 invalid_token` for all reasons in this class).
+*/
+var PartnerTokenError = class extends AgentPressError {
+	reason;
+	constructor(reason, message) {
+		super(message);
+		this.name = "PartnerTokenError";
+		this.reason = reason;
+		Object.setPrototypeOf(this, new.target.prototype);
+	}
+};
+/**
+* Thrown by {@link WebhooksClient.verifyKeyRotation} when a `signing_key_rotation`
+* webhook fails HMAC / timestamp / payload validation.
+*/
+var KeyRotationVerifyError = class extends AgentPressError {
+	reason;
+	constructor(reason, message) {
+		super(message);
+		this.name = "KeyRotationVerifyError";
+		this.reason = reason;
+		Object.setPrototypeOf(this, new.target.prototype);
+	}
+};
 //#endregion
 //#region src/utils.ts
 function randomMessageId() {
@@ -66,7 +94,7 @@ function randomMessageId() {
 }
 //#endregion
 //#region src/webhooks/signing.ts
-const SIGNATURE_PREFIX = "v1,";
+const SIGNATURE_PREFIX$1 = "v1,";
 const DEFAULT_TOLERANCE_SECONDS = 300;
 /**
 * Sign a webhook payload using Svix-compatible HMAC-SHA256.
@@ -80,7 +108,7 @@ const DEFAULT_TOLERANCE_SECONDS = 300;
 function sign(secret, msgId, timestamp, body) {
 	const secretBytes = Buffer.from(secret.replace(/^whsec_/, ""), "base64");
 	const message = `${msgId}.${timestamp}.${body}`;
-	return `${SIGNATURE_PREFIX}${createHmac("sha256", secretBytes).update(message).digest("base64")}`;
+	return `${SIGNATURE_PREFIX$1}${createHmac("sha256", secretBytes).update(message).digest("base64")}`;
 }
 /**
 * Verify a Svix webhook signature.
@@ -233,6 +261,121 @@ var HttpClient = class {
 	}
 };
 //#endregion
+//#region src/partners/client.ts
+const ALGORITHMS = ["EdDSA"];
+/**
+* Client for Partner MCP Spec v1 helpers. Created automatically when
+* {@link AgentPressOptions.partnerMcp} is provided.
+*
+* State (JWKS cache) is per-instance, NOT module-global, so staging and
+* production clients can run side-by-side without cross-talk.
+*/
+var PartnersClient = class {
+	options;
+	partnerMcp;
+	jwks = null;
+	jwksKeyFn = null;
+	constructor(options) {
+		this.options = options;
+		this.partnerMcp = options.partnerMcp;
+	}
+	/**
+	* Verify an inbound Partner MCP Spec v1 JWT against AgentPress's JWKS.
+	*
+	* Enforces the full spec: `algorithms: ["EdDSA"]` pinned; `iss`, `aud`,
+	* `ext_provider` validated; `sub`, `jti`, `scope` required and non-empty;
+	* `kid` header required; `exp` / `iat` validated with ±30s skew (configurable).
+	*
+	* @param token - Bare JWT string (no `Bearer ` prefix).
+	* @returns Typed {@link PartnerTokenClaims}.
+	* @throws {PartnerTokenError} with a typed `reason` for RFC 6750 mapping.
+	* @throws {ConfigurationError} if `partnerMcp` is not configured.
+	*/
+	async verifyToken(token) {
+		const cfg = this.requireConfig();
+		const jwks = this.getJwks();
+		let payload;
+		let protectedHeader;
+		try {
+			const result = await jwtVerify(token, jwks, {
+				algorithms: [...ALGORITHMS],
+				issuer: cfg.issuer,
+				audience: cfg.audience,
+				clockTolerance: cfg.clockTolerance
+			});
+			payload = result.payload;
+			protectedHeader = result.protectedHeader;
+		} catch (err) {
+			throw mapJoseError(err);
+		}
+		if (!protectedHeader.kid || typeof protectedHeader.kid !== "string") throw new PartnerTokenError("kid_missing_or_unknown", "JWT header missing required 'kid'");
+		const claims = payload;
+		if (typeof claims.iat !== "number" || !Number.isFinite(claims.iat)) throw new PartnerTokenError("missing_claim", "'iat' claim must be a number");
+		const toleranceSeconds = toSeconds(cfg.clockTolerance);
+		const nowSec = Math.floor(Date.now() / 1e3);
+		if (claims.iat - nowSec > toleranceSeconds) throw new PartnerTokenError("not_yet_valid", `'iat' is ${claims.iat - nowSec}s in the future, beyond ${toleranceSeconds}s tolerance`);
+		if (typeof claims.sub !== "string" || claims.sub.length === 0) throw new PartnerTokenError("missing_claim", "'sub' claim is required");
+		if (typeof claims.jti !== "string" || claims.jti.length === 0) throw new PartnerTokenError("missing_claim", "'jti' claim is required");
+		if (typeof claims.scope !== "string") throw new PartnerTokenError("missing_claim", "'scope' claim must be a string");
+		if (typeof claims.ext_provider !== "string" || claims.ext_provider.length === 0) throw new PartnerTokenError("missing_claim", "'ext_provider' claim is required");
+		if (claims.ext_provider !== cfg.expectedExtProvider) throw new PartnerTokenError("ext_provider_mismatch", `ext_provider '${claims.ext_provider}' does not match expected '${cfg.expectedExtProvider}'`);
+		return claims;
+	}
+	/**
+	* Force the JWKS cache to refetch immediately. Call this from your
+	* `signing_key_rotation` webhook handler after verifying the webhook —
+	* otherwise the cache picks up new keys on the next `kid` miss (which
+	* works, but with one failed verify latency penalty).
+	*/
+	async refreshJwks() {
+		const anyJwks = this.getJwks();
+		if (typeof anyJwks.reload === "function") await anyJwks.reload();
+	}
+	requireConfig() {
+		if (!this.partnerMcp) throw new ConfigurationError("partnerMcp options are required for partner token operations");
+		return this.partnerMcp;
+	}
+	getJwks() {
+		const cfg = this.requireConfig();
+		if (!this.jwks) {
+			this.jwks = createRemoteJWKSet(new URL(cfg.jwksUrl), {
+				cacheMaxAge: cfg.jwksCacheMaxAgeMs,
+				cooldownDuration: 3e4
+			});
+			this.jwksKeyFn = this.jwks;
+		}
+		return this.jwks;
+	}
+};
+function toSeconds(tolerance) {
+	if (typeof tolerance === "number") return tolerance;
+	const match = tolerance.trim().match(/^(\d+)\s*(s|m|h)$/i);
+	if (!match) return 30;
+	const n = Number.parseInt(match[1], 10);
+	const unit = match[2].toLowerCase();
+	if (unit === "s") return n;
+	if (unit === "m") return n * 60;
+	if (unit === "h") return n * 3600;
+	return 30;
+}
+function mapJoseError(err) {
+	if (err instanceof PartnerTokenError) return err;
+	if (err instanceof errors.JWSSignatureVerificationFailed) return new PartnerTokenError("signature_invalid", "JWT signature verification failed");
+	if (err instanceof errors.JWKSNoMatchingKey) return new PartnerTokenError("kid_missing_or_unknown", "No JWKS key matches the JWT 'kid' header");
+	if (err instanceof errors.JOSEAlgNotAllowed) return new PartnerTokenError("algorithm_not_allowed", "JWT 'alg' is not EdDSA");
+	if (err instanceof errors.JWTExpired) return new PartnerTokenError("expired", "JWT has expired");
+	if (err instanceof errors.JWTClaimValidationFailed) {
+		const claim = err.claim;
+		if (claim === "iss") return new PartnerTokenError("issuer_mismatch", "JWT 'iss' does not match expected issuer");
+		if (claim === "aud") return new PartnerTokenError("audience_mismatch", "JWT 'aud' does not match expected audience");
+		if (claim === "iat") return new PartnerTokenError("not_yet_valid", "JWT 'iat' is in the future beyond clock tolerance");
+		return new PartnerTokenError("missing_claim", err.message || "Claim validation failed");
+	}
+	if (err instanceof errors.JWTInvalid || err instanceof errors.JWSInvalid) return new PartnerTokenError("malformed", err.message || "Malformed JWT");
+	if (err instanceof Error) return new PartnerTokenError("malformed", err.message);
+	return new PartnerTokenError("malformed", String(err));
+}
+//#endregion
 //#region src/userApprovals/client.ts
 /**
 * Client for managing per-user auto-approval rules — the SDK equivalent of the
@@ -348,6 +491,74 @@ var UserApprovalsClient = class {
 	}
 };
 //#endregion
+//#region src/webhooks/keyRotation.ts
+const MAX_PAYLOAD_BYTES = 8 * 1024;
+const TIMESTAMP_SKEW_SECONDS = 300;
+const SIGNATURE_PREFIX = "sha256=";
+/**
+* Verify a `signing_key_rotation` webhook signed by AgentPress with
+* HMAC-SHA256 over the raw request body. Returns the typed
+* {@link KeyRotationEvent} payload.
+*
+* @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping.
+* @throws {ConfigurationError} if `webhookSecret` is not configured.
+*/
+function verifyKeyRotation(secret, params) {
+	if (!secret) throw new ConfigurationError("webhookSecret is required for key rotation webhook verification");
+	const body = typeof params.payload === "string" ? params.payload : params.payload.toString("utf-8");
+	if ((typeof params.payload === "string" ? Buffer.byteLength(params.payload, "utf-8") : params.payload.length) > MAX_PAYLOAD_BYTES) throw new KeyRotationVerifyError("payload_too_large", `Payload exceeds ${MAX_PAYLOAD_BYTES} bytes`);
+	const signatureHeader = readHeader(params.headers, "x-agentpress-signature");
+	const timestampHeader = readHeader(params.headers, "x-agentpress-timestamp");
+	if (!signatureHeader?.startsWith(SIGNATURE_PREFIX)) throw new KeyRotationVerifyError("invalid_signature_format", `Signature header missing or does not start with '${SIGNATURE_PREFIX}'`);
+	const providedHex = signatureHeader.slice(7).toLowerCase();
+	if (!/^[0-9a-f]+$/.test(providedHex)) throw new KeyRotationVerifyError("invalid_signature_format", "Signature is not a hex string");
+	if (!timestampHeader) throw new KeyRotationVerifyError("invalid_timestamp", "x-agentpress-timestamp header is required");
+	const timestamp = Number.parseInt(timestampHeader, 10);
+	if (!Number.isFinite(timestamp) || String(timestamp) !== timestampHeader.trim()) throw new KeyRotationVerifyError("invalid_timestamp", "x-agentpress-timestamp is not a valid unix seconds integer");
+	const now = Math.floor(Date.now() / 1e3);
+	if (Math.abs(now - timestamp) > TIMESTAMP_SKEW_SECONDS) throw new KeyRotationVerifyError("timestamp_out_of_window", `Timestamp skew ${Math.abs(now - timestamp)}s exceeds ${TIMESTAMP_SKEW_SECONDS}s tolerance`);
+	const expectedHex = createHmac("sha256", secret).update(body).digest("hex");
+	const providedBuf = Buffer.from(providedHex, "hex");
+	const expectedBuf = Buffer.from(expectedHex, "hex");
+	if (providedBuf.length !== expectedBuf.length || !timingSafeEqual(providedBuf, expectedBuf)) throw new KeyRotationVerifyError("invalid_signature", "HMAC signature mismatch");
+	let parsed;
+	try {
+		parsed = JSON.parse(body);
+	} catch {
+		throw new KeyRotationVerifyError("malformed_payload", "Payload is not valid JSON");
+	}
+	return validatePayload(parsed);
+}
+function readHeader(headers, name) {
+	const lowered = name.toLowerCase();
+	for (const [k, v] of Object.entries(headers)) if (k.toLowerCase() === lowered && typeof v === "string" && v.length > 0) return v;
+}
+function validatePayload(raw) {
+	if (!raw || typeof raw !== "object") throw new KeyRotationVerifyError("malformed_payload", "Payload must be a JSON object");
+	const obj = raw;
+	if (obj.event !== "signing_key_rotation") throw new KeyRotationVerifyError("malformed_payload", `Unexpected event '${String(obj.event)}'`);
+	if (obj.type !== "scheduled" && obj.type !== "emergency") throw new KeyRotationVerifyError("malformed_payload", "'type' must be 'scheduled' or 'emergency'");
+	for (const key of [
+		"retiredKid",
+		"newCurrentKid",
+		"retiredAt",
+		"effectiveAt",
+		"jwksUrl"
+	]) if (typeof obj[key] !== "string" || obj[key].length === 0) throw new KeyRotationVerifyError("malformed_payload", `'${key}' must be a non-empty string`);
+	if (obj.reason !== void 0 && typeof obj.reason !== "string") throw new KeyRotationVerifyError("malformed_payload", "'reason' must be a string when present");
+	const event = {
+		event: "signing_key_rotation",
+		type: obj.type,
+		retiredKid: obj.retiredKid,
+		newCurrentKid: obj.newCurrentKid,
+		retiredAt: obj.retiredAt,
+		effectiveAt: obj.effectiveAt,
+		jwksUrl: obj.jwksUrl
+	};
+	if (typeof obj.reason === "string") event.reason = obj.reason;
+	return event;
+}
+//#endregion
 //#region src/webhooks/client.ts
 var WebhooksClient = class {
 	options;
@@ -419,6 +630,18 @@ var WebhooksClient = class {
 			throw new AgentPressError("Webhook payload is not valid JSON");
 		}
 	}
+	/**
+	* Verify an inbound `signing_key_rotation` webhook (HMAC-SHA256 + timestamp
+	* + typed payload) from AgentPress. See the Partner MCP Spec v1 for the
+	* full contract.
+	*
+	* @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping
+	*   (401 for signature errors, 400 for malformed payload, 413 for oversize).
+	* @throws {ConfigurationError} if `webhookSecret` is not configured.
+	*/
+	verifyKeyRotation(params) {
+		return verifyKeyRotation(this.options.webhookSecret, params);
+	}
 };
 //#endregion
 //#region src/client.ts
@@ -444,6 +667,8 @@ var AgentPress = class {
 	actions;
 	/** Per-user auto-approval rules (read / create / update / delete). */
 	userApprovals;
+	/** Partner MCP Spec v1 helpers (inbound JWT verification, JWKS refresh). */
+	partners;
 	/**
 	* @param options - SDK configuration. All fields are optional with sensible defaults.
 	* @throws {ConfigurationError} If `timeout` is non-positive or `webhookSecret` has an invalid prefix.
@@ -454,6 +679,7 @@ var AgentPress = class {
 		this.webhooks = new WebhooksClient(resolved, http);
 		this.actions = new ActionsClient(resolved, http);
 		this.userApprovals = new UserApprovalsClient(resolved, http);
+		this.partners = new PartnersClient(resolved);
 	}
 };
 function resolveOptions(options) {
@@ -468,11 +694,35 @@ function resolveOptions(options) {
 		org,
 		webhookSecret: options.webhookSecret,
 		apiKey: options.apiKey,
+		partnerMcp: resolvePartnerMcp(options.partnerMcp),
 		onRequest: options.onRequest,
 		onResponse: options.onResponse
 	};
 }
+function resolvePartnerMcp(options) {
+	if (!options) return void 0;
+	if (typeof options.jwksUrl !== "string" || options.jwksUrl.length === 0) throw new ConfigurationError("partnerMcp.jwksUrl is required");
+	try {
+		new URL(options.jwksUrl);
+	} catch {
+		throw new ConfigurationError("partnerMcp.jwksUrl must be a valid URL");
+	}
+	if (typeof options.issuer !== "string" || options.issuer.length === 0) throw new ConfigurationError("partnerMcp.issuer is required");
+	if (typeof options.audience !== "string" || options.audience.length === 0) throw new ConfigurationError("partnerMcp.audience is required");
+	if (typeof options.expectedExtProvider !== "string" || options.expectedExtProvider.length === 0) throw new ConfigurationError("partnerMcp.expectedExtProvider is required");
+	const clockTolerance = options.clockTolerance ?? "30s";
+	const jwksCacheMaxAgeMs = options.jwksCacheMaxAgeMs ?? 36e5;
+	if (jwksCacheMaxAgeMs <= 0 || !Number.isFinite(jwksCacheMaxAgeMs)) throw new ConfigurationError("partnerMcp.jwksCacheMaxAgeMs must be a positive number");
+	return {
+		jwksUrl: options.jwksUrl,
+		issuer: options.issuer,
+		audience: options.audience,
+		expectedExtProvider: options.expectedExtProvider,
+		clockTolerance,
+		jwksCacheMaxAgeMs
+	};
+}
 //#endregion
-export { ActionsClient, AgentPress, AgentPressError, ConfigurationError, HttpError, TimeoutError, UserApprovalsClient, WebhookSignatureError };
+export { ActionsClient, AgentPress, AgentPressError, ConfigurationError, HttpError, KeyRotationVerifyError, PartnerTokenError, PartnersClient, TimeoutError, UserApprovalsClient, WebhookSignatureError, WebhooksClient };
 
 //# sourceMappingURL=index.mjs.map