@atcute/oauth-types 0.1.0

package/lib/build-client-metadata.ts

@@ -0,0 +1,72 @@
+import type { Keyset } from '@atcute/oauth-keyset';
+
+import { FALLBACK_ALG } from './constants.js';
+import {
+	confidentialClientMetadataSchema,
+	type ConfidentialClientMetadata,
+} from './schemas/atcute-confidential-client-metadata.js';
+import type { OAuthClientMetadata } from './schemas/oauth-client-metadata.js';
+
+/**
+ * builds an atproto client metadata
+ *
+ *
+ * @param input client metadata
+ * @param keyset available keys
+ * @returns built client metadata
+ */
+export const buildClientMetadata = (
+	input: ConfidentialClientMetadata,
+	keyset: Keyset,
+): OAuthClientMetadata => {
+	// validate user-facing schema is correct
+	const conf = confidentialClientMetadataSchema.parse(input, { mode: 'passthrough' });
+
+	// build full OAuth client metadata (atproto defaults and requirements)
+	const metadata: OAuthClientMetadata = {
+		client_id: conf.client_id,
+		client_name: conf.client_name,
+		client_uri: conf.client_uri,
+		policy_uri: conf.policy_uri,
+		tos_uri: conf.tos_uri,
+		logo_uri: conf.logo_uri,
+		redirect_uris: conf.redirect_uris,
+		scope: Array.isArray(conf.scope) ? conf.scope.join(' ') : conf.scope,
+
+		application_type: 'web',
+		subject_type: 'public',
+		response_types: ['code'],
+		grant_types: ['authorization_code', 'refresh_token'],
+
+		token_endpoint_auth_method: 'private_key_jwt',
+		token_endpoint_auth_signing_alg: FALLBACK_ALG,
+		dpop_bound_access_tokens: true,
+
+		jwks_uri: conf.jwks_uri,
+		jwks: conf.jwks_uri ? undefined : (keyset.publicJwks as OAuthClientMetadata['jwks']),
+	};
+
+	// ensure at least one key supports the fallback algorithm
+	const signingKeys = Array.from(keyset);
+	if (!signingKeys.some((key) => key.alg === FALLBACK_ALG)) {
+		throw new TypeError(`"private_key_jwt" requires at least one "${FALLBACK_ALG}" signing key`);
+	}
+
+	// if jwks provided inline, ensure ALL signing keys are present
+	if (metadata.jwks) {
+		const jwksKids = new Set(
+			metadata.jwks.keys
+				.filter((k) => !k.revoked)
+				.map((k) => k.kid)
+				.filter(Boolean),
+		);
+
+		for (const key of signingKeys) {
+			if (!jwksKids.has(key.kid)) {
+				throw new TypeError(`signing key "${key.kid}" not found in jwks`);
+			}
+		}
+	}
+
+	return metadata;
+};

package/lib/constants.ts

@@ -0,0 +1,5 @@
+/** default algorithm per atproto spec */
+export const FALLBACK_ALG = 'ES256';
+
+/** JWT bearer assertion type for `private_key_jwt` authentication */
+export const CLIENT_ASSERTION_TYPE_JWT_BEARER = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';

package/lib/index.ts

@@ -0,0 +1,116 @@
+export { buildClientMetadata } from './build-client-metadata.js';
+export { CLIENT_ASSERTION_TYPE_JWT_BEARER, FALLBACK_ALG } from './constants.js';
+
+export * as scope from './scope.js';
+
+// schemas
+export {
+	confidentialClientMetadataSchema,
+	type ConfidentialClientMetadata,
+} from './schemas/atcute-confidential-client-metadata.js';
+export {
+	atprotoOAuthScopeSchema,
+	ATPROTO_SCOPE_VALUE,
+	DEFAULT_ATPROTO_OAUTH_SCOPE,
+	type AtprotoOAuthScope,
+} from './schemas/atproto-oauth-scope.js';
+export {
+	jwkPubSchema,
+	jwkSchema,
+	keyUsageSchema,
+	publicKeyUsageSchema,
+	type Jwk,
+	type JwkPub,
+	type KeyUsage,
+} from './schemas/jwk.js';
+export { jwksPubSchema, jwksSchema, type Jwks, type JwksPub } from './schemas/jwks.js';
+export { oauthClientIdDiscoverableSchema } from './schemas/oauth-client-id-discoverable.js';
+export { oauthClientIdSchema, type OAuthClientId } from './schemas/oauth-client-id.js';
+export { oauthClientMetadataSchema, type OAuthClientMetadata } from './schemas/oauth-client-metadata.js';
+export {
+	oauthEndpointAuthMethodSchema,
+	type OAuthEndpointAuthMethod,
+} from './schemas/oauth-endpoint-auth-method.js';
+export { oauthGrantTypeSchema, type OAuthGrantType } from './schemas/oauth-grant-type.js';
+export {
+	loopbackRedirectUriSchema,
+	oauthRedirectUriSchema,
+	type LoopbackRedirectUri,
+	type OAuthRedirectUri,
+} from './schemas/oauth-redirect-uri.js';
+export { oauthResponseTypeSchema, type OAuthResponseType } from './schemas/oauth-response-type.js';
+export {
+	isOAuthScope,
+	OAUTH_SCOPE_REGEXP,
+	oauthScopeSchema,
+	type OAuthScope,
+} from './schemas/oauth-scope.js';
+export {
+	httpsUriSchema,
+	loopbackUriSchema,
+	nonLocalWebUriSchema,
+	privateUseUriSchema,
+	urlSchema,
+	webUriSchema,
+} from './schemas/uri.js';
+export {
+	extractUrlPath,
+	isHostnameIP,
+	isLastOccurrence,
+	isLocalHostname,
+	isLoopbackHost,
+	isSpaceSeparatedValue,
+} from './schemas/utils.js';
+
+// token schemas
+export { oauthTokenTypeSchema, type OAuthTokenType } from './schemas/oauth-token-type.js';
+export { oauthTokenResponseSchema, type OAuthTokenResponse } from './schemas/oauth-token-response.js';
+export {
+	atprotoOAuthTokenResponseSchema,
+	type AtprotoOAuthTokenResponse,
+} from './schemas/atproto-oauth-token-response.js';
+
+// PAR schemas
+export { oauthParResponseSchema, type OAuthParResponse } from './schemas/oauth-par-response.js';
+export {
+	oauthCodeChallengeMethodSchema,
+	type OAuthCodeChallengeMethod,
+} from './schemas/oauth-code-challenge-method.js';
+export { oauthResponseModeSchema, type OAuthResponseMode } from './schemas/oauth-response-mode.js';
+export { oauthPromptSchema, type OAuthPrompt } from './schemas/oauth-prompt.js';
+
+// authorization details
+export {
+	oauthAuthorizationDetailSchema,
+	oauthAuthorizationDetailsSchema,
+	type OAuthAuthorizationDetail,
+	type OAuthAuthorizationDetails,
+} from './schemas/oauth-authorization-details.js';
+
+// server metadata
+export {
+	oauthIssuerIdentifierSchema,
+	type OAuthIssuerIdentifier,
+} from './schemas/oauth-issuer-identifier.js';
+export {
+	oauthAuthorizationServerMetadataSchema,
+	oauthAuthorizationServerMetadataValidator,
+	type OAuthAuthorizationServerMetadata,
+} from './schemas/oauth-authorization-server-metadata.js';
+export {
+	atprotoAuthorizationServerMetadataValidator,
+	type AtprotoAuthorizationServerMetadata,
+} from './schemas/atproto-authorization-server-metadata.js';
+
+// protected resource metadata
+export {
+	oauthBearerMethodSchema,
+	oauthProtectedResourceMetadataSchema,
+	oauthProtectedResourceMetadataValidator,
+	type OAuthBearerMethod,
+	type OAuthProtectedResourceMetadata,
+} from './schemas/oauth-protected-resource-metadata.js';
+export {
+	atprotoProtectedResourceMetadataValidator,
+	type AtprotoProtectedResourceMetadata,
+} from './schemas/atproto-protected-resource-metadata.js';

package/lib/schemas/atcute-confidential-client-metadata.ts

@@ -0,0 +1,139 @@
+import * as v from '@badrap/valita';
+
+import { atprotoOAuthScopeSchema } from './atproto-oauth-scope.js';
+import { oauthClientIdDiscoverableSchema } from './oauth-client-id-discoverable.js';
+import { httpsUriSchema, nonLocalWebUriSchema, webUriSchema } from './uri.js';
+import { isLocalHostname } from './utils.js';
+
+const SINGLE_SCOPE_RE = /^[\x21\x23-\x5B\x5D-\x7E]+$/;
+
+const singleScopeSchema = v.string().assert((input) => SINGLE_SCOPE_RE.test(input), `invalid OAuth scope`);
+
+/**
+ * user-facing client metadata for configuring a confidential OAuth client.
+ *
+ * this is a lean subset of OAuth client metadata, focused on what you actually provide.
+ * the library will fill in atproto-required values like `dpop_bound_access_tokens`,
+ * `token_endpoint_auth_method`, and default `grant_types` / `response_types`.
+ */
+export const confidentialClientMetadataSchema = v
+	.object({
+		/** discoverable https client_id URL (where metadata is hosted) */
+		client_id: oauthClientIdDiscoverableSchema,
+
+		/** redirect URIs for authorization responses (must be https) */
+		redirect_uris: v
+			.array(httpsUriSchema)
+			.assert((arr) => arr.length > 0, `must have at least one redirect URI`)
+			.assert((arr) => {
+				for (const uri of arr) {
+					const url = new URL(uri);
+					if (url.username || url.password) {
+						return false;
+					}
+				}
+				return true;
+			}, `redirect URIs must not contain credentials`),
+
+		/**
+		 * OAuth scope - either:
+		 * - a space-separated string (must include "atproto")
+		 * - an array of scope strings ('atproto' is added automatically)
+		 */
+		scope: v.union(
+			atprotoOAuthScopeSchema.chain((input) => {
+				const scopes = input.split(/\s+/);
+
+				for (let i = 0, len = scopes.length; i < len; i++) {
+					const aka = scopes[i];
+
+					for (let j = 0; j < i; j++) {
+						if (aka === scopes[j]) {
+							return v.err(`duplicate "${aka}" scope`);
+						}
+					}
+				}
+
+				return v.ok(input);
+			}),
+			v.array(singleScopeSchema).chain((input) => {
+				if (!input.includes('atproto')) {
+					input = ['atproto', ...input];
+				}
+
+				for (let i = 0, len = input.length; i < len; i++) {
+					const aka = input[i];
+
+					for (let j = 0; j < i; j++) {
+						if (aka === input[j]) {
+							return v.err(`duplicate "${aka}" scope`);
+						}
+					}
+				}
+
+				return v.ok(input);
+			}),
+		),
+
+		/** optional client homepage */
+		client_uri: webUriSchema.optional(),
+		/** optional display name */
+		client_name: v.string().optional(),
+		/** optional policy url */
+		policy_uri: nonLocalWebUriSchema.optional(),
+		/** optional terms of service url */
+		tos_uri: nonLocalWebUriSchema.optional(),
+		/** optional logo url */
+		logo_uri: nonLocalWebUriSchema.optional(),
+
+		/** optional JWKS URL; if omitted, the library will inline jwks from the keyset */
+		jwks_uri: httpsUriSchema.optional(),
+	})
+	.chain((input) => {
+		const clientIdUrl = new URL(input.client_id);
+		if (isLocalHostname(clientIdUrl.hostname)) {
+			return v.err({ message: `client_id hostname is invalid`, path: ['client_id'] });
+		}
+
+		if (input.jwks_uri) {
+			const jwksUrl = new URL(input.jwks_uri);
+
+			if (jwksUrl.username || jwksUrl.password) {
+				return v.err({ message: `jwks_uri must not contain credentials`, path: ['jwks_uri'] });
+			}
+
+			if (isLocalHostname(jwksUrl.hostname)) {
+				return v.err({ message: `jwks_uri hostname is invalid`, path: ['jwks_uri'] });
+			}
+		}
+
+		// for discoverable clients, client_uri (if provided) must be same-origin parent of client_id
+		if (input.client_uri) {
+			const clientUriUrl = new URL(input.client_uri);
+
+			if (isLocalHostname(clientUriUrl.hostname)) {
+				return v.err({ message: `client_uri hostname is invalid`, path: ['client_uri'] });
+			}
+
+			if (clientUriUrl.origin !== clientIdUrl.origin) {
+				return v.err({
+					message: `client_uri must have the same origin as the client_id`,
+					path: ['client_uri'],
+				});
+			}
+
+			if (clientIdUrl.pathname !== clientUriUrl.pathname) {
+				const prefix = clientUriUrl.pathname.endsWith('/')
+					? clientUriUrl.pathname
+					: `${clientUriUrl.pathname}/`;
+
+				if (!clientIdUrl.pathname.startsWith(prefix)) {
+					return v.err({ message: `client_uri must be a parent URL of the client_id`, path: ['client_uri'] });
+				}
+			}
+		}
+
+		return v.ok(input);
+	});
+
+export type ConfidentialClientMetadata = v.Infer<typeof confidentialClientMetadataSchema>;

package/lib/schemas/atproto-authorization-server-metadata.ts

@@ -0,0 +1,32 @@
+import * as v from '@badrap/valita';
+
+import { oauthAuthorizationServerMetadataValidator } from './oauth-authorization-server-metadata.js';
+
+/**
+ * AT Protocol authorization server metadata with required fields and assertions.
+ *
+ * @see {@link https://atproto.com/specs/oauth}
+ */
+export const atprotoAuthorizationServerMetadataValidator = oauthAuthorizationServerMetadataValidator.chain(
+	(data) => {
+		// atproto requires client_id_metadata_document support
+		if (data.client_id_metadata_document_supported !== true) {
+			return v.err({
+				message: `atproto requires client_id_metadata_document_supported to be true`,
+				path: ['client_id_metadata_document_supported'],
+			});
+		}
+
+		// atproto requires PAR
+		if (!data.pushed_authorization_request_endpoint) {
+			return v.err({
+				message: `atproto requires pushed_authorization_request_endpoint to be true`,
+				path: ['pushed_authorization_request_endpoint'],
+			});
+		}
+
+		return v.ok(data as typeof data & { pushed_authorization_request_endpoint: string });
+	},
+);
+
+export type AtprotoAuthorizationServerMetadata = v.Infer<typeof atprotoAuthorizationServerMetadataValidator>;

package/lib/schemas/atproto-oauth-scope.ts

@@ -0,0 +1,18 @@
+import * as v from '@badrap/valita';
+
+import { isOAuthScope } from './oauth-scope.js';
+import { isSpaceSeparatedValue } from './utils.js';
+
+export const ATPROTO_SCOPE_VALUE = 'atproto';
+
+const isAtprotoOAuthScope = (input: string): boolean => {
+	return isOAuthScope(input) && isSpaceSeparatedValue(ATPROTO_SCOPE_VALUE, input);
+};
+
+/** atproto OAuth scope (must include "atproto") */
+export const atprotoOAuthScopeSchema = v.string().assert(isAtprotoOAuthScope, `invalid atproto OAuth scope`);
+
+export type AtprotoOAuthScope = v.Infer<typeof atprotoOAuthScopeSchema>;
+
+/** default scope is for reading identity (did) only */
+export const DEFAULT_ATPROTO_OAUTH_SCOPE: AtprotoOAuthScope = ATPROTO_SCOPE_VALUE;

package/lib/schemas/atproto-oauth-token-response.ts

@@ -0,0 +1,20 @@
+import { isAtprotoDid } from '@atcute/identity';
+
+import * as v from '@badrap/valita';
+
+import { atprotoOAuthScopeSchema } from './atproto-oauth-scope.js';
+import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.js';
+
+export const atprotoOAuthTokenResponseSchema = v.object({
+	access_token: v.string(),
+	token_type: v.literal('DPoP'),
+	sub: v.string().assert(isAtprotoDid, `must be a did:plc or did:web`),
+	scope: atprotoOAuthScopeSchema,
+	refresh_token: v.string().optional(),
+	expires_in: v.number().optional(),
+	// https://datatracker.ietf.org/doc/html/rfc9396#name-enriched-authorization-deta
+	authorization_details: oauthAuthorizationDetailsSchema.optional(),
+	// OpenID is not compatible with atproto identities
+});
+
+export type AtprotoOAuthTokenResponse = v.Infer<typeof atprotoOAuthTokenResponseSchema>;

package/lib/schemas/atproto-protected-resource-metadata.ts

@@ -0,0 +1,24 @@
+import * as v from '@badrap/valita';
+
+import { oauthProtectedResourceMetadataValidator } from './oauth-protected-resource-metadata.js';
+
+/**
+ * AT Protocol protected resource metadata with required fields.
+ *
+ * @see {@link https://atproto.com/specs/oauth}
+ */
+export const atprotoProtectedResourceMetadataValidator = oauthProtectedResourceMetadataValidator.chain(
+	(data) => {
+		// atproto requires exactly one authorization server
+		if (data.authorization_servers?.length !== 1) {
+			return v.err({
+				message: `atproto requires exactly one authorization server`,
+				path: ['authorization_servers'],
+			});
+		}
+
+		return v.ok(data as typeof data & { authorization_servers: [string] });
+	},
+);
+
+export type AtprotoProtectedResourceMetadata = v.Infer<typeof atprotoProtectedResourceMetadataValidator>;

package/lib/schemas/jwk.ts

@@ -0,0 +1,189 @@
+import * as v from '@badrap/valita';
+
+import { isLastOccurrence } from './utils.js';
+
+// key usage constants
+const PUBLIC_KEY_USAGE = ['verify', 'encrypt', 'wrapKey'] as const;
+const PRIVATE_KEY_USAGE = ['sign', 'decrypt', 'unwrapKey', 'deriveKey', 'deriveBits'] as const;
+const KEY_USAGE = [...PRIVATE_KEY_USAGE, ...PUBLIC_KEY_USAGE] as const;
+
+type InternalKeyUsage = (typeof KEY_USAGE)[number];
+
+const isPublicKeyUsage = (usage: unknown): usage is (typeof PUBLIC_KEY_USAGE)[number] => {
+	return (PUBLIC_KEY_USAGE as readonly unknown[]).includes(usage);
+};
+
+const isPrivateKeyUsage = (usage: unknown): usage is (typeof PRIVATE_KEY_USAGE)[number] => {
+	return (PRIVATE_KEY_USAGE as readonly unknown[]).includes(usage);
+};
+
+const isSigKeyUsage = (v: InternalKeyUsage): boolean => v === 'verify';
+const isEncKeyUsage = (v: InternalKeyUsage): boolean => v === 'encrypt' || v === 'wrapKey';
+
+export const keyUsageSchema = v.union(
+	v.literal('verify'),
+	v.literal('encrypt'),
+	v.literal('wrapKey'),
+	v.literal('sign'),
+	v.literal('decrypt'),
+	v.literal('unwrapKey'),
+	v.literal('deriveKey'),
+	v.literal('deriveBits'),
+);
+
+export const publicKeyUsageSchema = v.union(v.literal('verify'), v.literal('encrypt'), v.literal('wrapKey'));
+
+const jwkBaseSchema = v.object({
+	kty: v.string(),
+	alg: v.string().optional(),
+	kid: v.string().optional(),
+	use: v.union(v.literal('sig'), v.literal('enc')).optional(),
+	key_ops: v.array(keyUsageSchema).optional(),
+
+	// X.509
+	x5c: v.array(v.string()).optional(),
+	x5t: v.string().optional(),
+	'x5t#S256': v.string().optional(),
+	x5u: v.string().optional(),
+
+	// WebCrypto
+	ext: v.boolean().optional(),
+
+	// Federation Historical Keys Response
+	iat: v.number().optional(),
+	exp: v.number().optional(),
+	nbf: v.number().optional(),
+	revoked: v
+		.object({
+			revoked_at: v.number(),
+			reason: v.string().optional(),
+		})
+		.optional(),
+});
+
+const jwkRsaKeySchema = jwkBaseSchema.extend({
+	kty: v.literal('RSA'),
+	alg: v
+		.union(
+			v.literal('RS256'),
+			v.literal('RS384'),
+			v.literal('RS512'),
+			v.literal('PS256'),
+			v.literal('PS384'),
+			v.literal('PS512'),
+		)
+		.optional(),
+	n: v.string(),
+	e: v.string(),
+	d: v.string().optional(),
+	p: v.string().optional(),
+	q: v.string().optional(),
+	dp: v.string().optional(),
+	dq: v.string().optional(),
+	qi: v.string().optional(),
+	oth: v
+		.array(
+			v.object({
+				r: v.string().optional(),
+				d: v.string().optional(),
+				t: v.string().optional(),
+			}),
+		)
+		.optional(),
+});
+
+const jwkEcKeySchema = jwkBaseSchema.extend({
+	kty: v.literal('EC'),
+	alg: v.union(v.literal('ES256'), v.literal('ES384'), v.literal('ES512')).optional(),
+	crv: v.union(v.literal('P-256'), v.literal('P-384'), v.literal('P-521')),
+	x: v.string(),
+	y: v.string(),
+	d: v.string().optional(),
+});
+
+const jwkEcSecp256k1KeySchema = jwkBaseSchema.extend({
+	kty: v.literal('EC'),
+	alg: v.literal('ES256K').optional(),
+	crv: v.literal('secp256k1'),
+	x: v.string(),
+	y: v.string(),
+	d: v.string().optional(),
+});
+
+const jwkOkpKeySchema = jwkBaseSchema.extend({
+	kty: v.literal('OKP'),
+	alg: v.literal('EdDSA').optional(),
+	crv: v.union(v.literal('Ed25519'), v.literal('Ed448')),
+	x: v.string(),
+	d: v.string().optional(),
+});
+
+const jwkSymKeySchema = jwkBaseSchema.extend({
+	kty: v.literal('oct'),
+	alg: v.union(v.literal('HS256'), v.literal('HS384'), v.literal('HS512')).optional(),
+	k: v.string(),
+});
+
+const hasPrivateSecret = <J extends object>(jwk: J): boolean => {
+	return ('d' in jwk && jwk.d != null) || ('k' in jwk && jwk.k != null);
+};
+
+const isPublicJwk = <J extends object>(jwk: J): boolean => {
+	return !hasPrivateSecret(jwk);
+};
+
+/** JWK schema for known key types */
+export const jwkSchema = v
+	.union(jwkRsaKeySchema, jwkEcKeySchema, jwkEcSecp256k1KeySchema, jwkOkpKeySchema, jwkSymKeySchema)
+	.chain((k) => {
+		// "use" can only be used with public keys
+		if (k.use != null && !isPublicJwk(k)) {
+			return v.err({ message: `"use" can only be used with public keys`, path: ['use'] });
+		}
+
+		// private key usage not allowed for public keys
+		if (k.key_ops?.some(isPrivateKeyUsage) && isPublicJwk(k)) {
+			return v.err({ message: `private key usage not allowed for public keys`, path: ['key_ops'] });
+		}
+
+		// key_ops must not contain duplicates
+		if (k.key_ops && !k.key_ops.every(isLastOccurrence)) {
+			return v.err({ message: `key_ops must not contain duplicates`, path: ['key_ops'] });
+		}
+
+		// "use" and "key_ops" must be consistent
+		if (k.use != null && k.key_ops != null) {
+			const consistent =
+				(k.use === 'sig' && k.key_ops.every(isSigKeyUsage)) ||
+				(k.use === 'enc' && k.key_ops.every(isEncKeyUsage));
+			if (!consistent) {
+				return v.err({ message: `"key_ops" must be consistent with "use"`, path: ['key_ops'] });
+			}
+		}
+
+		return v.ok(k);
+	});
+
+/** public JWK schema (kid required, no private keys) */
+export const jwkPubSchema = jwkSchema.chain((k) => {
+	if (k.kid == null) {
+		return v.err({ message: `"kid" is required`, path: ['kid'] });
+	}
+
+	if (!isPublicJwk(k)) {
+		return v.err({ message: `private key not allowed` });
+	}
+
+	if (k.key_ops && !k.key_ops.every(isPublicKeyUsage)) {
+		return v.err({
+			message: `"key_ops" must not contain private key usage for public keys`,
+			path: ['key_ops'],
+		});
+	}
+
+	return v.ok(k);
+});
+
+export type KeyUsage = v.Infer<typeof keyUsageSchema>;
+export type Jwk = v.Infer<typeof jwkSchema>;
+export type JwkPub = v.Infer<typeof jwkPubSchema>;

package/lib/schemas/jwks.ts

@@ -0,0 +1,45 @@
+import * as v from '@badrap/valita';
+
+import { jwkPubSchema, jwkSchema, type Jwk, type JwkPub } from './jwk.js';
+
+/** JWKS (JSON Web Key Set) */
+export const jwksSchema = v.object({
+	keys: v.array(v.unknown()).chain((input, options) => {
+		// implementations SHOULD ignore JWKs within a JWK Set that use "kty"
+		// values that are not understood, are missing required members, or
+		// have values out of the supported ranges.
+		const keys: Jwk[] = [];
+
+		for (const item of input) {
+			const result = jwkSchema.try(item, options);
+			if (!result.ok) {
+				continue;
+			}
+
+			keys.push(result.value);
+		}
+
+		return v.ok(keys);
+	}),
+});
+
+/** public JWKS (JSON Web Key Set with only public keys) */
+export const jwksPubSchema = v.object({
+	keys: v.array(v.unknown()).chain((input, options) => {
+		const keys: JwkPub[] = [];
+
+		for (const item of input) {
+			const result = jwkPubSchema.try(item, options);
+			if (!result.ok) {
+				continue;
+			}
+
+			keys.push(result.value);
+		}
+
+		return v.ok(keys);
+	}),
+});
+
+export type Jwks = v.Infer<typeof jwksSchema>;
+export type JwksPub = v.Infer<typeof jwksPubSchema>;