@atproto/oauth-types 0.1.0

package/dist/oauth-client-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client-metadata.d.ts","sourceRoot":"","sources":["../src/oauth-client-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AASvB,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA4CpC;;;;;;OAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWH,CAAA;AAEF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA;AAC3E,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA"}

package/dist/oauth-client-metadata.js

@@ -0,0 +1,70 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthClientMetadataSchema = void 0;
+const jwk_1 = require("@atproto/jwk");
+const zod_1 = require("zod");
+const oauth_client_id_js_1 = require("./oauth-client-id.js");
+const oauth_endpoint_auth_method_js_1 = require("./oauth-endpoint-auth-method.js");
+const oauth_grant_type_js_1 = require("./oauth-grant-type.js");
+const oauth_response_type_js_1 = require("./oauth-response-type.js");
+// https://openid.net/specs/openid-connect-registration-1_0.html
+// https://datatracker.ietf.org/doc/html/rfc7591
+exports.oauthClientMetadataSchema = zod_1.z.object({
+    redirect_uris: zod_1.z.array(zod_1.z.string().url()).nonempty(),
+    response_types: zod_1.z
+        .array(oauth_response_type_js_1.oauthResponseTypeSchema)
+        .nonempty()
+        // > If omitted, the default is that the client will use only the "code"
+        // > response type.
+        .default(['code']),
+    grant_types: zod_1.z
+        .array(oauth_grant_type_js_1.oauthGrantTypeSchema)
+        .nonempty()
+        // > If omitted, the default behavior is that the client will use only the
+        // > "authorization_code" Grant Type.
+        .default(['authorization_code']),
+    scope: zod_1.z.string().optional(),
+    token_endpoint_auth_method: oauth_endpoint_auth_method_js_1.oauthEndpointAuthMethod
+        .default('none')
+        .optional(),
+    token_endpoint_auth_signing_alg: zod_1.z.string().optional(),
+    introspection_endpoint_auth_method: oauth_endpoint_auth_method_js_1.oauthEndpointAuthMethod.optional(),
+    introspection_endpoint_auth_signing_alg: zod_1.z.string().optional(),
+    revocation_endpoint_auth_method: oauth_endpoint_auth_method_js_1.oauthEndpointAuthMethod.optional(),
+    revocation_endpoint_auth_signing_alg: zod_1.z.string().optional(),
+    pushed_authorization_request_endpoint_auth_method: oauth_endpoint_auth_method_js_1.oauthEndpointAuthMethod.optional(),
+    pushed_authorization_request_endpoint_auth_signing_alg: zod_1.z.string().optional(),
+    userinfo_signed_response_alg: zod_1.z.string().optional(),
+    userinfo_encrypted_response_alg: zod_1.z.string().optional(),
+    jwks_uri: zod_1.z.string().url().optional(),
+    jwks: jwk_1.jwksPubSchema.optional(),
+    application_type: zod_1.z.enum(['web', 'native']).default('web').optional(), // default, per spec, is "web"
+    subject_type: zod_1.z.enum(['public', 'pairwise']).default('public').optional(),
+    request_object_signing_alg: zod_1.z.string().optional(),
+    id_token_signed_response_alg: zod_1.z.string().optional(),
+    authorization_signed_response_alg: zod_1.z.string().default('RS256').optional(),
+    authorization_encrypted_response_enc: zod_1.z.enum(['A128CBC-HS256']).optional(),
+    authorization_encrypted_response_alg: zod_1.z.string().optional(),
+    client_id: oauth_client_id_js_1.oauthClientIdSchema.optional(),
+    client_name: zod_1.z.string().optional(),
+    client_uri: zod_1.z.string().url().optional(),
+    policy_uri: zod_1.z.string().url().optional(),
+    tos_uri: zod_1.z.string().url().optional(),
+    logo_uri: zod_1.z.string().url().optional(),
+    /**
+     * Default Maximum Authentication Age. Specifies that the End-User MUST be
+     * actively authenticated if the End-User was authenticated longer ago than
+     * the specified number of seconds. The max_age request parameter overrides
+     * this default value. If omitted, no default Maximum Authentication Age is
+     * specified.
+     */
+    default_max_age: zod_1.z.number().optional(),
+    require_auth_time: zod_1.z.boolean().optional(),
+    contacts: zod_1.z.array(zod_1.z.string().email()).optional(),
+    tls_client_certificate_bound_access_tokens: zod_1.z.boolean().optional(),
+    // https://datatracker.ietf.org/doc/html/rfc9449#section-5.2
+    dpop_bound_access_tokens: zod_1.z.boolean().optional(),
+    // https://datatracker.ietf.org/doc/html/rfc9396#section-14.5
+    authorization_details_types: zod_1.z.array(zod_1.z.string()).optional(),
+});
+//# sourceMappingURL=oauth-client-metadata.js.map

package/dist/oauth-client-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client-metadata.js","sourceRoot":"","sources":["../src/oauth-client-metadata.ts"],"names":[],"mappings":";;;AAAA,sCAA4C;AAC5C,6BAAuB;AAEvB,6DAA0D;AAC1D,mFAAyE;AACzE,+DAA4D;AAC5D,qEAAkE;AAElE,gEAAgE;AAChE,gDAAgD;AACnC,QAAA,yBAAyB,GAAG,OAAC,CAAC,MAAM,CAAC;IAChD,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnD,cAAc,EAAE,OAAC;SACd,KAAK,CAAC,gDAAuB,CAAC;SAC9B,QAAQ,EAAE;QACX,wEAAwE;QACxE,mBAAmB;SAClB,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;IACpB,WAAW,EAAE,OAAC;SACX,KAAK,CAAC,0CAAoB,CAAC;SAC3B,QAAQ,EAAE;QACX,0EAA0E;QAC1E,qCAAqC;SACpC,OAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,0BAA0B,EAAE,uDAAuB;SAChD,OAAO,CAAC,MAAM,CAAC;SACf,QAAQ,EAAE;IACb,+BAA+B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtD,kCAAkC,EAAE,uDAAuB,CAAC,QAAQ,EAAE;IACtE,uCAAuC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC9D,+BAA+B,EAAE,uDAAuB,CAAC,QAAQ,EAAE;IACnE,oCAAoC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3D,iDAAiD,EAC/C,uDAAuB,CAAC,QAAQ,EAAE;IACpC,sDAAsD,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7E,4BAA4B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,+BAA+B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtD,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACrC,IAAI,EAAE,mBAAa,CAAC,QAAQ,EAAE;IAC9B,gBAAgB,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,EAAE,8BAA8B;IACrG,YAAY,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,QAAQ,EAAE;IACzE,0BAA0B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjD,4BAA4B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,iCAAiC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE;IACzE,oCAAoC,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC1E,oCAAoC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3D,SAAS,EAAE,wCAAmB,CAAC,QAAQ,EAAE;IACzC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACvC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACvC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAErC;;;;;;OAMG;IACH,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACzC,QAAQ,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,0CAA0C,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAElE,4DAA4D;IAC5D,wBAAwB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAEhD,6DAA6D;IAC7D,2BAA2B,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC5D,CAAC,CAAA"}

package/dist/oauth-endpoint-auth-method.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const oauthEndpointAuthMethod: z.ZodEnum<["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"]>;
+export type OauthEndpointAuthMethod = z.infer<typeof oauthEndpointAuthMethod>;
+//# sourceMappingURL=oauth-endpoint-auth-method.d.ts.map

package/dist/oauth-endpoint-auth-method.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-endpoint-auth-method.d.ts","sourceRoot":"","sources":["../src/oauth-endpoint-auth-method.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,uBAAuB,4JAQlC,CAAA;AAEF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA"}

package/dist/oauth-endpoint-auth-method.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthEndpointAuthMethod = void 0;
+const zod_1 = require("zod");
+exports.oauthEndpointAuthMethod = zod_1.z.enum([
+    'client_secret_basic',
+    'client_secret_jwt',
+    'client_secret_post',
+    'none',
+    'private_key_jwt',
+    'self_signed_tls_client_auth',
+    'tls_client_auth',
+]);
+//# sourceMappingURL=oauth-endpoint-auth-method.js.map

package/dist/oauth-endpoint-auth-method.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-endpoint-auth-method.js","sourceRoot":"","sources":["../src/oauth-endpoint-auth-method.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,uBAAuB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC5C,qBAAqB;IACrB,mBAAmB;IACnB,oBAAoB;IACpB,MAAM;IACN,iBAAiB;IACjB,6BAA6B;IAC7B,iBAAiB;CAClB,CAAC,CAAA"}

package/dist/oauth-endpoint-name.d.ts

@@ -0,0 +1,2 @@
+export type OAuthEndpointName = 'token' | 'revocation' | 'introspection' | 'pushed_authorization_request';
+//# sourceMappingURL=oauth-endpoint-name.d.ts.map

package/dist/oauth-endpoint-name.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-endpoint-name.d.ts","sourceRoot":"","sources":["../src/oauth-endpoint-name.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,iBAAiB,GACzB,OAAO,GACP,YAAY,GACZ,eAAe,GACf,8BAA8B,CAAA"}

package/dist/oauth-endpoint-name.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=oauth-endpoint-name.js.map

package/dist/oauth-endpoint-name.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-endpoint-name.js","sourceRoot":"","sources":["../src/oauth-endpoint-name.ts"],"names":[],"mappings":""}

package/dist/oauth-grant-type.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const oauthGrantTypeSchema: z.ZodEnum<["authorization_code", "implicit", "refresh_token", "password", "client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer", "urn:ietf:params:oauth:grant-type:saml2-bearer"]>;
+export type OAuthGrantType = z.infer<typeof oauthGrantTypeSchema>;
+//# sourceMappingURL=oauth-grant-type.d.ts.map

package/dist/oauth-grant-type.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-grant-type.d.ts","sourceRoot":"","sources":["../src/oauth-grant-type.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,oBAAoB,kMAQ/B,CAAA;AAEF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA"}

package/dist/oauth-grant-type.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthGrantTypeSchema = void 0;
+const zod_1 = require("zod");
+exports.oauthGrantTypeSchema = zod_1.z.enum([
+    'authorization_code',
+    'implicit',
+    'refresh_token',
+    'password', // Not part of OAuth 2.1
+    'client_credentials',
+    'urn:ietf:params:oauth:grant-type:jwt-bearer',
+    'urn:ietf:params:oauth:grant-type:saml2-bearer',
+]);
+//# sourceMappingURL=oauth-grant-type.js.map

package/dist/oauth-grant-type.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-grant-type.js","sourceRoot":"","sources":["../src/oauth-grant-type.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,oBAAoB,GAAG,OAAC,CAAC,IAAI,CAAC;IACzC,oBAAoB;IACpB,UAAU;IACV,eAAe;IACf,UAAU,EAAE,wBAAwB;IACpC,oBAAoB;IACpB,6CAA6C;IAC7C,+CAA+C;CAChD,CAAC,CAAA"}

package/dist/oauth-issuer-identifier.d.ts

@@ -0,0 +1,3 @@
+import { z } from 'zod';
+export declare const oauthIssuerIdentifierSchema: z.ZodEffects<z.ZodString, string, string>;
+//# sourceMappingURL=oauth-issuer-identifier.d.ts.map

package/dist/oauth-issuer-identifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-issuer-identifier.d.ts","sourceRoot":"","sources":["../src/oauth-issuer-identifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAavB,eAAO,MAAM,2BAA2B,2CA+CpC,CAAA"}

package/dist/oauth-issuer-identifier.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthIssuerIdentifierSchema = void 0;
+const zod_1 = require("zod");
+// try/catch to support running in a browser, including when process.env is
+// shimmed (e.g. by webpack)
+const ALLOW_INSECURE = (() => {
+    try {
+        const env = process.env.NODE_ENV;
+        return env === 'development' || env === 'test';
+    }
+    catch {
+        return false;
+    }
+})();
+exports.oauthIssuerIdentifierSchema = zod_1.z
+    .string()
+    .url()
+    .superRefine((value, ctx) => {
+    // Validate the issuer (MIX-UP attacks)
+    if (value.endsWith('/')) {
+        ctx.addIssue({
+            code: zod_1.z.ZodIssueCode.custom,
+            message: 'Issuer URL must not end with a slash',
+        });
+    }
+    const url = new URL(value);
+    if (url.protocol !== 'https:') {
+        if (ALLOW_INSECURE && url.protocol === 'http:') {
+            // We'll allow HTTP in development mode
+        }
+        else {
+            ctx.addIssue({
+                code: zod_1.z.ZodIssueCode.custom,
+                message: 'Issuer must be an HTTPS URL',
+            });
+        }
+    }
+    if (url.username || url.password) {
+        ctx.addIssue({
+            code: zod_1.z.ZodIssueCode.custom,
+            message: 'Issuer URL must not contain a username or password',
+        });
+    }
+    if (url.hash || url.search) {
+        ctx.addIssue({
+            code: zod_1.z.ZodIssueCode.custom,
+            message: 'Issuer URL must not contain a query or fragment',
+        });
+    }
+    const canonicalValue = url.pathname === '/' ? url.origin : url.href;
+    if (value !== canonicalValue) {
+        ctx.addIssue({
+            code: zod_1.z.ZodIssueCode.custom,
+            message: 'Issuer URL must be in the canonical form',
+        });
+    }
+});
+//# sourceMappingURL=oauth-issuer-identifier.js.map

package/dist/oauth-issuer-identifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-issuer-identifier.js","sourceRoot":"","sources":["../src/oauth-issuer-identifier.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,2EAA2E;AAC3E,4BAA4B;AAC5B,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE;IAC3B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAA;QAChC,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAA;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC,CAAC,EAAE,CAAA;AAES,QAAA,2BAA2B,GAAG,OAAC;KACzC,MAAM,EAAE;KACR,GAAG,EAAE;KACL,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC1B,uCAAuC;IAEvC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,sCAAsC;SAChD,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IAE1B,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,cAAc,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC/C,uCAAuC;QACzC,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,6BAA6B;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,oDAAoD;SAC9D,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QAC3B,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,iDAAiD;SAC3D,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;IACnE,IAAI,KAAK,KAAK,cAAc,EAAE,CAAC;QAC7B,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,OAAO,EAAE,0CAA0C;SACpD,CAAC,CAAA;IACJ,CAAC;AACH,CAAC,CAAC,CAAA"}

package/dist/oauth-par-response.d.ts

@@ -0,0 +1,10 @@
+import { z } from 'zod';
+export declare const oauthParResponseSchema: z.ZodObject<{
+    request_uri: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    request_uri: string;
+}, {
+    request_uri: string;
+}>;
+export type OAuthParResponse = z.infer<typeof oauthParResponseSchema>;
+//# sourceMappingURL=oauth-par-response.d.ts.map

package/dist/oauth-par-response.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-par-response.d.ts","sourceRoot":"","sources":["../src/oauth-par-response.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,sBAAsB;;;;;;EAEjC,CAAA;AAEF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA"}

package/dist/oauth-par-response.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthParResponseSchema = void 0;
+const zod_1 = require("zod");
+exports.oauthParResponseSchema = zod_1.z.object({
+    request_uri: zod_1.z.string(),
+});
+//# sourceMappingURL=oauth-par-response.js.map

package/dist/oauth-par-response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-par-response.js","sourceRoot":"","sources":["../src/oauth-par-response.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;CACxB,CAAC,CAAA"}

package/dist/oauth-protected-resource-metadata.d.ts

@@ -0,0 +1,90 @@
+import { z } from 'zod';
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#name-protected-resource-metadata-r}
+ */
+export declare const oauthProtectedResourceMetadataSchema: z.ZodObject<{
+    /**
+     * REQUIRED. The protected resource's resource identifier, which is a URL that
+     * uses the https scheme and has no query or fragment components. Using these
+     * well-known resources is described in Section 3.
+     */
+    resource: z.ZodString;
+    /**
+     * OPTIONAL. JSON array containing a list of OAuth authorization server issuer
+     * identifiers, as defined in [RFC8414], for authorization servers that can be
+     * used with this protected resource. Protected resources MAY choose not to
+     * advertise some supported authorization servers even when this parameter is
+     * used. In some use cases, the set of authorization servers will not be
+     * enumerable, in which case this metadata parameter would not be used.
+     */
+    authorization_servers: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
+    /**
+     * OPTIONAL. URL of the protected resource's JWK Set [JWK] document. This
+     * contains public keys belonging to the protected resource, such as signing
+     * key(s) that the resource server uses to sign resource responses. This URL
+     * MUST use the https scheme. When both signing and encryption keys are made
+     * available, a use (public key use) parameter value is REQUIRED for all keys
+     * in the referenced JWK Set to indicate each key's intended usage.
+     */
+    jwks_uri: z.ZodOptional<z.ZodString>;
+    /**
+     * RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope
+     * values that are used in authorization requests to request access to this
+     * protected resource. Protected resources MAY choose not to advertise some
+     * scope values supported even when this parameter is used.
+     */
+    scopes_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /**
+     * OPTIONAL. JSON array containing a list of the supported methods of sending
+     * an OAuth 2.0 Bearer Token [RFC6750] to the protected resource. Defined
+     * values are ["header", "body", "query"], corresponding to Sections 2.1, 2.2,
+     * and 2.3 of RFC 6750.
+     */
+    bearer_methods_supported: z.ZodOptional<z.ZodArray<z.ZodEnum<["header", "body", "query"]>, "many">>;
+    /**
+     * OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms
+     * (alg values) [JWA] supported by the protected resource for signing resource
+     * responses, for instance, as described in [FAPI.MessageSigning]. No default
+     * algorithms are implied if this entry is omitted. The value none MUST NOT be
+     * used.
+     */
+    resource_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /**
+     * OPTIONAL. URL of a page containing human-readable information that
+     * developers might want or need to know when using the protected resource
+     */
+    resource_documentation: z.ZodOptional<z.ZodString>;
+    /**
+     * OPTIONAL. URL that the protected resource provides to read about the
+     * protected resource's requirements on how the client can use the data
+     * provided by the protected resource
+     */
+    resource_policy_uri: z.ZodOptional<z.ZodString>;
+    /**
+     * OPTIONAL. URL that the protected resource provides to read about the
+     * protected resource's terms of service
+     */
+    resource_tos_uri: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    resource: string;
+    jwks_uri?: string | undefined;
+    scopes_supported?: string[] | undefined;
+    authorization_servers?: string[] | undefined;
+    bearer_methods_supported?: ("query" | "header" | "body")[] | undefined;
+    resource_signing_alg_values_supported?: string[] | undefined;
+    resource_documentation?: string | undefined;
+    resource_policy_uri?: string | undefined;
+    resource_tos_uri?: string | undefined;
+}, {
+    resource: string;
+    jwks_uri?: string | undefined;
+    scopes_supported?: string[] | undefined;
+    authorization_servers?: string[] | undefined;
+    bearer_methods_supported?: ("query" | "header" | "body")[] | undefined;
+    resource_signing_alg_values_supported?: string[] | undefined;
+    resource_documentation?: string | undefined;
+    resource_policy_uri?: string | undefined;
+    resource_tos_uri?: string | undefined;
+}>;
+export type OAuthProtectedResourceMetadata = z.infer<typeof oauthProtectedResourceMetadataSchema>;
+//# sourceMappingURL=oauth-protected-resource-metadata.d.ts.map

package/dist/oauth-protected-resource-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-protected-resource-metadata.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB;;GAEG;AACH,eAAO,MAAM,oCAAoC;IAC/C;;;;OAIG;;IAGH;;;;;;;OAOG;;IAGH;;;;;;;OAOG;;IAGH;;;;;OAKG;;IAGH;;;;;OAKG;;IAKH;;;;;;OAMG;;IAGH;;;OAGG;;IAGH;;;;OAIG;;IAGH;;;OAGG;;;;;;;;;;;;;;;;;;;;;;EAEH,CAAA;AAEF,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAClD,OAAO,oCAAoC,CAC5C,CAAA"}

package/dist/oauth-protected-resource-metadata.js

@@ -0,0 +1,75 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthProtectedResourceMetadataSchema = void 0;
+const zod_1 = require("zod");
+const oauth_issuer_identifier_js_1 = require("./oauth-issuer-identifier.js");
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#name-protected-resource-metadata-r}
+ */
+exports.oauthProtectedResourceMetadataSchema = zod_1.z.object({
+    /**
+     * REQUIRED. The protected resource's resource identifier, which is a URL that
+     * uses the https scheme and has no query or fragment components. Using these
+     * well-known resources is described in Section 3.
+     */
+    resource: zod_1.z.string().url(),
+    /**
+     * OPTIONAL. JSON array containing a list of OAuth authorization server issuer
+     * identifiers, as defined in [RFC8414], for authorization servers that can be
+     * used with this protected resource. Protected resources MAY choose not to
+     * advertise some supported authorization servers even when this parameter is
+     * used. In some use cases, the set of authorization servers will not be
+     * enumerable, in which case this metadata parameter would not be used.
+     */
+    authorization_servers: zod_1.z.array(oauth_issuer_identifier_js_1.oauthIssuerIdentifierSchema).optional(),
+    /**
+     * OPTIONAL. URL of the protected resource's JWK Set [JWK] document. This
+     * contains public keys belonging to the protected resource, such as signing
+     * key(s) that the resource server uses to sign resource responses. This URL
+     * MUST use the https scheme. When both signing and encryption keys are made
+     * available, a use (public key use) parameter value is REQUIRED for all keys
+     * in the referenced JWK Set to indicate each key's intended usage.
+     */
+    jwks_uri: zod_1.z.string().url().optional(),
+    /**
+     * RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope
+     * values that are used in authorization requests to request access to this
+     * protected resource. Protected resources MAY choose not to advertise some
+     * scope values supported even when this parameter is used.
+     */
+    scopes_supported: zod_1.z.array(zod_1.z.string()).optional(),
+    /**
+     * OPTIONAL. JSON array containing a list of the supported methods of sending
+     * an OAuth 2.0 Bearer Token [RFC6750] to the protected resource. Defined
+     * values are ["header", "body", "query"], corresponding to Sections 2.1, 2.2,
+     * and 2.3 of RFC 6750.
+     */
+    bearer_methods_supported: zod_1.z
+        .array(zod_1.z.enum(['header', 'body', 'query']))
+        .optional(),
+    /**
+     * OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms
+     * (alg values) [JWA] supported by the protected resource for signing resource
+     * responses, for instance, as described in [FAPI.MessageSigning]. No default
+     * algorithms are implied if this entry is omitted. The value none MUST NOT be
+     * used.
+     */
+    resource_signing_alg_values_supported: zod_1.z.array(zod_1.z.string()).optional(),
+    /**
+     * OPTIONAL. URL of a page containing human-readable information that
+     * developers might want or need to know when using the protected resource
+     */
+    resource_documentation: zod_1.z.string().url().optional(),
+    /**
+     * OPTIONAL. URL that the protected resource provides to read about the
+     * protected resource's requirements on how the client can use the data
+     * provided by the protected resource
+     */
+    resource_policy_uri: zod_1.z.string().url().optional(),
+    /**
+     * OPTIONAL. URL that the protected resource provides to read about the
+     * protected resource's terms of service
+     */
+    resource_tos_uri: zod_1.z.string().url().optional(),
+});
+//# sourceMappingURL=oauth-protected-resource-metadata.js.map

package/dist/oauth-protected-resource-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-protected-resource-metadata.js","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,6EAA0E;AAE1E;;GAEG;AACU,QAAA,oCAAoC,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3D;;;;OAIG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAE1B;;;;;;;OAOG;IACH,qBAAqB,EAAE,OAAC,CAAC,KAAK,CAAC,wDAA2B,CAAC,CAAC,QAAQ,EAAE;IAEtE;;;;;;;OAOG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAErC;;;;;OAKG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEhD;;;;;OAKG;IACH,wBAAwB,EAAE,OAAC;SACxB,KAAK,CAAC,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;SAC1C,QAAQ,EAAE;IAEb;;;;;;OAMG;IACH,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAErE;;;OAGG;IACH,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEnD;;;;OAIG;IACH,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEhD;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CAC9C,CAAC,CAAA"}

package/dist/oauth-response-mode.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const oauthResponseModeSchema: z.ZodEnum<["query", "fragment", "form_post"]>;
+export type OAuthResponseMode = z.infer<typeof oauthResponseModeSchema>;
+//# sourceMappingURL=oauth-response-mode.d.ts.map

package/dist/oauth-response-mode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-response-mode.d.ts","sourceRoot":"","sources":["../src/oauth-response-mode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,uBAAuB,+CAIlC,CAAA;AAEF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA"}

package/dist/oauth-response-mode.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthResponseModeSchema = void 0;
+const zod_1 = require("zod");
+exports.oauthResponseModeSchema = zod_1.z.enum([
+    'query',
+    'fragment',
+    'form_post',
+]);
+//# sourceMappingURL=oauth-response-mode.js.map

package/dist/oauth-response-mode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-response-mode.js","sourceRoot":"","sources":["../src/oauth-response-mode.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,uBAAuB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC5C,OAAO;IACP,UAAU;IACV,WAAW;CACZ,CAAC,CAAA"}

package/dist/oauth-response-type.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const oauthResponseTypeSchema: z.ZodEnum<["code", "token", "none", "code id_token token", "code id_token", "code token", "id_token token", "id_token"]>;
+export type OAuthResponseType = z.infer<typeof oauthResponseTypeSchema>;
+//# sourceMappingURL=oauth-response-type.d.ts.map

package/dist/oauth-response-type.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-response-type.d.ts","sourceRoot":"","sources":["../src/oauth-response-type.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,uBAAuB,0HAYlC,CAAA;AAEF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA"}

package/dist/oauth-response-type.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthResponseTypeSchema = void 0;
+const zod_1 = require("zod");
+exports.oauthResponseTypeSchema = zod_1.z.enum([
+    // OAuth
+    'code', // Authorization Code Grant
+    'token', // Implicit Grant
+    // OpenID
+    'none',
+    'code id_token token',
+    'code id_token',
+    'code token',
+    'id_token token',
+    'id_token',
+]);
+//# sourceMappingURL=oauth-response-type.js.map

package/dist/oauth-response-type.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-response-type.js","sourceRoot":"","sources":["../src/oauth-response-type.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,uBAAuB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC5C,QAAQ;IACR,MAAM,EAAE,2BAA2B;IACnC,OAAO,EAAE,iBAAiB;IAE1B,SAAS;IACT,MAAM;IACN,qBAAqB;IACrB,eAAe;IACf,YAAY;IACZ,gBAAgB;IAChB,UAAU;CACX,CAAC,CAAA"}

package/dist/oauth-token-response.d.ts

@@ -0,0 +1,103 @@
+import { z } from 'zod';
+/**
+ * @see {@link https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1 | RFC 6749 (OAuth2), Section 5.1}
+ */
+export declare const oauthTokenResponseSchema: z.ZodObject<{
+    access_token: z.ZodString;
+    token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
+    issuer: z.ZodOptional<z.ZodString>;
+    sub: z.ZodOptional<z.ZodString>;
+    scope: z.ZodOptional<z.ZodString>;
+    id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    access_token: z.ZodString;
+    token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
+    issuer: z.ZodOptional<z.ZodString>;
+    sub: z.ZodOptional<z.ZodString>;
+    scope: z.ZodOptional<z.ZodString>;
+    id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    access_token: z.ZodString;
+    token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
+    issuer: z.ZodOptional<z.ZodString>;
+    sub: z.ZodOptional<z.ZodString>;
+    scope: z.ZodOptional<z.ZodString>;
+    id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+}, z.ZodTypeAny, "passthrough">>;
+/**
+ * @see {@link oauthTokenResponseSchema}
+ */
+export type OAuthTokenResponse = z.infer<typeof oauthTokenResponseSchema>;
+//# sourceMappingURL=oauth-token-response.d.ts.map

package/dist/oauth-token-response.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-response.d.ts","sourceRoot":"","sources":["../src/oauth-token-response.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAcrB,CAAA;AAEhB;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA"}

package/dist/oauth-token-response.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthTokenResponseSchema = void 0;
+const jwk_1 = require("@atproto/jwk");
+const zod_1 = require("zod");
+const oauth_authorization_details_js_1 = require("./oauth-authorization-details.js");
+const oauth_token_type_js_1 = require("./oauth-token-type.js");
+/**
+ * @see {@link https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1 | RFC 6749 (OAuth2), Section 5.1}
+ */
+exports.oauthTokenResponseSchema = zod_1.z
+    .object({
+    access_token: zod_1.z.string(),
+    token_type: oauth_token_type_js_1.oauthTokenTypeSchema,
+    issuer: zod_1.z.string().url().optional(),
+    sub: zod_1.z.string().optional(),
+    scope: zod_1.z.string().optional(),
+    id_token: jwk_1.signedJwtSchema.optional(),
+    refresh_token: zod_1.z.string().optional(),
+    expires_in: zod_1.z.number().optional(),
+    authorization_details: oauth_authorization_details_js_1.oauthAuthorizationDetailsSchema.optional(),
+})
+    // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
+    // > The client MUST ignore unrecognized value names in the response.
+    .passthrough();
+//# sourceMappingURL=oauth-token-response.js.map