@atxp/client 0.3.0 → 0.4.0

package/dist/index.js

@@ -915,8 +915,9 @@ class ZodError extends Error {
         const formErrors = [];
         for (const sub of this.issues) {
             if (sub.path.length > 0) {
-                fieldErrors[sub.path[0]] = fieldErrors[sub.path[0]] || [];
-                fieldErrors[sub.path[0]].push(mapper(sub));
+                const firstEl = sub.path[0];
+                fieldErrors[firstEl] = fieldErrors[firstEl] || [];
+                fieldErrors[firstEl].push(mapper(sub));
             }
             else {
                 formErrors.push(mapper(sub));
@@ -1000,6 +1001,8 @@ const errorMap = (issue, _ctx) => {
                 message = `String must contain ${issue.exact ? "exactly" : issue.inclusive ? `at least` : `over`} ${issue.minimum} character(s)`;
             else if (issue.type === "number")
                 message = `Number must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${issue.minimum}`;
+            else if (issue.type === "bigint")
+                message = `Number must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${issue.minimum}`;
             else if (issue.type === "date")
                 message = `Date must be ${issue.exact ? `exactly equal to ` : issue.inclusive ? `greater than or equal to ` : `greater than `}${new Date(Number(issue.minimum))}`;
             else
@@ -1597,6 +1600,8 @@ function isValidJWT(jwt, alg) {
         return false;
     try {
         const [header] = jwt.split(".");
+        if (!header)
+            return false;
         // Convert base64url to base64
         const base64 = header
             .replace(/-/g, "+")
@@ -4637,6 +4642,7 @@ const enumType = ZodEnum.create;
 ZodPromise.create;
 const optionalType = ZodOptional.create;
 ZodNullable.create;
+const NEVER = INVALID;
 
 const LATEST_PROTOCOL_VERSION = "2025-06-18";
 const SUPPORTED_PROTOCOL_VERSIONS = [
@@ -4798,6 +4804,24 @@ const CancelledNotificationSchema = NotificationSchema.extend({
     }),
 });
 /* Base Metadata */
+/**
+ * Icon schema for use in tools, prompts, resources, and implementations.
+ */
+const IconSchema = objectType({
+    /**
+     * URL or data URI for the icon.
+     */
+    src: stringType(),
+    /**
+     * Optional MIME type for the icon.
+     */
+    mimeType: optionalType(stringType()),
+    /**
+     * Optional string specifying icon dimensions (e.g., "48x48 96x96").
+     */
+    sizes: optionalType(stringType()),
+})
+    .passthrough();
 /**
  * Base metadata interface for common properties across resources, tools, prompts, and implementations.
  */
@@ -4821,6 +4845,19 @@ const BaseMetadataSchema = objectType({
  */
 const ImplementationSchema = BaseMetadataSchema.extend({
     version: stringType(),
+    /**
+     * An optional URL of the website for this implementation.
+     */
+    websiteUrl: optionalType(stringType()),
+    /**
+     * An optional list of icons for this implementation.
+     * This can be used by clients to display the implementation in a user interface.
+     * Each icon should have a `kind` property that specifies whether it is a data representation or a URL source, a `src` property that points to the icon file or data representation, and may also include a `mimeType` and `sizes` property.
+     * The `mimeType` property should be a valid MIME type for the icon file, such as "image/png" or "image/svg+xml".
+     * The `sizes` property should be a string that specifies one or more sizes at which the icon file can be used, such as "48x48" or "any" for scalable formats like SVG.
+     * The `sizes` property is optional, and if not provided, the client should assume that the icon can be used at any size.
+     */
+    icons: optionalType(arrayType(IconSchema)),
 });
 /**
  * Capabilities a client may support. Known capabilities are defined here, in this schema, but this is not a closed set: any client can define its own, additional capabilities.
@@ -5018,11 +5055,27 @@ const TextResourceContentsSchema = ResourceContentsSchema.extend({
      */
     text: stringType(),
 });
+/**
+ * A Zod schema for validating Base64 strings that is more performant and
+ * robust for very large inputs than the default regex-based check. It avoids
+ * stack overflows by using the native `atob` function for validation.
+ */
+const Base64Schema = stringType().refine((val) => {
+    try {
+        // atob throws a DOMException if the string contains characters
+        // that are not part of the Base64 character set.
+        atob(val);
+        return true;
+    }
+    catch (_a) {
+        return false;
+    }
+}, { message: "Invalid Base64 string" });
 const BlobResourceContentsSchema = ResourceContentsSchema.extend({
     /**
      * A base64-encoded string representing the binary data of the item.
      */
-    blob: stringType().base64(),
+    blob: Base64Schema,
 });
 /**
  * A known resource that the server is capable of reading.
@@ -5042,6 +5095,10 @@ const ResourceSchema = BaseMetadataSchema.extend({
      * The MIME type of this resource, if known.
      */
     mimeType: optionalType(stringType()),
+    /**
+     * An optional list of icons for this resource.
+     */
+    icons: optionalType(arrayType(IconSchema)),
     /**
      * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
      * for notes on _meta usage.
@@ -5187,6 +5244,10 @@ const PromptSchema = BaseMetadataSchema.extend({
      * A list of arguments to use for templating the prompt.
      */
     arguments: optionalType(arrayType(PromptArgumentSchema)),
+    /**
+     * An optional list of icons for this prompt.
+     */
+    icons: optionalType(arrayType(IconSchema)),
     /**
      * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
      * for notes on _meta usage.
@@ -5245,7 +5306,7 @@ const ImageContentSchema = objectType({
     /**
      * The base64-encoded image data.
      */
-    data: stringType().base64(),
+    data: Base64Schema,
     /**
      * The MIME type of the image. Different providers may support different image types.
      */
@@ -5265,7 +5326,7 @@ const AudioContentSchema = objectType({
     /**
      * The base64-encoded audio data.
      */
-    data: stringType().base64(),
+    data: Base64Schema,
     /**
      * The MIME type of the audio. Different providers may support different audio types.
      */
@@ -5414,6 +5475,10 @@ const ToolSchema = BaseMetadataSchema.extend({
      * Optional additional tool information.
      */
     annotations: optionalType(ToolAnnotationsSchema),
+    /**
+     * An optional list of icons for this tool.
+     */
+    icons: optionalType(arrayType(IconSchema)),
     /**
      * See [MCP specification](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/47339c03c143bb4ec01a26e721a1b8fe66634ebe/docs/specification/draft/basic/index.mdx#general-fields)
      * for notes on _meta usage.
@@ -5906,6 +5971,7 @@ class Protocol {
         this._responseHandlers = new Map();
         this._progressHandlers = new Map();
         this._timeoutInfo = new Map();
+        this._pendingDebouncedNotifications = new Set();
         this.setNotificationHandler(CancelledNotificationSchema, (notification) => {
             const controller = this._requestHandlerAbortControllers.get(notification.params.requestId);
             controller === null || controller === void 0 ? void 0 : controller.abort(notification.params.reason);
@@ -5988,6 +6054,7 @@ class Protocol {
         const responseHandlers = this._responseHandlers;
         this._responseHandlers = new Map();
         this._progressHandlers.clear();
+        this._pendingDebouncedNotifications.clear();
         this._transport = undefined;
         (_a = this.onclose) === null || _a === void 0 ? void 0 : _a.call(this);
         const error = new McpError(ErrorCode.ConnectionClosed, "Connection closed");
@@ -6012,10 +6079,12 @@ class Protocol {
             .catch((error) => this._onerror(new Error(`Uncaught error in notification handler: ${error}`)));
     }
     _onrequest(request, extra) {
-        var _a, _b, _c, _d;
+        var _a, _b;
         const handler = (_a = this._requestHandlers.get(request.method)) !== null && _a !== void 0 ? _a : this.fallbackRequestHandler;
+        // Capture the current transport at request time to ensure responses go to the correct client
+        const capturedTransport = this._transport;
         if (handler === undefined) {
-            (_b = this._transport) === null || _b === void 0 ? void 0 : _b.send({
+            capturedTransport === null || capturedTransport === void 0 ? void 0 : capturedTransport.send({
                 jsonrpc: "2.0",
                 id: request.id,
                 error: {
@@ -6029,8 +6098,8 @@ class Protocol {
         this._requestHandlerAbortControllers.set(request.id, abortController);
         const fullExtra = {
             signal: abortController.signal,
-            sessionId: (_c = this._transport) === null || _c === void 0 ? void 0 : _c.sessionId,
-            _meta: (_d = request.params) === null || _d === void 0 ? void 0 : _d._meta,
+            sessionId: capturedTransport === null || capturedTransport === void 0 ? void 0 : capturedTransport.sessionId,
+            _meta: (_b = request.params) === null || _b === void 0 ? void 0 : _b._meta,
             sendNotification: (notification) => this.notification(notification, { relatedRequestId: request.id }),
             sendRequest: (r, resultSchema, options) => this.request(r, resultSchema, { ...options, relatedRequestId: request.id }),
             authInfo: extra === null || extra === void 0 ? void 0 : extra.authInfo,
@@ -6041,28 +6110,27 @@ class Protocol {
         Promise.resolve()
             .then(() => handler(request, fullExtra))
             .then((result) => {
-            var _a;
             if (abortController.signal.aborted) {
                 return;
             }
-            return (_a = this._transport) === null || _a === void 0 ? void 0 : _a.send({
+            return capturedTransport === null || capturedTransport === void 0 ? void 0 : capturedTransport.send({
                 result,
                 jsonrpc: "2.0",
                 id: request.id,
             });
         }, (error) => {
-            var _a, _b;
+            var _a;
             if (abortController.signal.aborted) {
                 return;
             }
-            return (_a = this._transport) === null || _a === void 0 ? void 0 : _a.send({
+            return capturedTransport === null || capturedTransport === void 0 ? void 0 : capturedTransport.send({
                 jsonrpc: "2.0",
                 id: request.id,
                 error: {
                     code: Number.isSafeInteger(error["code"])
                         ? error["code"]
                         : ErrorCode.InternalError,
-                    message: (_b = error.message) !== null && _b !== void 0 ? _b : "Internal error",
+                    message: (_a = error.message) !== null && _a !== void 0 ? _a : "Internal error",
                 },
             });
         })
@@ -6201,10 +6269,45 @@ class Protocol {
      * Emits a notification, which is a one-way message that does not expect a response.
      */
     async notification(notification, options) {
+        var _a, _b;
         if (!this._transport) {
             throw new Error("Not connected");
         }
         this.assertNotificationCapability(notification.method);
+        const debouncedMethods = (_b = (_a = this._options) === null || _a === void 0 ? void 0 : _a.debouncedNotificationMethods) !== null && _b !== void 0 ? _b : [];
+        // A notification can only be debounced if it's in the list AND it's "simple"
+        // (i.e., has no parameters and no related request ID that could be lost).
+        const canDebounce = debouncedMethods.includes(notification.method)
+            && !notification.params
+            && !(options === null || options === void 0 ? void 0 : options.relatedRequestId);
+        if (canDebounce) {
+            // If a notification of this type is already scheduled, do nothing.
+            if (this._pendingDebouncedNotifications.has(notification.method)) {
+                return;
+            }
+            // Mark this notification type as pending.
+            this._pendingDebouncedNotifications.add(notification.method);
+            // Schedule the actual send to happen in the next microtask.
+            // This allows all synchronous calls in the current event loop tick to be coalesced.
+            Promise.resolve().then(() => {
+                var _a;
+                // Un-mark the notification so the next one can be scheduled.
+                this._pendingDebouncedNotifications.delete(notification.method);
+                // SAFETY CHECK: If the connection was closed while this was pending, abort.
+                if (!this._transport) {
+                    return;
+                }
+                const jsonrpcNotification = {
+                    ...notification,
+                    jsonrpc: "2.0",
+                };
+                // Send the notification, but don't await it here to avoid blocking.
+                // Handle potential errors with a .catch().
+                (_a = this._transport) === null || _a === void 0 ? void 0 : _a.send(jsonrpcNotification, options).catch(error => this._onerror(error));
+            });
+            // Return immediately.
+            return;
+        }
         const jsonrpcNotification = {
             ...notification,
             jsonrpc: "2.0",
@@ -14102,12 +14205,29 @@ async function pkceChallenge(length) {
     };
 }
 
+/**
+ * Reusable URL validation that disallows javascript: scheme
+ */
+const SafeUrlSchema = stringType().url()
+    .superRefine((val, ctx) => {
+    if (!URL.canParse(val)) {
+        ctx.addIssue({
+            code: ZodIssueCode.custom,
+            message: "URL must be parseable",
+            fatal: true,
+        });
+        return NEVER;
+    }
+}).refine((url) => {
+    const u = new URL(url);
+    return u.protocol !== 'javascript:' && u.protocol !== 'data:' && u.protocol !== 'vbscript:';
+}, { message: "URL cannot use javascript:, data:, or vbscript: scheme" });
 /**
  * RFC 9728 OAuth Protected Resource Metadata
  */
 const OAuthProtectedResourceMetadataSchema = objectType({
     resource: stringType().url(),
-    authorization_servers: arrayType(stringType().url()).optional(),
+    authorization_servers: arrayType(SafeUrlSchema).optional(),
     jwks_uri: stringType().url().optional(),
     scopes_supported: arrayType(stringType()).optional(),
     bearer_methods_supported: arrayType(stringType()).optional(),
@@ -14127,9 +14247,9 @@ const OAuthProtectedResourceMetadataSchema = objectType({
  */
 const OAuthMetadataSchema = objectType({
     issuer: stringType(),
-    authorization_endpoint: stringType(),
-    token_endpoint: stringType(),
-    registration_endpoint: stringType().optional(),
+    authorization_endpoint: SafeUrlSchema,
+    token_endpoint: SafeUrlSchema,
+    registration_endpoint: SafeUrlSchema.optional(),
     scopes_supported: arrayType(stringType()).optional(),
     response_types_supported: arrayType(stringType()),
     response_modes_supported: arrayType(stringType()).optional(),
@@ -14137,8 +14257,8 @@ const OAuthMetadataSchema = objectType({
     token_endpoint_auth_methods_supported: arrayType(stringType()).optional(),
     token_endpoint_auth_signing_alg_values_supported: arrayType(stringType())
         .optional(),
-    service_documentation: stringType().optional(),
-    revocation_endpoint: stringType().optional(),
+    service_documentation: SafeUrlSchema.optional(),
+    revocation_endpoint: SafeUrlSchema.optional(),
     revocation_endpoint_auth_methods_supported: arrayType(stringType()).optional(),
     revocation_endpoint_auth_signing_alg_values_supported: arrayType(stringType())
         .optional(),
@@ -14150,11 +14270,65 @@ const OAuthMetadataSchema = objectType({
     code_challenge_methods_supported: arrayType(stringType()).optional(),
 })
     .passthrough();
+/**
+ * OpenID Connect Discovery 1.0 Provider Metadata
+ * see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+ */
+const OpenIdProviderMetadataSchema = objectType({
+    issuer: stringType(),
+    authorization_endpoint: SafeUrlSchema,
+    token_endpoint: SafeUrlSchema,
+    userinfo_endpoint: SafeUrlSchema.optional(),
+    jwks_uri: SafeUrlSchema,
+    registration_endpoint: SafeUrlSchema.optional(),
+    scopes_supported: arrayType(stringType()).optional(),
+    response_types_supported: arrayType(stringType()),
+    response_modes_supported: arrayType(stringType()).optional(),
+    grant_types_supported: arrayType(stringType()).optional(),
+    acr_values_supported: arrayType(stringType()).optional(),
+    subject_types_supported: arrayType(stringType()),
+    id_token_signing_alg_values_supported: arrayType(stringType()),
+    id_token_encryption_alg_values_supported: arrayType(stringType()).optional(),
+    id_token_encryption_enc_values_supported: arrayType(stringType()).optional(),
+    userinfo_signing_alg_values_supported: arrayType(stringType()).optional(),
+    userinfo_encryption_alg_values_supported: arrayType(stringType()).optional(),
+    userinfo_encryption_enc_values_supported: arrayType(stringType()).optional(),
+    request_object_signing_alg_values_supported: arrayType(stringType()).optional(),
+    request_object_encryption_alg_values_supported: arrayType(stringType())
+        .optional(),
+    request_object_encryption_enc_values_supported: arrayType(stringType())
+        .optional(),
+    token_endpoint_auth_methods_supported: arrayType(stringType()).optional(),
+    token_endpoint_auth_signing_alg_values_supported: arrayType(stringType())
+        .optional(),
+    display_values_supported: arrayType(stringType()).optional(),
+    claim_types_supported: arrayType(stringType()).optional(),
+    claims_supported: arrayType(stringType()).optional(),
+    service_documentation: stringType().optional(),
+    claims_locales_supported: arrayType(stringType()).optional(),
+    ui_locales_supported: arrayType(stringType()).optional(),
+    claims_parameter_supported: booleanType().optional(),
+    request_parameter_supported: booleanType().optional(),
+    request_uri_parameter_supported: booleanType().optional(),
+    require_request_uri_registration: booleanType().optional(),
+    op_policy_uri: SafeUrlSchema.optional(),
+    op_tos_uri: SafeUrlSchema.optional(),
+})
+    .passthrough();
+/**
+ * OpenID Connect Discovery metadata that may include OAuth 2.0 fields
+ * This schema represents the real-world scenario where OIDC providers
+ * return a mix of OpenID Connect and OAuth 2.0 metadata fields
+ */
+const OpenIdProviderDiscoveryMetadataSchema = OpenIdProviderMetadataSchema.merge(OAuthMetadataSchema.pick({
+    code_challenge_methods_supported: true,
+}));
 /**
  * OAuth 2.1 token response
  */
 const OAuthTokensSchema = objectType({
     access_token: stringType(),
+    id_token: stringType().optional(), // Optional for OAuth 2.1, but necessary in OpenID Connect
     token_type: stringType(),
     expires_in: numberType().optional(),
     scope: stringType().optional(),
@@ -14164,7 +14338,7 @@ const OAuthTokensSchema = objectType({
 /**
  * OAuth 2.1 error response
  */
-objectType({
+const OAuthErrorResponseSchema = objectType({
     error: stringType(),
     error_description: stringType().optional(),
     error_uri: stringType().optional(),
@@ -14173,18 +14347,18 @@ objectType({
  * RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
  */
 const OAuthClientMetadataSchema = objectType({
-    redirect_uris: arrayType(stringType()).refine((uris) => uris.every((uri) => URL.canParse(uri)), { message: "redirect_uris must contain valid URLs" }),
+    redirect_uris: arrayType(SafeUrlSchema),
     token_endpoint_auth_method: stringType().optional(),
     grant_types: arrayType(stringType()).optional(),
     response_types: arrayType(stringType()).optional(),
     client_name: stringType().optional(),
-    client_uri: stringType().optional(),
-    logo_uri: stringType().optional(),
+    client_uri: SafeUrlSchema.optional(),
+    logo_uri: SafeUrlSchema.optional(),
     scope: stringType().optional(),
     contacts: arrayType(stringType()).optional(),
-    tos_uri: stringType().optional(),
+    tos_uri: SafeUrlSchema.optional(),
     policy_uri: stringType().optional(),
-    jwks_uri: stringType().optional(),
+    jwks_uri: SafeUrlSchema.optional(),
     jwks: anyType().optional(),
     software_id: stringType().optional(),
     software_version: stringType().optional(),
@@ -14262,22 +14436,313 @@ function checkResourceAllowed({ requestedResource, configuredResource }) {
     return requestedPath.startsWith(configuredPath);
 }
 
+/**
+ * Base class for all OAuth errors
+ */
+class OAuthError extends Error {
+    constructor(message, errorUri) {
+        super(message);
+        this.errorUri = errorUri;
+        this.name = this.constructor.name;
+    }
+    /**
+     * Converts the error to a standard OAuth error response object
+     */
+    toResponseObject() {
+        const response = {
+            error: this.errorCode,
+            error_description: this.message
+        };
+        if (this.errorUri) {
+            response.error_uri = this.errorUri;
+        }
+        return response;
+    }
+    get errorCode() {
+        return this.constructor.errorCode;
+    }
+}
+/**
+ * Invalid request error - The request is missing a required parameter,
+ * includes an invalid parameter value, includes a parameter more than once,
+ * or is otherwise malformed.
+ */
+class InvalidRequestError extends OAuthError {
+}
+InvalidRequestError.errorCode = "invalid_request";
+/**
+ * Invalid client error - Client authentication failed (e.g., unknown client, no client
+ * authentication included, or unsupported authentication method).
+ */
+class InvalidClientError extends OAuthError {
+}
+InvalidClientError.errorCode = "invalid_client";
+/**
+ * Invalid grant error - The provided authorization grant or refresh token is
+ * invalid, expired, revoked, does not match the redirection URI used in the
+ * authorization request, or was issued to another client.
+ */
+class InvalidGrantError extends OAuthError {
+}
+InvalidGrantError.errorCode = "invalid_grant";
+/**
+ * Unauthorized client error - The authenticated client is not authorized to use
+ * this authorization grant type.
+ */
+class UnauthorizedClientError extends OAuthError {
+}
+UnauthorizedClientError.errorCode = "unauthorized_client";
+/**
+ * Unsupported grant type error - The authorization grant type is not supported
+ * by the authorization server.
+ */
+class UnsupportedGrantTypeError extends OAuthError {
+}
+UnsupportedGrantTypeError.errorCode = "unsupported_grant_type";
+/**
+ * Invalid scope error - The requested scope is invalid, unknown, malformed, or
+ * exceeds the scope granted by the resource owner.
+ */
+class InvalidScopeError extends OAuthError {
+}
+InvalidScopeError.errorCode = "invalid_scope";
+/**
+ * Access denied error - The resource owner or authorization server denied the request.
+ */
+class AccessDeniedError extends OAuthError {
+}
+AccessDeniedError.errorCode = "access_denied";
+/**
+ * Server error - The authorization server encountered an unexpected condition
+ * that prevented it from fulfilling the request.
+ */
+class ServerError extends OAuthError {
+}
+ServerError.errorCode = "server_error";
+/**
+ * Temporarily unavailable error - The authorization server is currently unable to
+ * handle the request due to a temporary overloading or maintenance of the server.
+ */
+class TemporarilyUnavailableError extends OAuthError {
+}
+TemporarilyUnavailableError.errorCode = "temporarily_unavailable";
+/**
+ * Unsupported response type error - The authorization server does not support
+ * obtaining an authorization code using this method.
+ */
+class UnsupportedResponseTypeError extends OAuthError {
+}
+UnsupportedResponseTypeError.errorCode = "unsupported_response_type";
+/**
+ * Unsupported token type error - The authorization server does not support
+ * the requested token type.
+ */
+class UnsupportedTokenTypeError extends OAuthError {
+}
+UnsupportedTokenTypeError.errorCode = "unsupported_token_type";
+/**
+ * Invalid token error - The access token provided is expired, revoked, malformed,
+ * or invalid for other reasons.
+ */
+class InvalidTokenError extends OAuthError {
+}
+InvalidTokenError.errorCode = "invalid_token";
+/**
+ * Method not allowed error - The HTTP method used is not allowed for this endpoint.
+ * (Custom, non-standard error)
+ */
+class MethodNotAllowedError extends OAuthError {
+}
+MethodNotAllowedError.errorCode = "method_not_allowed";
+/**
+ * Too many requests error - Rate limit exceeded.
+ * (Custom, non-standard error based on RFC 6585)
+ */
+class TooManyRequestsError extends OAuthError {
+}
+TooManyRequestsError.errorCode = "too_many_requests";
+/**
+ * Invalid client metadata error - The client metadata is invalid.
+ * (Custom error for dynamic client registration - RFC 7591)
+ */
+class InvalidClientMetadataError extends OAuthError {
+}
+InvalidClientMetadataError.errorCode = "invalid_client_metadata";
+/**
+ * Insufficient scope error - The request requires higher privileges than provided by the access token.
+ */
+class InsufficientScopeError extends OAuthError {
+}
+InsufficientScopeError.errorCode = "insufficient_scope";
+/**
+ * A full list of all OAuthErrors, enabling parsing from error responses
+ */
+const OAUTH_ERRORS = {
+    [InvalidRequestError.errorCode]: InvalidRequestError,
+    [InvalidClientError.errorCode]: InvalidClientError,
+    [InvalidGrantError.errorCode]: InvalidGrantError,
+    [UnauthorizedClientError.errorCode]: UnauthorizedClientError,
+    [UnsupportedGrantTypeError.errorCode]: UnsupportedGrantTypeError,
+    [InvalidScopeError.errorCode]: InvalidScopeError,
+    [AccessDeniedError.errorCode]: AccessDeniedError,
+    [ServerError.errorCode]: ServerError,
+    [TemporarilyUnavailableError.errorCode]: TemporarilyUnavailableError,
+    [UnsupportedResponseTypeError.errorCode]: UnsupportedResponseTypeError,
+    [UnsupportedTokenTypeError.errorCode]: UnsupportedTokenTypeError,
+    [InvalidTokenError.errorCode]: InvalidTokenError,
+    [MethodNotAllowedError.errorCode]: MethodNotAllowedError,
+    [TooManyRequestsError.errorCode]: TooManyRequestsError,
+    [InvalidClientMetadataError.errorCode]: InvalidClientMetadataError,
+    [InsufficientScopeError.errorCode]: InsufficientScopeError,
+};
+
 class UnauthorizedError extends Error {
     constructor(message) {
         super(message !== null && message !== void 0 ? message : "Unauthorized");
     }
 }
+/**
+ * Determines the best client authentication method to use based on server support and client configuration.
+ *
+ * Priority order (highest to lowest):
+ * 1. client_secret_basic (if client secret is available)
+ * 2. client_secret_post (if client secret is available)
+ * 3. none (for public clients)
+ *
+ * @param clientInformation - OAuth client information containing credentials
+ * @param supportedMethods - Authentication methods supported by the authorization server
+ * @returns The selected authentication method
+ */
+function selectClientAuthMethod(clientInformation, supportedMethods) {
+    const hasClientSecret = clientInformation.client_secret !== undefined;
+    // If server doesn't specify supported methods, use RFC 6749 defaults
+    if (supportedMethods.length === 0) {
+        return hasClientSecret ? "client_secret_post" : "none";
+    }
+    // Try methods in priority order (most secure first)
+    if (hasClientSecret && supportedMethods.includes("client_secret_basic")) {
+        return "client_secret_basic";
+    }
+    if (hasClientSecret && supportedMethods.includes("client_secret_post")) {
+        return "client_secret_post";
+    }
+    if (supportedMethods.includes("none")) {
+        return "none";
+    }
+    // Fallback: use what we have
+    return hasClientSecret ? "client_secret_post" : "none";
+}
+/**
+ * Applies client authentication to the request based on the specified method.
+ *
+ * Implements OAuth 2.1 client authentication methods:
+ * - client_secret_basic: HTTP Basic authentication (RFC 6749 Section 2.3.1)
+ * - client_secret_post: Credentials in request body (RFC 6749 Section 2.3.1)
+ * - none: Public client authentication (RFC 6749 Section 2.1)
+ *
+ * @param method - The authentication method to use
+ * @param clientInformation - OAuth client information containing credentials
+ * @param headers - HTTP headers object to modify
+ * @param params - URL search parameters to modify
+ * @throws {Error} When required credentials are missing
+ */
+function applyClientAuthentication(method, clientInformation, headers, params) {
+    const { client_id, client_secret } = clientInformation;
+    switch (method) {
+        case "client_secret_basic":
+            applyBasicAuth(client_id, client_secret, headers);
+            return;
+        case "client_secret_post":
+            applyPostAuth(client_id, client_secret, params);
+            return;
+        case "none":
+            applyPublicAuth(client_id, params);
+            return;
+        default:
+            throw new Error(`Unsupported client authentication method: ${method}`);
+    }
+}
+/**
+ * Applies HTTP Basic authentication (RFC 6749 Section 2.3.1)
+ */
+function applyBasicAuth(clientId, clientSecret, headers) {
+    if (!clientSecret) {
+        throw new Error("client_secret_basic authentication requires a client_secret");
+    }
+    const credentials = btoa(`${clientId}:${clientSecret}`);
+    headers.set("Authorization", `Basic ${credentials}`);
+}
+/**
+ * Applies POST body authentication (RFC 6749 Section 2.3.1)
+ */
+function applyPostAuth(clientId, clientSecret, params) {
+    params.set("client_id", clientId);
+    if (clientSecret) {
+        params.set("client_secret", clientSecret);
+    }
+}
+/**
+ * Applies public client authentication (RFC 6749 Section 2.1)
+ */
+function applyPublicAuth(clientId, params) {
+    params.set("client_id", clientId);
+}
+/**
+ * Parses an OAuth error response from a string or Response object.
+ *
+ * If the input is a standard OAuth2.0 error response, it will be parsed according to the spec
+ * and an instance of the appropriate OAuthError subclass will be returned.
+ * If parsing fails, it falls back to a generic ServerError that includes
+ * the response status (if available) and original content.
+ *
+ * @param input - A Response object or string containing the error response
+ * @returns A Promise that resolves to an OAuthError instance
+ */
+async function parseErrorResponse(input) {
+    const statusCode = input instanceof Response ? input.status : undefined;
+    const body = input instanceof Response ? await input.text() : input;
+    try {
+        const result = OAuthErrorResponseSchema.parse(JSON.parse(body));
+        const { error, error_description, error_uri } = result;
+        const errorClass = OAUTH_ERRORS[error] || ServerError;
+        return new errorClass(error_description || '', error_uri);
+    }
+    catch (error) {
+        // Not a valid OAuth error response, but try to inform the user of the raw data anyway
+        const errorMessage = `${statusCode ? `HTTP ${statusCode}: ` : ''}Invalid OAuth error response: ${error}. Raw body: ${body}`;
+        return new ServerError(errorMessage);
+    }
+}
 /**
  * Orchestrates the full auth flow with a server.
  *
  * This can be used as a single entry point for all authorization functionality,
  * instead of linking together the other lower-level functions in this module.
  */
-async function auth(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl }) {
+async function auth(provider, options) {
+    var _a, _b;
+    try {
+        return await authInternal(provider, options);
+    }
+    catch (error) {
+        // Handle recoverable error types by invalidating credentials and retrying
+        if (error instanceof InvalidClientError || error instanceof UnauthorizedClientError) {
+            await ((_a = provider.invalidateCredentials) === null || _a === void 0 ? void 0 : _a.call(provider, 'all'));
+            return await authInternal(provider, options);
+        }
+        else if (error instanceof InvalidGrantError) {
+            await ((_b = provider.invalidateCredentials) === null || _b === void 0 ? void 0 : _b.call(provider, 'tokens'));
+            return await authInternal(provider, options);
+        }
+        // Throw otherwise
+        throw error;
+    }
+}
+async function authInternal(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl, fetchFn, }) {
     let resourceMetadata;
-    let authorizationServerUrl = serverUrl;
+    let authorizationServerUrl;
     try {
-        resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl });
+        resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl }, fetchFn);
         if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
             authorizationServerUrl = resourceMetadata.authorization_servers[0];
         }
@@ -14285,8 +14750,17 @@ async function auth(provider, { serverUrl, authorizationCode, scope, resourceMet
     catch (_a) {
         // Ignore errors and fall back to /.well-known/oauth-authorization-server
     }
+    /**
+     * If we don't get a valid authorization server metadata from protected resource metadata,
+     * fallback to the legacy MCP spec's implementation (version 2025-03-26): MCP server acts as the Authorization server.
+     */
+    if (!authorizationServerUrl) {
+        authorizationServerUrl = serverUrl;
+    }
     const resource = await selectResourceURL(serverUrl, provider, resourceMetadata);
-    const metadata = await discoverOAuthMetadata(authorizationServerUrl);
+    const metadata = await discoverAuthorizationServerMetadata(authorizationServerUrl, {
+        fetchFn,
+    });
     // Handle client registration if needed
     let clientInformation = await Promise.resolve(provider.clientInformation());
     if (!clientInformation) {
@@ -14299,6 +14773,7 @@ async function auth(provider, { serverUrl, authorizationCode, scope, resourceMet
         const fullInformation = await registerClient(authorizationServerUrl, {
             metadata,
             clientMetadata: provider.clientMetadata,
+            fetchFn,
         });
         await provider.saveClientInformation(fullInformation);
         clientInformation = fullInformation;
@@ -14313,6 +14788,8 @@ async function auth(provider, { serverUrl, authorizationCode, scope, resourceMet
             codeVerifier,
             redirectUri: provider.redirectUrl,
             resource,
+            addClientAuthentication: provider.addClientAuthentication,
+            fetchFn: fetchFn,
         });
         await provider.saveTokens(tokens);
         return "AUTHORIZED";
@@ -14327,12 +14804,19 @@ async function auth(provider, { serverUrl, authorizationCode, scope, resourceMet
                 clientInformation,
                 refreshToken: tokens.refresh_token,
                 resource,
+                addClientAuthentication: provider.addClientAuthentication,
+                fetchFn,
             });
             await provider.saveTokens(newTokens);
             return "AUTHORIZED";
         }
-        catch (_b) {
-            // Could not refresh OAuth tokens
+        catch (error) {
+            // If this is a ServerError, or an unknown type, log it out and try to continue. Otherwise, escalate so we can fix things and retry.
+            if (!(error instanceof OAuthError) || error instanceof ServerError) ;
+            else {
+                // Refresh failed for another reason, re-throw
+                throw error;
+            }
         }
     }
     const state = provider.state ? await provider.state() : undefined;
@@ -14396,33 +14880,12 @@ function extractResourceMetadataUrl(res) {
  * If the server returns a 404 for the well-known endpoint, this function will
  * return `undefined`. Any other errors will be thrown as exceptions.
  */
-async function discoverOAuthProtectedResourceMetadata(serverUrl, opts) {
-    var _a;
-    let url;
-    if (opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl) {
-        url = new URL(opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl);
-    }
-    else {
-        url = new URL("/.well-known/oauth-protected-resource", serverUrl);
-    }
-    let response;
-    try {
-        response = await fetch(url, {
-            headers: {
-                "MCP-Protocol-Version": (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION
-            }
-        });
-    }
-    catch (error) {
-        // CORS errors come back as TypeError
-        if (error instanceof TypeError) {
-            response = await fetch(url);
-        }
-        else {
-            throw error;
-        }
-    }
-    if (response.status === 404) {
+async function discoverOAuthProtectedResourceMetadata(serverUrl, opts, fetchFn = fetch) {
+    const response = await discoverMetadataWithFallback(serverUrl, 'oauth-protected-resource', fetchFn, {
+        protocolVersion: opts === null || opts === void 0 ? void 0 : opts.protocolVersion,
+        metadataUrl: opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl,
+    });
+    if (!response || response.status === 404) {
         throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
     }
     if (!response.ok) {
@@ -14433,15 +14896,15 @@ async function discoverOAuthProtectedResourceMetadata(serverUrl, opts) {
 /**
  * Helper function to handle fetch with CORS retry logic
  */
-async function fetchWithCorsRetry(url, headers) {
+async function fetchWithCorsRetry(url, headers, fetchFn = fetch) {
     try {
-        return await fetch(url, { headers });
+        return await fetchFn(url, { headers });
     }
     catch (error) {
         if (error instanceof TypeError) {
             if (headers) {
                 // CORS errors come back as TypeError, retry without headers
-                return fetchWithCorsRetry(url);
+                return fetchWithCorsRetry(url, undefined, fetchFn);
             }
             else {
                 // We're getting CORS errors on retry too, return undefined
@@ -14452,57 +14915,162 @@ async function fetchWithCorsRetry(url, headers) {
     }
 }
 /**
- * Constructs the well-known path for OAuth metadata discovery
+ * Constructs the well-known path for auth-related metadata discovery
  */
-function buildWellKnownPath(pathname) {
-    let wellKnownPath = `/.well-known/oauth-authorization-server${pathname}`;
+function buildWellKnownPath(wellKnownPrefix, pathname = '', options = {}) {
+    // Strip trailing slash from pathname to avoid double slashes
     if (pathname.endsWith('/')) {
-        // Strip trailing slash from pathname to avoid double slashes
-        wellKnownPath = wellKnownPath.slice(0, -1);
+        pathname = pathname.slice(0, -1);
     }
-    return wellKnownPath;
+    return options.prependPathname
+        ? `${pathname}/.well-known/${wellKnownPrefix}`
+        : `/.well-known/${wellKnownPrefix}${pathname}`;
 }
 /**
  * Tries to discover OAuth metadata at a specific URL
  */
-async function tryMetadataDiscovery(url, protocolVersion) {
+async function tryMetadataDiscovery(url, protocolVersion, fetchFn = fetch) {
     const headers = {
         "MCP-Protocol-Version": protocolVersion
     };
-    return await fetchWithCorsRetry(url, headers);
+    return await fetchWithCorsRetry(url, headers, fetchFn);
 }
 /**
  * Determines if fallback to root discovery should be attempted
  */
 function shouldAttemptFallback(response, pathname) {
-    return !response || response.status === 404 && pathname !== '/';
+    return !response || (response.status >= 400 && response.status < 500) && pathname !== '/';
 }
 /**
- * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.
- *
- * If the server returns a 404 for the well-known endpoint, this function will
- * return `undefined`. Any other errors will be thrown as exceptions.
+ * Generic function for discovering OAuth metadata with fallback support
  */
-async function discoverOAuthMetadata(authorizationServerUrl, opts) {
-    var _a;
-    const issuer = new URL(authorizationServerUrl);
-    const protocolVersion = (_a = void 0 ) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION;
-    // Try path-aware discovery first (RFC 8414 compliant)
-    const wellKnownPath = buildWellKnownPath(issuer.pathname);
-    const pathAwareUrl = new URL(wellKnownPath, issuer);
-    let response = await tryMetadataDiscovery(pathAwareUrl, protocolVersion);
-    // If path-aware discovery fails with 404, try fallback to root discovery
-    if (shouldAttemptFallback(response, issuer.pathname)) {
-        const rootUrl = new URL("/.well-known/oauth-authorization-server", issuer);
-        response = await tryMetadataDiscovery(rootUrl, protocolVersion);
+async function discoverMetadataWithFallback(serverUrl, wellKnownType, fetchFn, opts) {
+    var _a, _b;
+    const issuer = new URL(serverUrl);
+    const protocolVersion = (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION;
+    let url;
+    if (opts === null || opts === void 0 ? void 0 : opts.metadataUrl) {
+        url = new URL(opts.metadataUrl);
     }
-    if (!response || response.status === 404) {
-        return undefined;
+    else {
+        // Try path-aware discovery first
+        const wellKnownPath = buildWellKnownPath(wellKnownType, issuer.pathname);
+        url = new URL(wellKnownPath, (_b = opts === null || opts === void 0 ? void 0 : opts.metadataServerUrl) !== null && _b !== void 0 ? _b : issuer);
+        url.search = issuer.search;
     }
-    if (!response.ok) {
-        throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);
+    let response = await tryMetadataDiscovery(url, protocolVersion, fetchFn);
+    // If path-aware discovery fails with 404 and we're not already at root, try fallback to root discovery
+    if (!(opts === null || opts === void 0 ? void 0 : opts.metadataUrl) && shouldAttemptFallback(response, issuer.pathname)) {
+        const rootUrl = new URL(`/.well-known/${wellKnownType}`, issuer);
+        response = await tryMetadataDiscovery(rootUrl, protocolVersion, fetchFn);
     }
-    return OAuthMetadataSchema.parse(await response.json());
+    return response;
+}
+/**
+ * Builds a list of discovery URLs to try for authorization server metadata.
+ * URLs are returned in priority order:
+ * 1. OAuth metadata at the given URL
+ * 2. OAuth metadata at root (if URL has path)
+ * 3. OIDC metadata endpoints
+ */
+function buildDiscoveryUrls(authorizationServerUrl) {
+    const url = typeof authorizationServerUrl === 'string' ? new URL(authorizationServerUrl) : authorizationServerUrl;
+    const hasPath = url.pathname !== '/';
+    const urlsToTry = [];
+    if (!hasPath) {
+        // Root path: https://example.com/.well-known/oauth-authorization-server
+        urlsToTry.push({
+            url: new URL('/.well-known/oauth-authorization-server', url.origin),
+            type: 'oauth'
+        });
+        // OIDC: https://example.com/.well-known/openid-configuration
+        urlsToTry.push({
+            url: new URL(`/.well-known/openid-configuration`, url.origin),
+            type: 'oidc'
+        });
+        return urlsToTry;
+    }
+    // Strip trailing slash from pathname to avoid double slashes
+    let pathname = url.pathname;
+    if (pathname.endsWith('/')) {
+        pathname = pathname.slice(0, -1);
+    }
+    // 1. OAuth metadata at the given URL
+    // Insert well-known before the path: https://example.com/.well-known/oauth-authorization-server/tenant1
+    urlsToTry.push({
+        url: new URL(`/.well-known/oauth-authorization-server${pathname}`, url.origin),
+        type: 'oauth'
+    });
+    // Root path: https://example.com/.well-known/oauth-authorization-server
+    urlsToTry.push({
+        url: new URL('/.well-known/oauth-authorization-server', url.origin),
+        type: 'oauth'
+    });
+    // 3. OIDC metadata endpoints
+    // RFC 8414 style: Insert /.well-known/openid-configuration before the path
+    urlsToTry.push({
+        url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),
+        type: 'oidc'
+    });
+    // OIDC Discovery 1.0 style: Append /.well-known/openid-configuration after the path
+    urlsToTry.push({
+        url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),
+        type: 'oidc'
+    });
+    return urlsToTry;
+}
+/**
+ * Discovers authorization server metadata with support for RFC 8414 OAuth 2.0 Authorization Server Metadata
+ * and OpenID Connect Discovery 1.0 specifications.
+ *
+ * This function implements a fallback strategy for authorization server discovery:
+ * 1. Attempts RFC 8414 OAuth metadata discovery first
+ * 2. If OAuth discovery fails, falls back to OpenID Connect Discovery
+ *
+ * @param authorizationServerUrl - The authorization server URL obtained from the MCP Server's
+ *                                 protected resource metadata, or the MCP server's URL if the
+ *                                 metadata was not found.
+ * @param options - Configuration options
+ * @param options.fetchFn - Optional fetch function for making HTTP requests, defaults to global fetch
+ * @param options.protocolVersion - MCP protocol version to use, defaults to LATEST_PROTOCOL_VERSION
+ * @returns Promise resolving to authorization server metadata, or undefined if discovery fails
+ */
+async function discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn = fetch, protocolVersion = LATEST_PROTOCOL_VERSION, } = {}) {
+    var _a;
+    const headers = { 'MCP-Protocol-Version': protocolVersion };
+    // Get the list of URLs to try
+    const urlsToTry = buildDiscoveryUrls(authorizationServerUrl);
+    // Try each URL in order
+    for (const { url: endpointUrl, type } of urlsToTry) {
+        const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);
+        if (!response) {
+            /**
+             * CORS error occurred - don't throw as the endpoint may not allow CORS,
+             * continue trying other possible endpoints
+             */
+            continue;
+        }
+        if (!response.ok) {
+            // Continue looking for any 4xx response code.
+            if (response.status >= 400 && response.status < 500) {
+                continue; // Try next URL
+            }
+            throw new Error(`HTTP ${response.status} trying to load ${type === 'oauth' ? 'OAuth' : 'OpenID provider'} metadata from ${endpointUrl}`);
+        }
+        // Parse and validate based on type
+        if (type === 'oauth') {
+            return OAuthMetadataSchema.parse(await response.json());
+        }
+        else {
+            const metadata = OpenIdProviderDiscoveryMetadataSchema.parse(await response.json());
+            // MCP spec requires OIDC providers to support S256 PKCE
+            if (!((_a = metadata.code_challenge_methods_supported) === null || _a === void 0 ? void 0 : _a.includes('S256'))) {
+                throw new Error(`Incompatible OIDC provider at ${endpointUrl}: does not support S256 code challenge method required by MCP specification`);
+            }
+            return metadata;
+        }
+    }
+    return undefined;
 }
 /**
  * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL.
@@ -14539,6 +15107,12 @@ async function startAuthorization(authorizationServerUrl, { metadata, clientInfo
     if (scope) {
         authorizationUrl.searchParams.set("scope", scope);
     }
+    if (scope === null || scope === void 0 ? void 0 : scope.includes("offline_access")) {
+        // if the request includes the OIDC-only "offline_access" scope,
+        // we need to set the prompt to "consent" to ensure the user is prompted to grant offline access
+        // https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+        authorizationUrl.searchParams.append("prompt", "consent");
+    }
     if (resource) {
         authorizationUrl.searchParams.set("resource", resource.href);
     }
@@ -14546,50 +15120,73 @@ async function startAuthorization(authorizationServerUrl, { metadata, clientInfo
 }
 /**
  * Exchanges an authorization code for an access token with the given server.
+ *
+ * Supports multiple client authentication methods as specified in OAuth 2.1:
+ * - Automatically selects the best authentication method based on server support
+ * - Falls back to appropriate defaults when server metadata is unavailable
+ *
+ * @param authorizationServerUrl - The authorization server's base URL
+ * @param options - Configuration object containing client info, auth code, etc.
+ * @returns Promise resolving to OAuth tokens
+ * @throws {Error} When token exchange fails or authentication is invalid
  */
-async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, }) {
+async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, addClientAuthentication, fetchFn, }) {
+    var _a;
     const grantType = "authorization_code";
-    let tokenUrl;
-    if (metadata) {
-        tokenUrl = new URL(metadata.token_endpoint);
-        if (metadata.grant_types_supported &&
-            !metadata.grant_types_supported.includes(grantType)) {
-            throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
-        }
-    }
-    else {
-        tokenUrl = new URL("/token", authorizationServerUrl);
+    const tokenUrl = (metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint)
+        ? new URL(metadata.token_endpoint)
+        : new URL("/token", authorizationServerUrl);
+    if ((metadata === null || metadata === void 0 ? void 0 : metadata.grant_types_supported) &&
+        !metadata.grant_types_supported.includes(grantType)) {
+        throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
     }
     // Exchange code for tokens
+    const headers = new Headers({
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Accept": "application/json",
+    });
     const params = new URLSearchParams({
         grant_type: grantType,
-        client_id: clientInformation.client_id,
         code: authorizationCode,
         code_verifier: codeVerifier,
         redirect_uri: String(redirectUri),
     });
-    if (clientInformation.client_secret) {
-        params.set("client_secret", clientInformation.client_secret);
+    if (addClientAuthentication) {
+        addClientAuthentication(headers, params, authorizationServerUrl, metadata);
+    }
+    else {
+        // Determine and apply client authentication method
+        const supportedMethods = (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : [];
+        const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);
+        applyClientAuthentication(authMethod, clientInformation, headers, params);
     }
     if (resource) {
         params.set("resource", resource.href);
     }
-    const response = await fetch(tokenUrl, {
+    const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {
         method: "POST",
-        headers: {
-            "Content-Type": "application/x-www-form-urlencoded",
-        },
+        headers,
         body: params,
     });
     if (!response.ok) {
-        throw new Error(`Token exchange failed: HTTP ${response.status}`);
+        throw await parseErrorResponse(response);
     }
     return OAuthTokensSchema.parse(await response.json());
 }
 /**
  * Exchange a refresh token for an updated access token.
+ *
+ * Supports multiple client authentication methods as specified in OAuth 2.1:
+ * - Automatically selects the best authentication method based on server support
+ * - Preserves the original refresh token if a new one is not returned
+ *
+ * @param authorizationServerUrl - The authorization server's base URL
+ * @param options - Configuration object containing client info, refresh token, etc.
+ * @returns Promise resolving to OAuth tokens (preserves original refresh_token if not replaced)
+ * @throws {Error} When token refresh fails or authentication is invalid
  */
-async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource, }) {
+async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource, addClientAuthentication, fetchFn, }) {
+    var _a;
     const grantType = "refresh_token";
     let tokenUrl;
     if (metadata) {
@@ -14603,33 +15200,39 @@ async function refreshAuthorization(authorizationServerUrl, { metadata, clientIn
         tokenUrl = new URL("/token", authorizationServerUrl);
     }
     // Exchange refresh token
+    const headers = new Headers({
+        "Content-Type": "application/x-www-form-urlencoded",
+    });
     const params = new URLSearchParams({
         grant_type: grantType,
-        client_id: clientInformation.client_id,
         refresh_token: refreshToken,
     });
-    if (clientInformation.client_secret) {
-        params.set("client_secret", clientInformation.client_secret);
+    if (addClientAuthentication) {
+        addClientAuthentication(headers, params, authorizationServerUrl, metadata);
+    }
+    else {
+        // Determine and apply client authentication method
+        const supportedMethods = (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : [];
+        const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);
+        applyClientAuthentication(authMethod, clientInformation, headers, params);
     }
     if (resource) {
         params.set("resource", resource.href);
     }
-    const response = await fetch(tokenUrl, {
+    const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {
         method: "POST",
-        headers: {
-            "Content-Type": "application/x-www-form-urlencoded",
-        },
+        headers,
         body: params,
     });
     if (!response.ok) {
-        throw new Error(`Token refresh failed: HTTP ${response.status}`);
+        throw await parseErrorResponse(response);
     }
     return OAuthTokensSchema.parse({ refresh_token: refreshToken, ...(await response.json()) });
 }
 /**
  * Performs OAuth 2.0 Dynamic Client Registration according to RFC 7591.
  */
-async function registerClient(authorizationServerUrl, { metadata, clientMetadata, }) {
+async function registerClient(authorizationServerUrl, { metadata, clientMetadata, fetchFn, }) {
     let registrationUrl;
     if (metadata) {
         if (!metadata.registration_endpoint) {
@@ -14640,7 +15243,7 @@ async function registerClient(authorizationServerUrl, { metadata, clientMetadata
     else {
         registrationUrl = new URL("/register", authorizationServerUrl);
     }
-    const response = await fetch(registrationUrl, {
+    const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(registrationUrl, {
         method: "POST",
         headers: {
             "Content-Type": "application/json",
@@ -14648,7 +15251,7 @@ async function registerClient(authorizationServerUrl, { metadata, clientMetadata
         body: JSON.stringify(clientMetadata),
     });
     if (!response.ok) {
-        throw new Error(`Dynamic client registration failed: HTTP ${response.status}`);
+        throw await parseErrorResponse(response);
     }
     return OAuthClientInformationFullSchema.parse(await response.json());
 }
@@ -14743,7 +15346,7 @@ function splitLines(chunk) {
     const crIndex = chunk.indexOf("\r", searchIndex), lfIndex = chunk.indexOf(`
 `, searchIndex);
     let lineEnd = -1;
-    if (crIndex !== -1 && lfIndex !== -1 ? lineEnd = Math.min(crIndex, lfIndex) : crIndex !== -1 ? lineEnd = crIndex : lfIndex !== -1 && (lineEnd = lfIndex), lineEnd === -1) {
+    if (crIndex !== -1 && lfIndex !== -1 ? lineEnd = Math.min(crIndex, lfIndex) : crIndex !== -1 ? crIndex === chunk.length - 1 ? lineEnd = -1 : lineEnd = crIndex : lfIndex !== -1 && (lineEnd = lfIndex), lineEnd === -1) {
       incompleteLine = chunk.slice(searchIndex);
       break;
     } else {
@@ -14814,7 +15417,7 @@ class StreamableHTTPClientTransport {
         }
         let result;
         try {
-            result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
+            result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl, fetchFn: this._fetch });
         }
         catch (error) {
             (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, error);
@@ -14875,7 +15478,7 @@ class StreamableHTTPClientTransport {
                 }
                 throw new StreamableHTTPError(response.status, `Failed to open SSE stream: ${response.statusText}`);
             }
-            this._handleSseStream(response.body, options);
+            this._handleSseStream(response.body, options, true);
         }
         catch (error) {
             (_c = this.onerror) === null || _c === void 0 ? void 0 : _c.call(this, error);
@@ -14935,7 +15538,7 @@ class StreamableHTTPClientTransport {
             });
         }, delay);
     }
-    _handleSseStream(stream, options) {
+    _handleSseStream(stream, options, isReconnectable) {
         if (!stream) {
             return;
         }
@@ -14979,19 +15582,19 @@ class StreamableHTTPClientTransport {
                 // Handle stream errors - likely a network disconnect
                 (_c = this.onerror) === null || _c === void 0 ? void 0 : _c.call(this, new Error(`SSE stream disconnected: ${error}`));
                 // Attempt to reconnect if the stream disconnects unexpectedly and we aren't closing
-                if (this._abortController && !this._abortController.signal.aborted) {
+                if (isReconnectable &&
+                    this._abortController &&
+                    !this._abortController.signal.aborted) {
                     // Use the exponential backoff reconnection strategy
-                    if (lastEventId !== undefined) {
-                        try {
-                            this._scheduleReconnection({
-                                resumptionToken: lastEventId,
-                                onresumptiontoken,
-                                replayMessageId
-                            }, 0);
-                        }
-                        catch (error) {
-                            (_d = this.onerror) === null || _d === void 0 ? void 0 : _d.call(this, new Error(`Failed to reconnect: ${error instanceof Error ? error.message : String(error)}`));
-                        }
+                    try {
+                        this._scheduleReconnection({
+                            resumptionToken: lastEventId,
+                            onresumptiontoken,
+                            replayMessageId
+                        }, 0);
+                    }
+                    catch (error) {
+                        (_d = this.onerror) === null || _d === void 0 ? void 0 : _d.call(this, new Error(`Failed to reconnect: ${error instanceof Error ? error.message : String(error)}`));
                     }
                 }
             }
@@ -15011,7 +15614,7 @@ class StreamableHTTPClientTransport {
         if (!this._authProvider) {
             throw new UnauthorizedError("No auth provider");
         }
-        const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode, resourceMetadataUrl: this._resourceMetadataUrl });
+        const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode, resourceMetadataUrl: this._resourceMetadataUrl, fetchFn: this._fetch });
         if (result !== "AUTHORIZED") {
             throw new UnauthorizedError("Failed to authorize");
         }
@@ -15050,7 +15653,7 @@ class StreamableHTTPClientTransport {
             if (!response.ok) {
                 if (response.status === 401 && this._authProvider) {
                     this._resourceMetadataUrl = extractResourceMetadataUrl(response);
-                    const result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
+                    const result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl, fetchFn: this._fetch });
                     if (result !== "AUTHORIZED") {
                         throw new UnauthorizedError();
                     }
@@ -15080,7 +15683,7 @@ class StreamableHTTPClientTransport {
                     // Handle SSE stream responses for requests
                     // We use the same handler as standalone streams, which now supports
                     // reconnection with the last event ID
-                    this._handleSseStream(response.body, { onresumptiontoken });
+                    this._handleSseStream(response.body, { onresumptiontoken }, false);
                 }
                 else if (contentType === null || contentType === void 0 ? void 0 : contentType.includes("application/json")) {
                     // For non-streaming servers, we might get direct JSON responses