@aura-stack/jose 0.3.0 → 0.4.0

package/dist/assert.js

@@ -4,8 +4,8 @@ import {
   isInvalidPayload,
   isInvalidSecretError,
   isObject
-} from "./chunk-ZHFHDRQH.js";
-import "./chunk-BMXFAB6Q.js";
+} from "./chunk-MWFJ4CA5.js";
+import "./chunk-NGBYHSRN.js";
 export {
   isAuraJoseError,
   isFalsy,

package/dist/{chunk-SES6WQL3.js → chunk-FCUM7BTG.js}

@@ -1,9 +1,12 @@
 import {
   isObject
-} from "./chunk-ZHFHDRQH.js";
+} from "./chunk-MWFJ4CA5.js";
+import {
+  encoder
+} from "./chunk-RQFUZSWH.js";
 import {
   InvalidSecretError
-} from "./chunk-BMXFAB6Q.js";
+} from "./chunk-NGBYHSRN.js";
 
 // src/secret.ts
 var MIN_SECRET_ENTROPY_BITS = 4.5;
@@ -26,7 +29,8 @@ var getEntropy = (secret) => {
 var createSecret = (secret, length = 32) => {
   if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    const byteLength = new TextEncoder().encode(secret).byteLength;
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
     if (byteLength < length) {
       throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
     }
@@ -36,9 +40,15 @@ var createSecret = (secret, length = 32) => {
         `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
       );
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return encoded;
+  }
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
+    }
+    return secret;
   }
-  return secret;
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 var getSecrets = (secret) => {
   const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;

package/dist/{chunk-ZHFHDRQH.js → chunk-MWFJ4CA5.js}

@@ -1,7 +1,7 @@
 import {
   AuraJoseError,
   InvalidSecretError
-} from "./chunk-BMXFAB6Q.js";
+} from "./chunk-NGBYHSRN.js";
 
 // src/assert.ts
 var isAuraJoseError = (error) => {

package/dist/{chunk-BMXFAB6Q.js → chunk-NGBYHSRN.js}

@@ -33,6 +33,9 @@ var JWEEncryptionError = class extends AuraJoseError {
 var InvalidSecretError = class extends AuraJoseError {
   static code = "ERR_INVALID_SECRET";
 };
+var KeyDerivationError = class extends AuraJoseError {
+  static code = "ERR_KEY_DERIVATION";
+};
 
 export {
   AuraJoseError,
@@ -43,5 +46,6 @@ export {
   JWSSigningError,
   JWEDecryptionError,
   JWEEncryptionError,
-  InvalidSecretError
+  InvalidSecretError,
+  KeyDerivationError
 };

package/dist/chunk-OG4QRUXH.js

@@ -0,0 +1,47 @@
+import {
+  createSecret
+} from "./chunk-FCUM7BTG.js";
+import {
+  encoder,
+  getSubtleCrypto
+} from "./chunk-RQFUZSWH.js";
+import {
+  KeyDerivationError
+} from "./chunk-NGBYHSRN.js";
+
+// src/deriveKey.ts
+var deriveKey = async (secret, salt, info, length = 32) => {
+  try {
+    const subtle = getSubtleCrypto();
+    const secretBuffer = secret.buffer.slice(secret.byteOffset, secret.byteOffset + secret.byteLength);
+    const baseKey = await subtle.importKey("raw", secretBuffer, "HKDF", false, ["deriveBits"]);
+    const saltBuffer = typeof salt === "string" ? encoder.encode(salt) : salt;
+    const infoBuffer = typeof info === "string" ? encoder.encode(info) : info;
+    const derivedBits = await subtle.deriveBits(
+      {
+        name: "HKDF",
+        hash: "SHA-256",
+        salt: saltBuffer,
+        info: infoBuffer
+      },
+      baseKey,
+      length << 3
+    );
+    return new Uint8Array(derivedBits);
+  } catch (error) {
+    throw new KeyDerivationError("Failed to create a derived key (HKDF)", { cause: error });
+  }
+};
+var createDeriveKey = async (secret, salt, info, length = 32) => {
+  const secretKey = createSecret(secret);
+  if (secretKey instanceof CryptoKey) {
+    throw new KeyDerivationError("Cannot derive key from CryptoKey. Use Uint8Array or string secret instead.");
+  }
+  const key = await deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+  return key;
+};
+
+export {
+  deriveKey,
+  createDeriveKey
+};

package/dist/{chunk-URDLFFH3.js → chunk-Q2LAK6W2.js}

@@ -1,27 +1,29 @@
 import {
   createSecret
-} from "./chunk-SES6WQL3.js";
+} from "./chunk-FCUM7BTG.js";
 import {
   isAuraJoseError,
   isFalsy
-} from "./chunk-ZHFHDRQH.js";
+} from "./chunk-MWFJ4CA5.js";
+import {
+  getRandomBytes
+} from "./chunk-RQFUZSWH.js";
 import {
   InvalidPayloadError,
   JWEDecryptionError,
   JWEEncryptionError
-} from "./chunk-BMXFAB6Q.js";
+} from "./chunk-NGBYHSRN.js";
 
 // src/encrypt.ts
-import crypto from "crypto";
-import { EncryptJWT, jwtDecrypt } from "jose";
+import { base64url, EncryptJWT, jwtDecrypt } from "jose";
 var encryptJWE = async (payload, secret, options) => {
   try {
     if (isFalsy(payload)) {
       throw new InvalidPayloadError("The payload must be a non-empty string");
     }
     const secretKey = createSecret(secret);
-    const jti = crypto.randomBytes(32).toString("base64url");
-    return new EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
+    const jti = base64url.encode(getRandomBytes(32));
+    return await new EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;

package/dist/chunk-RQFUZSWH.js

@@ -0,0 +1,19 @@
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getRandomBytes = (size) => {
+  return globalThis.crypto.getRandomValues(new Uint8Array(size));
+};
+var getSubtleCrypto = () => {
+  if (globalThis.crypto?.subtle) {
+    return globalThis.crypto.subtle;
+  }
+  throw new Error("SubtleCrypto is not available in this runtime");
+};
+
+export {
+  encoder,
+  decoder,
+  getRandomBytes,
+  getSubtleCrypto
+};

package/dist/{chunk-EX3NULRX.js → chunk-WXGX6PJ5.js}

@@ -1,28 +1,30 @@
 import {
   createSecret
-} from "./chunk-SES6WQL3.js";
+} from "./chunk-FCUM7BTG.js";
 import {
   isAuraJoseError,
   isFalsy,
   isInvalidPayload
-} from "./chunk-ZHFHDRQH.js";
+} from "./chunk-MWFJ4CA5.js";
+import {
+  getRandomBytes
+} from "./chunk-RQFUZSWH.js";
 import {
   InvalidPayloadError,
   JWSSigningError,
   JWSVerificationError
-} from "./chunk-BMXFAB6Q.js";
+} from "./chunk-NGBYHSRN.js";
 
 // src/sign.ts
-import crypto from "crypto";
-import { jwtVerify, SignJWT } from "jose";
+import { base64url, jwtVerify, SignJWT } from "jose";
 var signJWS = async (payload, secret) => {
   try {
     if (isInvalidPayload(payload)) {
       throw new InvalidPayloadError("The payload must be a non-empty object");
     }
     const secretKey = createSecret(secret);
-    const jti = crypto.randomBytes(32).toString("base64url");
-    return new SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
+    const jti = base64url.encode(getRandomBytes(32));
+    return await new SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;

package/dist/crypto.cjs

@@ -0,0 +1,46 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/crypto.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  decoder: () => decoder,
+  encoder: () => encoder,
+  getRandomBytes: () => getRandomBytes,
+  getSubtleCrypto: () => getSubtleCrypto
+});
+module.exports = __toCommonJS(crypto_exports);
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getRandomBytes = (size) => {
+  return globalThis.crypto.getRandomValues(new Uint8Array(size));
+};
+var getSubtleCrypto = () => {
+  if (globalThis.crypto?.subtle) {
+    return globalThis.crypto.subtle;
+  }
+  throw new Error("SubtleCrypto is not available in this runtime");
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  decoder,
+  encoder,
+  getRandomBytes,
+  getSubtleCrypto
+});

package/dist/crypto.d.ts

@@ -0,0 +1,19 @@
+declare const encoder: TextEncoder;
+declare const decoder: TextDecoder;
+/**
+ * Generate random bytes using the Web Crypto API
+ * Works in Node.js 15+, Deno, Bun, and browsers
+ *
+ * @param size - Number of random bytes to generate with a max value of 65 bytes
+ * @returns Uint8Array containing random bytes
+ */
+declare const getRandomBytes: (size: number) => Uint8Array;
+/**
+ * Get a unified source of entropy - prefers crypto.subtle but falls back if needed
+ * All modern runtimes support globalThis.crypto.subtle
+ *
+ * @returns SubtleCrypto interface for cryptographic operations
+ */
+declare const getSubtleCrypto: () => SubtleCrypto;
+
+export { decoder, encoder, getRandomBytes, getSubtleCrypto };

package/dist/crypto.js

@@ -0,0 +1,12 @@
+import {
+  decoder,
+  encoder,
+  getRandomBytes,
+  getSubtleCrypto
+} from "./chunk-RQFUZSWH.js";
+export {
+  decoder,
+  encoder,
+  getRandomBytes,
+  getSubtleCrypto
+};

package/dist/deriveKey.cjs

@@ -24,7 +24,6 @@ __export(deriveKey_exports, {
   deriveKey: () => deriveKey
 });
 module.exports = __toCommonJS(deriveKey_exports);
-var import_crypto = require("crypto");
 
 // src/errors.ts
 var AuraJoseError = class extends Error {
@@ -40,6 +39,19 @@ var AuraJoseError = class extends Error {
 var InvalidSecretError = class extends AuraJoseError {
   static code = "ERR_INVALID_SECRET";
 };
+var KeyDerivationError = class extends AuraJoseError {
+  static code = "ERR_KEY_DERIVATION";
+};
+
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getSubtleCrypto = () => {
+  if (globalThis.crypto?.subtle) {
+    return globalThis.crypto.subtle;
+  }
+  throw new Error("SubtleCrypto is not available in this runtime");
+};
 
 // src/secret.ts
 var MIN_SECRET_ENTROPY_BITS = 4.5;
@@ -62,7 +74,8 @@ var getEntropy = (secret) => {
 var createSecret = (secret, length = 32) => {
   if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    const byteLength = new TextEncoder().encode(secret).byteLength;
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
     if (byteLength < length) {
       throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
     }
@@ -72,27 +85,47 @@ var createSecret = (secret, length = 32) => {
         `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
       );
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return encoded;
   }
-  return secret;
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
+    }
+    return secret;
+  }
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 
 // src/deriveKey.ts
-var deriveKey = (secret, salt, info, length = 32) => {
+var deriveKey = async (secret, salt, info, length = 32) => {
   try {
-    const key = (0, import_crypto.hkdfSync)("SHA256", secret, salt, info, length);
-    const derivedKey = Buffer.from(key);
-    return {
-      key,
-      derivedKey
-    };
+    const subtle = getSubtleCrypto();
+    const secretBuffer = secret.buffer.slice(secret.byteOffset, secret.byteOffset + secret.byteLength);
+    const baseKey = await subtle.importKey("raw", secretBuffer, "HKDF", false, ["deriveBits"]);
+    const saltBuffer = typeof salt === "string" ? encoder.encode(salt) : salt;
+    const infoBuffer = typeof info === "string" ? encoder.encode(info) : info;
+    const derivedBits = await subtle.deriveBits(
+      {
+        name: "HKDF",
+        hash: "SHA-256",
+        salt: saltBuffer,
+        info: infoBuffer
+      },
+      baseKey,
+      length << 3
+    );
+    return new Uint8Array(derivedBits);
   } catch (error) {
-    throw new Error("Failed to create a derived key (HKDF)", { cause: error });
+    throw new KeyDerivationError("Failed to create a derived key (HKDF)", { cause: error });
   }
 };
-var createDeriveKey = (secret, salt, info, length = 32) => {
+var createDeriveKey = async (secret, salt, info, length = 32) => {
   const secretKey = createSecret(secret);
-  return deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+  if (secretKey instanceof CryptoKey) {
+    throw new KeyDerivationError("Cannot derive key from CryptoKey. Use Uint8Array or string secret instead.");
+  }
+  const key = await deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+  return key;
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/deriveKey.d.ts

@@ -1,3 +1,3 @@
-import 'crypto';
-export { m as createDeriveKey, l as deriveKey } from './sign.js';
+export { i as createDeriveKey, l as deriveKey } from './sign.js';
 import 'jose';
+import './crypto.js';

package/dist/deriveKey.js

@@ -1,10 +1,11 @@
 import {
   createDeriveKey,
   deriveKey
-} from "./chunk-CXN54JNY.js";
-import "./chunk-SES6WQL3.js";
-import "./chunk-ZHFHDRQH.js";
-import "./chunk-BMXFAB6Q.js";
+} from "./chunk-OG4QRUXH.js";
+import "./chunk-FCUM7BTG.js";
+import "./chunk-MWFJ4CA5.js";
+import "./chunk-RQFUZSWH.js";
+import "./chunk-NGBYHSRN.js";
 export {
   createDeriveKey,
   deriveKey

package/dist/encrypt.cjs

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/encrypt.ts
@@ -35,7 +25,6 @@ __export(encrypt_exports, {
   encryptJWE: () => encryptJWE
 });
 module.exports = __toCommonJS(encrypt_exports);
-var import_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
 // src/errors.ts
@@ -70,6 +59,13 @@ var isFalsy = (value) => {
   return value === null || value === void 0 || value === false || value === 0 || value === "" || Number.isNaN(value);
 };
 
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getRandomBytes = (size) => {
+  return globalThis.crypto.getRandomValues(new Uint8Array(size));
+};
+
 // src/secret.ts
 var MIN_SECRET_ENTROPY_BITS = 4.5;
 var getEntropy = (secret) => {
@@ -91,7 +87,8 @@ var getEntropy = (secret) => {
 var createSecret = (secret, length = 32) => {
   if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    const byteLength = new TextEncoder().encode(secret).byteLength;
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
     if (byteLength < length) {
       throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
     }
@@ -101,9 +98,15 @@ var createSecret = (secret, length = 32) => {
         `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
       );
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return encoded;
+  }
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
+    }
+    return secret;
   }
-  return secret;
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 
 // src/encrypt.ts
@@ -113,8 +116,8 @@ var encryptJWE = async (payload, secret, options) => {
       throw new InvalidPayloadError("The payload must be a non-empty string");
     }
     const secretKey = createSecret(secret);
-    const jti = import_crypto.default.randomBytes(32).toString("base64url");
-    return new import_jose.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
+    const jti = import_jose.base64url.encode(getRandomBytes(32));
+    return await new import_jose.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;

package/dist/encrypt.d.ts

@@ -1,3 +1,3 @@
 export { JWTDecryptOptions } from 'jose';
-export { a as EncryptOptions, E as EncryptedPayload, c as createJWE, d as decryptJWE, e as encryptJWE } from './sign.js';
-import 'crypto';
+export { E as EncryptOptions, a as EncryptedPayload, c as createJWE, d as decryptJWE, e as encryptJWE } from './sign.js';
+import './crypto.js';

package/dist/encrypt.js

@@ -2,10 +2,11 @@ import {
   createJWE,
   decryptJWE,
   encryptJWE
-} from "./chunk-URDLFFH3.js";
-import "./chunk-SES6WQL3.js";
-import "./chunk-ZHFHDRQH.js";
-import "./chunk-BMXFAB6Q.js";
+} from "./chunk-Q2LAK6W2.js";
+import "./chunk-FCUM7BTG.js";
+import "./chunk-MWFJ4CA5.js";
+import "./chunk-RQFUZSWH.js";
+import "./chunk-NGBYHSRN.js";
 export {
   createJWE,
   decryptJWE,

package/dist/errors.cjs

@@ -28,7 +28,8 @@ __export(errors_exports, {
   JWSSigningError: () => JWSSigningError,
   JWSVerificationError: () => JWSVerificationError,
   JWTDecodingError: () => JWTDecodingError,
-  JWTEncodingError: () => JWTEncodingError
+  JWTEncodingError: () => JWTEncodingError,
+  KeyDerivationError: () => KeyDerivationError
 });
 module.exports = __toCommonJS(errors_exports);
 var AuraJoseError = class extends Error {
@@ -65,6 +66,9 @@ var JWEEncryptionError = class extends AuraJoseError {
 var InvalidSecretError = class extends AuraJoseError {
   static code = "ERR_INVALID_SECRET";
 };
+var KeyDerivationError = class extends AuraJoseError {
+  static code = "ERR_KEY_DERIVATION";
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuraJoseError,
@@ -75,5 +79,6 @@ var InvalidSecretError = class extends AuraJoseError {
   JWSSigningError,
   JWSVerificationError,
   JWTDecodingError,
-  JWTEncodingError
+  JWTEncodingError,
+  KeyDerivationError
 });

package/dist/errors.d.ts

@@ -30,5 +30,8 @@ declare class JWEEncryptionError extends AuraJoseError {
 declare class InvalidSecretError extends AuraJoseError {
     static code: string;
 }
+declare class KeyDerivationError extends AuraJoseError {
+    static code: string;
+}
 
-export { AuraJoseError, InvalidPayloadError, InvalidSecretError, JWEDecryptionError, JWEEncryptionError, JWSSigningError, JWSVerificationError, JWTDecodingError, JWTEncodingError };
+export { AuraJoseError, InvalidPayloadError, InvalidSecretError, JWEDecryptionError, JWEEncryptionError, JWSSigningError, JWSVerificationError, JWTDecodingError, JWTEncodingError, KeyDerivationError };

package/dist/errors.js

@@ -7,8 +7,9 @@ import {
   JWSSigningError,
   JWSVerificationError,
   JWTDecodingError,
-  JWTEncodingError
-} from "./chunk-BMXFAB6Q.js";
+  JWTEncodingError,
+  KeyDerivationError
+} from "./chunk-NGBYHSRN.js";
 export {
   AuraJoseError,
   InvalidPayloadError,
@@ -18,5 +19,6 @@ export {
   JWSSigningError,
   JWSVerificationError,
   JWTDecodingError,
-  JWTEncodingError
+  JWTEncodingError,
+  KeyDerivationError
 };

package/dist/index.cjs

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -37,19 +27,22 @@ __export(index_exports, {
   createJWT: () => createJWT,
   createSecret: () => createSecret,
   decodeJWT: () => decodeJWT,
+  decoder: () => decoder,
   decryptJWE: () => decryptJWE,
   deriveKey: () => deriveKey,
   encodeJWT: () => encodeJWT,
+  encoder: () => encoder,
   encryptJWE: () => encryptJWE,
   getEntropy: () => getEntropy,
+  getRandomBytes: () => getRandomBytes,
   getSecrets: () => getSecrets,
+  getSubtleCrypto: () => getSubtleCrypto,
   signJWS: () => signJWS,
   verifyJWS: () => verifyJWS
 });
 module.exports = __toCommonJS(index_exports);
 
 // src/sign.ts
-var import_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
 // src/errors.ts
@@ -87,6 +80,9 @@ var JWEEncryptionError = class extends AuraJoseError {
 var InvalidSecretError = class extends AuraJoseError {
   static code = "ERR_INVALID_SECRET";
 };
+var KeyDerivationError = class extends AuraJoseError {
+  static code = "ERR_KEY_DERIVATION";
+};
 
 // src/assert.ts
 var isAuraJoseError = (error) => {
@@ -102,6 +98,19 @@ var isInvalidPayload = (payload) => {
   return isFalsy(payload) || !isObject(payload) || typeof payload === "object" && payload !== null && !Array.isArray(payload) && Object.keys(payload).length === 0;
 };
 
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getRandomBytes = (size) => {
+  return globalThis.crypto.getRandomValues(new Uint8Array(size));
+};
+var getSubtleCrypto = () => {
+  if (globalThis.crypto?.subtle) {
+    return globalThis.crypto.subtle;
+  }
+  throw new Error("SubtleCrypto is not available in this runtime");
+};
+
 // src/secret.ts
 var MIN_SECRET_ENTROPY_BITS = 4.5;
 var getEntropy = (secret) => {
@@ -123,7 +132,8 @@ var getEntropy = (secret) => {
 var createSecret = (secret, length = 32) => {
   if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    const byteLength = new TextEncoder().encode(secret).byteLength;
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
     if (byteLength < length) {
       throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
     }
@@ -133,9 +143,15 @@ var createSecret = (secret, length = 32) => {
         `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
       );
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return encoded;
+  }
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
+    }
+    return secret;
   }
-  return secret;
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 var getSecrets = (secret) => {
   const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;
@@ -153,8 +169,8 @@ var signJWS = async (payload, secret) => {
       throw new InvalidPayloadError("The payload must be a non-empty object");
     }
     const secretKey = createSecret(secret);
-    const jti = import_crypto.default.randomBytes(32).toString("base64url");
-    return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
+    const jti = import_jose.base64url.encode(getRandomBytes(32));
+    return await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;
@@ -185,7 +201,6 @@ var createJWS = (secret) => {
 };
 
 // src/encrypt.ts
-var import_crypto2 = __toESM(require("crypto"), 1);
 var import_jose2 = require("jose");
 var encryptJWE = async (payload, secret, options) => {
   try {
@@ -193,8 +208,8 @@ var encryptJWE = async (payload, secret, options) => {
       throw new InvalidPayloadError("The payload must be a non-empty string");
     }
     const secretKey = createSecret(secret);
-    const jti = import_crypto2.default.randomBytes(32).toString("base64url");
-    return new import_jose2.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
+    const jti = import_jose2.base64url.encode(getRandomBytes(32));
+    return await new import_jose2.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;
@@ -225,22 +240,35 @@ var createJWE = (secret) => {
 };
 
 // src/deriveKey.ts
-var import_crypto3 = require("crypto");
-var deriveKey = (secret, salt, info, length = 32) => {
+var deriveKey = async (secret, salt, info, length = 32) => {
   try {
-    const key = (0, import_crypto3.hkdfSync)("SHA256", secret, salt, info, length);
-    const derivedKey = Buffer.from(key);
-    return {
-      key,
-      derivedKey
-    };
+    const subtle = getSubtleCrypto();
+    const secretBuffer = secret.buffer.slice(secret.byteOffset, secret.byteOffset + secret.byteLength);
+    const baseKey = await subtle.importKey("raw", secretBuffer, "HKDF", false, ["deriveBits"]);
+    const saltBuffer = typeof salt === "string" ? encoder.encode(salt) : salt;
+    const infoBuffer = typeof info === "string" ? encoder.encode(info) : info;
+    const derivedBits = await subtle.deriveBits(
+      {
+        name: "HKDF",
+        hash: "SHA-256",
+        salt: saltBuffer,
+        info: infoBuffer
+      },
+      baseKey,
+      length << 3
+    );
+    return new Uint8Array(derivedBits);
   } catch (error) {
-    throw new Error("Failed to create a derived key (HKDF)", { cause: error });
+    throw new KeyDerivationError("Failed to create a derived key (HKDF)", { cause: error });
   }
 };
-var createDeriveKey = (secret, salt, info, length = 32) => {
+var createDeriveKey = async (secret, salt, info, length = 32) => {
   const secretKey = createSecret(secret);
-  return deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+  if (secretKey instanceof CryptoKey) {
+    throw new KeyDerivationError("Cannot derive key from CryptoKey. Use Uint8Array or string secret instead.");
+  }
+  const key = await deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+  return key;
 };
 
 // src/index.ts
@@ -274,8 +302,8 @@ var decodeJWT = async (token, secret, options) => {
 };
 var createJWT = (secret) => {
   return {
-    encodeJWT: async (payload) => encodeJWT(payload, secret),
-    decodeJWT: async (token) => decodeJWT(token, secret)
+    encodeJWT: async (payload) => await encodeJWT(payload, secret),
+    decodeJWT: async (token, options) => await decodeJWT(token, secret, options)
   };
 };
 // Annotate the CommonJS export names for ESM import in node:
@@ -287,12 +315,16 @@ var createJWT = (secret) => {
   createJWT,
   createSecret,
   decodeJWT,
+  decoder,
   decryptJWE,
   deriveKey,
   encodeJWT,
+  encoder,
   encryptJWE,
   getEntropy,
+  getRandomBytes,
   getSecrets,
+  getSubtleCrypto,
   signJWS,
   verifyJWS
 });

package/dist/index.d.ts

@@ -1,3 +1,3 @@
 export { JWTDecryptOptions, JWTVerifyOptions } from 'jose';
-import 'crypto';
-export { h as DecodedJWTPayloadOptions, D as DerivedKeyInput, a as EncryptOptions, E as EncryptedPayload, M as MIN_SECRET_ENTROPY_BITS, S as SecretInput, m as createDeriveKey, c as createJWE, createJWS, k as createJWT, b as createSecret, j as decodeJWT, d as decryptJWE, l as deriveKey, i as encodeJWT, e as encryptJWE, g as getEntropy, f as getSecrets, signJWS, verifyJWS } from './sign.js';
+export { D as DecodedJWTPayloadOptions, h as DerivedKeyInput, E as EncryptOptions, a as EncryptedPayload, M as MIN_SECRET_ENTROPY_BITS, P as Prettify, S as SecretInput, T as TypedJWTPayload, i as createDeriveKey, c as createJWE, createJWS, j as createJWT, b as createSecret, k as decodeJWT, d as decryptJWE, l as deriveKey, m as encodeJWT, e as encryptJWE, g as getEntropy, f as getSecrets, signJWS, verifyJWS } from './sign.js';
+export { decoder, encoder, getRandomBytes, getSubtleCrypto } from './crypto.js';

package/dist/index.js

@@ -1,30 +1,36 @@
+import {
+  createJWS,
+  signJWS,
+  verifyJWS
+} from "./chunk-WXGX6PJ5.js";
 import {
   createDeriveKey,
   deriveKey
-} from "./chunk-CXN54JNY.js";
+} from "./chunk-OG4QRUXH.js";
 import {
   createJWE,
   decryptJWE,
   encryptJWE
-} from "./chunk-URDLFFH3.js";
-import {
-  createJWS,
-  signJWS,
-  verifyJWS
-} from "./chunk-EX3NULRX.js";
+} from "./chunk-Q2LAK6W2.js";
 import {
   MIN_SECRET_ENTROPY_BITS,
   createSecret,
   getEntropy,
   getSecrets
-} from "./chunk-SES6WQL3.js";
+} from "./chunk-FCUM7BTG.js";
 import {
   isAuraJoseError
-} from "./chunk-ZHFHDRQH.js";
+} from "./chunk-MWFJ4CA5.js";
+import {
+  decoder,
+  encoder,
+  getRandomBytes,
+  getSubtleCrypto
+} from "./chunk-RQFUZSWH.js";
 import {
   JWTDecodingError,
   JWTEncodingError
-} from "./chunk-BMXFAB6Q.js";
+} from "./chunk-NGBYHSRN.js";
 
 // src/index.ts
 var encodeJWT = async (token, secret) => {
@@ -57,8 +63,8 @@ var decodeJWT = async (token, secret, options) => {
 };
 var createJWT = (secret) => {
   return {
-    encodeJWT: async (payload) => encodeJWT(payload, secret),
-    decodeJWT: async (token) => decodeJWT(token, secret)
+    encodeJWT: async (payload) => await encodeJWT(payload, secret),
+    decodeJWT: async (token, options) => await decodeJWT(token, secret, options)
   };
 };
 export {
@@ -69,12 +75,16 @@ export {
   createJWT,
   createSecret,
   decodeJWT,
+  decoder,
   decryptJWE,
   deriveKey,
   encodeJWT,
+  encoder,
   encryptJWE,
   getEntropy,
+  getRandomBytes,
   getSecrets,
+  getSubtleCrypto,
   signJWS,
   verifyJWS
 };

package/dist/secret.cjs

@@ -47,6 +47,10 @@ var isObject = (value) => {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 };
 
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+
 // src/secret.ts
 var MIN_SECRET_ENTROPY_BITS = 4.5;
 var getEntropy = (secret) => {
@@ -68,7 +72,8 @@ var getEntropy = (secret) => {
 var createSecret = (secret, length = 32) => {
   if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    const byteLength = new TextEncoder().encode(secret).byteLength;
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
     if (byteLength < length) {
       throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
     }
@@ -78,9 +83,15 @@ var createSecret = (secret, length = 32) => {
         `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
       );
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return encoded;
+  }
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
+    }
+    return secret;
   }
-  return secret;
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 var getSecrets = (secret) => {
   const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;

package/dist/secret.d.ts

@@ -1,3 +1,3 @@
-import 'crypto';
 export { M as MIN_SECRET_ENTROPY_BITS, b as createSecret, g as getEntropy, f as getSecrets } from './sign.js';
 import 'jose';
+import './crypto.js';

package/dist/secret.js

@@ -3,9 +3,10 @@ import {
   createSecret,
   getEntropy,
   getSecrets
-} from "./chunk-SES6WQL3.js";
-import "./chunk-ZHFHDRQH.js";
-import "./chunk-BMXFAB6Q.js";
+} from "./chunk-FCUM7BTG.js";
+import "./chunk-MWFJ4CA5.js";
+import "./chunk-RQFUZSWH.js";
+import "./chunk-NGBYHSRN.js";
 export {
   MIN_SECRET_ENTROPY_BITS,
   createSecret,

package/dist/sign.cjs

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/sign.ts
@@ -35,7 +25,6 @@ __export(sign_exports, {
   verifyJWS: () => verifyJWS
 });
 module.exports = __toCommonJS(sign_exports);
-var import_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
 // src/errors.ts
@@ -76,6 +65,13 @@ var isInvalidPayload = (payload) => {
   return isFalsy(payload) || !isObject(payload) || typeof payload === "object" && payload !== null && !Array.isArray(payload) && Object.keys(payload).length === 0;
 };
 
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getRandomBytes = (size) => {
+  return globalThis.crypto.getRandomValues(new Uint8Array(size));
+};
+
 // src/secret.ts
 var MIN_SECRET_ENTROPY_BITS = 4.5;
 var getEntropy = (secret) => {
@@ -97,7 +93,8 @@ var getEntropy = (secret) => {
 var createSecret = (secret, length = 32) => {
   if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    const byteLength = new TextEncoder().encode(secret).byteLength;
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
     if (byteLength < length) {
       throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
     }
@@ -107,9 +104,15 @@ var createSecret = (secret, length = 32) => {
         `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
       );
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return encoded;
+  }
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
+    }
+    return secret;
   }
-  return secret;
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 
 // src/sign.ts
@@ -119,8 +122,8 @@ var signJWS = async (payload, secret) => {
       throw new InvalidPayloadError("The payload must be a non-empty object");
     }
     const secretKey = createSecret(secret);
-    const jti = import_crypto.default.randomBytes(32).toString("base64url");
-    return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
+    const jti = import_jose.base64url.encode(getRandomBytes(32));
+    return await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;

package/dist/sign.d.ts

@@ -1,7 +1,6 @@
-import * as crypto from 'crypto';
-import { KeyObject, BinaryLike } from 'crypto';
 import { JWTPayload, JWTVerifyOptions, JWTDecryptOptions } from 'jose';
 export { JWTVerifyOptions } from 'jose';
+import './crypto.js';
 
 /**
  * Sign a standard JWT token with the following claims:
@@ -16,7 +15,7 @@ export { JWTVerifyOptions } from 'jose';
  * @param secret - Secret key to sign the JWT (CryptoKey, KeyObject, string or Uint8Array)
  * @returns Signed JWT string
  */
-declare const signJWS: (payload: JWTPayload, secret: SecretInput) => Promise<string>;
+declare const signJWS: <Payload extends JWTPayload>(payload: TypedJWTPayload<Partial<Payload>>, secret: SecretInput) => Promise<string>;
 /**
  * Verify the integrity of a JWT token and return the payload if valid, rejecting
  * tokens that use the "none" algorithm to prevent unsecured tokens.
@@ -27,7 +26,7 @@ declare const signJWS: (payload: JWTPayload, secret: SecretInput) => Promise<str
  * @param options - Additional JWT verification options
  * @returns verify and return the payload of the JWT
  */
-declare const verifyJWS: (token: string, secret: SecretInput, options?: JWTVerifyOptions) => Promise<JWTPayload>;
+declare const verifyJWS: <Payload extends JWTPayload>(token: string, secret: SecretInput, options?: JWTVerifyOptions) => Promise<TypedJWTPayload<Payload>>;
 /**
  * Create a JWS (JSON Web Signature) signer and verifier. It implements the `signJWS`
  * and `verifyJWS` functions of the module.
@@ -35,9 +34,9 @@ declare const verifyJWS: (token: string, secret: SecretInput, options?: JWTVerif
  * @param secret - Secret key used for signing and verifying the JWS
  * @returns signJWS and verifyJWS functions
  */
-declare const createJWS: (secret: SecretInput) => {
-    signJWS: (payload: JWTPayload) => Promise<string>;
-    verifyJWS: (payload: string, options?: JWTVerifyOptions) => Promise<JWTPayload>;
+declare const createJWS: <Payload extends JWTPayload>(secret: SecretInput) => {
+    signJWS: <SignPayload extends JWTPayload = Payload>(payload: TypedJWTPayload<Partial<SignPayload>>) => Promise<string>;
+    verifyJWS: <VerifyPayload extends JWTPayload = Payload>(payload: string, options?: JWTVerifyOptions) => Promise<TypedJWTPayload<VerifyPayload>>;
 };
 
 interface EncryptedPayload {
@@ -83,11 +82,12 @@ declare const MIN_SECRET_ENTROPY_BITS = 4.5;
 declare const getEntropy: (secret: string) => number;
 /**
  * Create a secret in Uint8Array format
+ * Uses the standard TextEncoder API for cross-runtime compatibility
  *
  * @param secret - The secret as a string or Uint8Array
  * @returns The secret in Uint8Array format
  */
-declare const createSecret: (secret: SecretInput, length?: number) => crypto.KeyObject | Uint8Array<ArrayBufferLike>;
+declare const createSecret: (secret: SecretInput, length?: number) => Uint8Array<ArrayBufferLike> | CryptoKey;
 declare const getSecrets: (secret: SecretInput | DerivedKeyInput) => {
     jwsSecret: SecretInput;
     jweSecret: SecretInput;
@@ -97,7 +97,13 @@ declare const getSecrets: (secret: SecretInput | DerivedKeyInput) => {
  * @module @aura-stack/jose
  */
 
-type SecretInput = KeyObject | Uint8Array | string;
+/**
+ * Secret input can be:
+ * - CryptoKey: W3C standard key object (works across all runtimes)
+ * - Uint8Array: Raw bytes
+ * - string: String that will be encoded to UTF-8
+ */
+type SecretInput = Uint8Array | string | CryptoKey;
 type DerivedKeyInput = {
     jws: SecretInput;
     jwe: SecretInput;
@@ -106,6 +112,10 @@ type DecodedJWTPayloadOptions = {
     jws: JWTVerifyOptions;
     jwt: JWTDecryptOptions;
 };
+type Prettify<T> = {
+    [K in keyof T]: T[K];
+} & {};
+type TypedJWTPayload<Payload extends JWTPayload> = JWTPayload & Payload;
 /**
  * Encode a JWT signed and encrypted token. The token first signed using JWS
  * and then encrypted using JWE to ensure both integrity and confidentiality.
@@ -120,7 +130,7 @@ type DecodedJWTPayloadOptions = {
  * @param secret - Secret key used for both signing and encrypting the JWT
  * @returns Promise resolving to the signed and encrypted JWT string
  */
-declare const encodeJWT: (token: JWTPayload, secret: SecretInput | DerivedKeyInput) => Promise<string>;
+declare const encodeJWT: <Payload extends JWTPayload>(token: TypedJWTPayload<Partial<Payload>>, secret: SecretInput | DerivedKeyInput) => Promise<string>;
 /**
  * Decode a JWT signed and encrypted token. The token is first decrypted using JWE
  * and then verified using JWS to ensure both confidentiality and integrity. It
@@ -133,7 +143,7 @@ declare const encodeJWT: (token: JWTPayload, secret: SecretInput | DerivedKeyInp
  * @param secret
  * @returns
  */
-declare const decodeJWT: (token: string, secret: SecretInput | DerivedKeyInput, options?: DecodedJWTPayloadOptions) => Promise<JWTPayload>;
+declare const decodeJWT: <Payload extends JWTPayload>(token: string, secret: SecretInput | DerivedKeyInput, options?: DecodedJWTPayloadOptions) => Promise<TypedJWTPayload<Payload>>;
 /**
  * Create a JWT handler with encode and decode methods to `signJWS/encryptJWE` and `verifyJWS/decryptJWE`
  * JWT tokens. The JWTs are signed and verified using JWS and encrypted and decrypted using JWE. It
@@ -142,33 +152,35 @@ declare const decodeJWT: (token: string, secret: SecretInput | DerivedKeyInput,
  * @param secret - Secret key used for signing, verifying, encrypting and decrypting the JWT
  * @returns JWT handler object with `signJWS/encryptJWE` and `verifyJWS/decryptJWE` methods
  */
-declare const createJWT: (secret: SecretInput | DerivedKeyInput) => {
-    encodeJWT: (payload: JWTPayload) => Promise<string>;
-    decodeJWT: (token: string) => Promise<JWTPayload>;
+declare const createJWT: <Payload extends JWTPayload>(secret: SecretInput | DerivedKeyInput) => {
+    encodeJWT: <EncodePayload extends JWTPayload = Payload>(payload: TypedJWTPayload<Partial<EncodePayload>>) => Promise<string>;
+    decodeJWT: <DecodePayload extends JWTPayload = Payload>(token: string, options?: DecodedJWTPayloadOptions) => Promise<TypedJWTPayload<DecodePayload>>;
 };
 
 /**
  * Generate a derived key using HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
+ * Uses the Web Crypto API for cross-runtime compatibility (Node.js, Deno, Bun, Browsers)
  *
  * @param secret Value used as the input keying material
  * @param salt Cryptographic salt
  * @param info Context and application specific information
  * @param length Size of the derived key in bytes (default is 32 bytes)
- * @returns Derived key as Uint8Array and base64 encoded string
+ * @returns Derived key as Uint8Array
  */
-declare const deriveKey: (secret: SecretInput, salt: BinaryLike, info: string, length?: number) => {
-    key: ArrayBuffer;
-    derivedKey: Buffer<ArrayBuffer>;
-};
+declare const deriveKey: (secret: Uint8Array, salt: string | Uint8Array, info: string | Uint8Array, length?: number) => Promise<Uint8Array>;
 /**
  * Create a derived key from a given secret.
+ * This is an async function that works across all modern JavaScript runtimes.
+ *
+ * > [!NOTE]
+ * > If the secret is a CryptoKey, this function cannot derive keys from it.
  *
  * @param secret - The secret as a string or Uint8Array
- * @returns The secret in Uint8Array format
+ * @param salt - Optional cryptographic salt (defaults to "Aura Jose secret salt")
+ * @param info - Optional context information (defaults to "Aura Jose secret derivation")
+ * @param length - Size of the derived key in bytes (default is 32 bytes)
+ * @returns Promise resolving to the derived key as a Uint8Array
  */
-declare const createDeriveKey: (secret: SecretInput, salt?: BinaryLike, info?: string, length?: number) => {
-    key: ArrayBuffer;
-    derivedKey: Buffer<ArrayBuffer>;
-};
+declare const createDeriveKey: (secret: SecretInput, salt?: string | Uint8Array, info?: string | Uint8Array, length?: number) => Promise<Uint8Array<ArrayBufferLike>>;
 
-export { type DerivedKeyInput as D, type EncryptedPayload as E, MIN_SECRET_ENTROPY_BITS as M, type SecretInput as S, type EncryptOptions as a, createSecret as b, createJWE as c, createJWS, decryptJWE as d, encryptJWE as e, getSecrets as f, getEntropy as g, type DecodedJWTPayloadOptions as h, encodeJWT as i, decodeJWT as j, createJWT as k, deriveKey as l, createDeriveKey as m, signJWS, verifyJWS };
+export { type DecodedJWTPayloadOptions as D, type EncryptOptions as E, MIN_SECRET_ENTROPY_BITS as M, type Prettify as P, type SecretInput as S, type TypedJWTPayload as T, type EncryptedPayload as a, createSecret as b, createJWE as c, createJWS, decryptJWE as d, encryptJWE as e, getSecrets as f, getEntropy as g, type DerivedKeyInput as h, createDeriveKey as i, createJWT as j, decodeJWT as k, deriveKey as l, encodeJWT as m, signJWS, verifyJWS };

package/dist/sign.js

@@ -2,10 +2,11 @@ import {
   createJWS,
   signJWS,
   verifyJWS
-} from "./chunk-EX3NULRX.js";
-import "./chunk-SES6WQL3.js";
-import "./chunk-ZHFHDRQH.js";
-import "./chunk-BMXFAB6Q.js";
+} from "./chunk-WXGX6PJ5.js";
+import "./chunk-FCUM7BTG.js";
+import "./chunk-MWFJ4CA5.js";
+import "./chunk-RQFUZSWH.js";
+import "./chunk-NGBYHSRN.js";
 export {
   createJWS,
   signJWS,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aura-stack/jose",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "private": false,
   "type": "module",
   "description": "JOSE utilities for @aura-stack/auth",
@@ -40,6 +40,11 @@
       "types": "./dist/deriveKey.d.ts",
       "require": "./dist/deriveKey.cjs",
       "import": "./dist/deriveKey.js"
+    },
+    "./crypto": {
+      "types": "./dist/crypto.d.ts",
+      "require": "./dist/crypto.cjs",
+      "import": "./dist/crypto.js"
     }
   },
   "keywords": [
@@ -57,7 +62,6 @@
     "jose": "^6.1.2"
   },
   "devDependencies": {
-    "@types/node": "^24.9.2",
     "typescript": "^5.9.2",
     "@aura-stack/tsconfig": "0.0.0",
     "@aura-stack/tsup-config": "0.0.0"

package/dist/chunk-CXN54JNY.js

@@ -1,27 +0,0 @@
-import {
-  createSecret
-} from "./chunk-SES6WQL3.js";
-
-// src/deriveKey.ts
-import { hkdfSync } from "crypto";
-var deriveKey = (secret, salt, info, length = 32) => {
-  try {
-    const key = hkdfSync("SHA256", secret, salt, info, length);
-    const derivedKey = Buffer.from(key);
-    return {
-      key,
-      derivedKey
-    };
-  } catch (error) {
-    throw new Error("Failed to create a derived key (HKDF)", { cause: error });
-  }
-};
-var createDeriveKey = (secret, salt, info, length = 32) => {
-  const secretKey = createSecret(secret);
-  return deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
-};
-
-export {
-  deriveKey,
-  createDeriveKey
-};