@auth0/auth0-spa-js 2.18.0 → 2.18.2

package/dist/typings/Auth0Client.utils.d.ts

@@ -1,90 +1,90 @@
-import { ICache } from './cache';
-import { Auth0ClientOptions, AuthorizationParams, AuthorizeOptions, ClientAuthorizationParams, LogoutOptions } from './global';
-/**
- * @ignore
- */
-export declare const GET_TOKEN_SILENTLY_LOCK_KEY = "auth0.lock.getTokenSilently";
-/**
- * @ignore
- */
-export declare const GET_TOKEN_FROM_IFRAME_LOCK_KEY = "auth0.lock.getTokenFromIFrame";
-/**
- * @ignore
- */
-export declare const buildGetTokenSilentlyLockKey: (clientId: string, audience: string) => string;
-/**
- * @ignore
- * Builds a global lock key for iframe-based authentication flows.
- * This ensures only one iframe authorization request runs at a time per client,
- * preventing "Invalid state" errors from concurrent iframe requests overwriting
- * each other's state in the Auth0 session.
- */
-export declare const buildIframeLockKey: (clientId: string) => string;
-/**
- * @ignore
- */
-export declare const buildOrganizationHintCookieName: (clientId: string) => string;
-/**
- * @ignore
- */
-export declare const OLD_IS_AUTHENTICATED_COOKIE_NAME = "auth0.is.authenticated";
-/**
- * @ignore
- */
-export declare const buildIsAuthenticatedCookieName: (clientId: string) => string;
-/**
- * @ignore
- */
-export declare const cacheFactory: (location: string) => () => ICache;
-/**
- * @ignore
- */
-export declare const getAuthorizeParams: (clientOptions: Auth0ClientOptions & {
-    authorizationParams: ClientAuthorizationParams;
-}, scope: Record<string, string>, authorizationParams: AuthorizationParams & {
-    scope?: string | undefined;
-}, state: string, nonce: string, code_challenge: string, redirect_uri: string | undefined, response_mode: string | undefined, thumbprint: string | undefined) => AuthorizeOptions;
-/**
- * @ignore
- *
- * Function used to provide support for the deprecated onRedirect through openUrl.
- */
-export declare const patchOpenUrlWithOnRedirect: <T extends Pick<LogoutOptions, "openUrl" | "onRedirect">>(options: T) => T;
-/**
- * @ignore
- *
- * Checks if all scopes are included inside other array of scopes
- */
-export declare const allScopesAreIncluded: (scopeToInclude?: string, scopes?: string) => boolean;
-/**
- * @ignore
- *
- * Returns the scopes that are missing after a refresh
- */
-export declare const getMissingScopes: (requestedScope?: string, respondedScope?: string) => string;
-/**
- * @ignore
- *
- * For backward compatibility we are going to check if we are going to downscope while doing a refresh request
- * while MRRT is allowed. If the audience is the same for the refresh_token we are going to use and it has
- * lower scopes than the ones originally in the token, we are going to return the scopes that were stored
- * with the refresh_token in the tokenset.
- * @param useMrrt Setting that the user can activate to use MRRT in their requests
- * @param authorizationParams Contains the audience and scope that the user requested to obtain a token
- * @param cachedAudience Audience stored with the refresh_token wich we are going to use in the request
- * @param cachedScope Scope stored with the refresh_token wich we are going to use in the request
- */
-export declare const getScopeToRequest: (useMrrt: boolean | undefined, authorizationParams: {
-    audience?: string;
-    scope: string;
-}, cachedAudience?: string, cachedScope?: string) => string;
-/**
- * @ignore
- *
- * Checks if the refresh request has been done using MRRT
- * @param cachedAudience Audience from the refresh token used to refresh
- * @param cachedScope Scopes from the refresh token used to refresh
- * @param requestAudience Audience sent to the server
- * @param requestScope Scopes sent to the server
- */
-export declare const isRefreshWithMrrt: (cachedAudience: string | undefined, cachedScope: string | undefined, requestAudience: string | undefined, requestScope: string) => boolean;
+import { ICache } from './cache';
+import { Auth0ClientOptions, AuthorizationParams, AuthorizeOptions, ClientAuthorizationParams, LogoutOptions } from './global';
+/**
+ * @ignore
+ */
+export declare const GET_TOKEN_SILENTLY_LOCK_KEY = "auth0.lock.getTokenSilently";
+/**
+ * @ignore
+ */
+export declare const GET_TOKEN_FROM_IFRAME_LOCK_KEY = "auth0.lock.getTokenFromIFrame";
+/**
+ * @ignore
+ */
+export declare const buildGetTokenSilentlyLockKey: (clientId: string, audience: string) => string;
+/**
+ * @ignore
+ * Builds a global lock key for iframe-based authentication flows.
+ * This ensures only one iframe authorization request runs at a time per client,
+ * preventing "Invalid state" errors from concurrent iframe requests overwriting
+ * each other's state in the Auth0 session.
+ */
+export declare const buildIframeLockKey: (clientId: string) => string;
+/**
+ * @ignore
+ */
+export declare const buildOrganizationHintCookieName: (clientId: string) => string;
+/**
+ * @ignore
+ */
+export declare const OLD_IS_AUTHENTICATED_COOKIE_NAME = "auth0.is.authenticated";
+/**
+ * @ignore
+ */
+export declare const buildIsAuthenticatedCookieName: (clientId: string) => string;
+/**
+ * @ignore
+ */
+export declare const cacheFactory: (location: string) => () => ICache;
+/**
+ * @ignore
+ */
+export declare const getAuthorizeParams: (clientOptions: Auth0ClientOptions & {
+    authorizationParams: ClientAuthorizationParams;
+}, scope: Record<string, string>, authorizationParams: AuthorizationParams & {
+    scope?: string | undefined;
+}, state: string, nonce: string, code_challenge: string, redirect_uri: string | undefined, response_mode: string | undefined, thumbprint: string | undefined) => AuthorizeOptions;
+/**
+ * @ignore
+ *
+ * Function used to provide support for the deprecated onRedirect through openUrl.
+ */
+export declare const patchOpenUrlWithOnRedirect: <T extends Pick<LogoutOptions, "onRedirect" | "openUrl">>(options: T) => T;
+/**
+ * @ignore
+ *
+ * Checks if all scopes are included inside other array of scopes
+ */
+export declare const allScopesAreIncluded: (scopeToInclude?: string, scopes?: string) => boolean;
+/**
+ * @ignore
+ *
+ * Returns the scopes that are missing after a refresh
+ */
+export declare const getMissingScopes: (requestedScope?: string, respondedScope?: string) => string;
+/**
+ * @ignore
+ *
+ * For backward compatibility we are going to check if we are going to downscope while doing a refresh request
+ * while MRRT is allowed. If the audience is the same for the refresh_token we are going to use and it has
+ * lower scopes than the ones originally in the token, we are going to return the scopes that were stored
+ * with the refresh_token in the tokenset.
+ * @param useMrrt Setting that the user can activate to use MRRT in their requests
+ * @param authorizationParams Contains the audience and scope that the user requested to obtain a token
+ * @param cachedAudience Audience stored with the refresh_token wich we are going to use in the request
+ * @param cachedScope Scope stored with the refresh_token wich we are going to use in the request
+ */
+export declare const getScopeToRequest: (useMrrt: boolean | undefined, authorizationParams: {
+    audience?: string;
+    scope: string;
+}, cachedAudience?: string, cachedScope?: string) => string;
+/**
+ * @ignore
+ *
+ * Checks if the refresh request has been done using MRRT
+ * @param cachedAudience Audience from the refresh token used to refresh
+ * @param cachedScope Scopes from the refresh token used to refresh
+ * @param requestAudience Audience sent to the server
+ * @param requestScope Scopes sent to the server
+ */
+export declare const isRefreshWithMrrt: (cachedAudience: string | undefined, cachedScope: string | undefined, requestAudience: string | undefined, requestScope: string) => boolean;

package/dist/typings/MyAccountApiClient.d.ts

@@ -1,92 +1,92 @@
-import { AuthorizationParams } from './global';
-import { Fetcher } from './fetcher';
-interface ConnectRequest {
-    /** The name of the connection to link the account with (e.g., 'google-oauth2', 'facebook'). */
-    connection: string;
-    /** Array of scopes to request from the Identity Provider during the connect account flow. */
-    scopes?: string[];
-    /** The URI to redirect to after the connection process completes. */
-    redirect_uri: string;
-    /** An opaque value used to maintain state between the request and callback. */
-    state?: string;
-    /** The PKCE code challenge derived from the code verifier. */
-    code_challenge?: string;
-    /** The method used to derive the code challenge. Required when code_challenge is provided. */
-    code_challenge_method?: 'S256';
-    authorization_params?: AuthorizationParams;
-}
-interface ConnectResponse {
-    /** The base URI to initiate the account connection flow. */
-    connect_uri: string;
-    /** The authentication session identifier. */
-    auth_session: string;
-    /** Parameters to be used with the connect URI. */
-    connect_params: {
-        /** The ticket identifier to be used with the connection URI. */
-        ticket: string;
-    };
-    /** The number of seconds until the ticket expires. */
-    expires_in: number;
-}
-interface CompleteRequest {
-    /** The authentication session identifier */
-    auth_session: string;
-    /** The authorization code returned from the connect flow */
-    connect_code: string;
-    /** The redirect URI used in the original request */
-    redirect_uri: string;
-    /** The PKCE code verifier */
-    code_verifier?: string;
-}
-export interface CompleteResponse {
-    /** The unique identifier of the connected account */
-    id: string;
-    /** The connection name */
-    connection: string;
-    /** The access type, always 'offline' */
-    access_type: 'offline';
-    /** Array of scopes granted */
-    scopes?: string[];
-    /** ISO date string of when the connected account was created */
-    created_at: string;
-    /** ISO date string of when the refresh token expires (optional) */
-    expires_at?: string;
-}
-export interface ErrorResponse {
-    type: string;
-    status: number;
-    title: string;
-    detail: string;
-    validation_errors?: {
-        detail: string;
-        field?: string;
-        pointer?: string;
-        source?: string;
-    }[];
-}
-/**
- * Subset of the MyAccount API that handles the connect accounts flow.
- */
-export declare class MyAccountApiClient {
-    private myAccountFetcher;
-    private apiBase;
-    constructor(myAccountFetcher: Fetcher<Response>, apiBase: string);
-    /**
-     * Get a ticket for the connect account flow.
-     */
-    connectAccount(params: ConnectRequest): Promise<ConnectResponse>;
-    /**
-     * Verify the redirect from the connect account flow and complete the connecting of the account.
-     */
-    completeAccount(params: CompleteRequest): Promise<CompleteResponse>;
-    private _handleResponse;
-}
-export declare class MyAccountApiError extends Error {
-    readonly type: string;
-    readonly status: number;
-    readonly title: string;
-    readonly detail: string;
-    readonly validation_errors?: ErrorResponse['validation_errors'];
-    constructor({ type, status, title, detail, validation_errors }: ErrorResponse);
-}
-export {};
+import { AuthorizationParams } from './global';
+import { Fetcher } from './fetcher';
+interface ConnectRequest {
+    /** The name of the connection to link the account with (e.g., 'google-oauth2', 'facebook'). */
+    connection: string;
+    /** Array of scopes to request from the Identity Provider during the connect account flow. */
+    scopes?: string[];
+    /** The URI to redirect to after the connection process completes. */
+    redirect_uri: string;
+    /** An opaque value used to maintain state between the request and callback. */
+    state?: string;
+    /** The PKCE code challenge derived from the code verifier. */
+    code_challenge?: string;
+    /** The method used to derive the code challenge. Required when code_challenge is provided. */
+    code_challenge_method?: 'S256';
+    authorization_params?: AuthorizationParams;
+}
+interface ConnectResponse {
+    /** The base URI to initiate the account connection flow. */
+    connect_uri: string;
+    /** The authentication session identifier. */
+    auth_session: string;
+    /** Parameters to be used with the connect URI. */
+    connect_params: {
+        /** The ticket identifier to be used with the connection URI. */
+        ticket: string;
+    };
+    /** The number of seconds until the ticket expires. */
+    expires_in: number;
+}
+interface CompleteRequest {
+    /** The authentication session identifier */
+    auth_session: string;
+    /** The authorization code returned from the connect flow */
+    connect_code: string;
+    /** The redirect URI used in the original request */
+    redirect_uri: string;
+    /** The PKCE code verifier */
+    code_verifier?: string;
+}
+export interface CompleteResponse {
+    /** The unique identifier of the connected account */
+    id: string;
+    /** The connection name */
+    connection: string;
+    /** The access type, always 'offline' */
+    access_type: 'offline';
+    /** Array of scopes granted */
+    scopes?: string[];
+    /** ISO date string of when the connected account was created */
+    created_at: string;
+    /** ISO date string of when the refresh token expires (optional) */
+    expires_at?: string;
+}
+export interface ErrorResponse {
+    type: string;
+    status: number;
+    title: string;
+    detail: string;
+    validation_errors?: {
+        detail: string;
+        field?: string;
+        pointer?: string;
+        source?: string;
+    }[];
+}
+/**
+ * Subset of the MyAccount API that handles the connect accounts flow.
+ */
+export declare class MyAccountApiClient {
+    private myAccountFetcher;
+    private apiBase;
+    constructor(myAccountFetcher: Fetcher<Response>, apiBase: string);
+    /**
+     * Get a ticket for the connect account flow.
+     */
+    connectAccount(params: ConnectRequest): Promise<ConnectResponse>;
+    /**
+     * Verify the redirect from the connect account flow and complete the connecting of the account.
+     */
+    completeAccount(params: CompleteRequest): Promise<CompleteResponse>;
+    private _handleResponse;
+}
+export declare class MyAccountApiError extends Error {
+    readonly type: string;
+    readonly status: number;
+    readonly title: string;
+    readonly detail: string;
+    readonly validation_errors?: ErrorResponse['validation_errors'];
+    constructor({ type, status, title, detail, validation_errors }: ErrorResponse);
+}
+export {};

package/dist/typings/TokenExchange.d.ts

@@ -1,77 +1,77 @@
-/**
- * Represents the configuration options required for initiating a Custom Token Exchange request
- * following RFC 8693 specifications.
- *
- * @see {@link https://www.rfc-editor.org/rfc/rfc8693 | RFC 8693: OAuth 2.0 Token Exchange}
- */
-export type CustomTokenExchangeOptions = {
-    /**
-     * The type identifier for the subject token being exchanged
-     *
-     * @pattern
-     * - Must be a namespaced URI under your organization's control
-     * - Forbidden patterns:
-     *   - `^urn:ietf:params:oauth:*` (IETF reserved)
-     *   - `^https:\/\/auth0\.com/*` (Auth0 reserved)
-     *   - `^urn:auth0:*` (Auth0 reserved)
-     *
-     * @example
-     * "urn:acme:legacy-system-token"
-     * "https://api.yourcompany.com/token-type/v1"
-     */
-    subject_token_type: string;
-    /**
-     * The opaque token value being exchanged for Auth0 tokens
-     *
-     * @security
-     * - Must be validated in Auth0 Actions using strong cryptographic verification
-     * - Implement replay attack protection
-     * - Recommended validation libraries: `jose`, `jsonwebtoken`
-     *
-     * @example
-     * "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
-     */
-    subject_token: string;
-    /**
-     * The target audience for the requested Auth0 token
-     *
-     * @remarks
-     * Must match exactly with an API identifier configured in your Auth0 tenant.
-     * If not provided, falls back to the client's default audience.
-     *
-     * @example
-     * "https://api.your-service.com/v1"
-     */
-    audience?: string;
-    /**
-     * Space-separated list of OAuth 2.0 scopes being requested
-     *
-     * @remarks
-     * Subject to API authorization policies configured in Auth0
-     *
-     * @example
-     * "openid profile email read:data write:data"
-     */
-    scope?: string;
-    /**
-     * ID or name of the organization to use when authenticating a user.
-     * When provided, the user will be authenticated using the organization context.
-     * The organization ID will be present in the access token payload.
-     */
-    organization?: string;
-    /**
-     * Additional custom parameters for Auth0 Action processing
-     *
-     * @remarks
-     * Accessible in Action code via `event.request.body`
-     *
-     * @example
-     * ```typescript
-     * {
-     *   custom_parameter: "session_context",
-     *   device_fingerprint: "a3d8f7...",
-     * }
-     * ```
-     */
-    [key: string]: unknown;
-};
+/**
+ * Represents the configuration options required for initiating a Custom Token Exchange request
+ * following RFC 8693 specifications.
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc8693 | RFC 8693: OAuth 2.0 Token Exchange}
+ */
+export type CustomTokenExchangeOptions = {
+    /**
+     * The type identifier for the subject token being exchanged
+     *
+     * @pattern
+     * - Must be a namespaced URI under your organization's control
+     * - Forbidden patterns:
+     *   - `^urn:ietf:params:oauth:*` (IETF reserved)
+     *   - `^https:\/\/auth0\.com/*` (Auth0 reserved)
+     *   - `^urn:auth0:*` (Auth0 reserved)
+     *
+     * @example
+     * "urn:acme:legacy-system-token"
+     * "https://api.yourcompany.com/token-type/v1"
+     */
+    subject_token_type: string;
+    /**
+     * The opaque token value being exchanged for Auth0 tokens
+     *
+     * @security
+     * - Must be validated in Auth0 Actions using strong cryptographic verification
+     * - Implement replay attack protection
+     * - Recommended validation libraries: `jose`, `jsonwebtoken`
+     *
+     * @example
+     * "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
+     */
+    subject_token: string;
+    /**
+     * The target audience for the requested Auth0 token
+     *
+     * @remarks
+     * Must match exactly with an API identifier configured in your Auth0 tenant.
+     * If not provided, falls back to the client's default audience.
+     *
+     * @example
+     * "https://api.your-service.com/v1"
+     */
+    audience?: string;
+    /**
+     * Space-separated list of OAuth 2.0 scopes being requested
+     *
+     * @remarks
+     * Subject to API authorization policies configured in Auth0
+     *
+     * @example
+     * "openid profile email read:data write:data"
+     */
+    scope?: string;
+    /**
+     * ID or name of the organization to use when authenticating a user.
+     * When provided, the user will be authenticated using the organization context.
+     * The organization ID will be present in the access token payload.
+     */
+    organization?: string;
+    /**
+     * Additional custom parameters for Auth0 Action processing
+     *
+     * @remarks
+     * Accessible in Action code via `event.request.body`
+     *
+     * @example
+     * ```typescript
+     * {
+     *   custom_parameter: "session_context",
+     *   device_fingerprint: "a3d8f7...",
+     * }
+     * ```
+     */
+    [key: string]: unknown;
+};

package/dist/typings/api.d.ts

@@ -1,2 +1,2 @@
-import { TokenEndpointOptions, TokenEndpointResponse } from './global';
-export declare function oauthToken({ baseUrl, timeout, audience, scope, auth0Client, useFormData, useMrrt, dpop, ...options }: TokenEndpointOptions, worker?: Worker): Promise<TokenEndpointResponse>;
+import { TokenEndpointOptions, TokenEndpointResponse } from './global';
+export declare function oauthToken({ baseUrl, timeout, audience, scope, auth0Client, useFormData, useMrrt, dpop, ...options }: TokenEndpointOptions, worker?: Worker): Promise<TokenEndpointResponse>;

package/dist/typings/cache/cache-localstorage.d.ts

@@ -1,7 +1,7 @@
-import { ICache, Cacheable, MaybePromise } from './shared';
-export declare class LocalStorageCache implements ICache {
-    set<T = Cacheable>(key: string, entry: T): void;
-    get<T = Cacheable>(key: string): MaybePromise<T | undefined>;
-    remove(key: string): void;
-    allKeys(): string[];
-}
+import { ICache, Cacheable, MaybePromise } from './shared';
+export declare class LocalStorageCache implements ICache {
+    set<T = Cacheable>(key: string, entry: T): void;
+    get<T = Cacheable>(key: string): MaybePromise<T | undefined>;
+    remove(key: string): void;
+    allKeys(): string[];
+}

package/dist/typings/cache/cache-manager.d.ts

@@ -1,56 +1,56 @@
-import { CacheKeyManifest } from './key-manifest';
-import { CacheEntry, ICache, CacheKey, DecodedToken, IdTokenEntry } from './shared';
-export declare class CacheManager {
-    private cache;
-    private keyManifest?;
-    private nowProvider;
-    constructor(cache: ICache, keyManifest?: CacheKeyManifest | undefined, nowProvider?: () => number | Promise<number>);
-    setIdToken(clientId: string, idToken: string, decodedToken: DecodedToken): Promise<void>;
-    getIdToken(cacheKey: CacheKey): Promise<IdTokenEntry | undefined>;
-    get(cacheKey: CacheKey, expiryAdjustmentSeconds?: number, useMrrt?: boolean, cacheMode?: string): Promise<Partial<CacheEntry> | undefined>;
-    private modifiedCachedEntry;
-    set(entry: CacheEntry): Promise<void>;
-    remove(client_id: string, audience?: string, scope?: string): Promise<void>;
-    clear(clientId?: string): Promise<void>;
-    private wrapCacheEntry;
-    private getCacheKeys;
-    /**
-     * Returns the cache key to be used to store the id token
-     * @param clientId The client id used to link to the id token
-     * @returns The constructed cache key, as a string, to store the id token
-     */
-    private getIdTokenCacheKey;
-    /**
-     * Finds the corresponding key in the cache based on the provided cache key.
-     * The keys inside the cache are in the format {prefix}::{clientId}::{audience}::{scope}.
-     * The first key in the cache that satisfies the following conditions is returned
-     *  - `prefix` is strict equal to Auth0's internally configured `keyPrefix`
-     *  - `clientId` is strict equal to the `cacheKey.clientId`
-     *  - `audience` is strict equal to the `cacheKey.audience`
-     *  - `scope` contains at least all the `cacheKey.scope` values
-     *  *
-     * @param keyToMatch The provided cache key
-     * @param allKeys A list of existing cache keys
-     */
-    private matchExistingCacheKey;
-    /**
-     * Returns the first entry that contains a refresh_token that satisfies the following conditions
-     * The keys inside the cache are in the format {prefix}::{clientId}::{audience}::{scope}.
-     * - `prefix` is strict equal to Auth0's internally configured `keyPrefix`
-     * - `clientId` is strict equal to the `cacheKey.clientId`
-     * @param keyToMatch The provided cache key
-     * @param allKeys A list of existing cache keys
-     */
-    private getEntryWithRefreshToken;
-    /**
-     * Updates the refresh token in all cache entries that contain the old refresh token.
-     *
-     * When a refresh token is rotated, multiple cache entries (for different audiences/scopes)
-     * may share the same refresh token. This method propagates the new refresh token to all
-     * matching entries.
-     *
-     * @param oldRefreshToken The refresh token that was used and is now invalid
-     * @param newRefreshToken The new refresh token received from the server
-     */
-    updateEntry(oldRefreshToken: string, newRefreshToken: string): Promise<void>;
-}
+import { CacheKeyManifest } from './key-manifest';
+import { CacheEntry, ICache, CacheKey, DecodedToken, IdTokenEntry } from './shared';
+export declare class CacheManager {
+    private cache;
+    private keyManifest?;
+    private nowProvider;
+    constructor(cache: ICache, keyManifest?: CacheKeyManifest | undefined, nowProvider?: () => number | Promise<number>);
+    setIdToken(clientId: string, idToken: string, decodedToken: DecodedToken): Promise<void>;
+    getIdToken(cacheKey: CacheKey): Promise<IdTokenEntry | undefined>;
+    get(cacheKey: CacheKey, expiryAdjustmentSeconds?: number, useMrrt?: boolean, cacheMode?: string): Promise<Partial<CacheEntry> | undefined>;
+    private modifiedCachedEntry;
+    set(entry: CacheEntry): Promise<void>;
+    remove(client_id: string, audience?: string, scope?: string): Promise<void>;
+    clear(clientId?: string): Promise<void>;
+    private wrapCacheEntry;
+    private getCacheKeys;
+    /**
+     * Returns the cache key to be used to store the id token
+     * @param clientId The client id used to link to the id token
+     * @returns The constructed cache key, as a string, to store the id token
+     */
+    private getIdTokenCacheKey;
+    /**
+     * Finds the corresponding key in the cache based on the provided cache key.
+     * The keys inside the cache are in the format {prefix}::{clientId}::{audience}::{scope}.
+     * The first key in the cache that satisfies the following conditions is returned
+     *  - `prefix` is strict equal to Auth0's internally configured `keyPrefix`
+     *  - `clientId` is strict equal to the `cacheKey.clientId`
+     *  - `audience` is strict equal to the `cacheKey.audience`
+     *  - `scope` contains at least all the `cacheKey.scope` values
+     *  *
+     * @param keyToMatch The provided cache key
+     * @param allKeys A list of existing cache keys
+     */
+    private matchExistingCacheKey;
+    /**
+     * Returns the first entry that contains a refresh_token that satisfies the following conditions
+     * The keys inside the cache are in the format {prefix}::{clientId}::{audience}::{scope}.
+     * - `prefix` is strict equal to Auth0's internally configured `keyPrefix`
+     * - `clientId` is strict equal to the `cacheKey.clientId`
+     * @param keyToMatch The provided cache key
+     * @param allKeys A list of existing cache keys
+     */
+    private getEntryWithRefreshToken;
+    /**
+     * Updates the refresh token in all cache entries that contain the old refresh token.
+     *
+     * When a refresh token is rotated, multiple cache entries (for different audiences/scopes)
+     * may share the same refresh token. This method propagates the new refresh token to all
+     * matching entries.
+     *
+     * @param oldRefreshToken The refresh token that was used and is now invalid
+     * @param newRefreshToken The new refresh token received from the server
+     */
+    updateEntry(oldRefreshToken: string, newRefreshToken: string): Promise<void>;
+}