@auth0/auth0-spa-js 2.19.0 → 2.19.1

package/dist/typings/Auth0Client.d.ts

@@ -1,476 +1,476 @@
-import { Auth0ClientOptions, RedirectLoginOptions, PopupLoginOptions, PopupConfigOptions, RedirectLoginResult, GetTokenSilentlyOptions, GetTokenWithPopupOptions, LogoutOptions, User, IdToken, GetTokenSilentlyVerboseResponse, TokenEndpointResponse, ConnectAccountRedirectResult, RedirectConnectAccountOptions, ClientConfiguration, RevokeRefreshTokenOptions } from './global';
-import { CustomTokenExchangeOptions } from './TokenExchange';
-import { Dpop } from './dpop/dpop';
-import { Fetcher, type FetcherConfig, type CustomFetchMinimalOutput } from './fetcher';
-import { MfaApiClient } from './mfa';
-/**
- * Auth0 SDK for Single Page Applications using [Authorization Code Grant Flow with PKCE](https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce).
- */
-export declare class Auth0Client {
-    private readonly transactionManager;
-    private readonly cacheManager;
-    private readonly lockManager;
-    private readonly domainUrl;
-    private readonly tokenIssuer;
-    private readonly scope;
-    private readonly cookieStorage;
-    private readonly dpop;
-    private readonly sessionCheckExpiryDays;
-    private readonly orgHintCookieName;
-    private readonly isAuthenticatedCookieName;
-    private readonly nowProvider;
-    private readonly httpTimeoutMs;
-    private readonly options;
-    private readonly userCache;
-    private readonly myAccountApi;
-    /**
-     * MFA API client for multi-factor authentication operations.
-     *
-     * Provides methods for:
-     * - Listing enrolled authenticators
-     * - Enrolling new authenticators (OTP, SMS, Voice, Push, Email)
-     * - Initiating MFA challenges
-     * - Verifying MFA challenges
-     */
-    readonly mfa: MfaApiClient;
-    private worker?;
-    private readonly authJsClient;
-    private readonly defaultOptions;
-    constructor(options: Auth0ClientOptions);
-    /**
-     * Returns a readonly copy of the initialization configuration.
-     *
-     * @returns An object containing domain and clientId
-     *
-     * @example
-     * ```typescript
-     * const auth0 = new Auth0Client({
-     *   domain: 'tenant.auth0.com',
-     *   clientId: 'abc123'
-     * });
-     *
-     * const config = auth0.getConfiguration();
-     * // { domain: 'tenant.auth0.com', clientId: 'abc123' }
-     * ```
-     */
-    getConfiguration(): Readonly<ClientConfiguration>;
-    private _url;
-    private _authorizeUrl;
-    private _verifyIdToken;
-    private _processOrgHint;
-    /**
-     * Extracts the session transfer token from the current URL query parameters
-     * for Native to Web SSO flows.
-     *
-     * @param paramName The query parameter name to extract from the URL
-     * @returns The session transfer token if present, undefined otherwise
-     */
-    private _extractSessionTransferToken;
-    /**
-     * Clears the session transfer token from the current URL using the History API.
-     * This prevents the token from being re-sent on subsequent authentication requests,
-     * which is important since session transfer tokens are typically single-use.
-     *
-     * @param paramName The query parameter name to remove from the URL
-     */
-    private _clearSessionTransferTokenFromUrl;
-    /**
-     * Applies the session transfer token from the URL to the authorization parameters
-     * if configured and not already provided.
-     *
-     * @param authorizationParams The authorization parameters to enhance
-     * @returns The authorization parameters with session_transfer_token added if applicable
-     */
-    private _applySessionTransferToken;
-    private _prepareAuthorizeUrl;
-    /**
-     * ```js
-     * try {
-     *  await auth0.loginWithPopup(options);
-     * } catch(e) {
-     *  if (e instanceof PopupCancelledError) {
-     *    // Popup was closed before login completed
-     *  }
-     * }
-     * ```
-     *
-     * Opens a popup with the `/authorize` URL using the parameters
-     * provided as arguments. Random and secure `state` and `nonce`
-     * parameters will be auto-generated. If the response is successful,
-     * results will be valid according to their expiration times.
-     *
-     * IMPORTANT: This method has to be called from an event handler
-     * that was started by the user like a button click, for example,
-     * otherwise the popup will be blocked in most browsers.
-     *
-     * @param options
-     * @param config
-     */
-    loginWithPopup(options?: PopupLoginOptions, config?: PopupConfigOptions): Promise<void>;
-    /**
-     * ```js
-     * const user = await auth0.getUser();
-     * ```
-     *
-     * Returns the user information if available (decoded
-     * from the `id_token`).
-     *
-     * @typeparam TUser The type to return, has to extend {@link User}.
-     */
-    getUser<TUser extends User>(): Promise<TUser | undefined>;
-    /**
-     * ```js
-     * const claims = await auth0.getIdTokenClaims();
-     * ```
-     *
-     * Returns all claims from the id_token if available.
-     */
-    getIdTokenClaims(): Promise<IdToken | undefined>;
-    /**
-     * ```js
-     * await auth0.loginWithRedirect(options);
-     * ```
-     *
-     * Performs a redirect to `/authorize` using the parameters
-     * provided as arguments. Random and secure `state` and `nonce`
-     * parameters will be auto-generated.
-     *
-     * @param options
-     */
-    loginWithRedirect<TAppState = any>(options?: RedirectLoginOptions<TAppState>): Promise<void>;
-    /**
-     * After the browser redirects back to the callback page,
-     * call `handleRedirectCallback` to handle success and error
-     * responses from Auth0. If the response is successful, results
-     * will be valid according to their expiration times.
-     */
-    handleRedirectCallback<TAppState = any>(url?: string): Promise<RedirectLoginResult<TAppState> | ConnectAccountRedirectResult<TAppState>>;
-    /**
-     * Handles the redirect callback from the login flow.
-     *
-     * @template AppState - The application state persisted from the /authorize redirect.
-     * @param {string} authenticationResult - The parsed authentication result from the URL.
-     * @param {string} transaction - The login transaction.
-     *
-     * @returns {RedirectLoginResult} Resolves with the persisted app state.
-     * @throws {GenericError | Error} If the transaction is missing, invalid, or the code exchange fails.
-     */
-    private _handleLoginRedirectCallback;
-    /**
-     * Handles the redirect callback from the connect account flow.
-     * This works the same as the redirect from the login flow expect it verifies the `connect_code`
-     * with the My Account API rather than the `code` with the Authorization Server.
-     *
-     * @template AppState - The application state persisted from the connect redirect.
-     * @param {string} connectResult - The parsed connect accounts result from the URL.
-     * @param {string} transaction - The login transaction.
-     * @returns {Promise<ConnectAccountRedirectResult>} The result of the My Account API, including any persisted app state.
-     * @throws {GenericError | MyAccountApiError} If the transaction is missing, invalid, or an error is returned from the My Account API.
-     */
-    private _handleConnectAccountRedirectCallback;
-    /**
-     * ```js
-     * await auth0.checkSession();
-     * ```
-     *
-     * Check if the user is logged in using `getTokenSilently`. The difference
-     * with `getTokenSilently` is that this doesn't return a token, but it will
-     * pre-fill the token cache.
-     *
-     * This method also heeds the `auth0.{clientId}.is.authenticated` cookie, as an optimization
-     *  to prevent calling Auth0 unnecessarily. If the cookie is not present because
-     * there was no previous login (or it has expired) then tokens will not be refreshed.
-     *
-     * It should be used for silently logging in the user when you instantiate the
-     * `Auth0Client` constructor. You should not need this if you are using the
-     * `createAuth0Client` factory.
-     *
-     * **Note:** the cookie **may not** be present if running an app using a private tab, as some
-     * browsers clear JS cookie data and local storage when the tab or page is closed, or on page reload. This effectively
-     * means that `checkSession` could silently return without authenticating the user on page refresh when
-     * using a private tab, despite having previously logged in. As a workaround, use `getTokenSilently` instead
-     * and handle the possible `login_required` error [as shown in the readme](https://github.com/auth0/auth0-spa-js#creating-the-client).
-     *
-     * @param options
-     */
-    checkSession(options?: GetTokenSilentlyOptions): Promise<void>;
-    /**
-     * Fetches a new access token and returns the response from the /oauth/token endpoint, omitting the refresh token.
-     *
-     * @param options
-     */
-    getTokenSilently(options: GetTokenSilentlyOptions & {
-        detailedResponse: true;
-    }): Promise<GetTokenSilentlyVerboseResponse>;
-    /**
-     * Fetches a new access token and returns it.
-     *
-     * @param options
-     */
-    getTokenSilently(options?: GetTokenSilentlyOptions): Promise<string>;
-    private _getTokenSilently;
-    /**
-     * Checks if an error should be handled by the interactive error handler.
-     * Matches:
-     * - MfaRequiredError (refresh token path, error='mfa_required')
-     * - GenericError from iframe path (error='login_required',
-     *   error_description='Multifactor authentication required')
-     * Extensible for future interactive error types.
-     */
-    private _isInteractiveError;
-    /**
-     * Checks if a login_required error from the iframe flow is actually
-     * an MFA step-up requirement. The /authorize endpoint returns
-     * error='login_required' with error_description='Multifactor authentication required'
-     * when MFA is needed but prompt=none prevents interaction.
-     */
-    private _isIframeMfaError;
-    /**
-     * Handles MFA errors by opening a popup to complete authentication,
-     * then reads the resulting token from cache.
-     */
-    private _handleInteractiveErrorWithPopup;
-    /**
-     * ```js
-     * const token = await auth0.getTokenWithPopup(options);
-     * ```
-     * Opens a popup with the `/authorize` URL using the parameters
-     * provided as arguments. Random and secure `state` and `nonce`
-     * parameters will be auto-generated. If the response is successful,
-     * results will be valid according to their expiration times.
-     *
-     * @param options
-     * @param config
-     */
-    getTokenWithPopup(options?: GetTokenWithPopupOptions, config?: PopupConfigOptions): Promise<string | undefined>;
-    /**
-     * ```js
-     * const isAuthenticated = await auth0.isAuthenticated();
-     * ```
-     *
-     * Returns `true` if there's valid information stored,
-     * otherwise returns `false`.
-     *
-     */
-    isAuthenticated(): Promise<boolean>;
-    /**
-     * ```js
-     * await auth0.buildLogoutUrl(options);
-     * ```
-     *
-     * Builds a URL to the logout endpoint using the parameters provided as arguments.
-     * @param options
-     */
-    private _buildLogoutUrl;
-    /**
-     * ```js
-     * await auth0.revokeRefreshToken();
-     * ```
-     *
-     * Revokes the refresh token using the `/oauth/revoke` endpoint.
-     * This invalidates the refresh token so it can no longer be used to obtain new access tokens.
-     *
-     * The method works with both memory and localStorage cache modes:
-     * - For memory storage with worker: The refresh token never leaves the worker thread,
-     *   maintaining security isolation
-     * - For localStorage: The token is retrieved from cache and revoked
-     *
-     * If `useRefreshTokens` is disabled, this method does nothing.
-     *
-     * **Important:** This method revokes the refresh token for a single audience. If your
-     * application requests tokens for multiple audiences, each audience may have its own
-     * refresh token. To fully revoke all refresh tokens, call this method once per audience.
-     * If you want to terminate the user's session entirely, use `logout()` instead.
-     *
-     * When using Multi-Resource Refresh Tokens (MRRT), a single refresh token may cover
-     * multiple audiences. In that case, revoking it will affect all cache entries that
-     * share the same token.
-     *
-     * @param options - Optional parameters to identify which refresh token to revoke.
-     *   Defaults to the audience configured in `authorizationParams`.
-     *
-     * @example
-     * // Revoke the default refresh token
-     * await auth0.revokeRefreshToken();
-     *
-     * @example
-     * // Revoke refresh tokens for each audience individually
-     * await auth0.revokeRefreshToken({ audience: 'https://api.example.com' });
-     * await auth0.revokeRefreshToken({ audience: 'https://api2.example.com' });
-     */
-    revokeRefreshToken(options?: RevokeRefreshTokenOptions): Promise<void>;
-    /**
-     * ```js
-     * await auth0.logout(options);
-     * ```
-     *
-     * Clears the application session and performs a redirect to `/v2/logout`, using
-     * the parameters provided as arguments, to clear the Auth0 session.
-     *
-     * If the `federated` option is specified it also clears the Identity Provider session.
-     * [Read more about how Logout works at Auth0](https://auth0.com/docs/logout).
-     *
-     * @param options
-     */
-    logout(options?: LogoutOptions): Promise<void>;
-    private _getTokenFromIFrame;
-    private _getTokenUsingRefreshToken;
-    private _saveEntryInCache;
-    private _getIdTokenFromCache;
-    private _getEntryFromCache;
-    private _requestToken;
-    /**
-     * ```js
-     * await auth0.loginWithCustomTokenExchange(options);
-     * ```
-     *
-     * Exchanges an external subject token for Auth0 tokens and logs the user in.
-     * This method implements the Custom Token Exchange grant as specified in RFC 8693.
-     *
-     * The exchanged tokens are automatically cached, establishing an authenticated session.
-     * After calling this method, you can use `getUser()`, `getIdTokenClaims()`, and
-     * `getTokenSilently()` to access the user's information and tokens.
-     *
-     * @param {CustomTokenExchangeOptions} options - The options required to perform the token exchange.
-     *
-     * @returns {Promise<TokenEndpointResponse>} A promise that resolves to the token endpoint response,
-     * which contains the issued Auth0 tokens (access_token, id_token, etc.).
-     *
-     * The request includes the following parameters:
-     * - `grant_type`: "urn:ietf:params:oauth:grant-type:token-exchange"
-     * - `subject_token`: The external token to exchange
-     * - `subject_token_type`: The type identifier of the external token
-     * - `scope`: Merged scopes from the request and SDK defaults
-     * - `audience`: Target audience (defaults to SDK configuration)
-     * - `organization`: Optional organization ID/name for org-scoped authentication
-     *
-     * **Example Usage:**
-     *
-     * ```js
-     * const options = {
-     *   subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
-     *   subject_token_type: 'urn:acme:legacy-system-token',
-     *   scope: 'openid profile email',
-     *   audience: 'https://api.example.com',
-     *   organization: 'org_12345'
-     * };
-     *
-     * try {
-     *   const tokenResponse = await auth0.loginWithCustomTokenExchange(options);
-     *   console.log('Access token:', tokenResponse.access_token);
-     *
-     *   // User is now logged in - access user info
-     *   const user = await auth0.getUser();
-     *   console.log('Logged in user:', user);
-     * } catch (error) {
-     *   console.error('Token exchange failed:', error);
-     * }
-     * ```
-     */
-    loginWithCustomTokenExchange(options: CustomTokenExchangeOptions): Promise<TokenEndpointResponse>;
-    /**
-     * @deprecated Use `loginWithCustomTokenExchange()` instead. This method will be removed in the next major version.
-     *
-     * Exchanges an external subject token for Auth0 tokens.
-     *
-     * @param {CustomTokenExchangeOptions} options - The options required to perform the token exchange.
-     * @returns {Promise<TokenEndpointResponse>} A promise that resolves to the token endpoint response.
-     *
-     * **Example:**
-     * ```js
-     * // Instead of:
-     * const tokens = await auth0.exchangeToken(options);
-     *
-     * // Use:
-     * const tokens = await auth0.loginWithCustomTokenExchange(options);
-     * ```
-     */
-    exchangeToken(options: CustomTokenExchangeOptions): Promise<TokenEndpointResponse>;
-    protected _assertDpop(dpop: Dpop | undefined): asserts dpop is Dpop;
-    /**
-     * Returns the current DPoP nonce used for making requests to Auth0.
-     *
-     * It can return `undefined` because when starting fresh it will not
-     * be populated until after the first response from the server.
-     *
-     * It requires enabling the {@link Auth0ClientOptions.useDpop} option.
-     *
-     * @param nonce The nonce value.
-     * @param id    The identifier of a nonce: if absent, it will get the nonce
-     *              used for requests to Auth0. Otherwise, it will be used to
-     *              select a specific non-Auth0 nonce.
-     */
-    getDpopNonce(id?: string): Promise<string | undefined>;
-    /**
-     * Sets the current DPoP nonce used for making requests to Auth0.
-     *
-     * It requires enabling the {@link Auth0ClientOptions.useDpop} option.
-     *
-     * @param nonce The nonce value.
-     * @param id    The identifier of a nonce: if absent, it will set the nonce
-     *              used for requests to Auth0. Otherwise, it will be used to
-     *              select a specific non-Auth0 nonce.
-     */
-    setDpopNonce(nonce: string, id?: string): Promise<void>;
-    /**
-     * Returns a string to be used to demonstrate possession of the private
-     * key used to cryptographically bind access tokens with DPoP.
-     *
-     * It requires enabling the {@link Auth0ClientOptions.useDpop} option.
-     */
-    generateDpopProof(params: {
-        url: string;
-        method: string;
-        nonce?: string;
-        accessToken: string;
-    }): Promise<string>;
-    /**
-     * Returns a new `Fetcher` class that will contain a `fetchWithAuth()` method.
-     * This is a drop-in replacement for the Fetch API's `fetch()` method, but will
-     * handle certain authentication logic for you, like building the proper auth
-     * headers or managing DPoP nonces and retries automatically.
-     *
-     * Check the `EXAMPLES.md` file for a deeper look into this method.
-     */
-    createFetcher<TOutput extends CustomFetchMinimalOutput = Response>(config?: FetcherConfig<TOutput>): Fetcher<TOutput>;
-    /**
-     * Initiates a redirect to connect the user's account with a specified connection.
-     * This method generates PKCE parameters, creates a transaction, and redirects to the /connect endpoint.
-     *
-     * You must enable `Offline Access` from the Connection Permissions settings to be able to use the connection with Connected Accounts.
-     *
-     * @template TAppState - The application state to persist through the transaction.
-     * @param {RedirectConnectAccountOptions<TAppState>} options - Options for the connect account redirect flow.
-     * @param   {string} options.connection - The name of the connection to link (e.g. 'google-oauth2').
-     * @param   {string[]} [options.scopes] - Array of scopes to request from the Identity Provider during the connect account flow.
-     * @param   {AuthorizationParams} [options.authorization_params] - Additional authorization parameters for the request to the upstream IdP.
-     * @param   {string} [options.redirectUri] - The URI to redirect back to after connecting the account.
-     * @param   {TAppState} [options.appState] - Application state to persist through the transaction.
-     * @param   {(url: string) => Promise<void>} [options.openUrl] - Custom function to open the URL.
-     *
-     * @returns {Promise<void>} Resolves when the redirect is initiated.
-     * @throws {MyAccountApiError} If the connect request to the My Account API fails.
-     */
-    connectAccountWithRedirect<TAppState = any>(options: RedirectConnectAccountOptions<TAppState>): Promise<void>;
-    /**
-     * @internal
-     * Internal method used by MfaApiClient to exchange MFA tokens for access tokens.
-     * This method should not be called directly by applications.
-     */
-    _requestTokenForMfa(options: {
-        grant_type: string;
-        mfaToken: string;
-        scope?: string;
-        audience?: string;
-        otp?: string;
-        binding_code?: string;
-        oob_code?: string;
-        recovery_code?: string;
-    }, additionalParameters?: RequestTokenAdditionalParameters): Promise<TokenEndpointResponse>;
-}
-interface RequestTokenAdditionalParameters {
-    nonceIn?: string;
-    organization?: string;
-    scopesToRequest?: string;
-}
-export {};
+import { Auth0ClientOptions, RedirectLoginOptions, PopupLoginOptions, PopupConfigOptions, RedirectLoginResult, GetTokenSilentlyOptions, GetTokenWithPopupOptions, LogoutOptions, User, IdToken, GetTokenSilentlyVerboseResponse, TokenEndpointResponse, ConnectAccountRedirectResult, RedirectConnectAccountOptions, ClientConfiguration, RevokeRefreshTokenOptions } from './global';
+import { CustomTokenExchangeOptions } from './TokenExchange';
+import { Dpop } from './dpop/dpop';
+import { Fetcher, type FetcherConfig, type CustomFetchMinimalOutput } from './fetcher';
+import { MfaApiClient } from './mfa';
+/**
+ * Auth0 SDK for Single Page Applications using [Authorization Code Grant Flow with PKCE](https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce).
+ */
+export declare class Auth0Client {
+    private readonly transactionManager;
+    private readonly cacheManager;
+    private readonly lockManager;
+    private readonly domainUrl;
+    private readonly tokenIssuer;
+    private readonly scope;
+    private readonly cookieStorage;
+    private readonly dpop;
+    private readonly sessionCheckExpiryDays;
+    private readonly orgHintCookieName;
+    private readonly isAuthenticatedCookieName;
+    private readonly nowProvider;
+    private readonly httpTimeoutMs;
+    private readonly options;
+    private readonly userCache;
+    private readonly myAccountApi;
+    /**
+     * MFA API client for multi-factor authentication operations.
+     *
+     * Provides methods for:
+     * - Listing enrolled authenticators
+     * - Enrolling new authenticators (OTP, SMS, Voice, Push, Email)
+     * - Initiating MFA challenges
+     * - Verifying MFA challenges
+     */
+    readonly mfa: MfaApiClient;
+    private worker?;
+    private readonly authJsClient;
+    private readonly defaultOptions;
+    constructor(options: Auth0ClientOptions);
+    /**
+     * Returns a readonly copy of the initialization configuration.
+     *
+     * @returns An object containing domain and clientId
+     *
+     * @example
+     * ```typescript
+     * const auth0 = new Auth0Client({
+     *   domain: 'tenant.auth0.com',
+     *   clientId: 'abc123'
+     * });
+     *
+     * const config = auth0.getConfiguration();
+     * // { domain: 'tenant.auth0.com', clientId: 'abc123' }
+     * ```
+     */
+    getConfiguration(): Readonly<ClientConfiguration>;
+    private _url;
+    private _authorizeUrl;
+    private _verifyIdToken;
+    private _processOrgHint;
+    /**
+     * Extracts the session transfer token from the current URL query parameters
+     * for Native to Web SSO flows.
+     *
+     * @param paramName The query parameter name to extract from the URL
+     * @returns The session transfer token if present, undefined otherwise
+     */
+    private _extractSessionTransferToken;
+    /**
+     * Clears the session transfer token from the current URL using the History API.
+     * This prevents the token from being re-sent on subsequent authentication requests,
+     * which is important since session transfer tokens are typically single-use.
+     *
+     * @param paramName The query parameter name to remove from the URL
+     */
+    private _clearSessionTransferTokenFromUrl;
+    /**
+     * Applies the session transfer token from the URL to the authorization parameters
+     * if configured and not already provided.
+     *
+     * @param authorizationParams The authorization parameters to enhance
+     * @returns The authorization parameters with session_transfer_token added if applicable
+     */
+    private _applySessionTransferToken;
+    private _prepareAuthorizeUrl;
+    /**
+     * ```js
+     * try {
+     *  await auth0.loginWithPopup(options);
+     * } catch(e) {
+     *  if (e instanceof PopupCancelledError) {
+     *    // Popup was closed before login completed
+     *  }
+     * }
+     * ```
+     *
+     * Opens a popup with the `/authorize` URL using the parameters
+     * provided as arguments. Random and secure `state` and `nonce`
+     * parameters will be auto-generated. If the response is successful,
+     * results will be valid according to their expiration times.
+     *
+     * IMPORTANT: This method has to be called from an event handler
+     * that was started by the user like a button click, for example,
+     * otherwise the popup will be blocked in most browsers.
+     *
+     * @param options
+     * @param config
+     */
+    loginWithPopup(options?: PopupLoginOptions, config?: PopupConfigOptions): Promise<void>;
+    /**
+     * ```js
+     * const user = await auth0.getUser();
+     * ```
+     *
+     * Returns the user information if available (decoded
+     * from the `id_token`).
+     *
+     * @typeparam TUser The type to return, has to extend {@link User}.
+     */
+    getUser<TUser extends User>(): Promise<TUser | undefined>;
+    /**
+     * ```js
+     * const claims = await auth0.getIdTokenClaims();
+     * ```
+     *
+     * Returns all claims from the id_token if available.
+     */
+    getIdTokenClaims(): Promise<IdToken | undefined>;
+    /**
+     * ```js
+     * await auth0.loginWithRedirect(options);
+     * ```
+     *
+     * Performs a redirect to `/authorize` using the parameters
+     * provided as arguments. Random and secure `state` and `nonce`
+     * parameters will be auto-generated.
+     *
+     * @param options
+     */
+    loginWithRedirect<TAppState = any>(options?: RedirectLoginOptions<TAppState>): Promise<void>;
+    /**
+     * After the browser redirects back to the callback page,
+     * call `handleRedirectCallback` to handle success and error
+     * responses from Auth0. If the response is successful, results
+     * will be valid according to their expiration times.
+     */
+    handleRedirectCallback<TAppState = any>(url?: string): Promise<RedirectLoginResult<TAppState> | ConnectAccountRedirectResult<TAppState>>;
+    /**
+     * Handles the redirect callback from the login flow.
+     *
+     * @template AppState - The application state persisted from the /authorize redirect.
+     * @param {string} authenticationResult - The parsed authentication result from the URL.
+     * @param {string} transaction - The login transaction.
+     *
+     * @returns {RedirectLoginResult} Resolves with the persisted app state.
+     * @throws {GenericError | Error} If the transaction is missing, invalid, or the code exchange fails.
+     */
+    private _handleLoginRedirectCallback;
+    /**
+     * Handles the redirect callback from the connect account flow.
+     * This works the same as the redirect from the login flow expect it verifies the `connect_code`
+     * with the My Account API rather than the `code` with the Authorization Server.
+     *
+     * @template AppState - The application state persisted from the connect redirect.
+     * @param {string} connectResult - The parsed connect accounts result from the URL.
+     * @param {string} transaction - The login transaction.
+     * @returns {Promise<ConnectAccountRedirectResult>} The result of the My Account API, including any persisted app state.
+     * @throws {GenericError | MyAccountApiError} If the transaction is missing, invalid, or an error is returned from the My Account API.
+     */
+    private _handleConnectAccountRedirectCallback;
+    /**
+     * ```js
+     * await auth0.checkSession();
+     * ```
+     *
+     * Check if the user is logged in using `getTokenSilently`. The difference
+     * with `getTokenSilently` is that this doesn't return a token, but it will
+     * pre-fill the token cache.
+     *
+     * This method also heeds the `auth0.{clientId}.is.authenticated` cookie, as an optimization
+     *  to prevent calling Auth0 unnecessarily. If the cookie is not present because
+     * there was no previous login (or it has expired) then tokens will not be refreshed.
+     *
+     * It should be used for silently logging in the user when you instantiate the
+     * `Auth0Client` constructor. You should not need this if you are using the
+     * `createAuth0Client` factory.
+     *
+     * **Note:** the cookie **may not** be present if running an app using a private tab, as some
+     * browsers clear JS cookie data and local storage when the tab or page is closed, or on page reload. This effectively
+     * means that `checkSession` could silently return without authenticating the user on page refresh when
+     * using a private tab, despite having previously logged in. As a workaround, use `getTokenSilently` instead
+     * and handle the possible `login_required` error [as shown in the readme](https://github.com/auth0/auth0-spa-js#creating-the-client).
+     *
+     * @param options
+     */
+    checkSession(options?: GetTokenSilentlyOptions): Promise<void>;
+    /**
+     * Fetches a new access token and returns the response from the /oauth/token endpoint, omitting the refresh token.
+     *
+     * @param options
+     */
+    getTokenSilently(options: GetTokenSilentlyOptions & {
+        detailedResponse: true;
+    }): Promise<GetTokenSilentlyVerboseResponse>;
+    /**
+     * Fetches a new access token and returns it.
+     *
+     * @param options
+     */
+    getTokenSilently(options?: GetTokenSilentlyOptions): Promise<string>;
+    private _getTokenSilently;
+    /**
+     * Checks if an error should be handled by the interactive error handler.
+     * Matches:
+     * - MfaRequiredError (refresh token path, error='mfa_required')
+     * - GenericError from iframe path (error='login_required',
+     *   error_description='Multifactor authentication required')
+     * Extensible for future interactive error types.
+     */
+    private _isInteractiveError;
+    /**
+     * Checks if a login_required error from the iframe flow is actually
+     * an MFA step-up requirement. The /authorize endpoint returns
+     * error='login_required' with error_description='Multifactor authentication required'
+     * when MFA is needed but prompt=none prevents interaction.
+     */
+    private _isIframeMfaError;
+    /**
+     * Handles MFA errors by opening a popup to complete authentication,
+     * then reads the resulting token from cache.
+     */
+    private _handleInteractiveErrorWithPopup;
+    /**
+     * ```js
+     * const token = await auth0.getTokenWithPopup(options);
+     * ```
+     * Opens a popup with the `/authorize` URL using the parameters
+     * provided as arguments. Random and secure `state` and `nonce`
+     * parameters will be auto-generated. If the response is successful,
+     * results will be valid according to their expiration times.
+     *
+     * @param options
+     * @param config
+     */
+    getTokenWithPopup(options?: GetTokenWithPopupOptions, config?: PopupConfigOptions): Promise<string | undefined>;
+    /**
+     * ```js
+     * const isAuthenticated = await auth0.isAuthenticated();
+     * ```
+     *
+     * Returns `true` if there's valid information stored,
+     * otherwise returns `false`.
+     *
+     */
+    isAuthenticated(): Promise<boolean>;
+    /**
+     * ```js
+     * await auth0.buildLogoutUrl(options);
+     * ```
+     *
+     * Builds a URL to the logout endpoint using the parameters provided as arguments.
+     * @param options
+     */
+    private _buildLogoutUrl;
+    /**
+     * ```js
+     * await auth0.revokeRefreshToken();
+     * ```
+     *
+     * Revokes the refresh token using the `/oauth/revoke` endpoint.
+     * This invalidates the refresh token so it can no longer be used to obtain new access tokens.
+     *
+     * The method works with both memory and localStorage cache modes:
+     * - For memory storage with worker: The refresh token never leaves the worker thread,
+     *   maintaining security isolation
+     * - For localStorage: The token is retrieved from cache and revoked
+     *
+     * If `useRefreshTokens` is disabled, this method does nothing.
+     *
+     * **Important:** This method revokes the refresh token for a single audience. If your
+     * application requests tokens for multiple audiences, each audience may have its own
+     * refresh token. To fully revoke all refresh tokens, call this method once per audience.
+     * If you want to terminate the user's session entirely, use `logout()` instead.
+     *
+     * When using Multi-Resource Refresh Tokens (MRRT), a single refresh token may cover
+     * multiple audiences. In that case, revoking it will affect all cache entries that
+     * share the same token.
+     *
+     * @param options - Optional parameters to identify which refresh token to revoke.
+     *   Defaults to the audience configured in `authorizationParams`.
+     *
+     * @example
+     * // Revoke the default refresh token
+     * await auth0.revokeRefreshToken();
+     *
+     * @example
+     * // Revoke refresh tokens for each audience individually
+     * await auth0.revokeRefreshToken({ audience: 'https://api.example.com' });
+     * await auth0.revokeRefreshToken({ audience: 'https://api2.example.com' });
+     */
+    revokeRefreshToken(options?: RevokeRefreshTokenOptions): Promise<void>;
+    /**
+     * ```js
+     * await auth0.logout(options);
+     * ```
+     *
+     * Clears the application session and performs a redirect to `/v2/logout`, using
+     * the parameters provided as arguments, to clear the Auth0 session.
+     *
+     * If the `federated` option is specified it also clears the Identity Provider session.
+     * [Read more about how Logout works at Auth0](https://auth0.com/docs/logout).
+     *
+     * @param options
+     */
+    logout(options?: LogoutOptions): Promise<void>;
+    private _getTokenFromIFrame;
+    private _getTokenUsingRefreshToken;
+    private _saveEntryInCache;
+    private _getIdTokenFromCache;
+    private _getEntryFromCache;
+    private _requestToken;
+    /**
+     * ```js
+     * await auth0.loginWithCustomTokenExchange(options);
+     * ```
+     *
+     * Exchanges an external subject token for Auth0 tokens and logs the user in.
+     * This method implements the Custom Token Exchange grant as specified in RFC 8693.
+     *
+     * The exchanged tokens are automatically cached, establishing an authenticated session.
+     * After calling this method, you can use `getUser()`, `getIdTokenClaims()`, and
+     * `getTokenSilently()` to access the user's information and tokens.
+     *
+     * @param {CustomTokenExchangeOptions} options - The options required to perform the token exchange.
+     *
+     * @returns {Promise<TokenEndpointResponse>} A promise that resolves to the token endpoint response,
+     * which contains the issued Auth0 tokens (access_token, id_token, etc.).
+     *
+     * The request includes the following parameters:
+     * - `grant_type`: "urn:ietf:params:oauth:grant-type:token-exchange"
+     * - `subject_token`: The external token to exchange
+     * - `subject_token_type`: The type identifier of the external token
+     * - `scope`: Merged scopes from the request and SDK defaults
+     * - `audience`: Target audience (defaults to SDK configuration)
+     * - `organization`: Optional organization ID/name for org-scoped authentication
+     *
+     * **Example Usage:**
+     *
+     * ```js
+     * const options = {
+     *   subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
+     *   subject_token_type: 'urn:acme:legacy-system-token',
+     *   scope: 'openid profile email',
+     *   audience: 'https://api.example.com',
+     *   organization: 'org_12345'
+     * };
+     *
+     * try {
+     *   const tokenResponse = await auth0.loginWithCustomTokenExchange(options);
+     *   console.log('Access token:', tokenResponse.access_token);
+     *
+     *   // User is now logged in - access user info
+     *   const user = await auth0.getUser();
+     *   console.log('Logged in user:', user);
+     * } catch (error) {
+     *   console.error('Token exchange failed:', error);
+     * }
+     * ```
+     */
+    loginWithCustomTokenExchange(options: CustomTokenExchangeOptions): Promise<TokenEndpointResponse>;
+    /**
+     * @deprecated Use `loginWithCustomTokenExchange()` instead. This method will be removed in the next major version.
+     *
+     * Exchanges an external subject token for Auth0 tokens.
+     *
+     * @param {CustomTokenExchangeOptions} options - The options required to perform the token exchange.
+     * @returns {Promise<TokenEndpointResponse>} A promise that resolves to the token endpoint response.
+     *
+     * **Example:**
+     * ```js
+     * // Instead of:
+     * const tokens = await auth0.exchangeToken(options);
+     *
+     * // Use:
+     * const tokens = await auth0.loginWithCustomTokenExchange(options);
+     * ```
+     */
+    exchangeToken(options: CustomTokenExchangeOptions): Promise<TokenEndpointResponse>;
+    protected _assertDpop(dpop: Dpop | undefined): asserts dpop is Dpop;
+    /**
+     * Returns the current DPoP nonce used for making requests to Auth0.
+     *
+     * It can return `undefined` because when starting fresh it will not
+     * be populated until after the first response from the server.
+     *
+     * It requires enabling the {@link Auth0ClientOptions.useDpop} option.
+     *
+     * @param nonce The nonce value.
+     * @param id    The identifier of a nonce: if absent, it will get the nonce
+     *              used for requests to Auth0. Otherwise, it will be used to
+     *              select a specific non-Auth0 nonce.
+     */
+    getDpopNonce(id?: string): Promise<string | undefined>;
+    /**
+     * Sets the current DPoP nonce used for making requests to Auth0.
+     *
+     * It requires enabling the {@link Auth0ClientOptions.useDpop} option.
+     *
+     * @param nonce The nonce value.
+     * @param id    The identifier of a nonce: if absent, it will set the nonce
+     *              used for requests to Auth0. Otherwise, it will be used to
+     *              select a specific non-Auth0 nonce.
+     */
+    setDpopNonce(nonce: string, id?: string): Promise<void>;
+    /**
+     * Returns a string to be used to demonstrate possession of the private
+     * key used to cryptographically bind access tokens with DPoP.
+     *
+     * It requires enabling the {@link Auth0ClientOptions.useDpop} option.
+     */
+    generateDpopProof(params: {
+        url: string;
+        method: string;
+        nonce?: string;
+        accessToken: string;
+    }): Promise<string>;
+    /**
+     * Returns a new `Fetcher` class that will contain a `fetchWithAuth()` method.
+     * This is a drop-in replacement for the Fetch API's `fetch()` method, but will
+     * handle certain authentication logic for you, like building the proper auth
+     * headers or managing DPoP nonces and retries automatically.
+     *
+     * Check the `EXAMPLES.md` file for a deeper look into this method.
+     */
+    createFetcher<TOutput extends CustomFetchMinimalOutput = Response>(config?: FetcherConfig<TOutput>): Fetcher<TOutput>;
+    /**
+     * Initiates a redirect to connect the user's account with a specified connection.
+     * This method generates PKCE parameters, creates a transaction, and redirects to the /connect endpoint.
+     *
+     * You must enable `Offline Access` from the Connection Permissions settings to be able to use the connection with Connected Accounts.
+     *
+     * @template TAppState - The application state to persist through the transaction.
+     * @param {RedirectConnectAccountOptions<TAppState>} options - Options for the connect account redirect flow.
+     * @param   {string} options.connection - The name of the connection to link (e.g. 'google-oauth2').
+     * @param   {string[]} [options.scopes] - Array of scopes to request from the Identity Provider during the connect account flow.
+     * @param   {AuthorizationParams} [options.authorization_params] - Additional authorization parameters for the request to the upstream IdP.
+     * @param   {string} [options.redirectUri] - The URI to redirect back to after connecting the account.
+     * @param   {TAppState} [options.appState] - Application state to persist through the transaction.
+     * @param   {(url: string) => Promise<void>} [options.openUrl] - Custom function to open the URL.
+     *
+     * @returns {Promise<void>} Resolves when the redirect is initiated.
+     * @throws {MyAccountApiError} If the connect request to the My Account API fails.
+     */
+    connectAccountWithRedirect<TAppState = any>(options: RedirectConnectAccountOptions<TAppState>): Promise<void>;
+    /**
+     * @internal
+     * Internal method used by MfaApiClient to exchange MFA tokens for access tokens.
+     * This method should not be called directly by applications.
+     */
+    _requestTokenForMfa(options: {
+        grant_type: string;
+        mfaToken: string;
+        scope?: string;
+        audience?: string;
+        otp?: string;
+        binding_code?: string;
+        oob_code?: string;
+        recovery_code?: string;
+    }, additionalParameters?: RequestTokenAdditionalParameters): Promise<TokenEndpointResponse>;
+}
+interface RequestTokenAdditionalParameters {
+    nonceIn?: string;
+    organization?: string;
+    scopesToRequest?: string;
+}
+export {};