@authgear/nextjs 0.1.6 → 0.1.8

package/LICENSE

@@ -0,0 +1,192 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship made available under
+      the License, as indicated by a copyright notice that is included in
+      or attached to the work (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean, as submitted to the Licensor for inclusion
+      in the Work by the copyright owner or by an individual or Legal Entity
+      authorized to submit on behalf of the copyright owner. For the purposes
+      of this definition, "submitted" means any form of electronic, verbal,
+      or written communication sent to the Licensor or its representatives,
+      including but not limited to communication on electronic mailing lists,
+      source code control systems, and issue tracking systems that are managed
+      by, or on behalf of, the Licensor for the purpose of discussing and
+      improving the Work, but excluding communication that is conspicuously
+      marked or otherwise designated in writing by the copyright owner as
+      "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any Legal Entity on behalf of
+      whom a Contribution has been received by the Licensor and subsequently
+      incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a cross-claim
+      or counterclaim in a lawsuit) alleging that the Work or any Contribution
+      incorporated within the Work constitutes direct or contributory patent
+      infringement, then any patent licenses granted to You under this License
+      for that Work shall terminate as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative Works
+          a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, You must include a readable copy of the attribution
+          notices contained within such NOTICE file, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own license statement for Your modifications and
+      may provide additional grant of rights to use, copy, modify, merge,
+      publish, distribute, sublicense, and/or sell copies of Your
+      modifications, or for such Derivative Works as a whole, subject to
+      the terms and conditions of this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any conditions of title,
+      merchantability, fitness for a particular purpose and
+      noninfringement. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or exemplary damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or all other
+      commercial damages or losses), even if such Contributor has been
+      advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format in use. Please also include a
+      relevant "NOTICE" text file as appropriate.
+
+   Copyright 2026 Oursky
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -7,7 +7,7 @@
 With Authgear SDK for Next.js, you can easily integrate authentication features into your Next.js application — covering both the frontend and backend in one package.
 In most cases, it involves just **a few lines of code** to enable **multiple authentication methods**, such as [social logins](https://www.authgear.com/features/social-login), [passwordless](https://www.authgear.com/features/passwordless-authentication), [biometrics logins](https://www.authgear.com/features/biometric-authentication), [one-time-password (OTP)](https://www.authgear.com/features/whatsapp-otp) with SMS/WhatsApp, and multi-factor authentication (MFA).
 
-**Quick links** — 📚 [Documentation](#documentation) · 🏁 [Getting Started](#getting-started) · 🛠️ [Troubleshooting](#troubleshooting) · 👥 [Contributing](#contributing)
+**Quick links** — 📚 [Documentation](https://authgear.github.io/authgear-sdk-nextjs/) · 🏁 [Getting Started](#getting-started) · 🛠️ [Troubleshooting](#troubleshooting) · 👥 [Contributing](#contributing)
 
 ## What is Authgear?
 
@@ -35,6 +35,8 @@ npm install @authgear/nextjs
 
 ## Getting Started
 
+For a complete tutorial, see the [Next.js integration guide](https://docs.authgear.com/get-started/regular-web-app/nextjs) on Authgear Docs, or explore the [example project](https://github.com/authgear/authgear-example-nextjs) on GitHub.
+
 ### 1. Configure Authgear
 
 Create a config object. The `sessionSecret` must be at least 32 characters and should be stored in an environment variable.
@@ -169,17 +171,27 @@ export async function GET(request: NextRequest) {
 }
 ```
 
-### Reading the Session
+### Reading the Session in Server Actions
 
-Use `auth()` to read the raw session (tokens + expiry) without fetching user info.
+Use `auth()` to get the session (including a fresh access token) without fetching user info. This is the right choice for Server Actions that need to call a downstream API on behalf of the user — `auth()` will auto-refresh the token if expired before returning it.
 
 ```ts
-import { auth } from "@authgear/nextjs/server";
+"use server";
+import { auth, SessionState } from "@authgear/nextjs/server";
 import { authgearConfig } from "@/lib/authgear";
 
-const session = await auth(authgearConfig);
-// session.state: SessionState.Authenticated | SessionState.NoSession
-// session.accessToken: string | null
+export async function callMyApiAction() {
+  const session = await auth(authgearConfig);
+  if (session.state !== SessionState.Authenticated || !session.accessToken) {
+    throw new Error("Not authenticated");
+  }
+
+  // session.accessToken is always fresh — auto-refreshed if it was expired
+  const res = await fetch("https://api.example.com/data", {
+    headers: { Authorization: `Bearer ${session.accessToken}` },
+  });
+  return res.json();
+}
 ```
 
 ---
@@ -196,8 +208,8 @@ const session = await auth(authgearConfig);
 
 | Export | Description |
 |---|---|
-| `auth(config)` | Returns the current `Session` from the session cookie |
-| `currentUser(config)` | Returns `UserInfo \| null`, auto-refreshes access token |
+| `auth(config)` | Returns the current `Session`, auto-refreshes access token if expired |
+| `currentUser(config)` | Returns `UserInfo \| null`, auto-refreshes access token if expired |
 | `verifyAccessToken(token, config)` | Verifies a JWT Bearer token with JWKS, returns `JWTPayload` |
 
 ### `@authgear/nextjs/client`
@@ -272,6 +284,7 @@ window.open(url, "_blank");
 
 ## Documentation
 
+- **SDK Documentation**: [https://authgear.github.io/authgear-sdk-nextjs/](https://authgear.github.io/authgear-sdk-nextjs/)
 - Learn how to set up an Authgear application at [https://docs.authgear.com/](https://docs.authgear.com/)
 - Learn how to manage your users through the [Admin API](https://docs.authgear.com/reference/apis/admin-api)
 

package/dist/proxy.js

@@ -55,8 +55,6 @@ function createAuthgearProxy(options) {
     }
     const response = NextResponse.next();
     if (sessionData) {
-      const requestHeaders = new Headers(request.headers);
-      requestHeaders.set("Authorization", `Bearer ${sessionData.accessToken}`);
       const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);
       response.cookies.set(newCookie.name, newCookie.value, {
         httpOnly: newCookie.httpOnly,
@@ -65,6 +63,8 @@ function createAuthgearProxy(options) {
         path: newCookie.path,
         maxAge: newCookie.maxAge
       });
+    } else if (sessionCookieValue) {
+      response.cookies.set(resolved.cookieName, "", { maxAge: 0, path: "/" });
     }
     return response;
   };

package/dist/proxy.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/proxy.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession, buildSessionCookie } from \"./session/cookie.js\";\nimport { isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken } from \"./oauth/token.js\";\n\nexport interface AuthgearProxyOptions extends AuthgearConfig {\n  /**\n   * Paths that require authentication. Unauthenticated requests are redirected to login.\n   * Supports exact paths and prefix patterns ending with `*` (e.g. \"/dashboard/*\").\n   */\n  protectedPaths?: string[];\n\n  /**\n   * Paths that are always public (never redirected to login).\n   * Takes precedence over protectedPaths.\n   * Defaults to [\"/api/auth/*\"].\n   */\n  publicPaths?: string[];\n\n  /**\n   * URL to redirect unauthenticated users. Defaults to \"/api/auth/login\".\n   */\n  loginPath?: string;\n}\n\nfunction matchesPath(pathname: string, patterns: string[]): boolean {\n  return patterns.some((pattern) => {\n    if (pattern.endsWith(\"*\")) {\n      return pathname.startsWith(pattern.slice(0, -1));\n    }\n    return pathname === pattern;\n  });\n}\n\n/**\n * Create a Next.js 16 proxy function for Authgear authentication.\n *\n * Usage in `proxy.ts`:\n * ```ts\n * import { createAuthgearProxy } from \"@authgear/nextjs/proxy\";\n * export const proxy = createAuthgearProxy({ ...config, protectedPaths: [\"/dashboard/*\"] });\n * ```\n */\nexport function createAuthgearProxy(options: AuthgearProxyOptions) {\n  const resolved = resolveConfig(options);\n  const protectedPaths = options.protectedPaths ?? [];\n  const publicPaths = options.publicPaths ?? [\"/api/auth/*\"];\n  const loginPath = options.loginPath ?? \"/api/auth/login\";\n\n  return async function proxy(request: NextRequest): Promise<NextResponse> {\n    const { pathname } = request.nextUrl;\n\n    // Always allow public paths\n    if (matchesPath(pathname, publicPaths)) {\n      return NextResponse.next();\n    }\n\n    const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n    let sessionData = sessionCookieValue\n      ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n      : null;\n\n    // Try to refresh expired token\n    if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n      try {\n        const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n        const tokenResponse = await refreshAccessToken(oidcConfig, {\n          refreshToken: sessionData.refreshToken,\n          clientID: resolved.clientID,\n          clientSecret: resolved.clientSecret || undefined,\n        });\n        sessionData = {\n          accessToken: tokenResponse.access_token,\n          refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n          idToken: tokenResponse.id_token ?? sessionData.idToken,\n          expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n        };\n      } catch {\n        sessionData = null;\n      }\n    }\n\n    // Redirect unauthenticated requests on protected paths\n    if (!sessionData && matchesPath(pathname, protectedPaths)) {\n      const loginURL = new URL(loginPath, request.nextUrl.origin);\n      loginURL.searchParams.set(\"returnTo\", pathname);\n      return NextResponse.redirect(loginURL);\n    }\n\n    const response = NextResponse.next();\n\n    // Inject Authorization header for authenticated requests\n    if (sessionData) {\n      const requestHeaders = new Headers(request.headers);\n      requestHeaders.set(\"Authorization\", `Bearer ${sessionData.accessToken}`);\n\n      // Update session cookie if token was refreshed\n      const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n      response.cookies.set(newCookie.name, newCookie.value, {\n        httpOnly: newCookie.httpOnly,\n        secure: newCookie.secure,\n        sameSite: newCookie.sameSite,\n        path: newCookie.path,\n        maxAge: newCookie.maxAge,\n      });\n    }\n\n    return response;\n  };\n}\n"],"mappings":";;;;;;;;;;;AAAA,SAAS,oBAAsC;AA4B/C,SAAS,YAAY,UAAkB,UAA6B;AAClE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,aAAO,SAAS,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,IACjD;AACA,WAAO,aAAa;AAAA,EACtB,CAAC;AACH;AAWO,SAAS,oBAAoB,SAA+B;AACjE,QAAM,WAAW,cAAc,OAAO;AACtC,QAAM,iBAAiB,QAAQ,kBAAkB,CAAC;AAClD,QAAM,cAAc,QAAQ,eAAe,CAAC,aAAa;AACzD,QAAM,YAAY,QAAQ,aAAa;AAEvC,SAAO,eAAe,MAAM,SAA6C;AACvE,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,YAAY,UAAU,WAAW,GAAG;AACtC,aAAO,aAAa,KAAK;AAAA,IAC3B;AAEA,UAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,QAAI,cAAc,qBACd,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAGJ,QAAI,eAAe,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACpF,UAAI;AACF,cAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,cAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,UACzD,cAAc,YAAY;AAAA,UAC1B,UAAU,SAAS;AAAA,UACnB,cAAc,SAAS,gBAAgB;AAAA,QACzC,CAAC;AACD,sBAAc;AAAA,UACZ,aAAa,cAAc;AAAA,UAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,UACzD,SAAS,cAAc,YAAY,YAAY;AAAA,UAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,QAC3D;AAAA,MACF,QAAQ;AACN,sBAAc;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,CAAC,eAAe,YAAY,UAAU,cAAc,GAAG;AACzD,YAAM,WAAW,IAAI,IAAI,WAAW,QAAQ,QAAQ,MAAM;AAC1D,eAAS,aAAa,IAAI,YAAY,QAAQ;AAC9C,aAAO,aAAa,SAAS,QAAQ;AAAA,IACvC;AAEA,UAAM,WAAW,aAAa,KAAK;AAGnC,QAAI,aAAa;AACf,YAAM,iBAAiB,IAAI,QAAQ,QAAQ,OAAO;AAClD,qBAAe,IAAI,iBAAiB,UAAU,YAAY,WAAW,EAAE;AAGvE,YAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,eAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,QACpD,UAAU,UAAU;AAAA,QACpB,QAAQ,UAAU;AAAA,QAClB,UAAU,UAAU;AAAA,QACpB,MAAM,UAAU;AAAA,QAChB,QAAQ,UAAU;AAAA,MACpB,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}
+{"version":3,"sources":["../src/proxy.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession, buildSessionCookie } from \"./session/cookie.js\";\nimport { isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken } from \"./oauth/token.js\";\n\nexport interface AuthgearProxyOptions extends AuthgearConfig {\n  /**\n   * Paths that require authentication. Unauthenticated requests are redirected to login.\n   * Supports exact paths and prefix patterns ending with `*` (e.g. \"/dashboard/*\").\n   */\n  protectedPaths?: string[];\n\n  /**\n   * Paths that are always public (never redirected to login).\n   * Takes precedence over protectedPaths.\n   * Defaults to [\"/api/auth/*\"].\n   */\n  publicPaths?: string[];\n\n  /**\n   * URL to redirect unauthenticated users. Defaults to \"/api/auth/login\".\n   */\n  loginPath?: string;\n}\n\nfunction matchesPath(pathname: string, patterns: string[]): boolean {\n  return patterns.some((pattern) => {\n    if (pattern.endsWith(\"*\")) {\n      return pathname.startsWith(pattern.slice(0, -1));\n    }\n    return pathname === pattern;\n  });\n}\n\n/**\n * Create a Next.js 16 proxy function for Authgear authentication.\n *\n * Usage in `proxy.ts`:\n * ```ts\n * import { createAuthgearProxy } from \"@authgear/nextjs/proxy\";\n * export const proxy = createAuthgearProxy({ ...config, protectedPaths: [\"/dashboard/*\"] });\n * ```\n */\nexport function createAuthgearProxy(options: AuthgearProxyOptions) {\n  const resolved = resolveConfig(options);\n  const protectedPaths = options.protectedPaths ?? [];\n  const publicPaths = options.publicPaths ?? [\"/api/auth/*\"];\n  const loginPath = options.loginPath ?? \"/api/auth/login\";\n\n  return async function proxy(request: NextRequest): Promise<NextResponse> {\n    const { pathname } = request.nextUrl;\n\n    // Always allow public paths\n    if (matchesPath(pathname, publicPaths)) {\n      return NextResponse.next();\n    }\n\n    const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n    let sessionData = sessionCookieValue\n      ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n      : null;\n\n    // Try to refresh expired token\n    if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n      try {\n        const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n        const tokenResponse = await refreshAccessToken(oidcConfig, {\n          refreshToken: sessionData.refreshToken,\n          clientID: resolved.clientID,\n          clientSecret: resolved.clientSecret || undefined,\n        });\n        sessionData = {\n          accessToken: tokenResponse.access_token,\n          refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n          idToken: tokenResponse.id_token ?? sessionData.idToken,\n          expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n        };\n      } catch {\n        sessionData = null;\n      }\n    }\n\n    // Redirect unauthenticated requests on protected paths\n    if (!sessionData && matchesPath(pathname, protectedPaths)) {\n      const loginURL = new URL(loginPath, request.nextUrl.origin);\n      loginURL.searchParams.set(\"returnTo\", pathname);\n      return NextResponse.redirect(loginURL);\n    }\n\n    const response = NextResponse.next();\n\n    if (sessionData) {\n      // Update session cookie (captures rotated refresh token if server rotated it)\n      const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n      response.cookies.set(newCookie.name, newCookie.value, {\n        httpOnly: newCookie.httpOnly,\n        secure: newCookie.secure,\n        sameSite: newCookie.sameSite,\n        path: newCookie.path,\n        maxAge: newCookie.maxAge,\n      });\n    } else if (sessionCookieValue) {\n      // Refresh failed — clear the stale cookie so Server Components don't see a broken session\n      response.cookies.set(resolved.cookieName, \"\", { maxAge: 0, path: \"/\" });\n    }\n\n    return response;\n  };\n}\n"],"mappings":";;;;;;;;;;;AAAA,SAAS,oBAAsC;AA4B/C,SAAS,YAAY,UAAkB,UAA6B;AAClE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,aAAO,SAAS,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,IACjD;AACA,WAAO,aAAa;AAAA,EACtB,CAAC;AACH;AAWO,SAAS,oBAAoB,SAA+B;AACjE,QAAM,WAAW,cAAc,OAAO;AACtC,QAAM,iBAAiB,QAAQ,kBAAkB,CAAC;AAClD,QAAM,cAAc,QAAQ,eAAe,CAAC,aAAa;AACzD,QAAM,YAAY,QAAQ,aAAa;AAEvC,SAAO,eAAe,MAAM,SAA6C;AACvE,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,YAAY,UAAU,WAAW,GAAG;AACtC,aAAO,aAAa,KAAK;AAAA,IAC3B;AAEA,UAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,QAAI,cAAc,qBACd,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAGJ,QAAI,eAAe,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACpF,UAAI;AACF,cAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,cAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,UACzD,cAAc,YAAY;AAAA,UAC1B,UAAU,SAAS;AAAA,UACnB,cAAc,SAAS,gBAAgB;AAAA,QACzC,CAAC;AACD,sBAAc;AAAA,UACZ,aAAa,cAAc;AAAA,UAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,UACzD,SAAS,cAAc,YAAY,YAAY;AAAA,UAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,QAC3D;AAAA,MACF,QAAQ;AACN,sBAAc;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,CAAC,eAAe,YAAY,UAAU,cAAc,GAAG;AACzD,YAAM,WAAW,IAAI,IAAI,WAAW,QAAQ,QAAQ,MAAM;AAC1D,eAAS,aAAa,IAAI,YAAY,QAAQ;AAC9C,aAAO,aAAa,SAAS,QAAQ;AAAA,IACvC;AAEA,UAAM,WAAW,aAAa,KAAK;AAEnC,QAAI,aAAa;AAEf,YAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,eAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,QACpD,UAAU,UAAU;AAAA,QACpB,QAAQ,UAAU;AAAA,QAClB,UAAU,UAAU;AAAA,QACpB,MAAM,UAAU;AAAA,QAChB,QAAQ,UAAU;AAAA,MACpB,CAAC;AAAA,IACH,WAAW,oBAAoB;AAE7B,eAAS,QAAQ,IAAI,SAAS,YAAY,IAAI,EAAE,QAAQ,GAAG,MAAM,IAAI,CAAC;AAAA,IACxE;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/server.d.ts

@@ -2,13 +2,17 @@ import { A as AuthgearConfig, S as Session, U as UserInfo, J as JWTPayload } fro
 export { P as Page, b as SessionState } from './types-Csfra4K2.js';
 
 /**
- * Read the current session in a Server Component or Route Handler.
- * Automatically refreshes the access token if expired.
+ * Read the current session in a Server Component, Route Handler, or Server Action.
+ * Automatically refreshes the access token if expired, so `session.accessToken` is
+ * always valid when the session state is `Authenticated`. Use this when you need a
+ * fresh access token to call a downstream API (e.g. inside a Server Action).
  */
 declare function auth(config: AuthgearConfig): Promise<Session>;
 /**
  * Get the current user in a Server Component or Route Handler.
- * Returns null if not authenticated.
+ * Automatically refreshes the access token if expired, including persisting a
+ * rotated refresh token when the Authgear project has refresh token rotation enabled.
+ * Returns null if not authenticated or if the session cannot be refreshed.
  */
 declare function currentUser(config: AuthgearConfig): Promise<UserInfo | null>;
 /**

package/dist/server.js

@@ -2,6 +2,7 @@ import {
   parseUserInfo
 } from "./chunk-3KVYAFQJ.js";
 import {
+  buildSessionCookie,
   decryptSession,
   deriveSessionState,
   fetchOIDCConfiguration,
@@ -50,7 +51,36 @@ async function auth(config) {
   const resolved = resolveConfig(config);
   const cookieStore = await cookies();
   const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;
-  const sessionData = sessionCookieValue ? decryptSession(sessionCookieValue, resolved.sessionSecret) : null;
+  let sessionData = sessionCookieValue ? decryptSession(sessionCookieValue, resolved.sessionSecret) : null;
+  if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {
+    try {
+      const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
+      const tokenResponse = await refreshAccessToken(oidcConfig, {
+        refreshToken: sessionData.refreshToken,
+        clientID: resolved.clientID,
+        clientSecret: resolved.clientSecret || void 0
+      });
+      sessionData = {
+        accessToken: tokenResponse.access_token,
+        refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,
+        idToken: tokenResponse.id_token ?? sessionData.idToken,
+        expiresAt: Math.floor(Date.now() / 1e3) + tokenResponse.expires_in
+      };
+      try {
+        const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);
+        cookieStore.set(newCookie.name, newCookie.value, {
+          httpOnly: newCookie.httpOnly,
+          secure: newCookie.secure,
+          sameSite: newCookie.sameSite,
+          path: newCookie.path,
+          maxAge: newCookie.maxAge
+        });
+      } catch {
+      }
+    } catch {
+      sessionData = null;
+    }
+  }
   return deriveSessionState(sessionData);
 }
 async function currentUser(config) {
@@ -74,6 +104,17 @@ async function currentUser(config) {
         idToken: tokenResponse.id_token ?? sessionData.idToken,
         expiresAt: Math.floor(Date.now() / 1e3) + tokenResponse.expires_in
       };
+      try {
+        const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);
+        cookieStore.set(newCookie.name, newCookie.value, {
+          httpOnly: newCookie.httpOnly,
+          secure: newCookie.secure,
+          sameSite: newCookie.sameSite,
+          path: newCookie.path,
+          maxAge: newCookie.maxAge
+        });
+      } catch {
+      }
     } catch {
       return null;
     }

package/dist/server.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/server.ts","../src/jwt/verify.ts","../src/jwt/jwks.ts"],"sourcesContent":["import \"server-only\";\nimport { cookies } from \"next/headers\";\nimport { SessionState, Page, type Session, type UserInfo, type JWTPayload, type AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession } from \"./session/cookie.js\";\nimport { deriveSessionState, isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken } from \"./oauth/token.js\";\n// ROADMAP: import { getAppSessionToken } from \"./oauth/token.js\";\n// ROADMAP: import { buildOpenURL } from \"./oauth/authorize.js\";\nimport { verifyJWT } from \"./jwt/verify.js\";\nimport { parseUserInfo } from \"./user.js\";\n\n/**\n * Read the current session in a Server Component or Route Handler.\n * Automatically refreshes the access token if expired.\n */\nexport async function auth(config: AuthgearConfig): Promise<Session> {\n  const resolved = resolveConfig(config);\n  const cookieStore = await cookies();\n  const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n  const sessionData = sessionCookieValue\n    ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n    : null;\n\n  return deriveSessionState(sessionData);\n}\n\n/**\n * Get the current user in a Server Component or Route Handler.\n * Returns null if not authenticated.\n */\nexport async function currentUser(config: AuthgearConfig): Promise<UserInfo | null> {\n  const resolved = resolveConfig(config);\n  const cookieStore = await cookies();\n  const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n  if (!sessionCookieValue) return null;\n\n  let sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n  if (!sessionData) return null;\n\n  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n  // Auto-refresh expired token\n  if (isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n    try {\n      const tokenResponse = await refreshAccessToken(oidcConfig, {\n        refreshToken: sessionData.refreshToken,\n        clientID: resolved.clientID,\n        clientSecret: resolved.clientSecret || undefined,\n      });\n      sessionData = {\n        accessToken: tokenResponse.access_token,\n        refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n        idToken: tokenResponse.id_token ?? sessionData.idToken,\n        expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n      };\n    } catch {\n      return null;\n    }\n  }\n\n  const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n    headers: { Authorization: `Bearer ${sessionData.accessToken}` },\n  });\n\n  if (!userinfoRes.ok) return null;\n\n  const raw = (await userinfoRes.json()) as Record<string, unknown>;\n  return parseUserInfo(raw);\n}\n\n/**\n * Verify a JWT access token (from Authorization: Bearer header).\n * Useful for protecting API routes.\n *\n * @throws {Error} If the token is invalid, expired, or has wrong issuer/audience\n */\nexport async function verifyAccessToken(\n  token: string,\n  config: AuthgearConfig,\n): Promise<JWTPayload> {\n  const resolved = resolveConfig(config);\n  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n  return verifyJWT(token, oidcConfig);\n}\n\n// ROADMAP: getOpenURL — open Authgear settings (or any Authgear page) with the\n// current user pre-authenticated via the app_session_token exchange.\n//\n// This requires the Authgear server to grant the client permission to call\n// POST /oauth2/app_session_token (\"full user access\"). Once that server-side\n// configuration is available, uncomment the implementation below and the\n// imports above, then expose it from the example dashboard via a Server Action.\n//\n// export async function getOpenURL(\n//   page: Page | string,\n//   config: AuthgearConfig,\n// ): Promise<string> {\n//   const resolved = resolveConfig(config);\n//   const cookieStore = await cookies();\n//   const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n//   if (!sessionCookieValue) throw new Error(\"Not authenticated\");\n//   const sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n//   if (!sessionData?.refreshToken) throw new Error(\"No refresh token in session\");\n//   const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n//   const { app_session_token } = await getAppSessionToken(\n//     resolved.endpoint,\n//     sessionData.refreshToken,\n//   );\n//   return buildOpenURL(oidcConfig, {\n//     clientID: resolved.clientID,\n//     appSessionToken: app_session_token,\n//     targetPath: page,\n//   });\n// }\n\nexport { SessionState, Page };\nexport type { Session, UserInfo, JWTPayload };\n","import { jwtVerify } from \"jose\";\nimport type { JWTPayload, OIDCConfiguration } from \"../types.js\";\nimport { getJWKS } from \"./jwks.js\";\n\nexport interface VerifyOptions {\n  /** Expected audience. If not set, audience is not checked. */\n  audience?: string | string[];\n}\n\nexport async function verifyJWT(\n  token: string,\n  oidcConfig: OIDCConfiguration,\n  options?: VerifyOptions,\n): Promise<JWTPayload> {\n  const jwks = getJWKS(oidcConfig);\n\n  const { payload } = await jwtVerify(token, jwks, {\n    issuer: oidcConfig.issuer,\n    audience: options?.audience,\n    algorithms: [\"RS256\"],\n  });\n\n  return payload as unknown as JWTPayload;\n}\n","import { createRemoteJWKSet } from \"jose\";\nimport type { OIDCConfiguration } from \"../types.js\";\n\nconst jwksSets = new Map<string, ReturnType<typeof createRemoteJWKSet>>();\n\nexport function getJWKS(oidcConfig: OIDCConfiguration) {\n  const uri = oidcConfig.jwks_uri;\n  let jwks = jwksSets.get(uri);\n  if (!jwks) {\n    jwks = createRemoteJWKSet(new URL(uri));\n    jwksSets.set(uri, jwks);\n  }\n  return jwks;\n}\n\n/** Clear cached JWKS (useful for testing) */\nexport function clearJWKSCache(): void {\n  jwksSets.clear();\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAAA,OAAO;AACP,SAAS,eAAe;;;ACDxB,SAAS,iBAAiB;;;ACA1B,SAAS,0BAA0B;AAGnC,IAAM,WAAW,oBAAI,IAAmD;AAEjE,SAAS,QAAQ,YAA+B;AACrD,QAAM,MAAM,WAAW;AACvB,MAAI,OAAO,SAAS,IAAI,GAAG;AAC3B,MAAI,CAAC,MAAM;AACT,WAAO,mBAAmB,IAAI,IAAI,GAAG,CAAC;AACtC,aAAS,IAAI,KAAK,IAAI;AAAA,EACxB;AACA,SAAO;AACT;;;ADJA,eAAsB,UACpB,OACA,YACA,SACqB;AACrB,QAAM,OAAO,QAAQ,UAAU;AAE/B,QAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM;AAAA,IAC/C,QAAQ,WAAW;AAAA,IACnB,UAAU,SAAS;AAAA,IACnB,YAAY,CAAC,OAAO;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ADNA,eAAsB,KAAK,QAA0C;AACnE,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,QAAM,cAAc,qBAChB,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAEJ,SAAO,mBAAmB,WAAW;AACvC;AAMA,eAAsB,YAAY,QAAkD;AAClF,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,MAAI,CAAC,mBAAoB,QAAO;AAEhC,MAAI,cAAc,eAAe,oBAAoB,SAAS,aAAa;AAC3E,MAAI,CAAC,YAAa,QAAO;AAEzB,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACrE,QAAI;AACF,YAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,QACzD,cAAc,YAAY;AAAA,QAC1B,UAAU,SAAS;AAAA,QACnB,cAAc,SAAS,gBAAgB;AAAA,MACzC,CAAC;AACD,oBAAc;AAAA,QACZ,aAAa,cAAc;AAAA,QAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,QACzD,SAAS,cAAc,YAAY,YAAY;AAAA,QAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,MAC3D;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,YAAY,WAAW,GAAG;AAAA,EAChE,CAAC;AAED,MAAI,CAAC,YAAY,GAAI,QAAO;AAE5B,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,SAAO,cAAc,GAAG;AAC1B;AAQA,eAAsB,kBACpB,OACA,QACqB;AACrB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,SAAO,UAAU,OAAO,UAAU;AACpC;","names":[]}
+{"version":3,"sources":["../src/server.ts","../src/jwt/verify.ts","../src/jwt/jwks.ts"],"sourcesContent":["import \"server-only\";\nimport { cookies } from \"next/headers\";\nimport { SessionState, Page, type Session, type UserInfo, type JWTPayload, type AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession, buildSessionCookie } from \"./session/cookie.js\";\nimport { deriveSessionState, isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken } from \"./oauth/token.js\";\n// ROADMAP: import { getAppSessionToken } from \"./oauth/token.js\";\n// ROADMAP: import { buildOpenURL } from \"./oauth/authorize.js\";\nimport { verifyJWT } from \"./jwt/verify.js\";\nimport { parseUserInfo } from \"./user.js\";\n\n/**\n * Read the current session in a Server Component, Route Handler, or Server Action.\n * Automatically refreshes the access token if expired, so `session.accessToken` is\n * always valid when the session state is `Authenticated`. Use this when you need a\n * fresh access token to call a downstream API (e.g. inside a Server Action).\n */\nexport async function auth(config: AuthgearConfig): Promise<Session> {\n  const resolved = resolveConfig(config);\n  const cookieStore = await cookies();\n  const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n  let sessionData = sessionCookieValue\n    ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n    : null;\n\n  // Auto-refresh expired token so callers (e.g. Server Actions) always get a valid access token\n  if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n    try {\n      const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n      const tokenResponse = await refreshAccessToken(oidcConfig, {\n        refreshToken: sessionData.refreshToken,\n        clientID: resolved.clientID,\n        clientSecret: resolved.clientSecret || undefined,\n      });\n      sessionData = {\n        accessToken: tokenResponse.access_token,\n        refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n        idToken: tokenResponse.id_token ?? sessionData.idToken,\n        expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n      };\n      try {\n        const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n        cookieStore.set(newCookie.name, newCookie.value, {\n          httpOnly: newCookie.httpOnly,\n          secure: newCookie.secure,\n          sameSite: newCookie.sameSite,\n          path: newCookie.path,\n          maxAge: newCookie.maxAge,\n        });\n      } catch {\n        // Not in a Route Handler — cookie will be persisted by the proxy on next navigation\n      }\n    } catch {\n      sessionData = null;\n    }\n  }\n\n  return deriveSessionState(sessionData);\n}\n\n/**\n * Get the current user in a Server Component or Route Handler.\n * Automatically refreshes the access token if expired, including persisting a\n * rotated refresh token when the Authgear project has refresh token rotation enabled.\n * Returns null if not authenticated or if the session cannot be refreshed.\n */\nexport async function currentUser(config: AuthgearConfig): Promise<UserInfo | null> {\n  const resolved = resolveConfig(config);\n  const cookieStore = await cookies();\n  const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n  if (!sessionCookieValue) return null;\n\n  let sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n  if (!sessionData) return null;\n\n  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n  // Auto-refresh expired token\n  if (isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n    try {\n      const tokenResponse = await refreshAccessToken(oidcConfig, {\n        refreshToken: sessionData.refreshToken,\n        clientID: resolved.clientID,\n        clientSecret: resolved.clientSecret || undefined,\n      });\n      sessionData = {\n        accessToken: tokenResponse.access_token,\n        refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n        idToken: tokenResponse.id_token ?? sessionData.idToken,\n        expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n      };\n      // Persist the updated session (with rotated refresh token) back to the cookie.\n      // This succeeds in Route Handlers but throws in Server Components (Next.js restriction).\n      // In Server Components the proxy will write the updated cookie on the next page navigation.\n      try {\n        const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n        cookieStore.set(newCookie.name, newCookie.value, {\n          httpOnly: newCookie.httpOnly,\n          secure: newCookie.secure,\n          sameSite: newCookie.sameSite,\n          path: newCookie.path,\n          maxAge: newCookie.maxAge,\n        });\n      } catch {\n        // Not in a Route Handler — cookie will be persisted by the proxy on next navigation\n      }\n    } catch {\n      return null;\n    }\n  }\n\n  const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n    headers: { Authorization: `Bearer ${sessionData.accessToken}` },\n  });\n\n  if (!userinfoRes.ok) return null;\n\n  const raw = (await userinfoRes.json()) as Record<string, unknown>;\n  return parseUserInfo(raw);\n}\n\n/**\n * Verify a JWT access token (from Authorization: Bearer header).\n * Useful for protecting API routes.\n *\n * @throws {Error} If the token is invalid, expired, or has wrong issuer/audience\n */\nexport async function verifyAccessToken(\n  token: string,\n  config: AuthgearConfig,\n): Promise<JWTPayload> {\n  const resolved = resolveConfig(config);\n  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n  return verifyJWT(token, oidcConfig);\n}\n\n// ROADMAP: getOpenURL — open Authgear settings (or any Authgear page) with the\n// current user pre-authenticated via the app_session_token exchange.\n//\n// This requires the Authgear server to grant the client permission to call\n// POST /oauth2/app_session_token (\"full user access\"). Once that server-side\n// configuration is available, uncomment the implementation below and the\n// imports above, then expose it from the example dashboard via a Server Action.\n//\n// export async function getOpenURL(\n//   page: Page | string,\n//   config: AuthgearConfig,\n// ): Promise<string> {\n//   const resolved = resolveConfig(config);\n//   const cookieStore = await cookies();\n//   const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n//   if (!sessionCookieValue) throw new Error(\"Not authenticated\");\n//   const sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n//   if (!sessionData?.refreshToken) throw new Error(\"No refresh token in session\");\n//   const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n//   const { app_session_token } = await getAppSessionToken(\n//     resolved.endpoint,\n//     sessionData.refreshToken,\n//   );\n//   return buildOpenURL(oidcConfig, {\n//     clientID: resolved.clientID,\n//     appSessionToken: app_session_token,\n//     targetPath: page,\n//   });\n// }\n\nexport { SessionState, Page };\nexport type { Session, UserInfo, JWTPayload };\n","import { jwtVerify } from \"jose\";\nimport type { JWTPayload, OIDCConfiguration } from \"../types.js\";\nimport { getJWKS } from \"./jwks.js\";\n\nexport interface VerifyOptions {\n  /** Expected audience. If not set, audience is not checked. */\n  audience?: string | string[];\n}\n\nexport async function verifyJWT(\n  token: string,\n  oidcConfig: OIDCConfiguration,\n  options?: VerifyOptions,\n): Promise<JWTPayload> {\n  const jwks = getJWKS(oidcConfig);\n\n  const { payload } = await jwtVerify(token, jwks, {\n    issuer: oidcConfig.issuer,\n    audience: options?.audience,\n    algorithms: [\"RS256\"],\n  });\n\n  return payload as unknown as JWTPayload;\n}\n","import { createRemoteJWKSet } from \"jose\";\nimport type { OIDCConfiguration } from \"../types.js\";\n\nconst jwksSets = new Map<string, ReturnType<typeof createRemoteJWKSet>>();\n\nexport function getJWKS(oidcConfig: OIDCConfiguration) {\n  const uri = oidcConfig.jwks_uri;\n  let jwks = jwksSets.get(uri);\n  if (!jwks) {\n    jwks = createRemoteJWKSet(new URL(uri));\n    jwksSets.set(uri, jwks);\n  }\n  return jwks;\n}\n\n/** Clear cached JWKS (useful for testing) */\nexport function clearJWKSCache(): void {\n  jwksSets.clear();\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA,OAAO;AACP,SAAS,eAAe;;;ACDxB,SAAS,iBAAiB;;;ACA1B,SAAS,0BAA0B;AAGnC,IAAM,WAAW,oBAAI,IAAmD;AAEjE,SAAS,QAAQ,YAA+B;AACrD,QAAM,MAAM,WAAW;AACvB,MAAI,OAAO,SAAS,IAAI,GAAG;AAC3B,MAAI,CAAC,MAAM;AACT,WAAO,mBAAmB,IAAI,IAAI,GAAG,CAAC;AACtC,aAAS,IAAI,KAAK,IAAI;AAAA,EACxB;AACA,SAAO;AACT;;;ADJA,eAAsB,UACpB,OACA,YACA,SACqB;AACrB,QAAM,OAAO,QAAQ,UAAU;AAE/B,QAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM;AAAA,IAC/C,QAAQ,WAAW;AAAA,IACnB,UAAU,SAAS;AAAA,IACnB,YAAY,CAAC,OAAO;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ADJA,eAAsB,KAAK,QAA0C;AACnE,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,MAAI,cAAc,qBACd,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAGJ,MAAI,eAAe,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACpF,QAAI;AACF,YAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,YAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,QACzD,cAAc,YAAY;AAAA,QAC1B,UAAU,SAAS;AAAA,QACnB,cAAc,SAAS,gBAAgB;AAAA,MACzC,CAAC;AACD,oBAAc;AAAA,QACZ,aAAa,cAAc;AAAA,QAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,QACzD,SAAS,cAAc,YAAY,YAAY;AAAA,QAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,MAC3D;AACA,UAAI;AACF,cAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,oBAAY,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,UAC/C,UAAU,UAAU;AAAA,UACpB,QAAQ,UAAU;AAAA,UAClB,UAAU,UAAU;AAAA,UACpB,MAAM,UAAU;AAAA,UAChB,QAAQ,UAAU;AAAA,QACpB,CAAC;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF,QAAQ;AACN,oBAAc;AAAA,IAChB;AAAA,EACF;AAEA,SAAO,mBAAmB,WAAW;AACvC;AAQA,eAAsB,YAAY,QAAkD;AAClF,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,MAAI,CAAC,mBAAoB,QAAO;AAEhC,MAAI,cAAc,eAAe,oBAAoB,SAAS,aAAa;AAC3E,MAAI,CAAC,YAAa,QAAO;AAEzB,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACrE,QAAI;AACF,YAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,QACzD,cAAc,YAAY;AAAA,QAC1B,UAAU,SAAS;AAAA,QACnB,cAAc,SAAS,gBAAgB;AAAA,MACzC,CAAC;AACD,oBAAc;AAAA,QACZ,aAAa,cAAc;AAAA,QAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,QACzD,SAAS,cAAc,YAAY,YAAY;AAAA,QAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,MAC3D;AAIA,UAAI;AACF,cAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,oBAAY,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,UAC/C,UAAU,UAAU;AAAA,UACpB,QAAQ,UAAU;AAAA,UAClB,UAAU,UAAU;AAAA,UACpB,MAAM,UAAU;AAAA,UAChB,QAAQ,UAAU;AAAA,QACpB,CAAC;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,YAAY,WAAW,GAAG;AAAA,EAChE,CAAC;AAED,MAAI,CAAC,YAAY,GAAI,QAAO;AAE5B,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,SAAO,cAAc,GAAG;AAC1B;AAQA,eAAsB,kBACpB,OACA,QACqB;AACrB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,SAAO,UAAU,OAAO,UAAU;AACpC;","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@authgear/nextjs",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "Authgear SDK for Next.js 16 - OAuth authentication, session management, and JWT verification",
   "type": "module",
   "exports": {
@@ -38,6 +38,10 @@
     "oidc",
     "jwt"
   ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/authgear/authgear-sdk-nextjs"
+  },
   "license": "MIT",
   "dependencies": {
     "jose": "^6.0.0"