@authrim/core 0.1.2 → 0.1.4

package/dist/index.d.cts

@@ -51,6 +51,14 @@ interface HttpClient {
      */
     fetch<T = unknown>(url: string, options?: HttpOptions): Promise<HttpResponse<T>>;
 }
+/**
+ * HTTP error response body (OAuth 2.0 / OIDC standard)
+ */
+interface OAuthErrorResponse {
+    error: string;
+    error_description?: string;
+    error_uri?: string;
+}
 
 /**
  * Crypto Provider Interface
@@ -386,6 +394,32 @@ interface OIDCDiscoveryDocument {
     introspection_endpoint_auth_signing_alg_values_supported?: string[];
     /** Code challenge methods supported (OPTIONAL) */
     code_challenge_methods_supported?: string[];
+    /** Pushed Authorization Request endpoint (OPTIONAL) */
+    pushed_authorization_request_endpoint?: string;
+    /** Whether PAR is required (OPTIONAL) */
+    require_pushed_authorization_requests?: boolean;
+    /** Device Authorization endpoint (OPTIONAL) */
+    device_authorization_endpoint?: string;
+    /** DPoP signing algorithms supported (OPTIONAL) */
+    dpop_signing_alg_values_supported?: string[];
+    /** Whether signed request object is required (OPTIONAL) */
+    require_signed_request_object?: boolean;
+    /** Authorization response signing algorithms supported (OPTIONAL) */
+    authorization_signing_alg_values_supported?: string[];
+    /** Authorization response encryption algorithms supported (OPTIONAL) */
+    authorization_encryption_alg_values_supported?: string[];
+    /** Authorization response encryption enc values supported (OPTIONAL) */
+    authorization_encryption_enc_values_supported?: string[];
+    /** Check session iframe URL (OPTIONAL) */
+    check_session_iframe?: string;
+    /** Whether front-channel logout is supported (OPTIONAL) */
+    frontchannel_logout_supported?: boolean;
+    /** Whether session ID is required in front-channel logout (OPTIONAL) */
+    frontchannel_logout_session_supported?: boolean;
+    /** Whether back-channel logout is supported (OPTIONAL) */
+    backchannel_logout_supported?: boolean;
+    /** Whether session ID is required in back-channel logout (OPTIONAL) */
+    backchannel_logout_session_supported?: boolean;
     /** Flow Engine support indicator (OPTIONAL, Authrim-specific) */
     flow_engine_supported?: boolean;
     [key: string]: unknown;
@@ -591,9 +625,16 @@ interface TokenExchangeResult {
  */
 type AuthrimErrorUserAction = 'retry' | 'reauthenticate' | 'contact_support' | 'check_network' | 'none';
 /**
- * Error severity level
+ * Error severity level (legacy - 3 levels)
  */
 type AuthrimErrorSeverity = 'fatal' | 'error' | 'warning';
+/**
+ * Error remediation action
+ *
+ * Specifies what action should be taken to recover from an error.
+ * Separated from severity for clearer decision making.
+ */
+type AuthrimErrorRemediation = 'retry' | 'reauthenticate' | 'switch_flow' | 'contact_support' | 'none';
 /**
  * Error metadata for recovery information
  */
@@ -614,7 +655,7 @@ interface AuthrimErrorMeta {
 /**
  * Error codes used by the SDK
  */
-type AuthrimErrorCode = 'invalid_request' | 'unauthorized_client' | 'access_denied' | 'unsupported_response_type' | 'invalid_scope' | 'server_error' | 'temporarily_unavailable' | 'invalid_grant' | 'invalid_token' | 'invalid_state' | 'expired_state' | 'invalid_nonce' | 'nonce_mismatch' | 'session_expired' | 'session_check_failed' | 'network_error' | 'timeout_error' | 'discovery_error' | 'discovery_mismatch' | 'configuration_error' | 'storage_error' | 'flow_engine_error' | 'no_tokens' | 'token_expired' | 'token_error' | 'refresh_error' | 'token_exchange_error' | 'oauth_error' | 'missing_code' | 'missing_state' | 'not_initialized' | 'no_discovery' | 'no_userinfo_endpoint' | 'userinfo_error' | 'introspection_error' | 'revocation_error' | 'no_introspection_endpoint' | 'no_revocation_endpoint' | 'login_required' | 'interaction_required' | 'consent_required' | 'account_selection_required' | 'dom_not_ready' | 'state_mismatch' | 'popup_blocked' | 'popup_closed' | 'invalid_response';
+type AuthrimErrorCode = 'invalid_request' | 'unauthorized_client' | 'access_denied' | 'unsupported_response_type' | 'invalid_scope' | 'server_error' | 'temporarily_unavailable' | 'invalid_grant' | 'invalid_token' | 'invalid_state' | 'expired_state' | 'invalid_nonce' | 'nonce_mismatch' | 'missing_nonce' | 'missing_id_token' | 'session_expired' | 'session_check_failed' | 'network_error' | 'timeout_error' | 'discovery_error' | 'discovery_mismatch' | 'configuration_error' | 'storage_error' | 'flow_engine_error' | 'no_tokens' | 'token_expired' | 'token_error' | 'refresh_error' | 'token_exchange_error' | 'oauth_error' | 'missing_code' | 'missing_state' | 'not_initialized' | 'no_discovery' | 'no_userinfo_endpoint' | 'userinfo_error' | 'introspection_error' | 'revocation_error' | 'no_introspection_endpoint' | 'no_revocation_endpoint' | 'login_required' | 'interaction_required' | 'consent_required' | 'account_selection_required' | 'dom_not_ready' | 'state_mismatch' | 'popup_blocked' | 'popup_closed' | 'invalid_response' | 'invalid_callback' | 'passkey_not_found' | 'passkey_verification_failed' | 'passkey_not_supported' | 'passkey_cancelled' | 'passkey_invalid_credential' | 'email_code_invalid' | 'email_code_expired' | 'email_code_too_many_attempts' | 'challenge_expired' | 'challenge_invalid' | 'auth_code_invalid' | 'auth_code_expired' | 'pkce_mismatch' | 'origin_not_allowed' | 'mfa_required' | 'email_verification_required' | 'consent_required_direct' | 'rate_limited' | 'event_handler_error' | 'par_required' | 'no_par_endpoint' | 'par_error' | 'par_request_uri_expired' | 'no_device_authorization_endpoint' | 'device_authorization_error' | 'device_authorization_pending' | 'device_slow_down' | 'device_authorization_expired' | 'device_access_denied' | 'client_credentials_error' | 'invalid_client_authentication' | 'insecure_client_auth' | 'dpop_key_generation_error' | 'dpop_proof_generation_error' | 'dpop_nonce_required' | 'jar_signing_error' | 'jar_required' | 'jarm_validation_error' | 'jarm_signature_invalid' | 'operation_cancelled' | 'invalid_return_to';
 /**
  * Options for creating an AuthrimError
  */
@@ -657,81 +698,456 @@ declare class AuthrimError extends Error {
  * Get error metadata for a given error code
  */
 declare function getErrorMeta(code: AuthrimErrorCode): AuthrimErrorMeta;
+/**
+ * Error classification result
+ */
+interface ErrorClassification {
+    /** Severity: recoverable or fatal */
+    severity: 'recoverable' | 'fatal';
+    /** Recommended remediation action */
+    remediation: AuthrimErrorRemediation;
+}
+/**
+ * Classify an error by severity and remediation
+ *
+ * This provides a simplified 2-axis classification for UI decision making:
+ * - severity: Is this recoverable or fatal?
+ * - remediation: What action should be taken?
+ */
+declare function classifyError(error: AuthrimError): ErrorClassification;
+/**
+ * Check if an error is retryable based on classification
+ */
+declare function isRetryableError(error: AuthrimError): boolean;
+/**
+ * Event emitter interface for error emission
+ *
+ * Minimal interface required by emitClassifiedError
+ */
+interface ErrorEventEmitter {
+    emit(event: 'error', payload: {
+        error: AuthrimError;
+        severity: 'recoverable' | 'fatal';
+        remediation: AuthrimErrorRemediation;
+        context: string;
+        timestamp: number;
+        source: 'core' | 'web';
+        operationId?: string;
+    }): void;
+    emit(event: 'error:recoverable', payload: {
+        error: AuthrimError;
+        severity: 'recoverable';
+        remediation: AuthrimErrorRemediation;
+        context: string;
+        timestamp: number;
+        source: 'core' | 'web';
+        operationId?: string;
+    }): void;
+    emit(event: 'error:fatal', payload: {
+        error: AuthrimError;
+        severity: 'fatal';
+        remediation: AuthrimErrorRemediation;
+        context: string;
+        timestamp: number;
+        source: 'core' | 'web';
+        operationId?: string;
+    }): void;
+}
+/**
+ * Options for emitting classified errors
+ */
+interface EmitClassifiedErrorOptions {
+    /** Operation context where the error occurred */
+    context: string;
+    /** Operation tracking ID */
+    operationId?: string;
+    /** Event source (defaults to 'core') */
+    source?: 'core' | 'web';
+}
+/**
+ * Emit error events with proper classification
+ *
+ * Emits three events:
+ * 1. 'error' - Legacy event for backward compatibility
+ * 2. 'error:recoverable' - If severity is recoverable
+ * 3. 'error:fatal' - If severity is fatal
+ *
+ * @param emitter - Event emitter instance
+ * @param error - The error to emit
+ * @param options - Emission options (context, operationId, source)
+ */
+declare function emitClassifiedError(emitter: ErrorEventEmitter, error: AuthrimError, options: EmitClassifiedErrorOptions): void;
 
 /**
  * Event Types
+ *
+ * Unified event system for SDK observability.
+ * All events follow the namespace convention: auth:*, token:*, session:*, state:*, error:*, warning:*, debug:*
  */
 
 /**
- * Token refresh event data
+ * Base event payload - all events include these fields
  */
-interface TokenRefreshedEvent {
-    tokens: TokenSet;
+interface BaseEventPayload {
+    /** Event timestamp (Date.now()) */
+    timestamp: number;
+    /** Event source */
+    source: 'core' | 'web';
+    /** Operation tracking ID (maintained from redirect start to callback complete) */
+    operationId?: string;
 }
 /**
- * Token expired event data
+ * SDK initialization complete
  */
-interface TokenExpiredEvent {
-    accessToken: string;
+interface AuthInitEvent extends BaseEventPayload {
+    /** Client ID */
+    clientId: string;
+    /** Issuer URL */
+    issuer: string;
+}
+/**
+ * Auth redirecting event data
+ */
+interface AuthRedirectingEvent extends BaseEventPayload {
+    /** Authorization URL */
+    url: string;
+}
+/**
+ * Auth callback received
+ */
+interface AuthCallbackEvent extends BaseEventPayload {
+    /** Authorization code */
+    code: string;
+    /** State parameter */
+    state: string;
+}
+/**
+ * Callback processing started
+ */
+interface AuthCallbackProcessingEvent extends BaseEventPayload {
+    /** State parameter being processed */
+    state: string;
+}
+/**
+ * Callback processing complete
+ */
+interface AuthCallbackCompleteEvent extends BaseEventPayload {
+    /** Whether authentication was successful */
+    success: boolean;
+}
+/**
+ * Login complete
+ */
+interface AuthLoginCompleteEvent extends BaseEventPayload {
+    /** Authentication method used */
+    method: 'redirect' | 'popup' | 'silent' | 'passkey' | 'email_code' | 'social';
+    /** User info (if available) */
+    user?: UserInfo;
+}
+/**
+ * Logout complete
+ */
+interface AuthLogoutCompleteEvent extends BaseEventPayload {
+    /** Logout method */
+    method: 'local' | 'redirect' | 'front_channel' | 'back_channel';
+}
+/**
+ * Re-authentication required
+ */
+interface AuthRequiredEvent extends BaseEventPayload {
+    /** Reason for re-authentication */
+    reason: 'refresh_failed' | 'session_expired' | 'token_revoked' | 'user_action';
 }
 /**
- * Token error event data
+ * Popup blocked by browser (Web SDK only)
  */
-interface TokenErrorEvent {
+interface AuthPopupBlockedEvent extends BaseEventPayload {
+    /** Intended popup URL */
+    url?: string;
+}
+/**
+ * Flow fallback occurred (e.g., popup → redirect)
+ */
+interface AuthFallbackEvent extends BaseEventPayload {
+    /** Original flow */
+    from: 'popup' | 'silent' | 'iframe';
+    /** Fallback flow */
+    to: 'redirect';
+    /** Reason for fallback */
+    reason: 'popup_blocked' | 'iframe_timeout' | 'silent_failed';
+}
+/**
+ * Token refresh starting
+ */
+interface TokenRefreshingEvent extends BaseEventPayload {
+    /** Reason for refresh */
+    reason: 'expiring' | 'manual' | 'on_demand' | 'background';
+}
+/**
+ * Token refresh succeeded
+ */
+interface TokenRefreshedEvent extends BaseEventPayload {
+    /** Whether access token is present */
+    hasAccessToken: boolean;
+    /** Whether refresh token is present */
+    hasRefreshToken: boolean;
+    /** Whether ID token is present */
+    hasIdToken: boolean;
+    /** Token expiration timestamp (epoch seconds) */
+    expiresAt: number;
+}
+/**
+ * Token refresh failed
+ */
+interface TokenRefreshFailedEvent extends BaseEventPayload {
+    /** Error that caused the failure */
     error: AuthrimError;
+    /** Whether retry is possible */
+    willRetry: boolean;
+    /** Retry attempt number (0 = first attempt) */
+    attempt: number;
 }
 /**
- * Token exchanged event data (RFC 8693)
+ * Token expiring soon (warning)
  */
-interface TokenExchangedEvent {
-    tokens: TokenSet;
-    issuedTokenType: string;
+interface TokenExpiringEvent extends BaseEventPayload {
+    /** Token expiration timestamp (epoch seconds) */
+    expiresAt: number;
+    /** Remaining time in seconds */
+    expiresIn: number;
+}
+/**
+ * Token expired
+ */
+interface TokenExpiredEvent extends BaseEventPayload {
+    /** Token expiration timestamp (epoch seconds) */
+    expiredAt: number;
+    /** Whether refresh token is available */
+    hasRefreshToken: boolean;
+}
+/**
+ * Token error
+ */
+interface TokenErrorEvent extends BaseEventPayload {
+    /** Error details */
+    error: AuthrimError;
+    /** Operation context */
+    context: 'refresh' | 'exchange' | 'validation' | 'storage';
+}
+/**
+ * Token exchanged (RFC 8693)
+ */
+interface TokenExchangedEvent extends BaseEventPayload {
+    /** Whether new access token is present */
+    hasAccessToken: boolean;
+    /** Whether new refresh token is present */
+    hasRefreshToken: boolean;
+    /** Issued token type URI */
+    issuedTokenType: TokenTypeUri | string;
 }
 /**
- * Session started event data
+ * Session started
  */
-interface SessionStartedEvent {
+interface SessionStartedEvent extends BaseEventPayload {
+    /** User info */
     user: UserInfo;
 }
 /**
- * Session ended event data
+ * Session ended
  */
-interface SessionEndedEvent {
+interface SessionEndedEvent extends BaseEventPayload {
+    /** Reason for session end */
     reason: 'logout' | 'expired' | 'revoked';
 }
 /**
- * Auth redirecting event data
+ * Session changed (general)
  */
-interface AuthRedirectingEvent {
-    url: string;
+interface SessionChangedEvent extends BaseEventPayload {
+    /** Whether user is authenticated */
+    isAuthenticated: boolean;
+    /** User info (if authenticated) */
+    user?: UserInfo;
 }
 /**
- * Auth callback event data
+ * Tab synchronization event (Web SDK only)
  */
-interface AuthCallbackEvent {
-    code: string;
-    state: string;
+interface SessionSyncEvent extends BaseEventPayload {
+    /** Sync action */
+    action: 'login' | 'logout' | 'refresh' | 'leader_change';
+    /** Source tab ID */
+    sourceTabId?: string;
 }
 /**
- * Error event data
+ * Logout broadcast from another tab (Web SDK only)
+ */
+interface SessionLogoutBroadcastEvent extends BaseEventPayload {
+    /** Source tab ID */
+    sourceTabId?: string;
+}
+/**
+ * Auth state type
+ */
+type AuthState$1 = 'idle' | 'initializing' | 'authenticated' | 'unauthenticated' | 'authenticating' | 'refreshing' | 'logging_out' | 'error';
+/**
+ * Auth state snapshot
+ */
+interface AuthStateSnapshot {
+    /** Current state */
+    state: AuthState$1;
+    /** Previous state */
+    previousState: AuthState$1 | null;
+    /** Snapshot timestamp */
+    timestamp: number;
+    /** Current operation ID */
+    operationId: string | null;
+    /** State context */
+    context: {
+        /** Whether user is authenticated */
+        isAuthenticated: boolean;
+        /** Token expiration timestamp (epoch seconds) */
+        tokenExpiresAt: number | null;
+        /** Last error */
+        lastError: AuthrimError | null;
+        /** Pending operation description */
+        pendingOperation: string | null;
+    };
+}
+/**
+ * State change event
+ */
+interface StateChangeEvent extends BaseEventPayload {
+    /** Previous state */
+    from: AuthState$1;
+    /** New state */
+    to: AuthState$1;
+    /** Full state snapshot */
+    snapshot: AuthStateSnapshot;
+}
+/**
+ * Error severity for event classification
+ */
+type ErrorSeverity = 'recoverable' | 'fatal';
+/**
+ * Error event payload (extended)
+ */
+interface ErrorEventPayload extends BaseEventPayload {
+    /** Error instance */
+    error: AuthrimError;
+    /** Error severity */
+    severity: ErrorSeverity;
+    /** Recommended remediation */
+    remediation: AuthrimErrorRemediation;
+    /** Operation context where error occurred */
+    context: string;
+}
+/**
+ * Legacy error event (backward compatibility)
  */
 interface ErrorEvent {
     error: AuthrimError;
     context: string;
 }
+/**
+ * Recoverable error event
+ */
+interface ErrorRecoverableEvent extends ErrorEventPayload {
+    severity: 'recoverable';
+}
+/**
+ * Fatal error event
+ */
+interface ErrorFatalEvent extends ErrorEventPayload {
+    severity: 'fatal';
+}
+/**
+ * ITP environment detected warning (Web SDK only)
+ */
+interface WarningITPEvent extends BaseEventPayload {
+    /** Warning message */
+    message: string;
+    /** Detected browser */
+    browser: 'safari' | 'webkit' | 'unknown';
+    /** Recommended action */
+    recommendation: 'use_redirect' | 'use_popup' | 'normal';
+}
+/**
+ * Storage fallback warning
+ *
+ * Fired when:
+ * - localStorage → sessionStorage fallback
+ * - sessionStorage → memory fallback
+ */
+interface WarningStorageFallbackEvent extends BaseEventPayload {
+    /** Original storage type */
+    from: 'localStorage' | 'sessionStorage';
+    /** Fallback storage type */
+    to: 'sessionStorage' | 'memory';
+    /** Reason for fallback */
+    reason: 'not_available' | 'quota_exceeded' | 'private_mode' | 'security_error';
+}
+/**
+ * Private browsing mode detected warning (Web SDK only)
+ */
+interface WarningPrivateModeEvent extends BaseEventPayload {
+    /** Detected browser */
+    browser: 'safari' | 'firefox' | 'chrome' | 'edge' | 'unknown';
+    /** Storage limitations */
+    limitations: string[];
+}
+/**
+ * Timeline event entry
+ */
+interface TimelineEntry {
+    /** Event type */
+    type: string;
+    /** Event timestamp */
+    timestamp: number;
+    /** Operation ID */
+    operationId?: string;
+    /** Redacted event data */
+    data?: Record<string, unknown>;
+}
+/**
+ * Debug timeline event
+ */
+interface DebugTimelineEvent extends BaseEventPayload {
+    /** Timeline entry */
+    entry: TimelineEntry;
+}
 /**
  * All Authrim events
  */
 interface AuthrimEvents {
+    'auth:init': AuthInitEvent;
+    'auth:redirecting': AuthRedirectingEvent;
+    'auth:callback': AuthCallbackEvent;
+    'auth:callback:processing': AuthCallbackProcessingEvent;
+    'auth:callback:complete': AuthCallbackCompleteEvent;
+    'auth:login:complete': AuthLoginCompleteEvent;
+    'auth:logout:complete': AuthLogoutCompleteEvent;
+    'auth:required': AuthRequiredEvent;
+    'auth:popup_blocked': AuthPopupBlockedEvent;
+    'auth:fallback': AuthFallbackEvent;
+    'token:refreshing': TokenRefreshingEvent;
     'token:refreshed': TokenRefreshedEvent;
+    'token:refresh:failed': TokenRefreshFailedEvent;
+    'token:expiring': TokenExpiringEvent;
     'token:expired': TokenExpiredEvent;
     'token:error': TokenErrorEvent;
     'token:exchanged': TokenExchangedEvent;
     'session:started': SessionStartedEvent;
     'session:ended': SessionEndedEvent;
-    'auth:redirecting': AuthRedirectingEvent;
-    'auth:callback': AuthCallbackEvent;
-    error: ErrorEvent;
+    'session:changed': SessionChangedEvent;
+    'session:sync': SessionSyncEvent;
+    'session:logout:broadcast': SessionLogoutBroadcastEvent;
+    'state:change': StateChangeEvent;
+    'error': ErrorEvent;
+    'error:recoverable': ErrorRecoverableEvent;
+    'error:fatal': ErrorFatalEvent;
+    'warning:itp': WarningITPEvent;
+    'warning:storage_fallback': WarningStorageFallbackEvent;
+    'warning:private_mode': WarningPrivateModeEvent;
+    'debug:timeline': DebugTimelineEvent;
 }
 /**
  * Event names
@@ -741,129 +1157,429 @@ type AuthrimEventName = keyof AuthrimEvents;
  * Event handler type
  */
 type AuthrimEventHandler<T extends AuthrimEventName> = (event: AuthrimEvents[T]) => void;
-
 /**
- * State/Nonce Manager
- *
- * Manages CSRF protection (state) and replay attack prevention (nonce)
- * for Authorization Code Flow.
+ * Events emitted by Core SDK
+ */
+type CoreEventName = 'auth:init' | 'auth:redirecting' | 'auth:callback' | 'auth:callback:processing' | 'auth:callback:complete' | 'auth:login:complete' | 'auth:logout:complete' | 'auth:required' | 'token:refreshing' | 'token:refreshed' | 'token:refresh:failed' | 'token:expiring' | 'token:expired' | 'token:error' | 'token:exchanged' | 'session:started' | 'session:ended' | 'session:changed' | 'state:change' | 'error' | 'error:recoverable' | 'error:fatal' | 'debug:timeline';
+/**
+ * Events emitted by Web SDK only
  */
+type WebOnlyEventName = 'auth:popup_blocked' | 'auth:fallback' | 'session:sync' | 'session:logout:broadcast' | 'warning:itp' | 'warning:storage_fallback' | 'warning:private_mode';
 
 /**
- * Auth state stored in storage
+ * Device Authorization Flow Types
+ * RFC 8628: OAuth 2.0 Device Authorization Grant
+ *
+ * Used for devices with limited input capabilities (TVs, CLI tools, IoT devices).
  */
-interface AuthState {
-    /** State parameter (CSRF protection) */
-    state: string;
-    /** Nonce parameter (replay attack prevention) */
-    nonce: string;
-    /** PKCE code verifier */
-    codeVerifier: string;
-    /** Redirect URI used for this auth request */
-    redirectUri: string;
-    /** Timestamp when state was created */
-    createdAt: number;
-    /** Timestamp when state expires */
-    expiresAt: number;
-}
 /**
- * Options for generating auth state
+ * Device authorization response from the server (RFC 8628 §3.2)
  */
-interface GenerateAuthStateOptions {
-    /** Redirect URI for this auth request */
-    redirectUri: string;
-    /** Code verifier for PKCE */
-    codeVerifier: string;
-    /** TTL in seconds (default: 600 = 10 minutes) */
-    ttlSeconds?: number;
+interface DeviceAuthorizationResponse {
+    /** Device verification code (for token requests) */
+    device_code: string;
+    /** User-facing code to enter at verification_uri */
+    user_code: string;
+    /** URI where the user should go to enter the code */
+    verification_uri: string;
+    /** Complete URI with user_code embedded (optional) */
+    verification_uri_complete?: string;
+    /** Lifetime of device_code and user_code in seconds */
+    expires_in: number;
+    /** Minimum polling interval in seconds (default: 5) */
+    interval?: number;
 }
 /**
- * Storage keys factory
+ * Device flow state maintained by the client
  */
-declare const STORAGE_KEYS: {
-    /**
-     * Auth state key (state-specific)
-     */
-    readonly authState: (issuerHash: string, clientIdHash: string, state: string) => string;
-    /**
-     * Token storage key
-     */
-    readonly tokens: (issuerHash: string, clientIdHash: string) => string;
-    /**
-     * ID token storage key
-     */
-    readonly idToken: (issuerHash: string, clientIdHash: string) => string;
+interface DeviceFlowState {
+    /** Device code (used for polling) */
+    deviceCode: string;
+    /** User code (displayed to user) */
+    userCode: string;
+    /** Verification URI (user goes here) */
+    verificationUri: string;
+    /** Complete verification URI with code (if provided) */
+    verificationUriComplete?: string;
+    /** Absolute expiration time (epoch seconds) */
+    expiresAt: number;
     /**
-     * Auth state prefix for cleanup
+     * Polling interval in seconds (RFC 8628)
+     *
+     * IMPORTANT: This value is in SECONDS, not milliseconds.
+     * When using with setTimeout, multiply by 1000.
      */
-    readonly authStatePrefix: (issuerHash: string, clientIdHash: string) => string;
-};
+    interval: number;
+}
 /**
- * State Manager
+ * Poll result from Device Flow
+ *
+ * Core SDK returns "facts" only - UX events are the responsibility
+ * of upper-layer SDKs (web/react/svelte).
  */
-declare class StateManager {
-    private readonly crypto;
-    private readonly storage;
-    private readonly issuerHash;
-    private readonly clientIdHash;
-    /** Default TTL: 10 minutes */
-    private static readonly DEFAULT_TTL_SECONDS;
-    constructor(crypto: CryptoProvider, storage: AuthrimStorage, issuerHash: string, clientIdHash: string);
-    /**
-     * Generate and store auth state
-     *
-     * Creates state, nonce, stores them with the code verifier.
-     *
-     * @param options - Generation options
-     * @returns Generated state string
-     */
-    generateAuthState(options: GenerateAuthStateOptions): Promise<AuthState>;
+type DeviceFlowPollResult = DeviceFlowPendingResult | DeviceFlowCompletedResult | DeviceFlowSlowDownResult | DeviceFlowExpiredResult | DeviceFlowAccessDeniedResult;
+/**
+ * Authorization pending - user hasn't completed auth yet
+ */
+interface DeviceFlowPendingResult {
+    status: 'pending';
     /**
-     * Validate and consume state
-     *
-     * Retrieves, validates, and ALWAYS deletes the state (success or failure).
-     * This ensures replay attack prevention and GC.
+     * Seconds until next poll attempt (RFC 8628)
      *
-     * @param state - State parameter from callback
-     * @returns Auth state if valid
-     * @throws AuthrimError if state is invalid or expired
+     * IMPORTANT: This value is in SECONDS.
+     * Use `retryAfter * 1000` for setTimeout in JavaScript.
      */
-    validateAndConsumeState(state: string): Promise<AuthState>;
+    retryAfter: number;
+}
+/**
+ * Authorization completed - tokens received
+ */
+interface DeviceFlowCompletedResult {
+    status: 'completed';
+    /** Received tokens */
+    tokens: TokenSet;
+}
+/**
+ * Slow down - polling too fast
+ */
+interface DeviceFlowSlowDownResult {
+    status: 'slow_down';
     /**
-     * Clean up expired states
-     *
-     * This is a best-effort cleanup. Only works if storage.getAll() is available.
-     * The primary GC mechanism is validateAndConsumeState()'s finally delete.
+     * New interval in seconds (server-specified)
      *
-     * Safe to call at startup or periodically.
+     * IMPORTANT: This value is in SECONDS.
+     * The polling interval should be increased to this value.
      */
-    cleanupExpiredStates(): Promise<void>;
+    retryAfter: number;
 }
-
 /**
- * PKCE (Proof Key for Code Exchange) Helper
- *
- * Implements RFC 7636 for Authorization Code Flow security.
- * https://tools.ietf.org/html/rfc7636
+ * Device code expired - user needs to start over
  */
-
+interface DeviceFlowExpiredResult {
+    status: 'expired';
+}
 /**
- * PKCE challenge method
+ * Access denied - user denied the authorization request
  */
-type CodeChallengeMethod = 'S256' | 'plain';
+interface DeviceFlowAccessDeniedResult {
+    status: 'access_denied';
+}
 /**
- * PKCE pair (verifier and challenge)
+ * Options for starting device authorization
  */
-interface PKCEPair {
-    /** Code verifier (high-entropy random string) */
-    codeVerifier: string;
-    /** Code challenge (derived from verifier) */
-    codeChallenge: string;
-    /** Challenge method used */
-    codeChallengeMethod: CodeChallengeMethod;
+interface DeviceFlowStartOptions {
+    /** Scopes to request */
+    scope?: string;
+    /** Additional parameters */
+    extraParams?: Record<string, string>;
 }
+
 /**
- * PKCE Helper class
+ * PAR (Pushed Authorization Request) Types
+ * RFC 9126: OAuth 2.0 Pushed Authorization Requests
+ */
+/**
+ * PAR request parameters
+ */
+interface PARRequest {
+    /** Redirect URI (required) */
+    redirectUri: string;
+    /** Scopes to request (default: 'openid profile') */
+    scope?: string;
+    /**
+     * Response type (default: 'code')
+     *
+     * Use 'none' for session check without token issuance
+     * (OAuth 2.0 Multiple Response Types 1.0 §5)
+     */
+    responseType?: 'code' | 'none';
+    /** State parameter for CSRF protection */
+    state: string;
+    /** Nonce for replay attack prevention */
+    nonce: string;
+    /** PKCE code challenge */
+    codeChallenge: string;
+    /** PKCE code challenge method (always S256) */
+    codeChallengeMethod: 'S256';
+    /** Prompt behavior */
+    prompt?: 'none' | 'login' | 'consent' | 'select_account';
+    /** Hint about the login identifier */
+    loginHint?: string;
+    /** Requested Authentication Context Class Reference values */
+    acrValues?: string;
+    /** Additional custom parameters */
+    extraParams?: Record<string, string>;
+}
+/**
+ * PAR response from the server (RFC 9126 §2.2)
+ */
+interface PARResponse {
+    /** The request URI to use in authorization request */
+    request_uri: string;
+    /** Lifetime of the request URI in seconds */
+    expires_in: number;
+}
+/**
+ * PAR result returned by PARClient
+ */
+interface PARResult {
+    /** The request URI to use in authorization request */
+    requestUri: string;
+    /** Absolute expiration time (epoch seconds) */
+    expiresAt: number;
+}
+/**
+ * Options for PAR client
+ */
+interface PARClientOptions {
+    /** Additional headers to include in PAR request */
+    headers?: Record<string, string>;
+}
+
+/**
+ * Event Emitter
+ *
+ * Simple typed event emitter for SDK events.
+ */
+
+/**
+ * Typed Event Emitter
+ */
+declare class EventEmitter {
+    private listeners;
+    /**
+     * Subscribe to an event
+     *
+     * @param event - Event name
+     * @param handler - Event handler
+     * @returns Unsubscribe function
+     */
+    on<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): () => void;
+    /**
+     * Subscribe to an event (one-time)
+     *
+     * @param event - Event name
+     * @param handler - Event handler
+     * @returns Unsubscribe function
+     */
+    once<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): () => void;
+    /**
+     * Unsubscribe from an event
+     *
+     * @param event - Event name
+     * @param handler - Event handler to remove
+     */
+    off<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): void;
+    /**
+     * Emit an event
+     *
+     * @param event - Event name
+     * @param data - Event data
+     */
+    emit<T extends AuthrimEventName>(event: T, data: AuthrimEvents[T]): void;
+    /**
+     * Remove all listeners for an event (or all events)
+     *
+     * @param event - Event name (optional, removes all if not specified)
+     */
+    removeAllListeners(event?: AuthrimEventName): void;
+    /**
+     * Get the number of listeners for an event
+     *
+     * @param event - Event name
+     * @returns Number of listeners
+     */
+    listenerCount(event: AuthrimEventName): number;
+}
+
+/**
+ * State/Nonce Manager
+ *
+ * Manages CSRF protection (state) and replay attack prevention (nonce)
+ * for Authorization Code Flow.
+ */
+
+/**
+ * Auth state stored in storage
+ */
+interface AuthState {
+    /** State parameter (CSRF protection) */
+    state: string;
+    /** Nonce parameter (replay attack prevention) */
+    nonce: string;
+    /** PKCE code verifier */
+    codeVerifier: string;
+    /** Redirect URI used for this auth request */
+    redirectUri: string;
+    /** Requested scope (for validation) */
+    scope: string;
+    /** Timestamp when state was created */
+    createdAt: number;
+    /** Timestamp when state expires */
+    expiresAt: number;
+    /** Return URL after authentication (validated) */
+    returnTo?: string;
+    /** Operation tracking ID (for event correlation) */
+    operationId: string;
+}
+/**
+ * ReturnTo URL policy
+ *
+ * Controls which returnTo URLs are accepted to prevent open redirect attacks.
+ */
+type ReturnToPolicy = 'relative_only' | 'same_origin' | 'allowlist';
+/**
+ * ReturnTo URL options
+ */
+interface ReturnToOptions {
+    /** Validation policy */
+    policy: ReturnToPolicy;
+    /** Allowed origins (required when policy is 'allowlist') */
+    allowedOrigins?: string[];
+    /** Current origin for same_origin check (required in non-browser environments) */
+    currentOrigin?: string;
+}
+/**
+ * Options for generating auth state
+ */
+interface GenerateAuthStateOptions {
+    /** Redirect URI for this auth request */
+    redirectUri: string;
+    /** Code verifier for PKCE */
+    codeVerifier: string;
+    /** Requested scope (for validation) */
+    scope: string;
+    /** TTL in seconds (default: 600 = 10 minutes) */
+    ttlSeconds?: number;
+    /** Return URL after authentication */
+    returnTo?: string;
+    /** ReturnTo URL validation options */
+    returnToOptions?: ReturnToOptions;
+}
+/**
+ * Storage keys factory
+ */
+declare const STORAGE_KEYS: {
+    /**
+     * Auth state key (state-specific)
+     */
+    readonly authState: (issuerHash: string, clientIdHash: string, state: string) => string;
+    /**
+     * Token storage key
+     */
+    readonly tokens: (issuerHash: string, clientIdHash: string) => string;
+    /**
+     * ID token storage key
+     */
+    readonly idToken: (issuerHash: string, clientIdHash: string) => string;
+    /**
+     * Auth state prefix for cleanup
+     */
+    readonly authStatePrefix: (issuerHash: string, clientIdHash: string) => string;
+};
+/**
+ * State Manager
+ */
+declare class StateManager {
+    private readonly crypto;
+    private readonly storage;
+    private readonly issuerHash;
+    private readonly clientIdHash;
+    /** Default TTL: 10 minutes */
+    private static readonly DEFAULT_TTL_SECONDS;
+    /** Entropy bytes for state/nonce generation (256 bits = 32 bytes) */
+    private static readonly ENTROPY_BYTES;
+    /** Entropy bytes for operationId (128 bits = 16 bytes, enough for tracking) */
+    private static readonly OPERATION_ID_BYTES;
+    /** Auto cleanup interval (5 minutes) */
+    private static readonly DEFAULT_CLEANUP_INTERVAL_MS;
+    /** Cleanup interval handle */
+    private cleanupInterval;
+    constructor(crypto: CryptoProvider, storage: AuthrimStorage, issuerHash: string, clientIdHash: string);
+    /**
+     * Generate and store auth state
+     *
+     * Creates state, nonce, stores them with the code verifier.
+     *
+     * @param options - Generation options
+     * @returns Generated state string
+     */
+    generateAuthState(options: GenerateAuthStateOptions): Promise<AuthState>;
+    /**
+     * Validate returnTo URL against policy (Open Redirect Protection)
+     *
+     * @param returnTo - URL to validate
+     * @param options - Validation options
+     * @returns Validated URL
+     * @throws AuthrimError if URL is invalid
+     */
+    private validateReturnTo;
+    /**
+     * Validate and consume state
+     *
+     * Retrieves, validates, and ALWAYS deletes the state (success or failure).
+     * This ensures replay attack prevention and GC.
+     *
+     * @param state - State parameter from callback
+     * @returns Auth state if valid
+     * @throws AuthrimError if state is invalid or expired
+     */
+    validateAndConsumeState(state: string): Promise<AuthState>;
+    /**
+     * Clean up expired states
+     *
+     * This is a best-effort cleanup. Only works if storage.getAll() is available.
+     * The primary GC mechanism is validateAndConsumeState()'s finally delete.
+     *
+     * Safe to call at startup or periodically.
+     */
+    cleanupExpiredStates(): Promise<void>;
+    /**
+     * Start automatic cleanup of expired states
+     *
+     * Runs cleanup every 5 minutes by default.
+     *
+     * @param intervalMs - Cleanup interval in milliseconds (default: 300000 = 5 minutes)
+     */
+    startAutoCleanup(intervalMs?: number): void;
+    /**
+     * Stop automatic cleanup
+     */
+    stopAutoCleanup(): void;
+    /**
+     * Get the number of stored auth states
+     *
+     * Only works if storage.getAll() is available.
+     *
+     * @returns Number of stored states, or -1 if not supported
+     */
+    getStoredStateCount(): Promise<number>;
+}
+
+/**
+ * PKCE (Proof Key for Code Exchange) Helper
+ *
+ * Implements RFC 7636 for Authorization Code Flow security.
+ * https://tools.ietf.org/html/rfc7636
+ */
+
+/**
+ * PKCE challenge method
+ */
+type CodeChallengeMethod = 'S256' | 'plain';
+/**
+ * PKCE pair (verifier and challenge)
+ */
+interface PKCEPair {
+    /** Code verifier (high-entropy random string) */
+    codeVerifier: string;
+    /** Code challenge (derived from verifier) */
+    codeChallenge: string;
+    /** Challenge method used */
+    codeChallengeMethod: CodeChallengeMethod;
+}
+/**
+ * PKCE Helper class
  */
 declare class PKCEHelper {
     private readonly crypto;
@@ -906,6 +1622,13 @@ interface BuildAuthorizationUrlOptions {
     redirectUri: string;
     /** Scopes to request (default: 'openid profile') */
     scope?: string;
+    /**
+     * Response type (default: 'code')
+     *
+     * Use 'none' for session check without token issuance
+     * (OAuth 2.0 Multiple Response Types 1.0 §5)
+     */
+    responseType?: 'code' | 'none';
     /** Prompt behavior */
     prompt?: 'none' | 'login' | 'consent' | 'select_account';
     /** Hint about the login identifier */
@@ -922,6 +1645,23 @@ interface BuildAuthorizationUrlOptions {
      * (e.g., cookie, server-side session)
      */
     exposeState?: boolean;
+    /**
+     * Use PAR (Pushed Authorization Request - RFC 9126)
+     *
+     * When true, authorization parameters are first pushed to the PAR endpoint,
+     * and the resulting request_uri is used in the authorization URL.
+     *
+     * Required when server sets require_pushed_authorization_requests=true.
+     */
+    usePar?: boolean;
+    /**
+     * Use JAR (JWT Secured Authorization Request - RFC 9101)
+     *
+     * When true, authorization parameters are encoded in a signed JWT.
+     *
+     * Required when server sets require_signed_request_object=true.
+     */
+    useJar?: boolean;
 }
 /**
  * Result of buildAuthorizationUrl
@@ -957,6 +1697,8 @@ interface ExchangeCodeOptions {
     codeVerifier: string;
     /** Nonce to validate in ID token */
     nonce: string;
+    /** Requested scope (for validation) */
+    scope: string;
 }
 /**
  * Authorization Code Flow helper
@@ -973,6 +1715,7 @@ declare class AuthorizationCodeFlow {
      * @param pkce - PKCE pair
      * @param options - Authorization options
      * @returns Authorization URL result
+     * @throws AuthrimError with code 'par_required' if server requires PAR but usePar is not enabled
      */
     buildAuthorizationUrl(discovery: OIDCDiscoveryDocument, authState: AuthState, pkce: PKCEPair, options: BuildAuthorizationUrlOptions): AuthorizationUrlResult;
     /**
@@ -980,7 +1723,9 @@ declare class AuthorizationCodeFlow {
      *
      * @param callbackUrl - Callback URL or query string
      * @returns Parsed code and state
-     * @throws AuthrimError if code or state is missing, or if error is present
+     * @throws AuthrimError with code 'oauth_error' if OAuth error response is present
+     * @throws AuthrimError with code 'missing_code' if authorization code is not found
+     * @throws AuthrimError with code 'missing_state' if state parameter is not found
      */
     parseCallback(callbackUrl: string): {
         code: string;
@@ -992,7 +1737,9 @@ declare class AuthorizationCodeFlow {
      * @param discovery - OIDC discovery document
      * @param options - Exchange options
      * @returns Token set
-     * @throws AuthrimError if exchange fails or nonce validation fails
+     * @throws AuthrimError with code 'network_error' if token request fails
+     * @throws AuthrimError with code 'token_error' if token exchange fails
+     * @throws AuthrimError with code 'nonce_mismatch' if ID token nonce validation fails
      */
     exchangeCode(discovery: OIDCDiscoveryDocument, options: ExchangeCodeOptions): Promise<TokenSet>;
 }
@@ -1166,70 +1913,14 @@ declare class TokenRevoker {
 }
 
 /**
- * Event Emitter
+ * Logout Handler
  *
- * Simple typed event emitter for SDK events.
+ * Implements RP-Initiated Logout (OpenID Connect RP-Initiated Logout 1.0)
+ * https://openid.net/specs/openid-connect-rpinitiated-1_0.html
  */
 
 /**
- * Typed Event Emitter
- */
-declare class EventEmitter {
-    private listeners;
-    /**
-     * Subscribe to an event
-     *
-     * @param event - Event name
-     * @param handler - Event handler
-     * @returns Unsubscribe function
-     */
-    on<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): () => void;
-    /**
-     * Subscribe to an event (one-time)
-     *
-     * @param event - Event name
-     * @param handler - Event handler
-     * @returns Unsubscribe function
-     */
-    once<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): () => void;
-    /**
-     * Unsubscribe from an event
-     *
-     * @param event - Event name
-     * @param handler - Event handler to remove
-     */
-    off<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): void;
-    /**
-     * Emit an event
-     *
-     * @param event - Event name
-     * @param data - Event data
-     */
-    emit<T extends AuthrimEventName>(event: T, data: AuthrimEvents[T]): void;
-    /**
-     * Remove all listeners for an event (or all events)
-     *
-     * @param event - Event name (optional, removes all if not specified)
-     */
-    removeAllListeners(event?: AuthrimEventName): void;
-    /**
-     * Get the number of listeners for an event
-     *
-     * @param event - Event name
-     * @returns Number of listeners
-     */
-    listenerCount(event: AuthrimEventName): number;
-}
-
-/**
- * Logout Handler
- *
- * Implements RP-Initiated Logout (OpenID Connect RP-Initiated Logout 1.0)
- * https://openid.net/specs/openid-connect-rpinitiated-1_0.html
- */
-
-/**
- * Logout options
+ * Logout options
  */
 interface LogoutOptions {
     /** URI to redirect to after logout */
@@ -1345,6 +2036,12 @@ declare class AuthrimClient {
     private stateManager;
     /** Authorization code flow helper */
     private readonly authCodeFlow;
+    /** PAR client */
+    private readonly parClient;
+    /** Device Flow client */
+    private readonly deviceFlowClient;
+    /** DPoP manager (lazily initialized) */
+    private dpopManager;
     /** Token manager (initialized in initialize()) */
     private tokenManager;
     /** Logout handler (initialized in initialize()) */
@@ -1363,6 +2060,10 @@ declare class AuthrimClient {
     private readonly normalizedIssuer;
     /** Whether the client has been initialized */
     private initialized;
+    /**
+     * Get the event emitter for subscribing to SDK events
+     */
+    get eventEmitter(): EventEmitter;
     /**
      * Create a new Authrim client
      *
@@ -1405,6 +2106,144 @@ declare class AuthrimClient {
      * @returns Token set
      */
     handleCallback(callbackUrl: string): Promise<TokenSet>;
+    /**
+     * PAR API accessor
+     *
+     * Provides access to Pushed Authorization Request functionality.
+     * PAR allows pushing authorization request parameters to a dedicated endpoint,
+     * receiving a request_uri to use in the authorization URL.
+     */
+    get par(): {
+        /**
+         * Push authorization request and get request_uri
+         *
+         * @param options - Authorization options
+         * @returns PAR result with request_uri and expiration
+         */
+        push: (options: BuildAuthorizationUrlOptions) => Promise<PARResult>;
+        /**
+         * Build authorization URL using request_uri from PAR
+         *
+         * @param requestUri - Request URI from PAR response
+         * @returns Authorization URL
+         */
+        buildAuthorizationUrl: (requestUri: string) => Promise<string>;
+        /**
+         * Check if PAR is available
+         *
+         * @returns True if PAR endpoint is available
+         */
+        isAvailable: () => Promise<boolean>;
+        /**
+         * Check if PAR is required by the server
+         *
+         * @returns True if server requires PAR
+         */
+        isRequired: () => Promise<boolean>;
+    };
+    /**
+     * Device Flow API accessor
+     *
+     * Provides access to Device Authorization Grant functionality.
+     * Used for devices with limited input capabilities (TVs, CLIs, IoT).
+     */
+    get deviceFlow(): {
+        /**
+         * Start device authorization
+         *
+         * @param options - Start options (scope, etc.)
+         * @returns Device flow state with codes and URIs
+         */
+        start: (options?: DeviceFlowStartOptions) => Promise<DeviceFlowState>;
+        /**
+         * Poll once for token
+         *
+         * @param state - Device flow state
+         * @returns Poll result
+         */
+        pollOnce: (state: DeviceFlowState) => Promise<DeviceFlowPollResult>;
+        /**
+         * Poll until complete or expired
+         *
+         * @param state - Device flow state
+         * @param options - Polling options (signal for abort)
+         * @returns Token set on success
+         */
+        pollUntilComplete: (state: DeviceFlowState, options?: {
+            signal?: AbortSignal;
+        }) => Promise<TokenSet>;
+        /**
+         * Check if Device Flow is available
+         *
+         * @returns True if device authorization endpoint is available
+         */
+        isAvailable: () => Promise<boolean>;
+    };
+    /**
+     * DPoP API accessor
+     *
+     * Provides access to DPoP (Demonstrating Proof of Possession) functionality.
+     * DPoP binds access tokens to a cryptographic key held by the client,
+     * preventing token theft and replay attacks.
+     *
+     * NOTE: The CryptoProvider must implement DPoPCryptoProvider interface
+     * for DPoP to be available.
+     *
+     * @returns DPoP API accessor, or undefined if not supported
+     */
+    get dpop(): {
+        /**
+         * Initialize DPoP (generates or retrieves key pair)
+         */
+        initialize: () => Promise<void>;
+        /**
+         * Check if DPoP is initialized
+         */
+        isInitialized: () => boolean;
+        /**
+         * Generate a DPoP proof for a request
+         *
+         * @param method - HTTP method (GET, POST, etc.)
+         * @param uri - Full request URI
+         * @param options - Additional options (access token hash, nonce)
+         * @returns Signed DPoP proof JWT
+         */
+        generateProof: (method: string, uri: string, options?: {
+            accessTokenHash?: string;
+            nonce?: string;
+        }) => Promise<string>;
+        /**
+         * Handle DPoP-Nonce response from server
+         *
+         * @param nonce - Server-provided nonce
+         */
+        handleNonceResponse: (nonce: string) => void;
+        /**
+         * Calculate access token hash for ath claim
+         *
+         * @param accessToken - Access token to hash
+         * @returns Base64url-encoded SHA-256 hash
+         */
+        calculateAccessTokenHash: (accessToken: string) => Promise<string>;
+        /**
+         * Get the public key JWK
+         */
+        getPublicKeyJwk: () => JWK | null;
+        /**
+         * Get the JWK thumbprint
+         */
+        getThumbprint: () => string | null;
+        /**
+         * Clear DPoP key pair (call on logout)
+         */
+        clear: () => Promise<void>;
+        /**
+         * Check if DPoP is supported by the server
+         *
+         * @returns True if server advertises DPoP support
+         */
+        isServerSupported: () => Promise<boolean>;
+    } | undefined;
     /**
      * Token API accessor
      */
@@ -1608,6 +2447,13 @@ interface SilentAuthOptions {
     redirectUri: string;
     /** Scopes to request (default: 'openid') */
     scope?: string;
+    /**
+     * Response type (default: 'code')
+     *
+     * Use 'none' for session check without token issuance
+     * (OAuth 2.0 Multiple Response Types 1.0 §5)
+     */
+    responseType?: 'code' | 'none';
     /** Hint about the login identifier */
     loginHint?: string;
     /** ID token hint (helps IdP identify the user) */
@@ -1699,298 +2545,1472 @@ declare class SilentAuthHandler {
 }
 
 /**
- * Token Manager
+ * PAR (Pushed Authorization Request) Client
+ * RFC 9126: OAuth 2.0 Pushed Authorization Requests
  *
- * Manages token storage, retrieval, and automatic refresh.
- * Implements in-flight request coalescing for concurrent refresh requests.
+ * PAR allows the client to push the authorization request payload
+ * to the authorization server via a direct POST request, receiving
+ * a request_uri to use in the authorization URL.
+ *
+ * Benefits:
+ * - Integrity protection of authorization request
+ * - Confidentiality of authorization request parameters
+ * - Support for large request parameters
+ * - Required for FAPI 2.0 compliance
  */
 
 /**
- * Token manager options
+ * PAR Client
+ *
+ * Handles Pushed Authorization Requests per RFC 9126.
  */
-interface TokenManagerOptions {
+declare class PARClient {
+    private readonly http;
+    private readonly clientId;
+    private readonly options?;
+    constructor(http: HttpClient, clientId: string, options?: PARClientOptions | undefined);
+    /**
+     * Push authorization request to the server
+     *
+     * @param discovery - OIDC discovery document
+     * @param request - PAR request parameters
+     * @returns PAR result with request_uri and expiration
+     * @throws AuthrimError with code 'no_par_endpoint' if PAR endpoint not available
+     * @throws AuthrimError with code 'par_error' if PAR request fails
+     */
+    pushAuthorizationRequest(discovery: OIDCDiscoveryDocument, request: PARRequest): Promise<PARResult>;
+    /**
+     * Build authorization URL using request_uri from PAR
+     *
+     * @param discovery - OIDC discovery document
+     * @param requestUri - Request URI from PAR response
+     * @returns Authorization URL
+     */
+    buildAuthorizationUrlWithPar(discovery: OIDCDiscoveryDocument, requestUri: string): string;
+}
+
+/**
+ * Client Authentication Types
+ * RFC 6749 §2.3, RFC 7521, RFC 7523
+ */
+/**
+ * Client authentication methods
+ */
+type ClientAuthMethod = 'client_secret_basic' | 'client_secret_post' | 'private_key_jwt' | 'none';
+/**
+ * Client secret credentials (Basic or POST)
+ */
+interface ClientSecretCredentials {
+    /** Authentication method */
+    method: 'client_secret_basic' | 'client_secret_post';
+    /** Client secret */
+    clientSecret: string;
+}
+/**
+ * Private key JWT credentials (RFC 7523)
+ */
+interface PrivateKeyJwtCredentials {
+    /** Authentication method */
+    method: 'private_key_jwt';
+    /**
+     * Function to sign JWT assertions
+     *
+     * @param claims - JWT claims to sign
+     * @returns Signed JWT string
+     */
+    signJwt: (claims: Record<string, unknown>) => Promise<string>;
+    /** Key ID to include in JWT header */
+    keyId?: string;
+}
+/**
+ * No client authentication (public client)
+ *
+ * SECURITY: method='none' requires explicit opt-in via dangerouslyAllowInsecure
+ * to ensure developers consciously choose to use public client authentication.
+ */
+interface NoClientCredentials {
+    /** Authentication method */
+    method: 'none';
+    /**
+     * Required flag to acknowledge insecure client authentication
+     *
+     * Setting this to true acknowledges that:
+     * - The client cannot be authenticated securely
+     * - This should only be used for public clients (browser apps, native apps)
+     * - Tokens may be exposed to the user
+     */
+    dangerouslyAllowInsecure: true;
+}
+/**
+ * Union type for all client credentials
+ */
+type ClientCredentials = ClientSecretCredentials | PrivateKeyJwtCredentials | NoClientCredentials;
+/**
+ * JWT assertion claims for client authentication
+ */
+interface ClientAssertionClaims extends Record<string, unknown> {
+    /** Issuer (client_id) */
+    iss: string;
+    /** Subject (client_id) */
+    sub: string;
+    /** Audience (token endpoint URL) */
+    aud: string;
+    /** JWT ID (unique identifier) */
+    jti: string;
+    /** Expiration time (epoch seconds) */
+    exp: number;
+    /** Issued at time (epoch seconds) */
+    iat: number;
+}
+
+/**
+ * Client Authentication Utilities
+ * RFC 6749 §2.3, RFC 7521, RFC 7523
+ *
+ * Provides utilities for building client authentication headers and body parameters
+ * for various authentication methods.
+ */
+
+/**
+ * Client authentication result
+ */
+interface ClientAuthResult {
+    /** Headers to include in the request */
+    headers: Record<string, string>;
+    /** Body parameters to include in the request */
+    bodyParams: Record<string, string>;
+}
+/**
+ * Build client authentication headers and body parameters
+ *
+ * @param credentials - Client credentials configuration
+ * @param clientId - Client ID
+ * @param tokenEndpoint - Token endpoint URL (used as audience for private_key_jwt)
+ * @returns Headers and body parameters for authentication
+ * @throws AuthrimError with code 'insecure_client_auth' if method='none' without dangerouslyAllowInsecure
+ * @throws AuthrimError with code 'invalid_client_authentication' for invalid credentials
+ */
+declare function buildClientAuthentication(credentials: ClientCredentials, clientId: string, tokenEndpoint: string): Promise<ClientAuthResult>;
+
+/**
+ * Client Credentials Flow
+ * RFC 6749 §4.4
+ *
+ * The client credentials grant is used for machine-to-machine (M2M) authentication
+ * where no user is involved. The client authenticates directly with the authorization
+ * server using its own credentials.
+ *
+ * IMPORTANT: This flow should only be used in secure environments (server-side)
+ * where client credentials can be kept confidential.
+ */
+
+/**
+ * Options for ClientCredentialsClient constructor
+ */
+interface ClientCredentialsClientOptions {
     /** HTTP client */
     http: HttpClient;
-    /** Storage provider */
-    storage: AuthrimStorage;
     /** Client ID */
     clientId: string;
-    /** Issuer hash for storage keys */
-    issuerHash: string;
-    /** Client ID hash for storage keys */
-    clientIdHash: string;
-    /** Refresh skew in seconds (default: 30) */
-    refreshSkewSeconds?: number;
-    /** Event emitter for token events */
-    eventEmitter?: EventEmitter;
+    /** Client credentials */
+    credentials: ClientCredentials;
 }
 /**
- * Token Manager
+ * Options for getting a token
+ */
+interface ClientCredentialsTokenOptions {
+    /** Scopes to request */
+    scope?: string;
+    /** Target audience (resource server identifier) */
+    audience?: string;
+    /** Additional parameters */
+    extraParams?: Record<string, string>;
+}
+/**
+ * Client Credentials Flow Client
  *
- * Handles token storage, retrieval, and automatic refresh with
- * concurrent request coalescing.
+ * Handles machine-to-machine authentication using the client credentials grant.
  */
-declare class TokenManager {
+declare class ClientCredentialsClient {
     private readonly http;
-    private readonly storage;
     private readonly clientId;
-    private readonly issuerHash;
-    private readonly clientIdHash;
-    private readonly refreshSkewSeconds;
-    private readonly eventEmitter?;
-    /** In-flight refresh promise for request coalescing */
-    private refreshPromise;
-    /** Discovery document (set externally) */
-    private discovery;
-    /** Default refresh skew: 30 seconds */
-    private static readonly DEFAULT_REFRESH_SKEW_SECONDS;
-    constructor(options: TokenManagerOptions);
-    /**
-     * Set discovery document
-     */
-    setDiscovery(discovery: OIDCDiscoveryDocument): void;
+    private readonly credentials;
+    constructor(options: ClientCredentialsClientOptions);
     /**
-     * Get storage key for tokens
+     * Get an access token using client credentials
+     *
+     * @param discovery - OIDC discovery document
+     * @param options - Token request options
+     * @returns Token set
+     * @throws AuthrimError with code 'client_credentials_error' if token request fails
      */
-    private get tokenKey();
+    getToken(discovery: OIDCDiscoveryDocument, options?: ClientCredentialsTokenOptions): Promise<TokenSet>;
+}
+
+/**
+ * Device Authorization Flow
+ * RFC 8628: OAuth 2.0 Device Authorization Grant
+ *
+ * Used for devices with limited input capabilities where the user
+ * authenticates on a separate device (phone, computer).
+ *
+ * Flow:
+ * 1. Client requests device code from authorization server
+ * 2. User goes to verification URI and enters user code
+ * 3. Client polls token endpoint until user completes auth
+ *
+ * NOTE: This core SDK returns "facts" only - UX events like
+ * 'device:started' or 'device:pending' are the responsibility
+ * of upper-layer SDKs (web/react/svelte).
+ */
+
+/**
+ * Device Flow Client
+ *
+ * Handles the OAuth 2.0 Device Authorization Grant (RFC 8628).
+ */
+declare class DeviceFlowClient {
+    private readonly http;
+    private readonly clientId;
+    constructor(http: HttpClient, clientId: string);
     /**
-     * Get storage key for ID token
+     * Start device authorization
+     *
+     * Requests a device code and user code from the authorization server.
+     *
+     * @param discovery - OIDC discovery document
+     * @param options - Start options (scope, etc.)
+     * @returns Device flow state with codes and URIs
+     * @throws AuthrimError with code 'no_device_authorization_endpoint' if endpoint not available
+     * @throws AuthrimError with code 'device_authorization_error' if request fails
      */
-    private get idTokenKey();
+    startDeviceAuthorization(discovery: OIDCDiscoveryDocument, options?: DeviceFlowStartOptions): Promise<DeviceFlowState>;
     /**
-     * Get current tokens from storage
+     * Poll the token endpoint once
      *
-     * @returns Token set or null if not found
+     * Returns the current state of the authorization:
+     * - 'pending': User hasn't completed auth yet
+     * - 'completed': Auth complete, tokens received
+     * - 'slow_down': Polling too fast, increase interval
+     * - 'expired': Device code expired
+     * - 'access_denied': User denied the request
+     *
+     * @param discovery - OIDC discovery document
+     * @param state - Device flow state from startDeviceAuthorization
+     * @returns Poll result
      */
-    getTokens(): Promise<TokenSet | null>;
+    pollOnce(discovery: OIDCDiscoveryDocument, state: DeviceFlowState): Promise<DeviceFlowPollResult>;
     /**
-     * Save tokens to storage
+     * Poll until authorization is complete or expires
      *
-     * @param tokens - Token set to save
+     * Automatically handles polling interval and retries.
+     *
+     * @param discovery - OIDC discovery document
+     * @param state - Device flow state from startDeviceAuthorization
+     * @param options - Polling options
+     * @returns Token set on success
+     * @throws AuthrimError with code 'device_authorization_expired' if device code expires
+     * @throws AuthrimError with code 'device_access_denied' if user denies authorization
      */
-    saveTokens(tokens: TokenSet): Promise<void>;
+    pollUntilComplete(discovery: OIDCDiscoveryDocument, state: DeviceFlowState, options?: {
+        signal?: AbortSignal;
+    }): Promise<TokenSet>;
     /**
-     * Clear all tokens from storage
+     * Sleep for a given number of milliseconds
+     * @param ms - Milliseconds to sleep
+     * @param signal - Optional abort signal
      */
-    clearTokens(): Promise<void>;
-    /**
-     * Get access token, refreshing if necessary
+    private sleep;
+}
+
+/**
+ * DPoP (Demonstrating Proof of Possession) Types
+ * RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)
+ *
+ * DPoP provides a mechanism for sender-constraining access tokens
+ * to a particular client by binding tokens to a cryptographic key.
+ */
+/**
+ * JSON Web Key (JWK) format
+ *
+ * Subset of the Web Crypto API JWK interface.
+ * Defined here for platform-agnostic support.
+ */
+interface JWK {
+    /** Key type (e.g., 'EC', 'RSA') */
+    kty?: string;
+    /** Key ID */
+    kid?: string;
+    /** Algorithm */
+    alg?: string;
+    /** Public key use */
+    use?: string;
+    /** Key operations */
+    key_ops?: string[];
+    /** Extractable flag */
+    ext?: boolean;
+    /** Curve name */
+    crv?: string;
+    /** X coordinate (base64url) */
+    x?: string;
+    /** Y coordinate (base64url) */
+    y?: string;
+    /** Private key value (base64url) - should not be exported */
+    d?: string;
+    /** Modulus (base64url) */
+    n?: string;
+    /** Public exponent (base64url) */
+    e?: string;
+    [key: string]: unknown;
+}
+/**
+ * DPoP key pair interface
+ *
+ * Represents an asymmetric key pair used for DPoP proofs.
+ */
+interface DPoPKeyPair {
+    /** Algorithm identifier (e.g., 'ES256', 'RS256') */
+    algorithm: string;
+    /** JWK thumbprint of the public key (base64url encoded) */
+    thumbprint: string;
+    /** Public key in JWK format */
+    publicKeyJwk: JWK;
+    /**
+     * Sign data with the private key
      *
-     * This method coalesces concurrent refresh requests - if multiple
-     * calls are made while a refresh is in-flight, they all share the
-     * same refresh operation.
+     * @param data - Data to sign
+     * @returns Signature
+     */
+    sign(data: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * DPoP proof JWT header
+ */
+interface DPoPProofHeader {
+    /** Type (always 'dpop+jwt') */
+    typ: 'dpop+jwt';
+    /** Algorithm */
+    alg: string;
+    /** Public key in JWK format */
+    jwk: JWK;
+}
+/**
+ * DPoP proof JWT claims
+ */
+interface DPoPProofClaims {
+    /** Unique identifier for the proof */
+    jti: string;
+    /** HTTP method of the request */
+    htm: string;
+    /** HTTP URI of the request (without query and fragment) */
+    htu: string;
+    /** Issued at time (epoch seconds) */
+    iat: number;
+    /** Access token hash (when binding to access token) */
+    ath?: string;
+    /** Server-provided nonce (when server requires it) */
+    nonce?: string;
+}
+/**
+ * Options for generating a DPoP proof
+ */
+interface DPoPProofOptions {
+    /** Hash of the access token (base64url(SHA-256(access_token))) */
+    accessTokenHash?: string;
+    /** Server-provided nonce */
+    nonce?: string;
+}
+/**
+ * DPoP Manager configuration
+ */
+interface DPoPManagerConfig {
+    /** Preferred algorithm (default: 'ES256') */
+    algorithm?: string;
+}
+/**
+ * Extended CryptoProvider interface with DPoP support
+ *
+ * This extends the base CryptoProvider with optional DPoP methods.
+ * Implementations that support DPoP should implement these methods.
+ */
+interface DPoPCryptoProvider {
+    /**
+     * Generate a new DPoP key pair
      *
-     * @returns Access token
-     * @throws AuthrimError if no tokens available or refresh fails
+     * @param algorithm - Preferred algorithm (default: 'ES256')
+     * @returns Generated key pair
      */
-    getAccessToken(): Promise<string>;
+    generateDPoPKeyPair?(algorithm?: string): Promise<DPoPKeyPair>;
     /**
-     * Get ID token
+     * Get the current DPoP key pair
      *
-     * @returns ID token or null
+     * Returns null if no key pair has been generated.
+     *
+     * @returns Current key pair or null
      */
-    getIdToken(): Promise<string | null>;
+    getDPoPKeyPair?(): Promise<DPoPKeyPair | null>;
     /**
-     * Check if token needs refresh
+     * Clear the DPoP key pair
      *
-     * @param tokens - Token set to check
-     * @returns True if token should be refreshed
+     * Should be called on logout to clean up key material.
      */
-    private shouldRefresh;
+    clearDPoPKeyPair?(): Promise<void>;
+}
+
+/**
+ * DPoP Manager
+ * RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)
+ *
+ * DPoP provides sender-constrained access tokens by binding them
+ * to a cryptographic key held by the client. This prevents token theft
+ * and replay attacks.
+ *
+ * NOTE: DPoP proofs are required for:
+ * - Token requests (authorization code exchange, refresh)
+ * - PAR requests
+ * - UserInfo requests
+ * - Any protected resource request
+ *
+ * Future consideration: HttpClient-level middleware for automatic DPoP proof attachment.
+ */
+
+/**
+ * DPoP Manager
+ *
+ * Manages DPoP key pairs and generates DPoP proofs for requests.
+ */
+declare class DPoPManager {
+    private readonly crypto;
+    private readonly config;
+    private keyPair;
+    private serverNonce;
+    constructor(crypto: CryptoProvider & DPoPCryptoProvider, config?: DPoPManagerConfig);
     /**
-     * Refresh token with in-flight request coalescing
+     * Initialize the DPoP manager
      *
-     * If a refresh is already in progress, wait for it instead of
-     * starting a new one.
+     * Generates or retrieves a DPoP key pair.
      *
-     * @param refreshToken - Refresh token to use
-     * @returns Access token from new token set
+     * @throws AuthrimError with code 'dpop_key_generation_error' if key generation fails
      */
-    private refreshWithLock;
+    initialize(): Promise<void>;
+    /**
+     * Check if DPoP is initialized
+     */
+    isInitialized(): boolean;
     /**
-     * Perform refresh with single retry for network errors
+     * Generate a DPoP proof
      *
-     * @param refreshToken - Refresh token to use
-     * @param attemptedRetry - Whether retry has been attempted (stack-local)
-     * @returns New token set
+     * Creates a signed JWT proof for the specified HTTP method and URI.
+     *
+     * @param method - HTTP method (GET, POST, etc.)
+     * @param uri - Full request URI (https://example.com/path)
+     * @param options - Additional options (access token hash, nonce)
+     * @returns Signed DPoP proof JWT
+     * @throws AuthrimError with code 'dpop_proof_generation_error' if proof generation fails
      */
-    private doRefreshWithRetry;
+    generateProof(method: string, uri: string, options?: DPoPProofOptions): Promise<string>;
     /**
-     * Perform the actual token refresh
+     * Handle a DPoP-Nonce response from the server
      *
-     * @param refreshToken - Refresh token to use
-     * @returns New token set
+     * When the server returns a use_dpop_nonce error or includes
+     * a DPoP-Nonce header, this method stores the nonce for future proofs.
+     *
+     * @param nonce - Server-provided nonce value
      */
-    private doRefresh;
+    handleNonceResponse(nonce: string): void;
     /**
-     * Check if error is retryable (network errors only)
+     * Get the current server nonce
      */
-    private isRetryableError;
+    getServerNonce(): string | null;
     /**
-     * Check if user is authenticated
+     * Clear the server nonce
+     */
+    clearServerNonce(): void;
+    /**
+     * Get the public key JWK
      *
-     * @returns True if valid tokens exist
+     * @returns Public key in JWK format, or null if not initialized
      */
-    isAuthenticated(): Promise<boolean>;
+    getPublicKeyJwk(): JWK | null;
     /**
-     * Exchange a token using RFC 8693 Token Exchange
+     * Get the JWK thumbprint
      *
-     * This allows exchanging tokens for different audiences or scopes,
-     * delegation scenarios, and cross-service token acquisition.
+     * @returns Base64url-encoded thumbprint, or null if not initialized
+     */
+    getThumbprint(): string | null;
+    /**
+     * Calculate access token hash for ath claim
      *
-     * @param request - Token exchange request parameters
-     * @returns Token exchange result with new tokens and issued token type
-     * @throws AuthrimError if exchange fails
+     * @param accessToken - Access token to hash
+     * @returns Base64url-encoded SHA-256 hash
      */
-    exchangeToken(request: TokenExchangeRequest): Promise<TokenExchangeResult>;
+    calculateAccessTokenHash(accessToken: string): Promise<string>;
     /**
-     * Map short token type to URI (RFC 8693)
+     * Clear the DPoP key pair
+     *
+     * Should be called on logout to clean up key material.
      */
-    private mapTokenTypeToUri;
+    clear(): Promise<void>;
+    /**
+     * Generate a unique JWT ID (jti)
+     */
+    private generateJti;
 }
 
 /**
- * Token API Client
+ * JAR (JWT Secured Authorization Request) Types
+ * RFC 9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
  *
- * Provides session verification against the authorization server.
- * Uses the UserInfo endpoint or custom session check endpoint.
+ * JAR allows authorization request parameters to be encoded in a
+ * signed JWT, providing integrity protection and non-repudiation.
  */
-
 /**
- * Session check result
+ * JAR request object claims
  */
-interface SessionCheckResult {
-    /** Whether session is valid */
-    valid: boolean;
-    /** User info if session is valid */
-    user?: UserInfo;
-    /** Error if session is invalid */
-    error?: AuthrimError;
+interface JARRequestObjectClaims {
+    /** Issuer (client_id) */
+    iss: string;
+    /** Audience (authorization server issuer) */
+    aud: string;
+    /** Response type */
+    response_type: string;
+    /** Client ID */
+    client_id: string;
+    /** Redirect URI */
+    redirect_uri: string;
+    /** Scope */
+    scope: string;
+    /** State */
+    state: string;
+    /** Nonce */
+    nonce: string;
+    /** PKCE code challenge */
+    code_challenge: string;
+    /** PKCE code challenge method */
+    code_challenge_method: string;
+    /** Issued at time (epoch seconds) */
+    iat: number;
+    /** Expiration time (epoch seconds) */
+    exp: number;
+    /** JWT ID (optional but recommended) */
+    jti?: string;
+    /** Not before time (optional) */
+    nbf?: number;
+    /** Prompt */
+    prompt?: string;
+    /** Login hint */
+    login_hint?: string;
+    /** ACR values */
+    acr_values?: string;
+    [key: string]: unknown;
 }
 /**
- * Token API client options
+ * JAR Builder configuration
  */
-interface TokenApiClientOptions {
-    /** HTTP client */
-    http: HttpClient;
+interface JARBuilderConfig {
+    /**
+     * Function to sign JWT
+     *
+     * @param header - JWT header object
+     * @param claims - JWT claims object
+     * @returns Signed JWT string
+     */
+    signJwt: (header: object, claims: object) => Promise<string>;
+    /** Key ID to include in JWT header */
+    keyId?: string;
+    /** Lifetime of the request object in seconds (default: 300) */
+    lifetime?: number;
+    /** Algorithm for signing (e.g., 'RS256', 'ES256') */
+    algorithm?: string;
 }
 /**
- * Token API Client
+ * Options for building a request object
+ */
+interface JARRequestOptions {
+    /** Client ID */
+    clientId: string;
+    /** Authorization server issuer */
+    issuer: string;
+    /** Response type (default: 'code') */
+    responseType?: string;
+    /** Redirect URI */
+    redirectUri: string;
+    /** Scope */
+    scope: string;
+    /** State */
+    state: string;
+    /** Nonce */
+    nonce: string;
+    /** PKCE code challenge */
+    codeChallenge: string;
+    /** PKCE code challenge method */
+    codeChallengeMethod: string;
+    /** Prompt */
+    prompt?: string;
+    /** Login hint */
+    loginHint?: string;
+    /** ACR values */
+    acrValues?: string;
+    /** Additional claims */
+    extraClaims?: Record<string, unknown>;
+}
+
+/**
+ * JAR Builder
+ * RFC 9101: JWT-Secured Authorization Request (JAR)
  *
- * Verifies session status with the authorization server.
+ * JAR provides a way to send authorization request parameters
+ * in a signed (and optionally encrypted) JWT, ensuring:
+ * - Integrity protection of parameters
+ * - Non-repudiation
+ * - Confidentiality (when encrypted)
+ *
+ * The signed JWT is sent as the 'request' parameter in the authorization URL,
+ * or can be passed by reference using the 'request_uri' parameter (with PAR).
  */
-declare class TokenApiClient {
-    private readonly http;
-    constructor(options: TokenApiClientOptions);
+
+/**
+ * JAR Builder
+ *
+ * Builds signed JWT request objects for authorization requests.
+ */
+declare class JARBuilder {
+    private readonly config;
+    constructor(config: JARBuilderConfig);
     /**
-     * Check session validity by calling UserInfo endpoint
+     * Build a signed request object
      *
-     * @param discovery - OIDC discovery document
-     * @param accessToken - Access token to verify
-     * @returns Session check result
+     * @param options - Request options
+     * @returns Signed JWT request object
+     * @throws AuthrimError with code 'jar_signing_error' if signing fails
      */
-    checkSession(discovery: OIDCDiscoveryDocument, accessToken: string): Promise<SessionCheckResult>;
+    buildRequestObject(options: JARRequestOptions): Promise<string>;
     /**
-     * Get user info from the authorization server
-     *
-     * @param discovery - OIDC discovery document
-     * @param accessToken - Access token
-     * @returns User info
-     * @throws AuthrimError if request fails
+     * Generate a unique JWT ID (jti)
      */
-    getUserInfo(discovery: OIDCDiscoveryDocument, accessToken: string): Promise<UserInfo>;
+    private generateJti;
 }
-
 /**
- * Session Manager
+ * Check if JAR is required by the authorization server
  *
- * Coordinates session-related operations including checking
- * session status and retrieving user information.
+ * @param discovery - OIDC discovery document
+ * @returns True if require_signed_request_object is true
  */
+declare function isJarRequired(discovery: {
+    require_signed_request_object?: boolean;
+}): boolean;
 
 /**
- * Session manager options
+ * JARM (JWT Secured Authorization Response Mode) Types
+ * Financial-grade API (FAPI) / OpenID Connect
+ *
+ * JARM provides a way for authorization servers to return authorization
+ * response parameters in a signed (and optionally encrypted) JWT.
+ * This provides integrity protection and authenticity verification.
  */
-interface SessionManagerOptions {
-    /** Token manager */
-    tokenManager: TokenManager;
-    /** Token API client */
-    tokenApiClient: TokenApiClient;
+/**
+ * JARM response JWT claims
+ */
+interface JARMResponseClaims {
+    /** Issuer (authorization server) */
+    iss: string;
+    /** Audience (client_id) */
+    aud: string;
+    /** Expiration time (epoch seconds) */
+    exp: number;
+    /** Issued at time (optional) */
+    iat?: number;
+    /** Authorization code */
+    code?: string;
+    /** State parameter */
+    state?: string;
+    /** Error code */
+    error?: string;
+    /** Error description */
+    error_description?: string;
+    /** Error URI */
+    error_uri?: string;
+    [key: string]: unknown;
 }
 /**
- * Session Manager
+ * JARM validation options
  */
-declare class SessionManager {
-    private readonly tokenManager;
-    private readonly tokenApiClient;
-    /** Discovery document */
-    private discovery;
-    constructor(options: SessionManagerOptions);
-    /**
-     * Set discovery document
-     */
-    setDiscovery(discovery: OIDCDiscoveryDocument): void;
+interface JARMValidationOptions {
+    /** Expected state value */
+    expectedState: string;
+    /** Client ID (audience) */
+    clientId: string;
+    /** Clock skew tolerance in seconds (default: 60) */
+    clockSkewSeconds?: number;
+}
+/**
+ * JARM validation result
+ */
+interface JARMValidationResult {
+    /** Authorization code (if present) */
+    code: string;
+    /** State parameter */
+    state: string;
+}
+/**
+ * JARM Validator configuration
+ */
+interface JARMValidatorConfig {
     /**
-     * Check if user is authenticated locally
+     * Function to verify JWT signature
      *
-     * This checks if valid tokens exist in storage.
-     * Does not verify with the authorization server.
+     * Should verify the signature using the authorization server's public keys
+     * (typically from JWKS endpoint) and return the decoded claims.
      *
-     * @returns True if tokens exist
+     * @param jwt - The JWT string to verify
+     * @param issuer - Expected issuer
+     * @returns Decoded and verified claims
+     * @throws Error if signature verification fails
      */
-    isAuthenticated(): Promise<boolean>;
+    verifyJwt: (jwt: string, issuer: string) => Promise<JARMResponseClaims>;
+}
+
+/**
+ * JARM Validator
+ * JWT Secured Authorization Response Mode (JARM)
+ *
+ * JARM allows authorization servers to return authorization response
+ * parameters in a signed JWT, providing:
+ * - Response integrity protection
+ * - Response authenticity verification
+ * - Confidentiality (when encrypted)
+ *
+ * The response JWT is returned in the 'response' parameter of the
+ * authorization callback.
+ */
+
+/**
+ * JARM Validator
+ *
+ * Validates JWT-secured authorization responses.
+ */
+declare class JARMValidator {
+    private readonly config;
+    constructor(config: JARMValidatorConfig);
     /**
-     * Check session validity with authorization server
-     *
-     * Calls the UserInfo endpoint to verify the session is still valid.
+     * Validate a JARM response
      *
-     * @returns Session check result
+     * @param discovery - OIDC discovery document
+     * @param response - The JWT response string from the 'response' parameter
+     * @param options - Validation options
+     * @returns Validated authorization code and state
+     * @throws AuthrimError with code 'jarm_validation_error' if validation fails
+     * @throws AuthrimError with code 'jarm_signature_invalid' if signature verification fails
      */
-    checkSession(): Promise<SessionCheckResult>;
+    validateResponse(discovery: OIDCDiscoveryDocument, response: string, options: JARMValidationOptions): Promise<JARMValidationResult>;
     /**
-     * Get user information
+     * Parse a JARM response from callback URL
      *
-     * Fetches user info from the UserInfo endpoint.
+     * Extracts the 'response' parameter from the callback URL.
      *
-     * @returns User info
-     * @throws AuthrimError if not authenticated or request fails
+     * @param callbackUrl - Full callback URL or query string
+     * @returns The response JWT, or null if not present
      */
-    getUser(): Promise<UserInfo>;
+    static extractResponseFromCallback(callbackUrl: string): string | null;
 }
 
 /**
- * Base64URL Encoding/Decoding Utilities
+ * Session Management Types
+ * OpenID Connect Session Management 1.0
  *
- * Implements RFC 4648 Section 5 (Base64 URL and Filename Safe Alphabet)
+ * These types support session management via check_session_iframe
+ * and related specifications.
+ *
+ * NOTE: Actual implementation of session management (postMessage communication,
+ * iframe handling) is the responsibility of the web SDK (@authrim/web).
+ * Core SDK only provides type definitions.
  */
 /**
- * Encode a Uint8Array to base64url string
- *
- * @param data - Bytes to encode
- * @returns Base64URL encoded string (no padding)
+ * Session state from check_session_iframe
  */
-declare function base64urlEncode(data: Uint8Array): string;
+type SessionState = string;
 /**
- * Decode a base64url string to Uint8Array
+ * Check session iframe message
  *
- * @param str - Base64URL encoded string
- * @returns Decoded bytes
+ * Format: "client_id session_state"
  */
-declare function base64urlDecode(str: string): Uint8Array;
+interface CheckSessionMessage {
+    /** Client ID */
+    clientId: string;
+    /** Session state from authentication response */
+    sessionState: SessionState;
+}
 /**
- * Encode a string to base64url
- *
- * @param str - String to encode (UTF-8)
- * @returns Base64URL encoded string
+ * Check session iframe response
  */
-declare function stringToBase64url(str: string): string;
+type CheckSessionResponse = 'changed' | 'unchanged' | 'error';
 /**
- * Decode a base64url string to string
+ * Session management configuration
+ */
+interface SessionManagementConfig {
+    /** check_session_iframe URL from discovery */
+    checkSessionIframe?: string;
+    /** Polling interval in milliseconds (default: 2000) */
+    pollIntervalMs?: number;
+    /** Whether session management is enabled */
+    enabled: boolean;
+}
+/**
+ * Session change event
+ */
+interface SessionChangeEvent {
+    /** Previous session state */
+    previousState: SessionState | null;
+    /** Current session state */
+    currentState: SessionState | null;
+    /** Whether the session is still valid */
+    isValid: boolean;
+}
+/**
+ * Front-Channel Logout Types
+ * OpenID Connect Front-Channel Logout 1.0
+ *
+ * Front-channel logout allows the OP to notify RPs of logout events
+ * via browser redirects.
+ *
+ * NOTE: Actual implementation of front-channel logout (iframe handling)
+ * is the responsibility of the web SDK (@authrim/web).
+ * Core SDK only provides type definitions.
+ */
+/**
+ * Front-channel logout request parameters
+ */
+interface FrontChannelLogoutParams {
+    /** Issuer identifier */
+    iss?: string;
+    /** Session ID */
+    sid?: string;
+}
+/**
+ * Front-channel logout URL builder options
+ */
+interface FrontChannelLogoutUrlOptions {
+    /** Base logout URI registered with the OP */
+    logoutUri: string;
+    /** Whether to include issuer parameter */
+    includeIssuer?: boolean;
+    /** Whether to include session ID parameter */
+    includeSessionId?: boolean;
+}
+/**
+ * Back-Channel Logout Types
+ * OpenID Connect Back-Channel Logout 1.0
+ *
+ * Back-channel logout allows the OP to notify RPs of logout events
+ * via direct HTTP calls (server-to-server).
+ *
+ * NOTE: This is typically handled server-side, not in the browser.
+ * Included here for completeness of type definitions.
+ */
+/**
+ * Logout token claims (for back-channel logout)
+ */
+interface LogoutTokenClaims {
+    /** Issuer */
+    iss: string;
+    /** Subject */
+    sub?: string;
+    /** Audience */
+    aud: string | string[];
+    /** Issued at time */
+    iat: number;
+    /** JWT ID */
+    jti: string;
+    /** Events claim (must contain logout event) */
+    events: {
+        'http://schemas.openid.net/event/backchannel-logout': Record<string, never>;
+    };
+    /** Session ID (if back-channel logout session is supported) */
+    sid?: string;
+}
+
+/**
+ * Token Manager
+ *
+ * Manages token storage, retrieval, and automatic refresh.
+ * Implements in-flight request coalescing for concurrent refresh requests.
+ */
+
+/**
+ * Token manager options
+ */
+interface TokenManagerOptions {
+    /** HTTP client */
+    http: HttpClient;
+    /** Storage provider */
+    storage: AuthrimStorage;
+    /** Client ID */
+    clientId: string;
+    /** Issuer hash for storage keys */
+    issuerHash: string;
+    /** Client ID hash for storage keys */
+    clientIdHash: string;
+    /** Refresh skew in seconds (default: 30) */
+    refreshSkewSeconds?: number;
+    /** Event emitter for token events */
+    eventEmitter?: EventEmitter;
+    /** Token expiring warning threshold in seconds (default: 300 = 5 minutes) */
+    expiringThresholdSeconds?: number;
+    /** Jitter for expiring event in milliseconds (default: 30000 = ±30 seconds) */
+    expiringJitterMs?: number;
+}
+/**
+ * Token Manager
+ *
+ * Handles token storage, retrieval, and automatic refresh with
+ * concurrent request coalescing.
+ */
+declare class TokenManager {
+    private readonly http;
+    private readonly storage;
+    private readonly clientId;
+    private readonly issuerHash;
+    private readonly clientIdHash;
+    private readonly refreshSkewSeconds;
+    private readonly eventEmitter?;
+    private readonly expiringThresholdMs;
+    private readonly expiringJitterMs;
+    /** In-flight refresh promise for request coalescing */
+    private refreshPromise;
+    /** Discovery document (set externally) */
+    private discovery;
+    /** Timer for token expiring event */
+    private expiringTimeout;
+    /** Whether this tab is the leader for refresh scheduling */
+    private isLeaderTab;
+    /** Current operation ID for event tracking */
+    private currentOperationId;
+    /** Default refresh skew: 30 seconds */
+    private static readonly DEFAULT_REFRESH_SKEW_SECONDS;
+    /** Default expiring threshold: 5 minutes */
+    private static readonly DEFAULT_EXPIRING_THRESHOLD_SECONDS;
+    /** Default expiring jitter: ±30 seconds */
+    private static readonly DEFAULT_EXPIRING_JITTER_MS;
+    constructor(options: TokenManagerOptions);
+    /**
+     * Set discovery document
+     */
+    setDiscovery(discovery: OIDCDiscoveryDocument): void;
+    /**
+     * Get storage key for tokens
+     */
+    private get tokenKey();
+    /**
+     * Get storage key for ID token
+     */
+    private get idTokenKey();
+    /**
+     * Get current tokens from storage
+     *
+     * @returns Token set or null if not found
+     */
+    getTokens(): Promise<TokenSet | null>;
+    /**
+     * Save tokens to storage
+     *
+     * @param tokens - Token set to save
+     */
+    saveTokens(tokens: TokenSet): Promise<void>;
+    /**
+     * Schedule token:expiring event with jitter
+     *
+     * @param expiresAt - Token expiration timestamp (epoch seconds)
+     */
+    private scheduleExpiringEvent;
+    /**
+     * Set leader tab status
+     *
+     * When not the leader, expiring event scheduling is disabled
+     * to prevent multiple tabs from triggering simultaneous refreshes.
+     *
+     * @param isLeader - Whether this tab is the leader
+     */
+    setLeaderTab(isLeader: boolean): void;
+    /**
+     * Set current operation ID for event tracking
+     */
+    setOperationId(operationId: string | null): void;
+    /**
+     * Get current operation ID
+     */
+    getOperationId(): string | null;
+    /**
+     * Clear all tokens from storage
+     */
+    clearTokens(): Promise<void>;
+    /**
+     * Get access token, refreshing if necessary
+     *
+     * This method coalesces concurrent refresh requests - if multiple
+     * calls are made while a refresh is in-flight, they all share the
+     * same refresh operation.
+     *
+     * @returns Access token
+     * @throws AuthrimError if no tokens available or refresh fails
+     */
+    getAccessToken(): Promise<string>;
+    /**
+     * Get ID token
+     *
+     * @returns ID token or null
+     */
+    getIdToken(): Promise<string | null>;
+    /**
+     * Check if token needs refresh
+     *
+     * @param tokens - Token set to check
+     * @returns True if token should be refreshed
+     */
+    private shouldRefresh;
+    /**
+     * Refresh token with in-flight request coalescing
+     *
+     * If a refresh is already in progress, wait for it instead of
+     * starting a new one.
+     *
+     * @param refreshToken - Refresh token to use
+     * @param reason - Reason for refresh
+     * @returns Access token from new token set
+     */
+    private refreshWithLock;
+    /**
+     * Manually refresh tokens
+     *
+     * @returns New token set
+     * @throws AuthrimError if refresh fails
+     */
+    refresh(): Promise<TokenSet>;
+    /**
+     * Perform refresh with retry for network errors
+     *
+     * @param refreshToken - Refresh token to use
+     * @param reason - Reason for refresh
+     * @param attempt - Current retry attempt (0-indexed)
+     * @returns New token set
+     */
+    private doRefreshWithRetry;
+    /**
+     * Perform the actual token refresh
+     *
+     * @param refreshToken - Refresh token to use
+     * @returns New token set
+     */
+    private doRefresh;
+    /**
+     * Check if user is authenticated
+     *
+     * @returns True if valid tokens exist
+     */
+    isAuthenticated(): Promise<boolean>;
+    /**
+     * Exchange a token using RFC 8693 Token Exchange
+     *
+     * This allows exchanging tokens for different audiences or scopes,
+     * delegation scenarios, and cross-service token acquisition.
+     *
+     * @param request - Token exchange request parameters
+     * @returns Token exchange result with new tokens and issued token type
+     * @throws AuthrimError if exchange fails
+     */
+    exchangeToken(request: TokenExchangeRequest): Promise<TokenExchangeResult>;
+    /**
+     * Map short token type to URI (RFC 8693)
+     */
+    private mapTokenTypeToUri;
+    /**
+     * Clean up resources
+     */
+    destroy(): void;
+}
+
+/**
+ * Auto Refresh Scheduler
+ *
+ * Automatically refreshes tokens before they expire.
+ * Supports cancellation via AbortController.
+ */
+
+/**
+ * Auto refresh options
+ */
+interface AutoRefreshOptions {
+    /** Refresh threshold in seconds before expiry (default: 60) */
+    thresholdSeconds?: number;
+    /** Check interval in milliseconds (default: 30000 = 30 seconds) */
+    checkIntervalMs?: number;
+    /** Event emitter for logging/debugging */
+    eventEmitter?: EventEmitter;
+}
+/**
+ * Auto Refresh Scheduler
+ *
+ * Schedules automatic token refresh before expiration.
+ * Can be stopped and started as needed.
+ */
+declare class AutoRefreshScheduler {
+    private tokenManager;
+    private options;
+    private checkInterval;
+    private abortController;
+    private isRunning;
+    /** Default refresh threshold: 60 seconds */
+    private static readonly DEFAULT_THRESHOLD_SECONDS;
+    /** Default check interval: 30 seconds */
+    private static readonly DEFAULT_CHECK_INTERVAL_MS;
+    constructor(options?: AutoRefreshOptions);
+    /**
+     * Start auto-refresh scheduling
+     *
+     * @param tokenManager - Token manager instance
+     */
+    start(tokenManager: TokenManager): void;
+    /**
+     * Stop auto-refresh scheduling
+     */
+    stop(): void;
+    /**
+     * Check if scheduler is running
+     */
+    get running(): boolean;
+    /**
+     * Get the abort signal for external cancellation support
+     */
+    get signal(): AbortSignal | null;
+    /**
+     * Check if token needs refresh and perform if needed
+     */
+    private checkAndRefresh;
+    /**
+     * Force an immediate refresh check
+     */
+    forceCheck(): Promise<void>;
+}
+
+/**
+ * Token API Client
+ *
+ * Provides session verification against the authorization server.
+ * Uses the UserInfo endpoint or custom session check endpoint.
+ */
+
+/**
+ * Session check result
+ */
+interface SessionCheckResult {
+    /** Whether session is valid */
+    valid: boolean;
+    /** User info if session is valid */
+    user?: UserInfo;
+    /** Error if session is invalid */
+    error?: AuthrimError;
+}
+/**
+ * Token API client options
+ */
+interface TokenApiClientOptions {
+    /** HTTP client */
+    http: HttpClient;
+}
+/**
+ * Token API Client
+ *
+ * Verifies session status with the authorization server.
+ */
+declare class TokenApiClient {
+    private readonly http;
+    constructor(options: TokenApiClientOptions);
+    /**
+     * Check session validity by calling UserInfo endpoint
+     *
+     * @param discovery - OIDC discovery document
+     * @param accessToken - Access token to verify
+     * @returns Session check result
+     */
+    checkSession(discovery: OIDCDiscoveryDocument, accessToken: string): Promise<SessionCheckResult>;
+    /**
+     * Get user info from the authorization server
+     *
+     * @param discovery - OIDC discovery document
+     * @param accessToken - Access token
+     * @returns User info
+     * @throws AuthrimError if request fails
+     */
+    getUserInfo(discovery: OIDCDiscoveryDocument, accessToken: string): Promise<UserInfo>;
+}
+
+/**
+ * Session Manager
+ *
+ * Coordinates session-related operations including checking
+ * session status and retrieving user information.
+ */
+
+/**
+ * Session manager options
+ */
+interface SessionManagerOptions {
+    /** Token manager */
+    tokenManager: TokenManager;
+    /** Token API client */
+    tokenApiClient: TokenApiClient;
+}
+/**
+ * Session Manager
+ */
+declare class SessionManager {
+    private readonly tokenManager;
+    private readonly tokenApiClient;
+    /** Discovery document */
+    private discovery;
+    constructor(options: SessionManagerOptions);
+    /**
+     * Set discovery document
+     */
+    setDiscovery(discovery: OIDCDiscoveryDocument): void;
+    /**
+     * Check if user is authenticated locally
+     *
+     * This checks if valid tokens exist in storage.
+     * Does not verify with the authorization server.
+     *
+     * @returns True if tokens exist
+     */
+    isAuthenticated(): Promise<boolean>;
+    /**
+     * Check session validity with authorization server
+     *
+     * Calls the UserInfo endpoint to verify the session is still valid.
+     *
+     * @returns Session check result
+     */
+    checkSession(): Promise<SessionCheckResult>;
+    /**
+     * Get user information
+     *
+     * Fetches user info from the UserInfo endpoint.
+     *
+     * @returns User info
+     * @throws AuthrimError if not authenticated or request fails
+     */
+    getUser(): Promise<UserInfo>;
+}
+
+/**
+ * Session State Calculator
  *
- * @param base64url - Base64URL encoded string
- * @returns Decoded string (UTF-8)
+ * Implements OIDC Session Management 1.0 specification
+ * https://openid.net/specs/openid-connect-session-1_0.html
+ *
+ * session_state = hash(client_id + " " + origin + " " + browser_state + salt) + "." + salt
  */
-declare function base64urlToString(base64url: string): string;
+
+/**
+ * Parameters for calculating session_state
+ */
+interface SessionStateParams {
+    /** OAuth client_id */
+    clientId: string;
+    /** RP origin (e.g., "https://example.com") */
+    origin: string;
+    /**
+     * OP-managed browser state (opaque value)
+     *
+     * Per OIDC Session Management 1.0 spec, this is called "browser_state" but is actually
+     * an opaque value managed by the OP to identify the session at the OP.
+     * It is NOT a value managed by the RP's browser.
+     */
+    opBrowserState: string;
+    /** Optional salt (generated if not provided) */
+    salt?: string;
+}
+/**
+ * Result of session_state calculation
+ */
+interface SessionStateResult {
+    /** Full session_state value (hash.salt) */
+    sessionState: string;
+    /** Hash portion of session_state */
+    hash: string;
+    /** Salt used in calculation */
+    salt: string;
+}
+/**
+ * Options for SessionStateCalculator
+ */
+interface SessionStateCalculatorOptions {
+    /** Crypto provider for hashing */
+    crypto: CryptoProvider;
+}
+/**
+ * Session State Calculator
+ *
+ * Calculates and validates session_state values per OIDC Session Management 1.0.
+ *
+ * Usage (OP side - calculating session_state to include in auth response):
+ * ```typescript
+ * const calculator = new SessionStateCalculator({ crypto });
+ * const result = await calculator.calculate({
+ *   clientId: 'my-client',
+ *   origin: 'https://rp.example.com',
+ *   opBrowserState: 'op-session-id-xyz'
+ * });
+ * // result.sessionState -> include in auth response
+ * ```
+ *
+ * Usage (RP check_session_iframe - validating session state):
+ * ```typescript
+ * const isValid = await calculator.validate(sessionState, {
+ *   clientId: 'my-client',
+ *   origin: 'https://rp.example.com',
+ *   opBrowserState: 'op-session-id-xyz'
+ * });
+ * ```
+ */
+declare class SessionStateCalculator {
+    private readonly crypto;
+    constructor(options: SessionStateCalculatorOptions);
+    /**
+     * Calculate session_state
+     *
+     * Per OIDC Session Management 1.0:
+     * session_state = hash(client_id + " " + origin + " " + browser_state + salt) + "." + salt
+     *
+     * @param params - Parameters for calculation
+     * @returns Session state result
+     */
+    calculate(params: SessionStateParams): Promise<SessionStateResult>;
+    /**
+     * Validate session_state
+     *
+     * Uses constant-time comparison to prevent timing attacks.
+     *
+     * @param sessionState - session_state value to validate
+     * @param params - Parameters that should match (without salt, extracted from sessionState)
+     * @returns true if valid
+     */
+    validate(sessionState: string, params: Omit<SessionStateParams, 'salt'>): Promise<boolean>;
+    /**
+     * Parse session_state into hash and salt components
+     *
+     * @param sessionState - session_state value to parse
+     * @returns Parsed components or null if invalid format
+     */
+    parse(sessionState: string): {
+        hash: string;
+        salt: string;
+    } | null;
+}
+
+/**
+ * Front-Channel Logout URL Builder
+ *
+ * Implements OpenID Connect Front-Channel Logout 1.0
+ * https://openid.net/specs/openid-connect-frontchannel-1_0.html
+ *
+ * Front-channel logout allows the OP to notify RPs of logout events
+ * via browser redirects (iframes loaded by the OP's logout page).
+ */
+
+/**
+ * Result of building a front-channel logout URL
+ */
+interface FrontChannelLogoutUrlResult {
+    /** Complete logout URL with query parameters */
+    url: string;
+    /** Parameters included in the URL */
+    params: FrontChannelLogoutParams;
+}
+/**
+ * Parameters for building a front-channel logout URL
+ */
+interface FrontChannelLogoutBuildParams {
+    /** Issuer identifier to include (optional) */
+    iss?: string;
+    /** Session ID to include (optional) */
+    sid?: string;
+}
+/**
+ * Validation options for front-channel logout requests
+ */
+interface FrontChannelLogoutValidationOptions {
+    /** Expected issuer (for validation) */
+    issuer?: string;
+    /** Expected session ID (for validation) */
+    sessionId?: string;
+    /** Require issuer parameter */
+    requireIss?: boolean;
+    /** Require session ID parameter */
+    requireSid?: boolean;
+}
+/**
+ * Result of front-channel logout request validation
+ */
+interface FrontChannelLogoutValidationResult {
+    /** Whether the request is valid */
+    valid: boolean;
+    /** Parsed parameters (if valid) */
+    params?: FrontChannelLogoutParams;
+    /** Error message (if invalid) */
+    error?: string;
+}
+/**
+ * Front-Channel Logout URL Builder
+ *
+ * Builds and validates front-channel logout URLs per OIDC Front-Channel Logout 1.0.
+ *
+ * Usage (OP side - building logout URL to load in iframe):
+ * ```typescript
+ * const builder = new FrontChannelLogoutUrlBuilder();
+ * const result = builder.build(
+ *   { logoutUri: 'https://rp.example.com/logout', includeIssuer: true, includeSessionId: true },
+ *   { iss: 'https://op.example.com', sid: 'session-123' }
+ * );
+ * // result.url -> load in iframe
+ * ```
+ *
+ * Usage (RP side - validating incoming logout request):
+ * ```typescript
+ * const result = builder.validateRequest(window.location.href, {
+ *   issuer: 'https://op.example.com',
+ *   requireIss: true
+ * });
+ * if (result.valid) {
+ *   // Perform local logout
+ * }
+ * ```
+ */
+declare class FrontChannelLogoutUrlBuilder {
+    /**
+     * Build a front-channel logout URL
+     *
+     * @param options - URL configuration options
+     * @param params - Parameters to include in the URL
+     * @returns Built URL and included parameters
+     */
+    build(options: FrontChannelLogoutUrlOptions, params: FrontChannelLogoutBuildParams): FrontChannelLogoutUrlResult;
+    /**
+     * Parse parameters from a front-channel logout URL
+     *
+     * @param url - URL or URL string to parse
+     * @returns Parsed parameters
+     */
+    parseParams(url: string | URL): FrontChannelLogoutParams;
+    /**
+     * Validate a front-channel logout request
+     *
+     * Uses constant-time comparison for security-sensitive values to prevent timing attacks.
+     *
+     * @param url - URL to validate
+     * @param expected - Expected values and requirements
+     * @returns Validation result
+     */
+    validateRequest(url: string | URL, expected?: FrontChannelLogoutValidationOptions): FrontChannelLogoutValidationResult;
+}
 
 /**
  * JWT Utilities
@@ -2050,12 +4070,375 @@ declare function isJwtExpired(payload: {
     exp?: number;
 }, skewSeconds?: number): boolean;
 /**
- * Get the nonce claim from an ID token
+ * Get the nonce claim from an ID token
+ *
+ * @param idToken - ID token string
+ * @returns nonce value or undefined
+ */
+declare function getIdTokenNonce(idToken: string): string | undefined;
+
+/**
+ * Back-Channel Logout Validator
+ *
+ * Implements OpenID Connect Back-Channel Logout 1.0
+ * https://openid.net/specs/openid-connect-backchannel-1_0.html
+ *
+ * Back-channel logout allows the OP to notify RPs of logout events
+ * via direct HTTP calls (server-to-server).
+ *
+ * NOTE: This validator performs claims validation only.
+ * JWT signature verification MUST be performed separately using JWKS.
+ */
+
+/**
+ * Back-channel logout event URI
+ */
+declare const BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
+/**
+ * Back-channel logout validation error codes
+ */
+type BackChannelLogoutErrorCode = 'invalid_format' | 'invalid_issuer' | 'invalid_audience' | 'invalid_events' | 'expired' | 'not_yet_valid' | 'missing_sub_and_sid' | 'sub_mismatch' | 'sid_mismatch' | 'missing_jti' | 'nonce_present';
+/**
+ * Options for validating a logout token
+ */
+interface BackChannelLogoutValidationOptions {
+    /** Expected issuer */
+    issuer: string;
+    /** Expected audience (client_id) */
+    audience: string;
+    /** Maximum age in seconds (default: 60) */
+    maxAge?: number;
+    /** Clock skew tolerance in seconds (default: 30) */
+    clockSkew?: number;
+    /** Expected session ID (optional) */
+    expectedSid?: string;
+    /** Expected subject (optional) */
+    expectedSub?: string;
+}
+/**
+ * Result of back-channel logout token validation
+ */
+interface BackChannelLogoutValidationResult {
+    /** Whether the token is valid */
+    valid: boolean;
+    /** Validated claims (if valid) */
+    claims?: LogoutTokenClaims;
+    /** JWT header (if valid) */
+    header?: JwtHeader;
+    /** Error message (if invalid) */
+    error?: string;
+    /** Error code (if invalid) */
+    errorCode?: BackChannelLogoutErrorCode;
+}
+/**
+ * Back-Channel Logout Validator
+ *
+ * Validates logout_token JWTs per OIDC Back-Channel Logout 1.0.
+ *
+ * ## Security Notes
+ *
+ * 1. **JWT Signature Verification**: This class performs claims validation only.
+ *    JWT signature verification MUST be performed separately using JWKS
+ *    before calling validate().
+ *
+ * 2. **JTI Replay Protection**: This validator checks for jti presence only.
+ *    The application MUST implement jti replay protection by:
+ *    - Storing used jti values (at least until token expiry + clock skew)
+ *    - Rejecting tokens with previously-used jti values
+ *
+ * Usage (Node.js server receiving back-channel logout request):
+ * ```typescript
+ * // 1. Receive logout_token from POST body
+ * const logoutToken = req.body.logout_token;
+ *
+ * // 2. Verify JWT signature using JWKS (not shown - use jose or similar)
+ * await verifyJwtSignature(logoutToken, jwks);
+ *
+ * // 3. Validate claims
+ * const validator = new BackChannelLogoutValidator();
+ * const result = validator.validate(logoutToken, {
+ *   issuer: 'https://op.example.com',
+ *   audience: 'my-client-id'
+ * });
+ *
+ * if (!result.valid) {
+ *   return res.status(400).send('Invalid logout token');
+ * }
+ *
+ * // 4. Check for jti replay (application responsibility)
+ * if (await jtiStore.has(result.claims.jti)) {
+ *   return res.status(400).send('Token replay detected');
+ * }
+ * await jtiStore.set(result.claims.jti, true, maxAge + clockSkew);
+ *
+ * // 5. Perform logout for sub and/or sid
+ * await logoutUser(result.claims.sub, result.claims.sid);
+ * ```
+ */
+declare class BackChannelLogoutValidator {
+    /**
+     * Validate a logout_token
+     *
+     * Per OIDC Back-Channel Logout 1.0, the logout_token MUST:
+     * - Be a valid JWT
+     * - Contain iss, aud, iat, jti claims
+     * - Contain events claim with back-channel logout event
+     * - Contain either sub or sid (or both)
+     * - NOT contain a nonce claim
+     *
+     * @param logoutToken - JWT logout token to validate
+     * @param options - Validation options
+     * @returns Validation result
+     */
+    validate(logoutToken: string, options: BackChannelLogoutValidationOptions): BackChannelLogoutValidationResult;
+    /**
+     * Extract claims from a logout token without validation
+     *
+     * Useful for inspecting the token before/during validation.
+     *
+     * @param logoutToken - JWT logout token
+     * @returns Claims or null if invalid format
+     */
+    extractClaims(logoutToken: string): LogoutTokenClaims | null;
+    /**
+     * Extract header from a logout token without validation
+     *
+     * Useful for getting kid to select the correct JWKS key.
+     *
+     * @param logoutToken - JWT logout token
+     * @returns Header or null if invalid format
+     */
+    extractHeader(logoutToken: string): JwtHeader | null;
+}
+
+/**
+ * Debug Module Types
+ *
+ * Types for debugging and observability features.
+ */
+/**
+ * Debug options for SDK initialization
+ */
+interface DebugOptions {
+    /** Enable debug mode */
+    enabled: boolean;
+    /** Enable verbose logging */
+    verbose?: boolean;
+    /** Include timestamps in logs */
+    logTimestamps?: boolean;
+    /** Custom logger implementation */
+    logger?: DebugLogger;
+    /** Maximum events to keep in timeline (default: 100) */
+    maxTimelineEvents?: number;
+    /** Redaction level for sensitive data */
+    redactLevel?: RedactLevel;
+}
+/**
+ * Debug logger interface
+ */
+interface DebugLogger {
+    /** Log a message with optional data */
+    log(level: DebugLogLevel, message: string, data?: unknown): void;
+}
+/**
+ * Debug log levels
+ */
+type DebugLogLevel = 'debug' | 'info' | 'warn' | 'error';
+/**
+ * Redaction level for sensitive data
+ *
+ * - 'default': Mask token values, keep structure
+ * - 'none': No redaction (only for development)
+ * - 'aggressive': Mask tokens and URL parameters
+ */
+type RedactLevel = 'default' | 'none' | 'aggressive';
+
+/**
+ * Event Timeline
+ *
+ * Records SDK events for debugging and observability.
+ * All sensitive data is automatically redacted.
+ */
+
+/**
+ * Event Timeline for debugging
+ *
+ * Records events with automatic redaction of sensitive data.
+ * Safe to use in production - no sensitive data is stored.
+ */
+declare class EventTimeline {
+    private entries;
+    private maxEvents;
+    private redactLevel;
+    constructor(options?: {
+        maxEvents?: number;
+        redactLevel?: RedactLevel;
+    });
+    /**
+     * Record an event to the timeline
+     *
+     * Data is automatically redacted based on redact level.
+     *
+     * @param type - Event type
+     * @param data - Event data (will be redacted)
+     * @param options - Recording options
+     */
+    record(type: string, data?: unknown, options?: {
+        operationId?: string;
+        redact?: RedactLevel;
+    }): void;
+    /**
+     * Get recent entries
+     *
+     * @param count - Number of entries to return (default: all)
+     * @returns Recent timeline entries
+     */
+    getRecent(count?: number): TimelineEntry[];
+    /**
+     * Get entries for a specific operation
+     *
+     * @param operationId - Operation ID to filter by
+     * @returns Entries for the operation
+     */
+    getByOperationId(operationId: string): TimelineEntry[];
+    /**
+     * Get entries by event type
+     *
+     * @param type - Event type to filter by
+     * @returns Entries matching the type
+     */
+    getByType(type: string): TimelineEntry[];
+    /**
+     * Clear all entries
+     */
+    clear(): void;
+    /**
+     * Get entry count
+     */
+    get length(): number;
+    /**
+     * Convert timeline to JSON string (for export/logging)
+     */
+    toJSON(): string;
+    /**
+     * Set redaction level
+     */
+    setRedactLevel(level: RedactLevel): void;
+    /**
+     * Redact sensitive data from event payload
+     */
+    private redactData;
+    /**
+     * Deep redact an object
+     */
+    private deepRedact;
+    /**
+     * Check if a key is sensitive
+     */
+    private isSensitiveKey;
+    /**
+     * Redact sensitive URL parameters
+     */
+    private redactUrl;
+}
+
+/**
+ * Debug Logger
+ *
+ * Platform-agnostic logging infrastructure for SDK debugging.
+ */
+
+/**
+ * Create a console-based debug logger
+ *
+ * This logger writes to console with Authrim-prefixed messages.
+ * Safe to use with any console implementation.
+ */
+declare function createConsoleLogger(options?: {
+    timestamps?: boolean;
+}): DebugLogger;
+/**
+ * No-op logger for when debug mode is disabled
+ */
+declare const noopLogger: DebugLogger;
+/**
+ * Create a debug logger based on options
+ */
+declare function createDebugLogger(options: DebugOptions): DebugLogger;
+/**
+ * Debug context for tracking operations
+ */
+declare class DebugContext {
+    private logger;
+    private verbose;
+    private operationId;
+    constructor(logger: DebugLogger, options?: {
+        verbose?: boolean;
+    });
+    /**
+     * Set current operation ID for log correlation
+     */
+    setOperationId(id: string | null): void;
+    /**
+     * Get current operation ID
+     */
+    getOperationId(): string | null;
+    /**
+     * Log a debug message (verbose mode only)
+     */
+    debug(message: string, data?: unknown): void;
+    /**
+     * Log an info message
+     */
+    info(message: string, data?: unknown): void;
+    /**
+     * Log a warning message
+     */
+    warn(message: string, data?: unknown): void;
+    /**
+     * Log an error message
+     */
+    error(message: string, data?: unknown): void;
+    /**
+     * Format message with operation ID if available
+     */
+    private formatMessage;
+}
+
+/**
+ * Base64URL Encoding/Decoding Utilities
+ *
+ * Implements RFC 4648 Section 5 (Base64 URL and Filename Safe Alphabet)
+ */
+/**
+ * Encode a Uint8Array to base64url string
+ *
+ * @param data - Bytes to encode
+ * @returns Base64URL encoded string (no padding)
+ */
+declare function base64urlEncode(data: Uint8Array): string;
+/**
+ * Decode a base64url string to Uint8Array
+ *
+ * @param str - Base64URL encoded string
+ * @returns Decoded bytes
+ * @throws Error if the input contains invalid characters
+ */
+declare function base64urlDecode(str: string): Uint8Array;
+/**
+ * Encode a string to base64url
+ *
+ * @param str - String to encode (UTF-8)
+ * @returns Base64URL encoded string
+ */
+declare function stringToBase64url(str: string): string;
+/**
+ * Decode a base64url string to string
  *
- * @param idToken - ID token string
- * @returns nonce value or undefined
+ * @param base64url - Base64URL encoded string
+ * @returns Decoded string (UTF-8)
  */
-declare function getIdTokenNonce(idToken: string): string | undefined;
+declare function base64urlToString(base64url: string): string;
 
 /**
  * Hash Utilities
@@ -2087,4 +4470,691 @@ declare function getIdTokenNonce(idToken: string): string | undefined;
  */
 declare function calculateDsHash(deviceSecret: string, crypto: CryptoProvider): Promise<string>;
 
-export { type AddressClaim, type AuthCallbackEvent, type AuthRedirectingEvent, type AuthState, AuthorizationCodeFlow, type AuthorizationContext, type AuthorizationUrlResult, AuthrimClient, type AuthrimClientConfig, AuthrimError, type AuthrimErrorCode, type AuthrimErrorMeta, type AuthrimErrorOptions, type AuthrimErrorSeverity, type AuthrimErrorUserAction, type AuthrimEventHandler, type AuthrimEventName, type AuthrimEvents, type AuthrimStorage, type BuildAuthorizationUrlOptions, type CodeChallengeMethod, type CryptoProvider, type DecodedJwt, DiscoveryClient, type EndpointOverrides, type ErrorEvent, EventEmitter, type ExchangeCodeOptions, type GenerateAuthStateOptions, type HashOptions, type HttpClient, type HttpOptions, type HttpResponse, type IntrospectTokenOptions, type IntrospectionResponse, type IntrospectionTokenTypeHint, type JwtHeader, LogoutHandler, type LogoutHandlerOptions, type LogoutOptions, type LogoutResult, type OIDCDiscoveryDocument, PKCEHelper, type PKCEPair, type ResolvedConfig, type RevokeTokenOptions, STORAGE_KEYS, type SessionCheckResult, type SessionEndedEvent, SessionManager, type SessionManagerOptions, type SessionStartedEvent, SilentAuthHandler, type SilentAuthOptions, type SilentAuthResult, type SilentAuthUrlResult, type StandardClaims, StateManager, TOKEN_TYPE_URIS, TokenApiClient, type TokenApiClientOptions, type TokenErrorEvent, type TokenExchangeRequest, type TokenExchangeResponse, type TokenExchangeResult, type TokenExchangedEvent, type TokenExpiredEvent, TokenIntrospector, type TokenIntrospectorOptions, TokenManager, type TokenManagerOptions, type TokenRefreshedEvent, type TokenResponse, TokenRevoker, type TokenRevokerOptions, type TokenSet, type TokenTypeHint, type TokenTypeUri, type UserInfo, base64urlDecode, base64urlEncode, base64urlToString, calculateDsHash, createAuthrimClient, decodeIdToken, decodeJwt, getErrorMeta, getIdTokenNonce, isJwtExpired, normalizeIssuer, resolveConfig, stringToBase64url };
+/**
+ * Timing-Safe Comparison Utilities
+ *
+ * Provides constant-time string comparison to prevent timing attacks.
+ * Used for comparing security-sensitive values like nonces and states.
+ */
+/**
+ * Compare two strings in constant time
+ *
+ * This function always takes the same amount of time regardless of
+ * where the strings differ, preventing timing attacks.
+ *
+ * @param a - First string
+ * @param b - Second string
+ * @returns true if strings are equal, false otherwise
+ */
+declare function timingSafeEqual(a: string, b: string): boolean;
+
+/**
+ * Cancellation Utilities
+ *
+ * Provides AbortController-based cancellation for async operations.
+ */
+/**
+ * Wrap a promise with AbortSignal support
+ *
+ * If the signal is aborted, the promise will reject with an
+ * 'operation_cancelled' error which is recoverable and retryable.
+ *
+ * @param promise - Promise to wrap
+ * @param signal - AbortSignal to use for cancellation
+ * @returns Promise that can be cancelled
+ */
+declare function withAbortSignal<T>(promise: Promise<T>, signal: AbortSignal): Promise<T>;
+/**
+ * Create a cancellable operation wrapper
+ *
+ * Returns an object with the promise and a cancel function.
+ * Useful for creating operations that can be externally cancelled.
+ *
+ * @param fn - Async function to execute
+ * @returns Object with promise and cancel function
+ */
+declare function createCancellableOperation<T>(fn: (signal: AbortSignal) => Promise<T>): {
+    promise: Promise<T>;
+    cancel: () => void;
+    signal: AbortSignal;
+};
+/**
+ * Check if an error is a cancellation error
+ */
+declare function isCancellationError(error: unknown): boolean;
+/**
+ * Race multiple promises with cancellation support
+ *
+ * When one promise resolves, other operations are cancelled.
+ *
+ * @param operations - Array of operations with their signals
+ * @returns Result of the first successful operation
+ */
+declare function raceWithCancellation<T>(operations: Array<{
+    promise: Promise<T>;
+    cancel: () => void;
+}>): Promise<T>;
+
+/**
+ * Retry Utilities
+ *
+ * Provides exponential backoff retry logic with jitter.
+ */
+/**
+ * Retry options
+ */
+interface RetryOptions {
+    /** Maximum number of retry attempts (default: 3) */
+    maxRetries?: number;
+    /** Base delay in milliseconds (default: 1000) */
+    baseDelayMs?: number;
+    /** Maximum delay in milliseconds (default: 30000) */
+    maxDelayMs?: number;
+    /** Enable jitter for delay randomization (default: true) */
+    jitter?: boolean;
+    /** AbortSignal for cancellation */
+    signal?: AbortSignal;
+    /** Custom retry condition (default: check isRetryableError) */
+    shouldRetry?: (error: unknown, attempt: number) => boolean;
+    /** Callback for each retry attempt */
+    onRetry?: (error: unknown, attempt: number, delayMs: number) => void;
+}
+/**
+ * Calculate delay with exponential backoff and optional jitter
+ *
+ * @param attempt - Current attempt number (0-indexed)
+ * @param baseDelayMs - Base delay in milliseconds
+ * @param maxDelayMs - Maximum delay in milliseconds
+ * @param jitter - Whether to add jitter
+ * @returns Delay in milliseconds
+ */
+declare function calculateBackoffDelay(attempt: number, baseDelayMs: number, maxDelayMs: number, jitter: boolean): number;
+/**
+ * Sleep for a specified duration
+ *
+ * @param ms - Duration in milliseconds
+ * @param signal - Optional AbortSignal for cancellation
+ */
+declare function sleep(ms: number, signal?: AbortSignal): Promise<void>;
+/**
+ * Execute a function with exponential backoff retry
+ *
+ * @param fn - Function to execute
+ * @param options - Retry options
+ * @returns Result of the function
+ */
+declare function withRetry<T>(fn: () => Promise<T>, options?: RetryOptions): Promise<T>;
+/**
+ * Create a retry function with preset options
+ *
+ * Useful for creating specialized retry functions for specific use cases.
+ *
+ * @param defaultOptions - Default options for all retries
+ * @returns Retry function with preset options
+ */
+declare function createRetryFunction(defaultOptions: RetryOptions): <T>(fn: () => Promise<T>, options?: RetryOptions) => Promise<T>;
+/**
+ * Extract Retry-After header value
+ *
+ * Supports both HTTP-date and delay-seconds formats.
+ *
+ * @param headers - Response headers
+ * @returns Delay in milliseconds, or null if not found
+ */
+declare function parseRetryAfterHeader(headers: Headers | Record<string, string>): number | null;
+
+/**
+ * Direct Authentication API Types
+ *
+ * Simple and intuitive BetterAuth-style API type definitions
+ * for calling Authrim API directly from custom login pages.
+ */
+/**
+ * Authenticator transport type
+ */
+type AuthenticatorTransportType = 'usb' | 'nfc' | 'ble' | 'internal' | 'hybrid';
+/**
+ * User verification requirement
+ */
+type UserVerificationRequirementType = 'required' | 'preferred' | 'discouraged';
+/**
+ * Authenticator attachment
+ */
+type AuthenticatorAttachmentType = 'platform' | 'cross-platform';
+/**
+ * Resident key requirement
+ */
+type ResidentKeyRequirementType = 'required' | 'preferred' | 'discouraged';
+/**
+ * Attestation conveyance preference
+ */
+type AttestationConveyancePreferenceType = 'none' | 'indirect' | 'direct' | 'enterprise';
+/**
+ * Public key credential type
+ */
+type PublicKeyCredentialType = 'public-key';
+/**
+ * COSE algorithm identifier
+ */
+type COSEAlgorithmIdentifier = -7 | -257 | -8 | -35 | -36 | -37 | -38 | -39 | number;
+/**
+ * Public key credential parameters
+ */
+interface PublicKeyCredentialParametersType {
+    type: PublicKeyCredentialType;
+    alg: COSEAlgorithmIdentifier;
+}
+/**
+ * Relying party entity
+ */
+interface PublicKeyCredentialRpEntityType {
+    id?: string;
+    name: string;
+}
+/**
+ * Authenticator selection criteria
+ */
+interface AuthenticatorSelectionCriteriaType {
+    authenticatorAttachment?: AuthenticatorAttachmentType;
+    residentKey?: ResidentKeyRequirementType;
+    requireResidentKey?: boolean;
+    userVerification?: UserVerificationRequirementType;
+}
+/**
+ * Authentication extensions client inputs
+ */
+interface AuthenticationExtensionsClientInputsType {
+    credProps?: boolean;
+    appid?: string;
+    [key: string]: unknown;
+}
+/**
+ * Social login provider
+ */
+type SocialProvider = 'google' | 'github' | 'apple' | 'microsoft' | 'facebook';
+/**
+ * MFA method
+ */
+type MfaMethod = 'totp' | 'sms' | 'email' | 'passkey';
+/**
+ * User information
+ */
+interface User {
+    /** User ID */
+    id: string;
+    /** Email address */
+    email?: string;
+    /** Whether email is verified */
+    emailVerified?: boolean;
+    /** Display name */
+    name?: string;
+    /** Profile picture URL */
+    picture?: string;
+    /** Username */
+    username?: string;
+    /** Additional claims */
+    [key: string]: unknown;
+}
+/**
+ * Session information
+ */
+interface Session {
+    /** Session ID */
+    id: string;
+    /** User ID */
+    userId: string;
+    /** Session creation time (ISO 8601) */
+    createdAt: string;
+    /** Session expiration time (ISO 8601) */
+    expiresAt: string;
+    /** Last activity time (ISO 8601) */
+    lastActiveAt?: string;
+    /** User agent that created the session */
+    userAgent?: string;
+    /** IP address (for display purposes only, not for security) */
+    ipAddress?: string;
+}
+/**
+ * Next action required after authentication
+ */
+type NextAction = {
+    type: 'mfa_required';
+    methods: MfaMethod[];
+} | {
+    type: 'consent_required';
+    scopes: string[];
+} | {
+    type: 'email_verification_required';
+};
+/**
+ * Authentication result (tokens are not returned directly for security)
+ */
+interface AuthResult {
+    /** Authentication success flag */
+    success: boolean;
+    /** Session information (on success) */
+    session?: Session;
+    /** User information (on success) */
+    user?: User;
+    /** Error information (on failure) */
+    error?: DirectAuthError;
+    /** Additional action required */
+    nextAction?: NextAction;
+}
+/**
+ * Direct Auth error structure (OAuth 2.0 extension)
+ */
+interface DirectAuthError {
+    /** OAuth 2.0 error code */
+    error: string;
+    /** Human-readable error description */
+    error_description?: string;
+    /** URI with more information about the error */
+    error_uri?: string;
+    /** Authrim error code (AR000001 format) */
+    code: string;
+    /** Error metadata */
+    meta: {
+        /** Whether the error can be retried */
+        retryable: boolean;
+        /** Whether the error is transient */
+        transient?: boolean;
+        /** Suggested user action */
+        user_action?: 'login' | 'reauth' | 'retry' | 'contact_admin';
+        /** Error severity */
+        severity: 'info' | 'warn' | 'error' | 'critical';
+        /** Retry after (seconds) */
+        retry_after?: number;
+    };
+}
+/**
+ * Passkey login options
+ */
+interface PasskeyLoginOptions {
+    /** Use conditional UI (autofill) */
+    conditional?: boolean;
+    /** Mediation preference */
+    mediation?: 'conditional' | 'optional' | 'required' | 'silent';
+    /** Abort signal for cancellation */
+    signal?: AbortSignal;
+}
+/**
+ * Passkey sign-up options
+ */
+interface PasskeySignUpOptions {
+    /** User email */
+    email: string;
+    /** User display name */
+    displayName?: string;
+    /** Preferred authenticator type */
+    authenticatorType?: 'platform' | 'cross-platform' | 'any';
+    /** Resident key requirement */
+    residentKey?: 'required' | 'preferred' | 'discouraged';
+    /** User verification requirement */
+    userVerification?: 'required' | 'preferred' | 'discouraged';
+    /** Abort signal for cancellation */
+    signal?: AbortSignal;
+}
+/**
+ * Passkey register options (for adding to existing account)
+ */
+interface PasskeyRegisterOptions {
+    /** Passkey display name */
+    displayName?: string;
+    /** Preferred authenticator type */
+    authenticatorType?: 'platform' | 'cross-platform' | 'any';
+    /** Resident key requirement */
+    residentKey?: 'required' | 'preferred' | 'discouraged';
+    /** User verification requirement */
+    userVerification?: 'required' | 'preferred' | 'discouraged';
+    /** Abort signal for cancellation */
+    signal?: AbortSignal;
+}
+/**
+ * Passkey credential (returned after registration)
+ */
+interface PasskeyCredential {
+    /** Credential ID (base64url) */
+    credentialId: string;
+    /** Public key (COSE format, base64url) */
+    publicKey: string;
+    /** Authenticator type */
+    authenticatorType: 'platform' | 'cross-platform';
+    /** Transports (usb, nfc, ble, internal, etc.) */
+    transports?: AuthenticatorTransportType[];
+    /** When the credential was created */
+    createdAt: string;
+    /** User-friendly name */
+    displayName?: string;
+}
+/**
+ * Email code send options
+ */
+interface EmailCodeSendOptions {
+    /** Email locale for the message */
+    locale?: string;
+    /** Code length (default: 6) */
+    codeLength?: 6 | 8;
+}
+/**
+ * Email code send result
+ */
+interface EmailCodeSendResult {
+    /** Attempt ID for verification */
+    attemptId: string;
+    /** Code expiration time (seconds) */
+    expiresIn: number;
+    /** Masked email for display */
+    maskedEmail: string;
+    /** Whether this is a new user */
+    isNewUser?: boolean;
+}
+/**
+ * Email code verify options
+ */
+interface EmailCodeVerifyOptions {
+    /** Create account if user doesn't exist */
+    createAccountIfNotExists?: boolean;
+}
+/**
+ * Social login options
+ */
+interface SocialLoginOptions {
+    /** Redirect URI after authentication */
+    redirectUri?: string;
+    /** Additional OAuth scopes */
+    scopes?: string[];
+    /** Custom state parameter */
+    state?: string;
+    /** Login hint (e.g., email address) */
+    loginHint?: string;
+    /** Popup window features */
+    popupFeatures?: {
+        width?: number;
+        height?: number;
+    };
+}
+/**
+ * Logout options
+ */
+interface DirectAuthLogoutOptions {
+    /** Revoke refresh tokens */
+    revokeTokens?: boolean;
+    /** Post-logout redirect URI */
+    redirectUri?: string;
+}
+/**
+ * Passkey login start request
+ */
+interface PasskeyLoginStartRequest {
+    client_id: string;
+    code_challenge: string;
+    code_challenge_method: 'S256';
+}
+/**
+ * Passkey login start response
+ */
+interface PasskeyLoginStartResponse {
+    /** Challenge ID (5 min TTL) */
+    challenge_id: string;
+    /** WebAuthn options */
+    options: PublicKeyCredentialRequestOptionsJSON;
+}
+/**
+ * Passkey login finish request
+ */
+interface PasskeyLoginFinishRequest {
+    challenge_id: string;
+    credential: AuthenticatorAssertionResponseJSON;
+    code_verifier: string;
+}
+/**
+ * Passkey login finish response
+ */
+interface PasskeyLoginFinishResponse {
+    /** Authorization code (60s TTL, single-use) */
+    auth_code: string;
+}
+/**
+ * Passkey signup start request
+ */
+interface PasskeySignupStartRequest {
+    client_id: string;
+    email: string;
+    display_name?: string;
+    code_challenge: string;
+    code_challenge_method: 'S256';
+    authenticator_type?: 'platform' | 'cross-platform' | 'any';
+    resident_key?: 'required' | 'preferred' | 'discouraged';
+    user_verification?: 'required' | 'preferred' | 'discouraged';
+}
+/**
+ * Passkey signup start response
+ */
+interface PasskeySignupStartResponse {
+    /** Challenge ID (5 min TTL) */
+    challenge_id: string;
+    /** WebAuthn creation options */
+    options: PublicKeyCredentialCreationOptionsJSON;
+}
+/**
+ * Passkey signup finish request
+ */
+interface PasskeySignupFinishRequest {
+    challenge_id: string;
+    credential: AuthenticatorAttestationResponseJSON;
+    code_verifier: string;
+}
+/**
+ * Passkey signup finish response
+ */
+interface PasskeySignupFinishResponse {
+    /** Authorization code (60s TTL, single-use) */
+    auth_code: string;
+    /** Whether the user was newly created */
+    is_new_user: boolean;
+}
+/**
+ * Email code send request
+ */
+interface EmailCodeSendRequest {
+    client_id: string;
+    email: string;
+    code_challenge: string;
+    code_challenge_method: 'S256';
+    locale?: string;
+}
+/**
+ * Email code send response
+ */
+interface EmailCodeSendResponse {
+    /** Attempt ID (5 min TTL) */
+    attempt_id: string;
+    /** Code expiration (seconds) */
+    expires_in: number;
+    /** Masked email */
+    masked_email: string;
+}
+/**
+ * Email code verify request
+ */
+interface EmailCodeVerifyRequest {
+    attempt_id: string;
+    code: string;
+    code_verifier: string;
+}
+/**
+ * Email code verify response
+ */
+interface EmailCodeVerifyResponse {
+    /** Authorization code (60s TTL, single-use) */
+    auth_code: string;
+    /** Whether the user was newly created */
+    is_new_user: boolean;
+}
+/**
+ * Token exchange request (Direct Auth)
+ */
+interface DirectAuthTokenRequest {
+    grant_type: 'authorization_code';
+    code: string;
+    client_id: string;
+    code_verifier: string;
+    /** Whether to request refresh token (for SPA opt-in) */
+    request_refresh_token?: boolean;
+}
+/**
+ * Token exchange response (OAuth 2.0 extension)
+ *
+ * Unified structure for Web/Mobile, differentiated by flags.
+ */
+interface DirectAuthTokenResponse {
+    /** Token type (always 'Bearer') */
+    token_type: 'Bearer';
+    /** Access token */
+    access_token: string;
+    /** Token expiration (seconds) */
+    expires_in: number;
+    /** Refresh token (Mobile, or SPA with opt-in) */
+    refresh_token?: string;
+    /** ID token */
+    id_token?: string;
+    /** Granted scopes */
+    scope?: string;
+    /** Whether session is established via Cookie (Web) */
+    session_established: boolean;
+    /** Session information */
+    session?: Session;
+    /** User information */
+    user?: User;
+}
+/**
+ * PublicKeyCredentialRequestOptions as JSON
+ */
+interface PublicKeyCredentialRequestOptionsJSON {
+    challenge: string;
+    timeout?: number;
+    rpId?: string;
+    allowCredentials?: PublicKeyCredentialDescriptorJSON[];
+    userVerification?: UserVerificationRequirementType;
+    extensions?: AuthenticationExtensionsClientInputsType;
+}
+/**
+ * PublicKeyCredentialCreationOptions as JSON
+ */
+interface PublicKeyCredentialCreationOptionsJSON {
+    rp: PublicKeyCredentialRpEntityType;
+    user: PublicKeyCredentialUserEntityJSON;
+    challenge: string;
+    pubKeyCredParams: PublicKeyCredentialParametersType[];
+    timeout?: number;
+    excludeCredentials?: PublicKeyCredentialDescriptorJSON[];
+    authenticatorSelection?: AuthenticatorSelectionCriteriaType;
+    attestation?: AttestationConveyancePreferenceType;
+    extensions?: AuthenticationExtensionsClientInputsType;
+}
+/**
+ * PublicKeyCredentialDescriptor as JSON
+ */
+interface PublicKeyCredentialDescriptorJSON {
+    type: PublicKeyCredentialType;
+    id: string;
+    transports?: AuthenticatorTransportType[];
+}
+/**
+ * PublicKeyCredentialUserEntity as JSON
+ */
+interface PublicKeyCredentialUserEntityJSON {
+    id: string;
+    name: string;
+    displayName: string;
+}
+/**
+ * AuthenticatorAssertionResponse as JSON
+ */
+interface AuthenticatorAssertionResponseJSON {
+    clientDataJSON: string;
+    authenticatorData: string;
+    signature: string;
+    userHandle?: string;
+}
+/**
+ * AuthenticatorAttestationResponse as JSON
+ */
+interface AuthenticatorAttestationResponseJSON {
+    clientDataJSON: string;
+    attestationObject: string;
+    transports?: AuthenticatorTransportType[];
+}
+/**
+ * Direct Auth client configuration
+ */
+interface DirectAuthClientConfig {
+    /** Authrim IdP URL */
+    issuer: string;
+    /** OAuth client ID */
+    clientId: string;
+    /** Default redirect URI */
+    redirectUri?: string;
+}
+/**
+ * Passkey authentication interface
+ */
+interface PasskeyAuth {
+    /** Login with Passkey */
+    login(options?: PasskeyLoginOptions): Promise<AuthResult>;
+    /** Sign up with Passkey (create account + register Passkey) */
+    signUp(options: PasskeySignUpOptions): Promise<AuthResult>;
+    /** Register a Passkey to existing account (requires authentication) */
+    register(options?: PasskeyRegisterOptions): Promise<PasskeyCredential>;
+    /** Check if WebAuthn is supported */
+    isSupported(): boolean;
+    /** Check if conditional UI (autofill) is available */
+    isConditionalUIAvailable(): Promise<boolean>;
+}
+/**
+ * Email code authentication interface
+ */
+interface EmailCodeAuth {
+    /** Send verification code to email */
+    send(email: string, options?: EmailCodeSendOptions): Promise<EmailCodeSendResult>;
+    /** Verify code and authenticate */
+    verify(email: string, code: string, options?: EmailCodeVerifyOptions): Promise<AuthResult>;
+}
+/**
+ * Social login interface
+ */
+interface SocialAuth {
+    /** Login with social provider (popup) */
+    loginWithPopup(provider: SocialProvider, options?: SocialLoginOptions): Promise<AuthResult>;
+    /** Login with social provider (redirect) */
+    loginWithRedirect(provider: SocialProvider, options?: SocialLoginOptions): Promise<void>;
+    /** Handle callback from social provider (redirect) */
+    handleCallback(): Promise<AuthResult>;
+}
+/**
+ * Session management interface
+ */
+interface SessionAuth {
+    /** Get current session */
+    get(): Promise<Session | null>;
+    /** Validate session */
+    validate(): Promise<boolean>;
+    /** Logout */
+    logout(options?: DirectAuthLogoutOptions): Promise<void>;
+}
+/**
+ * Direct Auth client interface (BetterAuth style)
+ */
+interface DirectAuthClient {
+    /** Passkey authentication */
+    passkey: PasskeyAuth;
+    /** Email code authentication */
+    emailCode: EmailCodeAuth;
+    /** Social login */
+    social: SocialAuth;
+    /** Session management */
+    session: SessionAuth;
+}
+
+export { type AddressClaim, type AttestationConveyancePreferenceType, type AuthCallbackCompleteEvent, type AuthCallbackEvent, type AuthCallbackProcessingEvent, type AuthFallbackEvent, type AuthInitEvent, type AuthLoginCompleteEvent, type AuthLogoutCompleteEvent, type AuthPopupBlockedEvent, type AuthRedirectingEvent, type AuthRequiredEvent, type AuthResult, type AuthState, type AuthStateSnapshot, type AuthState$1 as AuthStateType, type AuthenticationExtensionsClientInputsType, type AuthenticatorAssertionResponseJSON, type AuthenticatorAttachmentType, type AuthenticatorAttestationResponseJSON, type AuthenticatorSelectionCriteriaType, type AuthenticatorTransportType, AuthorizationCodeFlow, type AuthorizationContext, type AuthorizationUrlResult, AuthrimClient, type AuthrimClientConfig, AuthrimError, type AuthrimErrorCode, type AuthrimErrorMeta, type AuthrimErrorOptions, type AuthrimErrorRemediation, type AuthrimErrorSeverity, type AuthrimErrorUserAction, type AuthrimEventHandler, type AuthrimEventName, type AuthrimEvents, type AuthrimStorage, type AutoRefreshOptions, AutoRefreshScheduler, BACKCHANNEL_LOGOUT_EVENT, type BackChannelLogoutErrorCode, type BackChannelLogoutValidationOptions, type BackChannelLogoutValidationResult, BackChannelLogoutValidator, type BaseEventPayload, type BuildAuthorizationUrlOptions, type COSEAlgorithmIdentifier, type CheckSessionMessage, type CheckSessionResponse, type ClientAssertionClaims, type ClientAuthMethod, type ClientAuthResult, type ClientCredentials, ClientCredentialsClient, type ClientCredentialsClientOptions, type ClientCredentialsTokenOptions, type ClientSecretCredentials, type CodeChallengeMethod, type CoreEventName, type CryptoProvider, type DPoPCryptoProvider, type DPoPKeyPair, DPoPManager, type DPoPManagerConfig, type DPoPProofClaims, type DPoPProofHeader, type DPoPProofOptions, DebugContext, type DebugLogLevel, type DebugLogger, type DebugOptions, type DebugTimelineEvent, type DecodedJwt, type DeviceAuthorizationResponse, type DeviceFlowAccessDeniedResult, DeviceFlowClient, type DeviceFlowCompletedResult, type DeviceFlowExpiredResult, type DeviceFlowPendingResult, type DeviceFlowPollResult, type DeviceFlowSlowDownResult, type DeviceFlowStartOptions, type DeviceFlowState, type DirectAuthClient, type DirectAuthClientConfig, type DirectAuthError, type DirectAuthLogoutOptions, type DirectAuthTokenRequest, type DirectAuthTokenResponse, DiscoveryClient, type EmailCodeAuth, type EmailCodeSendOptions, type EmailCodeSendRequest, type EmailCodeSendResponse, type EmailCodeSendResult, type EmailCodeVerifyOptions, type EmailCodeVerifyRequest, type EmailCodeVerifyResponse, type EmitClassifiedErrorOptions, type EndpointOverrides, type ErrorClassification, type ErrorEvent, type ErrorEventEmitter, type ErrorEventPayload, type ErrorFatalEvent, type ErrorRecoverableEvent, type ErrorSeverity, EventEmitter, EventTimeline, type ExchangeCodeOptions, type FrontChannelLogoutBuildParams, type FrontChannelLogoutParams, FrontChannelLogoutUrlBuilder, type FrontChannelLogoutUrlOptions, type FrontChannelLogoutUrlResult, type FrontChannelLogoutValidationOptions, type FrontChannelLogoutValidationResult, type GenerateAuthStateOptions, type HashOptions, type HttpClient, type HttpOptions, type HttpResponse, type IntrospectTokenOptions, type IntrospectionResponse, type IntrospectionTokenTypeHint, JARBuilder, type JARBuilderConfig, type JARMResponseClaims, type JARMValidationOptions, type JARMValidationResult, JARMValidator, type JARMValidatorConfig, type JARRequestObjectClaims, type JARRequestOptions, type JWK, type JwtHeader, LogoutHandler, type LogoutHandlerOptions, type LogoutOptions, type LogoutResult, type LogoutTokenClaims, type MfaMethod, type NextAction, type NoClientCredentials, type OAuthErrorResponse, type OIDCDiscoveryDocument, PARClient, type PARClientOptions, type PARRequest, type PARResponse, type PARResult, PKCEHelper, type PKCEPair, type PasskeyAuth, type PasskeyCredential, type PasskeyLoginFinishRequest, type PasskeyLoginFinishResponse, type PasskeyLoginOptions, type PasskeyLoginStartRequest, type PasskeyLoginStartResponse, type PasskeyRegisterOptions, type PasskeySignUpOptions, type PasskeySignupFinishRequest, type PasskeySignupFinishResponse, type PasskeySignupStartRequest, type PasskeySignupStartResponse, type PrivateKeyJwtCredentials, type PublicKeyCredentialCreationOptionsJSON, type PublicKeyCredentialDescriptorJSON, type PublicKeyCredentialParametersType, type PublicKeyCredentialRequestOptionsJSON, type PublicKeyCredentialRpEntityType, type PublicKeyCredentialType, type PublicKeyCredentialUserEntityJSON, type RedactLevel, type ResidentKeyRequirementType, type ResolvedConfig, type RetryOptions, type RevokeTokenOptions, STORAGE_KEYS, type Session, type SessionAuth, type SessionChangeEvent, type SessionChangedEvent, type SessionCheckResult, type SessionEndedEvent, type SessionLogoutBroadcastEvent, type SessionManagementConfig, SessionManager, type SessionManagerOptions, type SessionStartedEvent, type SessionState, SessionStateCalculator, type SessionStateCalculatorOptions, type SessionStateParams, type SessionStateResult, type SessionSyncEvent, SilentAuthHandler, type SilentAuthOptions, type SilentAuthResult, type SilentAuthUrlResult, type SocialAuth, type SocialLoginOptions, type SocialProvider, type StandardClaims, type StateChangeEvent, StateManager, TOKEN_TYPE_URIS, type TimelineEntry, TokenApiClient, type TokenApiClientOptions, type TokenErrorEvent, type TokenExchangeRequest, type TokenExchangeResponse, type TokenExchangeResult, type TokenExchangedEvent, type TokenExpiredEvent, type TokenExpiringEvent, TokenIntrospector, type TokenIntrospectorOptions, TokenManager, type TokenManagerOptions, type TokenRefreshFailedEvent, type TokenRefreshedEvent, type TokenRefreshingEvent, type TokenResponse, TokenRevoker, type TokenRevokerOptions, type TokenSet, type TokenTypeHint, type TokenTypeUri, type User, type UserInfo, type UserVerificationRequirementType, type WarningITPEvent, type WarningPrivateModeEvent, type WarningStorageFallbackEvent, type WebOnlyEventName, base64urlDecode, base64urlEncode, base64urlToString, buildClientAuthentication, calculateBackoffDelay, calculateDsHash, classifyError, createAuthrimClient, createCancellableOperation, createConsoleLogger, createDebugLogger, createRetryFunction, decodeIdToken, decodeJwt, emitClassifiedError, getErrorMeta, getIdTokenNonce, isCancellationError, isJarRequired, isJwtExpired, isRetryableError, noopLogger, normalizeIssuer, parseRetryAfterHeader, raceWithCancellation, resolveConfig, sleep, stringToBase64url, timingSafeEqual, withAbortSignal, withRetry };