@authrim/core 0.1.3 → 0.1.4

package/dist/index.d.ts

@@ -394,6 +394,32 @@ interface OIDCDiscoveryDocument {
     introspection_endpoint_auth_signing_alg_values_supported?: string[];
     /** Code challenge methods supported (OPTIONAL) */
     code_challenge_methods_supported?: string[];
+    /** Pushed Authorization Request endpoint (OPTIONAL) */
+    pushed_authorization_request_endpoint?: string;
+    /** Whether PAR is required (OPTIONAL) */
+    require_pushed_authorization_requests?: boolean;
+    /** Device Authorization endpoint (OPTIONAL) */
+    device_authorization_endpoint?: string;
+    /** DPoP signing algorithms supported (OPTIONAL) */
+    dpop_signing_alg_values_supported?: string[];
+    /** Whether signed request object is required (OPTIONAL) */
+    require_signed_request_object?: boolean;
+    /** Authorization response signing algorithms supported (OPTIONAL) */
+    authorization_signing_alg_values_supported?: string[];
+    /** Authorization response encryption algorithms supported (OPTIONAL) */
+    authorization_encryption_alg_values_supported?: string[];
+    /** Authorization response encryption enc values supported (OPTIONAL) */
+    authorization_encryption_enc_values_supported?: string[];
+    /** Check session iframe URL (OPTIONAL) */
+    check_session_iframe?: string;
+    /** Whether front-channel logout is supported (OPTIONAL) */
+    frontchannel_logout_supported?: boolean;
+    /** Whether session ID is required in front-channel logout (OPTIONAL) */
+    frontchannel_logout_session_supported?: boolean;
+    /** Whether back-channel logout is supported (OPTIONAL) */
+    backchannel_logout_supported?: boolean;
+    /** Whether session ID is required in back-channel logout (OPTIONAL) */
+    backchannel_logout_session_supported?: boolean;
     /** Flow Engine support indicator (OPTIONAL, Authrim-specific) */
     flow_engine_supported?: boolean;
     [key: string]: unknown;
@@ -599,9 +625,16 @@ interface TokenExchangeResult {
  */
 type AuthrimErrorUserAction = 'retry' | 'reauthenticate' | 'contact_support' | 'check_network' | 'none';
 /**
- * Error severity level
+ * Error severity level (legacy - 3 levels)
  */
 type AuthrimErrorSeverity = 'fatal' | 'error' | 'warning';
+/**
+ * Error remediation action
+ *
+ * Specifies what action should be taken to recover from an error.
+ * Separated from severity for clearer decision making.
+ */
+type AuthrimErrorRemediation = 'retry' | 'reauthenticate' | 'switch_flow' | 'contact_support' | 'none';
 /**
  * Error metadata for recovery information
  */
@@ -622,7 +655,7 @@ interface AuthrimErrorMeta {
 /**
  * Error codes used by the SDK
  */
-type AuthrimErrorCode = 'invalid_request' | 'unauthorized_client' | 'access_denied' | 'unsupported_response_type' | 'invalid_scope' | 'server_error' | 'temporarily_unavailable' | 'invalid_grant' | 'invalid_token' | 'invalid_state' | 'expired_state' | 'invalid_nonce' | 'nonce_mismatch' | 'session_expired' | 'session_check_failed' | 'network_error' | 'timeout_error' | 'discovery_error' | 'discovery_mismatch' | 'configuration_error' | 'storage_error' | 'flow_engine_error' | 'no_tokens' | 'token_expired' | 'token_error' | 'refresh_error' | 'token_exchange_error' | 'oauth_error' | 'missing_code' | 'missing_state' | 'not_initialized' | 'no_discovery' | 'no_userinfo_endpoint' | 'userinfo_error' | 'introspection_error' | 'revocation_error' | 'no_introspection_endpoint' | 'no_revocation_endpoint' | 'login_required' | 'interaction_required' | 'consent_required' | 'account_selection_required' | 'dom_not_ready' | 'state_mismatch' | 'popup_blocked' | 'popup_closed' | 'invalid_response' | 'passkey_not_found' | 'passkey_verification_failed' | 'passkey_not_supported' | 'passkey_cancelled' | 'passkey_invalid_credential' | 'email_code_invalid' | 'email_code_expired' | 'email_code_too_many_attempts' | 'challenge_expired' | 'challenge_invalid' | 'auth_code_invalid' | 'auth_code_expired' | 'pkce_mismatch' | 'origin_not_allowed' | 'mfa_required' | 'email_verification_required' | 'consent_required_direct' | 'rate_limited' | 'event_handler_error';
+type AuthrimErrorCode = 'invalid_request' | 'unauthorized_client' | 'access_denied' | 'unsupported_response_type' | 'invalid_scope' | 'server_error' | 'temporarily_unavailable' | 'invalid_grant' | 'invalid_token' | 'invalid_state' | 'expired_state' | 'invalid_nonce' | 'nonce_mismatch' | 'missing_nonce' | 'missing_id_token' | 'session_expired' | 'session_check_failed' | 'network_error' | 'timeout_error' | 'discovery_error' | 'discovery_mismatch' | 'configuration_error' | 'storage_error' | 'flow_engine_error' | 'no_tokens' | 'token_expired' | 'token_error' | 'refresh_error' | 'token_exchange_error' | 'oauth_error' | 'missing_code' | 'missing_state' | 'not_initialized' | 'no_discovery' | 'no_userinfo_endpoint' | 'userinfo_error' | 'introspection_error' | 'revocation_error' | 'no_introspection_endpoint' | 'no_revocation_endpoint' | 'login_required' | 'interaction_required' | 'consent_required' | 'account_selection_required' | 'dom_not_ready' | 'state_mismatch' | 'popup_blocked' | 'popup_closed' | 'invalid_response' | 'invalid_callback' | 'passkey_not_found' | 'passkey_verification_failed' | 'passkey_not_supported' | 'passkey_cancelled' | 'passkey_invalid_credential' | 'email_code_invalid' | 'email_code_expired' | 'email_code_too_many_attempts' | 'challenge_expired' | 'challenge_invalid' | 'auth_code_invalid' | 'auth_code_expired' | 'pkce_mismatch' | 'origin_not_allowed' | 'mfa_required' | 'email_verification_required' | 'consent_required_direct' | 'rate_limited' | 'event_handler_error' | 'par_required' | 'no_par_endpoint' | 'par_error' | 'par_request_uri_expired' | 'no_device_authorization_endpoint' | 'device_authorization_error' | 'device_authorization_pending' | 'device_slow_down' | 'device_authorization_expired' | 'device_access_denied' | 'client_credentials_error' | 'invalid_client_authentication' | 'insecure_client_auth' | 'dpop_key_generation_error' | 'dpop_proof_generation_error' | 'dpop_nonce_required' | 'jar_signing_error' | 'jar_required' | 'jarm_validation_error' | 'jarm_signature_invalid' | 'operation_cancelled' | 'invalid_return_to';
 /**
  * Options for creating an AuthrimError
  */
@@ -665,82 +698,456 @@ declare class AuthrimError extends Error {
  * Get error metadata for a given error code
  */
 declare function getErrorMeta(code: AuthrimErrorCode): AuthrimErrorMeta;
+/**
+ * Error classification result
+ */
+interface ErrorClassification {
+    /** Severity: recoverable or fatal */
+    severity: 'recoverable' | 'fatal';
+    /** Recommended remediation action */
+    remediation: AuthrimErrorRemediation;
+}
+/**
+ * Classify an error by severity and remediation
+ *
+ * This provides a simplified 2-axis classification for UI decision making:
+ * - severity: Is this recoverable or fatal?
+ * - remediation: What action should be taken?
+ */
+declare function classifyError(error: AuthrimError): ErrorClassification;
+/**
+ * Check if an error is retryable based on classification
+ */
+declare function isRetryableError(error: AuthrimError): boolean;
+/**
+ * Event emitter interface for error emission
+ *
+ * Minimal interface required by emitClassifiedError
+ */
+interface ErrorEventEmitter {
+    emit(event: 'error', payload: {
+        error: AuthrimError;
+        severity: 'recoverable' | 'fatal';
+        remediation: AuthrimErrorRemediation;
+        context: string;
+        timestamp: number;
+        source: 'core' | 'web';
+        operationId?: string;
+    }): void;
+    emit(event: 'error:recoverable', payload: {
+        error: AuthrimError;
+        severity: 'recoverable';
+        remediation: AuthrimErrorRemediation;
+        context: string;
+        timestamp: number;
+        source: 'core' | 'web';
+        operationId?: string;
+    }): void;
+    emit(event: 'error:fatal', payload: {
+        error: AuthrimError;
+        severity: 'fatal';
+        remediation: AuthrimErrorRemediation;
+        context: string;
+        timestamp: number;
+        source: 'core' | 'web';
+        operationId?: string;
+    }): void;
+}
+/**
+ * Options for emitting classified errors
+ */
+interface EmitClassifiedErrorOptions {
+    /** Operation context where the error occurred */
+    context: string;
+    /** Operation tracking ID */
+    operationId?: string;
+    /** Event source (defaults to 'core') */
+    source?: 'core' | 'web';
+}
+/**
+ * Emit error events with proper classification
+ *
+ * Emits three events:
+ * 1. 'error' - Legacy event for backward compatibility
+ * 2. 'error:recoverable' - If severity is recoverable
+ * 3. 'error:fatal' - If severity is fatal
+ *
+ * @param emitter - Event emitter instance
+ * @param error - The error to emit
+ * @param options - Emission options (context, operationId, source)
+ */
+declare function emitClassifiedError(emitter: ErrorEventEmitter, error: AuthrimError, options: EmitClassifiedErrorOptions): void;
 
 /**
  * Event Types
+ *
+ * Unified event system for SDK observability.
+ * All events follow the namespace convention: auth:*, token:*, session:*, state:*, error:*, warning:*, debug:*
  */
 
 /**
- * Token refresh event data
+ * Base event payload - all events include these fields
  */
-interface TokenRefreshedEvent {
-    tokens: TokenSet;
+interface BaseEventPayload {
+    /** Event timestamp (Date.now()) */
+    timestamp: number;
+    /** Event source */
+    source: 'core' | 'web';
+    /** Operation tracking ID (maintained from redirect start to callback complete) */
+    operationId?: string;
 }
 /**
- * Token expired event data
+ * SDK initialization complete
  */
-interface TokenExpiredEvent {
-    accessToken: string;
+interface AuthInitEvent extends BaseEventPayload {
+    /** Client ID */
+    clientId: string;
+    /** Issuer URL */
+    issuer: string;
+}
+/**
+ * Auth redirecting event data
+ */
+interface AuthRedirectingEvent extends BaseEventPayload {
+    /** Authorization URL */
+    url: string;
+}
+/**
+ * Auth callback received
+ */
+interface AuthCallbackEvent extends BaseEventPayload {
+    /** Authorization code */
+    code: string;
+    /** State parameter */
+    state: string;
+}
+/**
+ * Callback processing started
+ */
+interface AuthCallbackProcessingEvent extends BaseEventPayload {
+    /** State parameter being processed */
+    state: string;
+}
+/**
+ * Callback processing complete
+ */
+interface AuthCallbackCompleteEvent extends BaseEventPayload {
+    /** Whether authentication was successful */
+    success: boolean;
+}
+/**
+ * Login complete
+ */
+interface AuthLoginCompleteEvent extends BaseEventPayload {
+    /** Authentication method used */
+    method: 'redirect' | 'popup' | 'silent' | 'passkey' | 'email_code' | 'social';
+    /** User info (if available) */
+    user?: UserInfo;
+}
+/**
+ * Logout complete
+ */
+interface AuthLogoutCompleteEvent extends BaseEventPayload {
+    /** Logout method */
+    method: 'local' | 'redirect' | 'front_channel' | 'back_channel';
+}
+/**
+ * Re-authentication required
+ */
+interface AuthRequiredEvent extends BaseEventPayload {
+    /** Reason for re-authentication */
+    reason: 'refresh_failed' | 'session_expired' | 'token_revoked' | 'user_action';
+}
+/**
+ * Popup blocked by browser (Web SDK only)
+ */
+interface AuthPopupBlockedEvent extends BaseEventPayload {
+    /** Intended popup URL */
+    url?: string;
 }
 /**
- * Token error event data
+ * Flow fallback occurred (e.g., popup → redirect)
  */
-interface TokenErrorEvent {
+interface AuthFallbackEvent extends BaseEventPayload {
+    /** Original flow */
+    from: 'popup' | 'silent' | 'iframe';
+    /** Fallback flow */
+    to: 'redirect';
+    /** Reason for fallback */
+    reason: 'popup_blocked' | 'iframe_timeout' | 'silent_failed';
+}
+/**
+ * Token refresh starting
+ */
+interface TokenRefreshingEvent extends BaseEventPayload {
+    /** Reason for refresh */
+    reason: 'expiring' | 'manual' | 'on_demand' | 'background';
+}
+/**
+ * Token refresh succeeded
+ */
+interface TokenRefreshedEvent extends BaseEventPayload {
+    /** Whether access token is present */
+    hasAccessToken: boolean;
+    /** Whether refresh token is present */
+    hasRefreshToken: boolean;
+    /** Whether ID token is present */
+    hasIdToken: boolean;
+    /** Token expiration timestamp (epoch seconds) */
+    expiresAt: number;
+}
+/**
+ * Token refresh failed
+ */
+interface TokenRefreshFailedEvent extends BaseEventPayload {
+    /** Error that caused the failure */
     error: AuthrimError;
+    /** Whether retry is possible */
+    willRetry: boolean;
+    /** Retry attempt number (0 = first attempt) */
+    attempt: number;
 }
 /**
- * Token exchanged event data (RFC 8693)
+ * Token expiring soon (warning)
  */
-interface TokenExchangedEvent {
-    tokens: TokenSet;
-    /** Issued token type URI (RFC 8693 standard or custom URI) */
+interface TokenExpiringEvent extends BaseEventPayload {
+    /** Token expiration timestamp (epoch seconds) */
+    expiresAt: number;
+    /** Remaining time in seconds */
+    expiresIn: number;
+}
+/**
+ * Token expired
+ */
+interface TokenExpiredEvent extends BaseEventPayload {
+    /** Token expiration timestamp (epoch seconds) */
+    expiredAt: number;
+    /** Whether refresh token is available */
+    hasRefreshToken: boolean;
+}
+/**
+ * Token error
+ */
+interface TokenErrorEvent extends BaseEventPayload {
+    /** Error details */
+    error: AuthrimError;
+    /** Operation context */
+    context: 'refresh' | 'exchange' | 'validation' | 'storage';
+}
+/**
+ * Token exchanged (RFC 8693)
+ */
+interface TokenExchangedEvent extends BaseEventPayload {
+    /** Whether new access token is present */
+    hasAccessToken: boolean;
+    /** Whether new refresh token is present */
+    hasRefreshToken: boolean;
+    /** Issued token type URI */
     issuedTokenType: TokenTypeUri | string;
 }
 /**
- * Session started event data
+ * Session started
  */
-interface SessionStartedEvent {
+interface SessionStartedEvent extends BaseEventPayload {
+    /** User info */
     user: UserInfo;
 }
 /**
- * Session ended event data
+ * Session ended
  */
-interface SessionEndedEvent {
+interface SessionEndedEvent extends BaseEventPayload {
+    /** Reason for session end */
     reason: 'logout' | 'expired' | 'revoked';
 }
 /**
- * Auth redirecting event data
+ * Session changed (general)
  */
-interface AuthRedirectingEvent {
-    url: string;
+interface SessionChangedEvent extends BaseEventPayload {
+    /** Whether user is authenticated */
+    isAuthenticated: boolean;
+    /** User info (if authenticated) */
+    user?: UserInfo;
 }
 /**
- * Auth callback event data
+ * Tab synchronization event (Web SDK only)
  */
-interface AuthCallbackEvent {
-    code: string;
-    state: string;
+interface SessionSyncEvent extends BaseEventPayload {
+    /** Sync action */
+    action: 'login' | 'logout' | 'refresh' | 'leader_change';
+    /** Source tab ID */
+    sourceTabId?: string;
+}
+/**
+ * Logout broadcast from another tab (Web SDK only)
+ */
+interface SessionLogoutBroadcastEvent extends BaseEventPayload {
+    /** Source tab ID */
+    sourceTabId?: string;
 }
 /**
- * Error event data
+ * Auth state type
+ */
+type AuthState$1 = 'idle' | 'initializing' | 'authenticated' | 'unauthenticated' | 'authenticating' | 'refreshing' | 'logging_out' | 'error';
+/**
+ * Auth state snapshot
+ */
+interface AuthStateSnapshot {
+    /** Current state */
+    state: AuthState$1;
+    /** Previous state */
+    previousState: AuthState$1 | null;
+    /** Snapshot timestamp */
+    timestamp: number;
+    /** Current operation ID */
+    operationId: string | null;
+    /** State context */
+    context: {
+        /** Whether user is authenticated */
+        isAuthenticated: boolean;
+        /** Token expiration timestamp (epoch seconds) */
+        tokenExpiresAt: number | null;
+        /** Last error */
+        lastError: AuthrimError | null;
+        /** Pending operation description */
+        pendingOperation: string | null;
+    };
+}
+/**
+ * State change event
+ */
+interface StateChangeEvent extends BaseEventPayload {
+    /** Previous state */
+    from: AuthState$1;
+    /** New state */
+    to: AuthState$1;
+    /** Full state snapshot */
+    snapshot: AuthStateSnapshot;
+}
+/**
+ * Error severity for event classification
+ */
+type ErrorSeverity = 'recoverable' | 'fatal';
+/**
+ * Error event payload (extended)
+ */
+interface ErrorEventPayload extends BaseEventPayload {
+    /** Error instance */
+    error: AuthrimError;
+    /** Error severity */
+    severity: ErrorSeverity;
+    /** Recommended remediation */
+    remediation: AuthrimErrorRemediation;
+    /** Operation context where error occurred */
+    context: string;
+}
+/**
+ * Legacy error event (backward compatibility)
  */
 interface ErrorEvent {
     error: AuthrimError;
     context: string;
 }
+/**
+ * Recoverable error event
+ */
+interface ErrorRecoverableEvent extends ErrorEventPayload {
+    severity: 'recoverable';
+}
+/**
+ * Fatal error event
+ */
+interface ErrorFatalEvent extends ErrorEventPayload {
+    severity: 'fatal';
+}
+/**
+ * ITP environment detected warning (Web SDK only)
+ */
+interface WarningITPEvent extends BaseEventPayload {
+    /** Warning message */
+    message: string;
+    /** Detected browser */
+    browser: 'safari' | 'webkit' | 'unknown';
+    /** Recommended action */
+    recommendation: 'use_redirect' | 'use_popup' | 'normal';
+}
+/**
+ * Storage fallback warning
+ *
+ * Fired when:
+ * - localStorage → sessionStorage fallback
+ * - sessionStorage → memory fallback
+ */
+interface WarningStorageFallbackEvent extends BaseEventPayload {
+    /** Original storage type */
+    from: 'localStorage' | 'sessionStorage';
+    /** Fallback storage type */
+    to: 'sessionStorage' | 'memory';
+    /** Reason for fallback */
+    reason: 'not_available' | 'quota_exceeded' | 'private_mode' | 'security_error';
+}
+/**
+ * Private browsing mode detected warning (Web SDK only)
+ */
+interface WarningPrivateModeEvent extends BaseEventPayload {
+    /** Detected browser */
+    browser: 'safari' | 'firefox' | 'chrome' | 'edge' | 'unknown';
+    /** Storage limitations */
+    limitations: string[];
+}
+/**
+ * Timeline event entry
+ */
+interface TimelineEntry {
+    /** Event type */
+    type: string;
+    /** Event timestamp */
+    timestamp: number;
+    /** Operation ID */
+    operationId?: string;
+    /** Redacted event data */
+    data?: Record<string, unknown>;
+}
+/**
+ * Debug timeline event
+ */
+interface DebugTimelineEvent extends BaseEventPayload {
+    /** Timeline entry */
+    entry: TimelineEntry;
+}
 /**
  * All Authrim events
  */
 interface AuthrimEvents {
+    'auth:init': AuthInitEvent;
+    'auth:redirecting': AuthRedirectingEvent;
+    'auth:callback': AuthCallbackEvent;
+    'auth:callback:processing': AuthCallbackProcessingEvent;
+    'auth:callback:complete': AuthCallbackCompleteEvent;
+    'auth:login:complete': AuthLoginCompleteEvent;
+    'auth:logout:complete': AuthLogoutCompleteEvent;
+    'auth:required': AuthRequiredEvent;
+    'auth:popup_blocked': AuthPopupBlockedEvent;
+    'auth:fallback': AuthFallbackEvent;
+    'token:refreshing': TokenRefreshingEvent;
     'token:refreshed': TokenRefreshedEvent;
+    'token:refresh:failed': TokenRefreshFailedEvent;
+    'token:expiring': TokenExpiringEvent;
     'token:expired': TokenExpiredEvent;
     'token:error': TokenErrorEvent;
     'token:exchanged': TokenExchangedEvent;
     'session:started': SessionStartedEvent;
     'session:ended': SessionEndedEvent;
-    'auth:redirecting': AuthRedirectingEvent;
-    'auth:callback': AuthCallbackEvent;
-    error: ErrorEvent;
+    'session:changed': SessionChangedEvent;
+    'session:sync': SessionSyncEvent;
+    'session:logout:broadcast': SessionLogoutBroadcastEvent;
+    'state:change': StateChangeEvent;
+    'error': ErrorEvent;
+    'error:recoverable': ErrorRecoverableEvent;
+    'error:fatal': ErrorFatalEvent;
+    'warning:itp': WarningITPEvent;
+    'warning:storage_fallback': WarningStorageFallbackEvent;
+    'warning:private_mode': WarningPrivateModeEvent;
+    'debug:timeline': DebugTimelineEvent;
 }
 /**
  * Event names
@@ -750,136 +1157,434 @@ type AuthrimEventName = keyof AuthrimEvents;
  * Event handler type
  */
 type AuthrimEventHandler<T extends AuthrimEventName> = (event: AuthrimEvents[T]) => void;
-
 /**
- * State/Nonce Manager
- *
- * Manages CSRF protection (state) and replay attack prevention (nonce)
- * for Authorization Code Flow.
+ * Events emitted by Core SDK
+ */
+type CoreEventName = 'auth:init' | 'auth:redirecting' | 'auth:callback' | 'auth:callback:processing' | 'auth:callback:complete' | 'auth:login:complete' | 'auth:logout:complete' | 'auth:required' | 'token:refreshing' | 'token:refreshed' | 'token:refresh:failed' | 'token:expiring' | 'token:expired' | 'token:error' | 'token:exchanged' | 'session:started' | 'session:ended' | 'session:changed' | 'state:change' | 'error' | 'error:recoverable' | 'error:fatal' | 'debug:timeline';
+/**
+ * Events emitted by Web SDK only
  */
+type WebOnlyEventName = 'auth:popup_blocked' | 'auth:fallback' | 'session:sync' | 'session:logout:broadcast' | 'warning:itp' | 'warning:storage_fallback' | 'warning:private_mode';
 
 /**
- * Auth state stored in storage
+ * Device Authorization Flow Types
+ * RFC 8628: OAuth 2.0 Device Authorization Grant
+ *
+ * Used for devices with limited input capabilities (TVs, CLI tools, IoT devices).
  */
-interface AuthState {
-    /** State parameter (CSRF protection) */
-    state: string;
-    /** Nonce parameter (replay attack prevention) */
-    nonce: string;
-    /** PKCE code verifier */
-    codeVerifier: string;
-    /** Redirect URI used for this auth request */
-    redirectUri: string;
-    /** Timestamp when state was created */
-    createdAt: number;
-    /** Timestamp when state expires */
-    expiresAt: number;
-}
 /**
- * Options for generating auth state
+ * Device authorization response from the server (RFC 8628 §3.2)
  */
-interface GenerateAuthStateOptions {
-    /** Redirect URI for this auth request */
-    redirectUri: string;
-    /** Code verifier for PKCE */
-    codeVerifier: string;
-    /** TTL in seconds (default: 600 = 10 minutes) */
-    ttlSeconds?: number;
+interface DeviceAuthorizationResponse {
+    /** Device verification code (for token requests) */
+    device_code: string;
+    /** User-facing code to enter at verification_uri */
+    user_code: string;
+    /** URI where the user should go to enter the code */
+    verification_uri: string;
+    /** Complete URI with user_code embedded (optional) */
+    verification_uri_complete?: string;
+    /** Lifetime of device_code and user_code in seconds */
+    expires_in: number;
+    /** Minimum polling interval in seconds (default: 5) */
+    interval?: number;
 }
 /**
- * Storage keys factory
- */
-declare const STORAGE_KEYS: {
-    /**
-     * Auth state key (state-specific)
-     */
-    readonly authState: (issuerHash: string, clientIdHash: string, state: string) => string;
-    /**
-     * Token storage key
-     */
-    readonly tokens: (issuerHash: string, clientIdHash: string) => string;
-    /**
-     * ID token storage key
-     */
-    readonly idToken: (issuerHash: string, clientIdHash: string) => string;
+ * Device flow state maintained by the client
+ */
+interface DeviceFlowState {
+    /** Device code (used for polling) */
+    deviceCode: string;
+    /** User code (displayed to user) */
+    userCode: string;
+    /** Verification URI (user goes here) */
+    verificationUri: string;
+    /** Complete verification URI with code (if provided) */
+    verificationUriComplete?: string;
+    /** Absolute expiration time (epoch seconds) */
+    expiresAt: number;
     /**
-     * Auth state prefix for cleanup
+     * Polling interval in seconds (RFC 8628)
+     *
+     * IMPORTANT: This value is in SECONDS, not milliseconds.
+     * When using with setTimeout, multiply by 1000.
      */
-    readonly authStatePrefix: (issuerHash: string, clientIdHash: string) => string;
-};
+    interval: number;
+}
 /**
- * State Manager
+ * Poll result from Device Flow
+ *
+ * Core SDK returns "facts" only - UX events are the responsibility
+ * of upper-layer SDKs (web/react/svelte).
  */
-declare class StateManager {
-    private readonly crypto;
-    private readonly storage;
-    private readonly issuerHash;
-    private readonly clientIdHash;
-    /** Default TTL: 10 minutes */
-    private static readonly DEFAULT_TTL_SECONDS;
-    /** Entropy bytes for state/nonce generation (256 bits = 32 bytes) */
-    private static readonly ENTROPY_BYTES;
-    constructor(crypto: CryptoProvider, storage: AuthrimStorage, issuerHash: string, clientIdHash: string);
-    /**
-     * Generate and store auth state
-     *
-     * Creates state, nonce, stores them with the code verifier.
-     *
-     * @param options - Generation options
-     * @returns Generated state string
-     */
-    generateAuthState(options: GenerateAuthStateOptions): Promise<AuthState>;
+type DeviceFlowPollResult = DeviceFlowPendingResult | DeviceFlowCompletedResult | DeviceFlowSlowDownResult | DeviceFlowExpiredResult | DeviceFlowAccessDeniedResult;
+/**
+ * Authorization pending - user hasn't completed auth yet
+ */
+interface DeviceFlowPendingResult {
+    status: 'pending';
     /**
-     * Validate and consume state
-     *
-     * Retrieves, validates, and ALWAYS deletes the state (success or failure).
-     * This ensures replay attack prevention and GC.
+     * Seconds until next poll attempt (RFC 8628)
      *
-     * @param state - State parameter from callback
-     * @returns Auth state if valid
-     * @throws AuthrimError if state is invalid or expired
+     * IMPORTANT: This value is in SECONDS.
+     * Use `retryAfter * 1000` for setTimeout in JavaScript.
      */
-    validateAndConsumeState(state: string): Promise<AuthState>;
+    retryAfter: number;
+}
+/**
+ * Authorization completed - tokens received
+ */
+interface DeviceFlowCompletedResult {
+    status: 'completed';
+    /** Received tokens */
+    tokens: TokenSet;
+}
+/**
+ * Slow down - polling too fast
+ */
+interface DeviceFlowSlowDownResult {
+    status: 'slow_down';
     /**
-     * Clean up expired states
-     *
-     * This is a best-effort cleanup. Only works if storage.getAll() is available.
-     * The primary GC mechanism is validateAndConsumeState()'s finally delete.
+     * New interval in seconds (server-specified)
      *
-     * Safe to call at startup or periodically.
+     * IMPORTANT: This value is in SECONDS.
+     * The polling interval should be increased to this value.
      */
-    cleanupExpiredStates(): Promise<void>;
+    retryAfter: number;
 }
-
 /**
- * PKCE (Proof Key for Code Exchange) Helper
- *
- * Implements RFC 7636 for Authorization Code Flow security.
- * https://tools.ietf.org/html/rfc7636
+ * Device code expired - user needs to start over
  */
-
+interface DeviceFlowExpiredResult {
+    status: 'expired';
+}
 /**
- * PKCE challenge method
+ * Access denied - user denied the authorization request
  */
-type CodeChallengeMethod = 'S256' | 'plain';
+interface DeviceFlowAccessDeniedResult {
+    status: 'access_denied';
+}
 /**
- * PKCE pair (verifier and challenge)
+ * Options for starting device authorization
  */
-interface PKCEPair {
-    /** Code verifier (high-entropy random string) */
-    codeVerifier: string;
-    /** Code challenge (derived from verifier) */
-    codeChallenge: string;
-    /** Challenge method used */
-    codeChallengeMethod: CodeChallengeMethod;
+interface DeviceFlowStartOptions {
+    /** Scopes to request */
+    scope?: string;
+    /** Additional parameters */
+    extraParams?: Record<string, string>;
 }
+
 /**
- * PKCE Helper class
+ * PAR (Pushed Authorization Request) Types
+ * RFC 9126: OAuth 2.0 Pushed Authorization Requests
  */
-declare class PKCEHelper {
-    private readonly crypto;
-    constructor(crypto: CryptoProvider);
-    /**
+/**
+ * PAR request parameters
+ */
+interface PARRequest {
+    /** Redirect URI (required) */
+    redirectUri: string;
+    /** Scopes to request (default: 'openid profile') */
+    scope?: string;
+    /**
+     * Response type (default: 'code')
+     *
+     * Use 'none' for session check without token issuance
+     * (OAuth 2.0 Multiple Response Types 1.0 §5)
+     */
+    responseType?: 'code' | 'none';
+    /** State parameter for CSRF protection */
+    state: string;
+    /** Nonce for replay attack prevention */
+    nonce: string;
+    /** PKCE code challenge */
+    codeChallenge: string;
+    /** PKCE code challenge method (always S256) */
+    codeChallengeMethod: 'S256';
+    /** Prompt behavior */
+    prompt?: 'none' | 'login' | 'consent' | 'select_account';
+    /** Hint about the login identifier */
+    loginHint?: string;
+    /** Requested Authentication Context Class Reference values */
+    acrValues?: string;
+    /** Additional custom parameters */
+    extraParams?: Record<string, string>;
+}
+/**
+ * PAR response from the server (RFC 9126 §2.2)
+ */
+interface PARResponse {
+    /** The request URI to use in authorization request */
+    request_uri: string;
+    /** Lifetime of the request URI in seconds */
+    expires_in: number;
+}
+/**
+ * PAR result returned by PARClient
+ */
+interface PARResult {
+    /** The request URI to use in authorization request */
+    requestUri: string;
+    /** Absolute expiration time (epoch seconds) */
+    expiresAt: number;
+}
+/**
+ * Options for PAR client
+ */
+interface PARClientOptions {
+    /** Additional headers to include in PAR request */
+    headers?: Record<string, string>;
+}
+
+/**
+ * Event Emitter
+ *
+ * Simple typed event emitter for SDK events.
+ */
+
+/**
+ * Typed Event Emitter
+ */
+declare class EventEmitter {
+    private listeners;
+    /**
+     * Subscribe to an event
+     *
+     * @param event - Event name
+     * @param handler - Event handler
+     * @returns Unsubscribe function
+     */
+    on<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): () => void;
+    /**
+     * Subscribe to an event (one-time)
+     *
+     * @param event - Event name
+     * @param handler - Event handler
+     * @returns Unsubscribe function
+     */
+    once<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): () => void;
+    /**
+     * Unsubscribe from an event
+     *
+     * @param event - Event name
+     * @param handler - Event handler to remove
+     */
+    off<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): void;
+    /**
+     * Emit an event
+     *
+     * @param event - Event name
+     * @param data - Event data
+     */
+    emit<T extends AuthrimEventName>(event: T, data: AuthrimEvents[T]): void;
+    /**
+     * Remove all listeners for an event (or all events)
+     *
+     * @param event - Event name (optional, removes all if not specified)
+     */
+    removeAllListeners(event?: AuthrimEventName): void;
+    /**
+     * Get the number of listeners for an event
+     *
+     * @param event - Event name
+     * @returns Number of listeners
+     */
+    listenerCount(event: AuthrimEventName): number;
+}
+
+/**
+ * State/Nonce Manager
+ *
+ * Manages CSRF protection (state) and replay attack prevention (nonce)
+ * for Authorization Code Flow.
+ */
+
+/**
+ * Auth state stored in storage
+ */
+interface AuthState {
+    /** State parameter (CSRF protection) */
+    state: string;
+    /** Nonce parameter (replay attack prevention) */
+    nonce: string;
+    /** PKCE code verifier */
+    codeVerifier: string;
+    /** Redirect URI used for this auth request */
+    redirectUri: string;
+    /** Requested scope (for validation) */
+    scope: string;
+    /** Timestamp when state was created */
+    createdAt: number;
+    /** Timestamp when state expires */
+    expiresAt: number;
+    /** Return URL after authentication (validated) */
+    returnTo?: string;
+    /** Operation tracking ID (for event correlation) */
+    operationId: string;
+}
+/**
+ * ReturnTo URL policy
+ *
+ * Controls which returnTo URLs are accepted to prevent open redirect attacks.
+ */
+type ReturnToPolicy = 'relative_only' | 'same_origin' | 'allowlist';
+/**
+ * ReturnTo URL options
+ */
+interface ReturnToOptions {
+    /** Validation policy */
+    policy: ReturnToPolicy;
+    /** Allowed origins (required when policy is 'allowlist') */
+    allowedOrigins?: string[];
+    /** Current origin for same_origin check (required in non-browser environments) */
+    currentOrigin?: string;
+}
+/**
+ * Options for generating auth state
+ */
+interface GenerateAuthStateOptions {
+    /** Redirect URI for this auth request */
+    redirectUri: string;
+    /** Code verifier for PKCE */
+    codeVerifier: string;
+    /** Requested scope (for validation) */
+    scope: string;
+    /** TTL in seconds (default: 600 = 10 minutes) */
+    ttlSeconds?: number;
+    /** Return URL after authentication */
+    returnTo?: string;
+    /** ReturnTo URL validation options */
+    returnToOptions?: ReturnToOptions;
+}
+/**
+ * Storage keys factory
+ */
+declare const STORAGE_KEYS: {
+    /**
+     * Auth state key (state-specific)
+     */
+    readonly authState: (issuerHash: string, clientIdHash: string, state: string) => string;
+    /**
+     * Token storage key
+     */
+    readonly tokens: (issuerHash: string, clientIdHash: string) => string;
+    /**
+     * ID token storage key
+     */
+    readonly idToken: (issuerHash: string, clientIdHash: string) => string;
+    /**
+     * Auth state prefix for cleanup
+     */
+    readonly authStatePrefix: (issuerHash: string, clientIdHash: string) => string;
+};
+/**
+ * State Manager
+ */
+declare class StateManager {
+    private readonly crypto;
+    private readonly storage;
+    private readonly issuerHash;
+    private readonly clientIdHash;
+    /** Default TTL: 10 minutes */
+    private static readonly DEFAULT_TTL_SECONDS;
+    /** Entropy bytes for state/nonce generation (256 bits = 32 bytes) */
+    private static readonly ENTROPY_BYTES;
+    /** Entropy bytes for operationId (128 bits = 16 bytes, enough for tracking) */
+    private static readonly OPERATION_ID_BYTES;
+    /** Auto cleanup interval (5 minutes) */
+    private static readonly DEFAULT_CLEANUP_INTERVAL_MS;
+    /** Cleanup interval handle */
+    private cleanupInterval;
+    constructor(crypto: CryptoProvider, storage: AuthrimStorage, issuerHash: string, clientIdHash: string);
+    /**
+     * Generate and store auth state
+     *
+     * Creates state, nonce, stores them with the code verifier.
+     *
+     * @param options - Generation options
+     * @returns Generated state string
+     */
+    generateAuthState(options: GenerateAuthStateOptions): Promise<AuthState>;
+    /**
+     * Validate returnTo URL against policy (Open Redirect Protection)
+     *
+     * @param returnTo - URL to validate
+     * @param options - Validation options
+     * @returns Validated URL
+     * @throws AuthrimError if URL is invalid
+     */
+    private validateReturnTo;
+    /**
+     * Validate and consume state
+     *
+     * Retrieves, validates, and ALWAYS deletes the state (success or failure).
+     * This ensures replay attack prevention and GC.
+     *
+     * @param state - State parameter from callback
+     * @returns Auth state if valid
+     * @throws AuthrimError if state is invalid or expired
+     */
+    validateAndConsumeState(state: string): Promise<AuthState>;
+    /**
+     * Clean up expired states
+     *
+     * This is a best-effort cleanup. Only works if storage.getAll() is available.
+     * The primary GC mechanism is validateAndConsumeState()'s finally delete.
+     *
+     * Safe to call at startup or periodically.
+     */
+    cleanupExpiredStates(): Promise<void>;
+    /**
+     * Start automatic cleanup of expired states
+     *
+     * Runs cleanup every 5 minutes by default.
+     *
+     * @param intervalMs - Cleanup interval in milliseconds (default: 300000 = 5 minutes)
+     */
+    startAutoCleanup(intervalMs?: number): void;
+    /**
+     * Stop automatic cleanup
+     */
+    stopAutoCleanup(): void;
+    /**
+     * Get the number of stored auth states
+     *
+     * Only works if storage.getAll() is available.
+     *
+     * @returns Number of stored states, or -1 if not supported
+     */
+    getStoredStateCount(): Promise<number>;
+}
+
+/**
+ * PKCE (Proof Key for Code Exchange) Helper
+ *
+ * Implements RFC 7636 for Authorization Code Flow security.
+ * https://tools.ietf.org/html/rfc7636
+ */
+
+/**
+ * PKCE challenge method
+ */
+type CodeChallengeMethod = 'S256' | 'plain';
+/**
+ * PKCE pair (verifier and challenge)
+ */
+interface PKCEPair {
+    /** Code verifier (high-entropy random string) */
+    codeVerifier: string;
+    /** Code challenge (derived from verifier) */
+    codeChallenge: string;
+    /** Challenge method used */
+    codeChallengeMethod: CodeChallengeMethod;
+}
+/**
+ * PKCE Helper class
+ */
+declare class PKCEHelper {
+    private readonly crypto;
+    constructor(crypto: CryptoProvider);
+    /**
      * Generate a PKCE pair (verifier + challenge)
      *
      * Uses S256 method (SHA-256 hash, base64url-encoded).
@@ -917,6 +1622,13 @@ interface BuildAuthorizationUrlOptions {
     redirectUri: string;
     /** Scopes to request (default: 'openid profile') */
     scope?: string;
+    /**
+     * Response type (default: 'code')
+     *
+     * Use 'none' for session check without token issuance
+     * (OAuth 2.0 Multiple Response Types 1.0 §5)
+     */
+    responseType?: 'code' | 'none';
     /** Prompt behavior */
     prompt?: 'none' | 'login' | 'consent' | 'select_account';
     /** Hint about the login identifier */
@@ -933,6 +1645,23 @@ interface BuildAuthorizationUrlOptions {
      * (e.g., cookie, server-side session)
      */
     exposeState?: boolean;
+    /**
+     * Use PAR (Pushed Authorization Request - RFC 9126)
+     *
+     * When true, authorization parameters are first pushed to the PAR endpoint,
+     * and the resulting request_uri is used in the authorization URL.
+     *
+     * Required when server sets require_pushed_authorization_requests=true.
+     */
+    usePar?: boolean;
+    /**
+     * Use JAR (JWT Secured Authorization Request - RFC 9101)
+     *
+     * When true, authorization parameters are encoded in a signed JWT.
+     *
+     * Required when server sets require_signed_request_object=true.
+     */
+    useJar?: boolean;
 }
 /**
  * Result of buildAuthorizationUrl
@@ -968,6 +1697,8 @@ interface ExchangeCodeOptions {
     codeVerifier: string;
     /** Nonce to validate in ID token */
     nonce: string;
+    /** Requested scope (for validation) */
+    scope: string;
 }
 /**
  * Authorization Code Flow helper
@@ -984,6 +1715,7 @@ declare class AuthorizationCodeFlow {
      * @param pkce - PKCE pair
      * @param options - Authorization options
      * @returns Authorization URL result
+     * @throws AuthrimError with code 'par_required' if server requires PAR but usePar is not enabled
      */
     buildAuthorizationUrl(discovery: OIDCDiscoveryDocument, authState: AuthState, pkce: PKCEPair, options: BuildAuthorizationUrlOptions): AuthorizationUrlResult;
     /**
@@ -1181,70 +1913,14 @@ declare class TokenRevoker {
 }
 
 /**
- * Event Emitter
+ * Logout Handler
  *
- * Simple typed event emitter for SDK events.
+ * Implements RP-Initiated Logout (OpenID Connect RP-Initiated Logout 1.0)
+ * https://openid.net/specs/openid-connect-rpinitiated-1_0.html
  */
 
 /**
- * Typed Event Emitter
- */
-declare class EventEmitter {
-    private listeners;
-    /**
-     * Subscribe to an event
-     *
-     * @param event - Event name
-     * @param handler - Event handler
-     * @returns Unsubscribe function
-     */
-    on<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): () => void;
-    /**
-     * Subscribe to an event (one-time)
-     *
-     * @param event - Event name
-     * @param handler - Event handler
-     * @returns Unsubscribe function
-     */
-    once<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): () => void;
-    /**
-     * Unsubscribe from an event
-     *
-     * @param event - Event name
-     * @param handler - Event handler to remove
-     */
-    off<T extends AuthrimEventName>(event: T, handler: AuthrimEventHandler<T>): void;
-    /**
-     * Emit an event
-     *
-     * @param event - Event name
-     * @param data - Event data
-     */
-    emit<T extends AuthrimEventName>(event: T, data: AuthrimEvents[T]): void;
-    /**
-     * Remove all listeners for an event (or all events)
-     *
-     * @param event - Event name (optional, removes all if not specified)
-     */
-    removeAllListeners(event?: AuthrimEventName): void;
-    /**
-     * Get the number of listeners for an event
-     *
-     * @param event - Event name
-     * @returns Number of listeners
-     */
-    listenerCount(event: AuthrimEventName): number;
-}
-
-/**
- * Logout Handler
- *
- * Implements RP-Initiated Logout (OpenID Connect RP-Initiated Logout 1.0)
- * https://openid.net/specs/openid-connect-rpinitiated-1_0.html
- */
-
-/**
- * Logout options
+ * Logout options
  */
 interface LogoutOptions {
     /** URI to redirect to after logout */
@@ -1360,6 +2036,12 @@ declare class AuthrimClient {
     private stateManager;
     /** Authorization code flow helper */
     private readonly authCodeFlow;
+    /** PAR client */
+    private readonly parClient;
+    /** Device Flow client */
+    private readonly deviceFlowClient;
+    /** DPoP manager (lazily initialized) */
+    private dpopManager;
     /** Token manager (initialized in initialize()) */
     private tokenManager;
     /** Logout handler (initialized in initialize()) */
@@ -1378,6 +2060,10 @@ declare class AuthrimClient {
     private readonly normalizedIssuer;
     /** Whether the client has been initialized */
     private initialized;
+    /**
+     * Get the event emitter for subscribing to SDK events
+     */
+    get eventEmitter(): EventEmitter;
     /**
      * Create a new Authrim client
      *
@@ -1420,6 +2106,144 @@ declare class AuthrimClient {
      * @returns Token set
      */
     handleCallback(callbackUrl: string): Promise<TokenSet>;
+    /**
+     * PAR API accessor
+     *
+     * Provides access to Pushed Authorization Request functionality.
+     * PAR allows pushing authorization request parameters to a dedicated endpoint,
+     * receiving a request_uri to use in the authorization URL.
+     */
+    get par(): {
+        /**
+         * Push authorization request and get request_uri
+         *
+         * @param options - Authorization options
+         * @returns PAR result with request_uri and expiration
+         */
+        push: (options: BuildAuthorizationUrlOptions) => Promise<PARResult>;
+        /**
+         * Build authorization URL using request_uri from PAR
+         *
+         * @param requestUri - Request URI from PAR response
+         * @returns Authorization URL
+         */
+        buildAuthorizationUrl: (requestUri: string) => Promise<string>;
+        /**
+         * Check if PAR is available
+         *
+         * @returns True if PAR endpoint is available
+         */
+        isAvailable: () => Promise<boolean>;
+        /**
+         * Check if PAR is required by the server
+         *
+         * @returns True if server requires PAR
+         */
+        isRequired: () => Promise<boolean>;
+    };
+    /**
+     * Device Flow API accessor
+     *
+     * Provides access to Device Authorization Grant functionality.
+     * Used for devices with limited input capabilities (TVs, CLIs, IoT).
+     */
+    get deviceFlow(): {
+        /**
+         * Start device authorization
+         *
+         * @param options - Start options (scope, etc.)
+         * @returns Device flow state with codes and URIs
+         */
+        start: (options?: DeviceFlowStartOptions) => Promise<DeviceFlowState>;
+        /**
+         * Poll once for token
+         *
+         * @param state - Device flow state
+         * @returns Poll result
+         */
+        pollOnce: (state: DeviceFlowState) => Promise<DeviceFlowPollResult>;
+        /**
+         * Poll until complete or expired
+         *
+         * @param state - Device flow state
+         * @param options - Polling options (signal for abort)
+         * @returns Token set on success
+         */
+        pollUntilComplete: (state: DeviceFlowState, options?: {
+            signal?: AbortSignal;
+        }) => Promise<TokenSet>;
+        /**
+         * Check if Device Flow is available
+         *
+         * @returns True if device authorization endpoint is available
+         */
+        isAvailable: () => Promise<boolean>;
+    };
+    /**
+     * DPoP API accessor
+     *
+     * Provides access to DPoP (Demonstrating Proof of Possession) functionality.
+     * DPoP binds access tokens to a cryptographic key held by the client,
+     * preventing token theft and replay attacks.
+     *
+     * NOTE: The CryptoProvider must implement DPoPCryptoProvider interface
+     * for DPoP to be available.
+     *
+     * @returns DPoP API accessor, or undefined if not supported
+     */
+    get dpop(): {
+        /**
+         * Initialize DPoP (generates or retrieves key pair)
+         */
+        initialize: () => Promise<void>;
+        /**
+         * Check if DPoP is initialized
+         */
+        isInitialized: () => boolean;
+        /**
+         * Generate a DPoP proof for a request
+         *
+         * @param method - HTTP method (GET, POST, etc.)
+         * @param uri - Full request URI
+         * @param options - Additional options (access token hash, nonce)
+         * @returns Signed DPoP proof JWT
+         */
+        generateProof: (method: string, uri: string, options?: {
+            accessTokenHash?: string;
+            nonce?: string;
+        }) => Promise<string>;
+        /**
+         * Handle DPoP-Nonce response from server
+         *
+         * @param nonce - Server-provided nonce
+         */
+        handleNonceResponse: (nonce: string) => void;
+        /**
+         * Calculate access token hash for ath claim
+         *
+         * @param accessToken - Access token to hash
+         * @returns Base64url-encoded SHA-256 hash
+         */
+        calculateAccessTokenHash: (accessToken: string) => Promise<string>;
+        /**
+         * Get the public key JWK
+         */
+        getPublicKeyJwk: () => JWK | null;
+        /**
+         * Get the JWK thumbprint
+         */
+        getThumbprint: () => string | null;
+        /**
+         * Clear DPoP key pair (call on logout)
+         */
+        clear: () => Promise<void>;
+        /**
+         * Check if DPoP is supported by the server
+         *
+         * @returns True if server advertises DPoP support
+         */
+        isServerSupported: () => Promise<boolean>;
+    } | undefined;
     /**
      * Token API accessor
      */
@@ -1623,6 +2447,13 @@ interface SilentAuthOptions {
     redirectUri: string;
     /** Scopes to request (default: 'openid') */
     scope?: string;
+    /**
+     * Response type (default: 'code')
+     *
+     * Use 'none' for session check without token issuance
+     * (OAuth 2.0 Multiple Response Types 1.0 §5)
+     */
+    responseType?: 'code' | 'none';
     /** Hint about the login identifier */
     loginHint?: string;
     /** ID token hint (helps IdP identify the user) */
@@ -1714,263 +2545,1864 @@ declare class SilentAuthHandler {
 }
 
 /**
- * Token Manager
+ * PAR (Pushed Authorization Request) Client
+ * RFC 9126: OAuth 2.0 Pushed Authorization Requests
  *
- * Manages token storage, retrieval, and automatic refresh.
- * Implements in-flight request coalescing for concurrent refresh requests.
+ * PAR allows the client to push the authorization request payload
+ * to the authorization server via a direct POST request, receiving
+ * a request_uri to use in the authorization URL.
+ *
+ * Benefits:
+ * - Integrity protection of authorization request
+ * - Confidentiality of authorization request parameters
+ * - Support for large request parameters
+ * - Required for FAPI 2.0 compliance
  */
 
 /**
- * Token manager options
+ * PAR Client
+ *
+ * Handles Pushed Authorization Requests per RFC 9126.
  */
-interface TokenManagerOptions {
+declare class PARClient {
+    private readonly http;
+    private readonly clientId;
+    private readonly options?;
+    constructor(http: HttpClient, clientId: string, options?: PARClientOptions | undefined);
+    /**
+     * Push authorization request to the server
+     *
+     * @param discovery - OIDC discovery document
+     * @param request - PAR request parameters
+     * @returns PAR result with request_uri and expiration
+     * @throws AuthrimError with code 'no_par_endpoint' if PAR endpoint not available
+     * @throws AuthrimError with code 'par_error' if PAR request fails
+     */
+    pushAuthorizationRequest(discovery: OIDCDiscoveryDocument, request: PARRequest): Promise<PARResult>;
+    /**
+     * Build authorization URL using request_uri from PAR
+     *
+     * @param discovery - OIDC discovery document
+     * @param requestUri - Request URI from PAR response
+     * @returns Authorization URL
+     */
+    buildAuthorizationUrlWithPar(discovery: OIDCDiscoveryDocument, requestUri: string): string;
+}
+
+/**
+ * Client Authentication Types
+ * RFC 6749 §2.3, RFC 7521, RFC 7523
+ */
+/**
+ * Client authentication methods
+ */
+type ClientAuthMethod = 'client_secret_basic' | 'client_secret_post' | 'private_key_jwt' | 'none';
+/**
+ * Client secret credentials (Basic or POST)
+ */
+interface ClientSecretCredentials {
+    /** Authentication method */
+    method: 'client_secret_basic' | 'client_secret_post';
+    /** Client secret */
+    clientSecret: string;
+}
+/**
+ * Private key JWT credentials (RFC 7523)
+ */
+interface PrivateKeyJwtCredentials {
+    /** Authentication method */
+    method: 'private_key_jwt';
+    /**
+     * Function to sign JWT assertions
+     *
+     * @param claims - JWT claims to sign
+     * @returns Signed JWT string
+     */
+    signJwt: (claims: Record<string, unknown>) => Promise<string>;
+    /** Key ID to include in JWT header */
+    keyId?: string;
+}
+/**
+ * No client authentication (public client)
+ *
+ * SECURITY: method='none' requires explicit opt-in via dangerouslyAllowInsecure
+ * to ensure developers consciously choose to use public client authentication.
+ */
+interface NoClientCredentials {
+    /** Authentication method */
+    method: 'none';
+    /**
+     * Required flag to acknowledge insecure client authentication
+     *
+     * Setting this to true acknowledges that:
+     * - The client cannot be authenticated securely
+     * - This should only be used for public clients (browser apps, native apps)
+     * - Tokens may be exposed to the user
+     */
+    dangerouslyAllowInsecure: true;
+}
+/**
+ * Union type for all client credentials
+ */
+type ClientCredentials = ClientSecretCredentials | PrivateKeyJwtCredentials | NoClientCredentials;
+/**
+ * JWT assertion claims for client authentication
+ */
+interface ClientAssertionClaims extends Record<string, unknown> {
+    /** Issuer (client_id) */
+    iss: string;
+    /** Subject (client_id) */
+    sub: string;
+    /** Audience (token endpoint URL) */
+    aud: string;
+    /** JWT ID (unique identifier) */
+    jti: string;
+    /** Expiration time (epoch seconds) */
+    exp: number;
+    /** Issued at time (epoch seconds) */
+    iat: number;
+}
+
+/**
+ * Client Authentication Utilities
+ * RFC 6749 §2.3, RFC 7521, RFC 7523
+ *
+ * Provides utilities for building client authentication headers and body parameters
+ * for various authentication methods.
+ */
+
+/**
+ * Client authentication result
+ */
+interface ClientAuthResult {
+    /** Headers to include in the request */
+    headers: Record<string, string>;
+    /** Body parameters to include in the request */
+    bodyParams: Record<string, string>;
+}
+/**
+ * Build client authentication headers and body parameters
+ *
+ * @param credentials - Client credentials configuration
+ * @param clientId - Client ID
+ * @param tokenEndpoint - Token endpoint URL (used as audience for private_key_jwt)
+ * @returns Headers and body parameters for authentication
+ * @throws AuthrimError with code 'insecure_client_auth' if method='none' without dangerouslyAllowInsecure
+ * @throws AuthrimError with code 'invalid_client_authentication' for invalid credentials
+ */
+declare function buildClientAuthentication(credentials: ClientCredentials, clientId: string, tokenEndpoint: string): Promise<ClientAuthResult>;
+
+/**
+ * Client Credentials Flow
+ * RFC 6749 §4.4
+ *
+ * The client credentials grant is used for machine-to-machine (M2M) authentication
+ * where no user is involved. The client authenticates directly with the authorization
+ * server using its own credentials.
+ *
+ * IMPORTANT: This flow should only be used in secure environments (server-side)
+ * where client credentials can be kept confidential.
+ */
+
+/**
+ * Options for ClientCredentialsClient constructor
+ */
+interface ClientCredentialsClientOptions {
     /** HTTP client */
     http: HttpClient;
-    /** Storage provider */
-    storage: AuthrimStorage;
     /** Client ID */
     clientId: string;
-    /** Issuer hash for storage keys */
-    issuerHash: string;
-    /** Client ID hash for storage keys */
-    clientIdHash: string;
-    /** Refresh skew in seconds (default: 30) */
-    refreshSkewSeconds?: number;
-    /** Event emitter for token events */
-    eventEmitter?: EventEmitter;
+    /** Client credentials */
+    credentials: ClientCredentials;
 }
 /**
- * Token Manager
+ * Options for getting a token
+ */
+interface ClientCredentialsTokenOptions {
+    /** Scopes to request */
+    scope?: string;
+    /** Target audience (resource server identifier) */
+    audience?: string;
+    /** Additional parameters */
+    extraParams?: Record<string, string>;
+}
+/**
+ * Client Credentials Flow Client
  *
- * Handles token storage, retrieval, and automatic refresh with
- * concurrent request coalescing.
+ * Handles machine-to-machine authentication using the client credentials grant.
  */
-declare class TokenManager {
+declare class ClientCredentialsClient {
     private readonly http;
-    private readonly storage;
     private readonly clientId;
-    private readonly issuerHash;
-    private readonly clientIdHash;
-    private readonly refreshSkewSeconds;
-    private readonly eventEmitter?;
-    /** In-flight refresh promise for request coalescing */
-    private refreshPromise;
-    /** Discovery document (set externally) */
-    private discovery;
-    /** Default refresh skew: 30 seconds */
-    private static readonly DEFAULT_REFRESH_SKEW_SECONDS;
-    constructor(options: TokenManagerOptions);
+    private readonly credentials;
+    constructor(options: ClientCredentialsClientOptions);
     /**
-     * Set discovery document
+     * Get an access token using client credentials
+     *
+     * @param discovery - OIDC discovery document
+     * @param options - Token request options
+     * @returns Token set
+     * @throws AuthrimError with code 'client_credentials_error' if token request fails
      */
-    setDiscovery(discovery: OIDCDiscoveryDocument): void;
+    getToken(discovery: OIDCDiscoveryDocument, options?: ClientCredentialsTokenOptions): Promise<TokenSet>;
+}
+
+/**
+ * Device Authorization Flow
+ * RFC 8628: OAuth 2.0 Device Authorization Grant
+ *
+ * Used for devices with limited input capabilities where the user
+ * authenticates on a separate device (phone, computer).
+ *
+ * Flow:
+ * 1. Client requests device code from authorization server
+ * 2. User goes to verification URI and enters user code
+ * 3. Client polls token endpoint until user completes auth
+ *
+ * NOTE: This core SDK returns "facts" only - UX events like
+ * 'device:started' or 'device:pending' are the responsibility
+ * of upper-layer SDKs (web/react/svelte).
+ */
+
+/**
+ * Device Flow Client
+ *
+ * Handles the OAuth 2.0 Device Authorization Grant (RFC 8628).
+ */
+declare class DeviceFlowClient {
+    private readonly http;
+    private readonly clientId;
+    constructor(http: HttpClient, clientId: string);
     /**
-     * Get storage key for tokens
+     * Start device authorization
+     *
+     * Requests a device code and user code from the authorization server.
+     *
+     * @param discovery - OIDC discovery document
+     * @param options - Start options (scope, etc.)
+     * @returns Device flow state with codes and URIs
+     * @throws AuthrimError with code 'no_device_authorization_endpoint' if endpoint not available
+     * @throws AuthrimError with code 'device_authorization_error' if request fails
      */
-    private get tokenKey();
+    startDeviceAuthorization(discovery: OIDCDiscoveryDocument, options?: DeviceFlowStartOptions): Promise<DeviceFlowState>;
     /**
-     * Get storage key for ID token
+     * Poll the token endpoint once
+     *
+     * Returns the current state of the authorization:
+     * - 'pending': User hasn't completed auth yet
+     * - 'completed': Auth complete, tokens received
+     * - 'slow_down': Polling too fast, increase interval
+     * - 'expired': Device code expired
+     * - 'access_denied': User denied the request
+     *
+     * @param discovery - OIDC discovery document
+     * @param state - Device flow state from startDeviceAuthorization
+     * @returns Poll result
      */
-    private get idTokenKey();
+    pollOnce(discovery: OIDCDiscoveryDocument, state: DeviceFlowState): Promise<DeviceFlowPollResult>;
     /**
-     * Get current tokens from storage
+     * Poll until authorization is complete or expires
      *
-     * @returns Token set or null if not found
+     * Automatically handles polling interval and retries.
+     *
+     * @param discovery - OIDC discovery document
+     * @param state - Device flow state from startDeviceAuthorization
+     * @param options - Polling options
+     * @returns Token set on success
+     * @throws AuthrimError with code 'device_authorization_expired' if device code expires
+     * @throws AuthrimError with code 'device_access_denied' if user denies authorization
      */
-    getTokens(): Promise<TokenSet | null>;
+    pollUntilComplete(discovery: OIDCDiscoveryDocument, state: DeviceFlowState, options?: {
+        signal?: AbortSignal;
+    }): Promise<TokenSet>;
     /**
-     * Save tokens to storage
-     *
+     * Sleep for a given number of milliseconds
+     * @param ms - Milliseconds to sleep
+     * @param signal - Optional abort signal
+     */
+    private sleep;
+}
+
+/**
+ * DPoP (Demonstrating Proof of Possession) Types
+ * RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)
+ *
+ * DPoP provides a mechanism for sender-constraining access tokens
+ * to a particular client by binding tokens to a cryptographic key.
+ */
+/**
+ * JSON Web Key (JWK) format
+ *
+ * Subset of the Web Crypto API JWK interface.
+ * Defined here for platform-agnostic support.
+ */
+interface JWK {
+    /** Key type (e.g., 'EC', 'RSA') */
+    kty?: string;
+    /** Key ID */
+    kid?: string;
+    /** Algorithm */
+    alg?: string;
+    /** Public key use */
+    use?: string;
+    /** Key operations */
+    key_ops?: string[];
+    /** Extractable flag */
+    ext?: boolean;
+    /** Curve name */
+    crv?: string;
+    /** X coordinate (base64url) */
+    x?: string;
+    /** Y coordinate (base64url) */
+    y?: string;
+    /** Private key value (base64url) - should not be exported */
+    d?: string;
+    /** Modulus (base64url) */
+    n?: string;
+    /** Public exponent (base64url) */
+    e?: string;
+    [key: string]: unknown;
+}
+/**
+ * DPoP key pair interface
+ *
+ * Represents an asymmetric key pair used for DPoP proofs.
+ */
+interface DPoPKeyPair {
+    /** Algorithm identifier (e.g., 'ES256', 'RS256') */
+    algorithm: string;
+    /** JWK thumbprint of the public key (base64url encoded) */
+    thumbprint: string;
+    /** Public key in JWK format */
+    publicKeyJwk: JWK;
+    /**
+     * Sign data with the private key
+     *
+     * @param data - Data to sign
+     * @returns Signature
+     */
+    sign(data: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * DPoP proof JWT header
+ */
+interface DPoPProofHeader {
+    /** Type (always 'dpop+jwt') */
+    typ: 'dpop+jwt';
+    /** Algorithm */
+    alg: string;
+    /** Public key in JWK format */
+    jwk: JWK;
+}
+/**
+ * DPoP proof JWT claims
+ */
+interface DPoPProofClaims {
+    /** Unique identifier for the proof */
+    jti: string;
+    /** HTTP method of the request */
+    htm: string;
+    /** HTTP URI of the request (without query and fragment) */
+    htu: string;
+    /** Issued at time (epoch seconds) */
+    iat: number;
+    /** Access token hash (when binding to access token) */
+    ath?: string;
+    /** Server-provided nonce (when server requires it) */
+    nonce?: string;
+}
+/**
+ * Options for generating a DPoP proof
+ */
+interface DPoPProofOptions {
+    /** Hash of the access token (base64url(SHA-256(access_token))) */
+    accessTokenHash?: string;
+    /** Server-provided nonce */
+    nonce?: string;
+}
+/**
+ * DPoP Manager configuration
+ */
+interface DPoPManagerConfig {
+    /** Preferred algorithm (default: 'ES256') */
+    algorithm?: string;
+}
+/**
+ * Extended CryptoProvider interface with DPoP support
+ *
+ * This extends the base CryptoProvider with optional DPoP methods.
+ * Implementations that support DPoP should implement these methods.
+ */
+interface DPoPCryptoProvider {
+    /**
+     * Generate a new DPoP key pair
+     *
+     * @param algorithm - Preferred algorithm (default: 'ES256')
+     * @returns Generated key pair
+     */
+    generateDPoPKeyPair?(algorithm?: string): Promise<DPoPKeyPair>;
+    /**
+     * Get the current DPoP key pair
+     *
+     * Returns null if no key pair has been generated.
+     *
+     * @returns Current key pair or null
+     */
+    getDPoPKeyPair?(): Promise<DPoPKeyPair | null>;
+    /**
+     * Clear the DPoP key pair
+     *
+     * Should be called on logout to clean up key material.
+     */
+    clearDPoPKeyPair?(): Promise<void>;
+}
+
+/**
+ * DPoP Manager
+ * RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)
+ *
+ * DPoP provides sender-constrained access tokens by binding them
+ * to a cryptographic key held by the client. This prevents token theft
+ * and replay attacks.
+ *
+ * NOTE: DPoP proofs are required for:
+ * - Token requests (authorization code exchange, refresh)
+ * - PAR requests
+ * - UserInfo requests
+ * - Any protected resource request
+ *
+ * Future consideration: HttpClient-level middleware for automatic DPoP proof attachment.
+ */
+
+/**
+ * DPoP Manager
+ *
+ * Manages DPoP key pairs and generates DPoP proofs for requests.
+ */
+declare class DPoPManager {
+    private readonly crypto;
+    private readonly config;
+    private keyPair;
+    private serverNonce;
+    constructor(crypto: CryptoProvider & DPoPCryptoProvider, config?: DPoPManagerConfig);
+    /**
+     * Initialize the DPoP manager
+     *
+     * Generates or retrieves a DPoP key pair.
+     *
+     * @throws AuthrimError with code 'dpop_key_generation_error' if key generation fails
+     */
+    initialize(): Promise<void>;
+    /**
+     * Check if DPoP is initialized
+     */
+    isInitialized(): boolean;
+    /**
+     * Generate a DPoP proof
+     *
+     * Creates a signed JWT proof for the specified HTTP method and URI.
+     *
+     * @param method - HTTP method (GET, POST, etc.)
+     * @param uri - Full request URI (https://example.com/path)
+     * @param options - Additional options (access token hash, nonce)
+     * @returns Signed DPoP proof JWT
+     * @throws AuthrimError with code 'dpop_proof_generation_error' if proof generation fails
+     */
+    generateProof(method: string, uri: string, options?: DPoPProofOptions): Promise<string>;
+    /**
+     * Handle a DPoP-Nonce response from the server
+     *
+     * When the server returns a use_dpop_nonce error or includes
+     * a DPoP-Nonce header, this method stores the nonce for future proofs.
+     *
+     * @param nonce - Server-provided nonce value
+     */
+    handleNonceResponse(nonce: string): void;
+    /**
+     * Get the current server nonce
+     */
+    getServerNonce(): string | null;
+    /**
+     * Clear the server nonce
+     */
+    clearServerNonce(): void;
+    /**
+     * Get the public key JWK
+     *
+     * @returns Public key in JWK format, or null if not initialized
+     */
+    getPublicKeyJwk(): JWK | null;
+    /**
+     * Get the JWK thumbprint
+     *
+     * @returns Base64url-encoded thumbprint, or null if not initialized
+     */
+    getThumbprint(): string | null;
+    /**
+     * Calculate access token hash for ath claim
+     *
+     * @param accessToken - Access token to hash
+     * @returns Base64url-encoded SHA-256 hash
+     */
+    calculateAccessTokenHash(accessToken: string): Promise<string>;
+    /**
+     * Clear the DPoP key pair
+     *
+     * Should be called on logout to clean up key material.
+     */
+    clear(): Promise<void>;
+    /**
+     * Generate a unique JWT ID (jti)
+     */
+    private generateJti;
+}
+
+/**
+ * JAR (JWT Secured Authorization Request) Types
+ * RFC 9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
+ *
+ * JAR allows authorization request parameters to be encoded in a
+ * signed JWT, providing integrity protection and non-repudiation.
+ */
+/**
+ * JAR request object claims
+ */
+interface JARRequestObjectClaims {
+    /** Issuer (client_id) */
+    iss: string;
+    /** Audience (authorization server issuer) */
+    aud: string;
+    /** Response type */
+    response_type: string;
+    /** Client ID */
+    client_id: string;
+    /** Redirect URI */
+    redirect_uri: string;
+    /** Scope */
+    scope: string;
+    /** State */
+    state: string;
+    /** Nonce */
+    nonce: string;
+    /** PKCE code challenge */
+    code_challenge: string;
+    /** PKCE code challenge method */
+    code_challenge_method: string;
+    /** Issued at time (epoch seconds) */
+    iat: number;
+    /** Expiration time (epoch seconds) */
+    exp: number;
+    /** JWT ID (optional but recommended) */
+    jti?: string;
+    /** Not before time (optional) */
+    nbf?: number;
+    /** Prompt */
+    prompt?: string;
+    /** Login hint */
+    login_hint?: string;
+    /** ACR values */
+    acr_values?: string;
+    [key: string]: unknown;
+}
+/**
+ * JAR Builder configuration
+ */
+interface JARBuilderConfig {
+    /**
+     * Function to sign JWT
+     *
+     * @param header - JWT header object
+     * @param claims - JWT claims object
+     * @returns Signed JWT string
+     */
+    signJwt: (header: object, claims: object) => Promise<string>;
+    /** Key ID to include in JWT header */
+    keyId?: string;
+    /** Lifetime of the request object in seconds (default: 300) */
+    lifetime?: number;
+    /** Algorithm for signing (e.g., 'RS256', 'ES256') */
+    algorithm?: string;
+}
+/**
+ * Options for building a request object
+ */
+interface JARRequestOptions {
+    /** Client ID */
+    clientId: string;
+    /** Authorization server issuer */
+    issuer: string;
+    /** Response type (default: 'code') */
+    responseType?: string;
+    /** Redirect URI */
+    redirectUri: string;
+    /** Scope */
+    scope: string;
+    /** State */
+    state: string;
+    /** Nonce */
+    nonce: string;
+    /** PKCE code challenge */
+    codeChallenge: string;
+    /** PKCE code challenge method */
+    codeChallengeMethod: string;
+    /** Prompt */
+    prompt?: string;
+    /** Login hint */
+    loginHint?: string;
+    /** ACR values */
+    acrValues?: string;
+    /** Additional claims */
+    extraClaims?: Record<string, unknown>;
+}
+
+/**
+ * JAR Builder
+ * RFC 9101: JWT-Secured Authorization Request (JAR)
+ *
+ * JAR provides a way to send authorization request parameters
+ * in a signed (and optionally encrypted) JWT, ensuring:
+ * - Integrity protection of parameters
+ * - Non-repudiation
+ * - Confidentiality (when encrypted)
+ *
+ * The signed JWT is sent as the 'request' parameter in the authorization URL,
+ * or can be passed by reference using the 'request_uri' parameter (with PAR).
+ */
+
+/**
+ * JAR Builder
+ *
+ * Builds signed JWT request objects for authorization requests.
+ */
+declare class JARBuilder {
+    private readonly config;
+    constructor(config: JARBuilderConfig);
+    /**
+     * Build a signed request object
+     *
+     * @param options - Request options
+     * @returns Signed JWT request object
+     * @throws AuthrimError with code 'jar_signing_error' if signing fails
+     */
+    buildRequestObject(options: JARRequestOptions): Promise<string>;
+    /**
+     * Generate a unique JWT ID (jti)
+     */
+    private generateJti;
+}
+/**
+ * Check if JAR is required by the authorization server
+ *
+ * @param discovery - OIDC discovery document
+ * @returns True if require_signed_request_object is true
+ */
+declare function isJarRequired(discovery: {
+    require_signed_request_object?: boolean;
+}): boolean;
+
+/**
+ * JARM (JWT Secured Authorization Response Mode) Types
+ * Financial-grade API (FAPI) / OpenID Connect
+ *
+ * JARM provides a way for authorization servers to return authorization
+ * response parameters in a signed (and optionally encrypted) JWT.
+ * This provides integrity protection and authenticity verification.
+ */
+/**
+ * JARM response JWT claims
+ */
+interface JARMResponseClaims {
+    /** Issuer (authorization server) */
+    iss: string;
+    /** Audience (client_id) */
+    aud: string;
+    /** Expiration time (epoch seconds) */
+    exp: number;
+    /** Issued at time (optional) */
+    iat?: number;
+    /** Authorization code */
+    code?: string;
+    /** State parameter */
+    state?: string;
+    /** Error code */
+    error?: string;
+    /** Error description */
+    error_description?: string;
+    /** Error URI */
+    error_uri?: string;
+    [key: string]: unknown;
+}
+/**
+ * JARM validation options
+ */
+interface JARMValidationOptions {
+    /** Expected state value */
+    expectedState: string;
+    /** Client ID (audience) */
+    clientId: string;
+    /** Clock skew tolerance in seconds (default: 60) */
+    clockSkewSeconds?: number;
+}
+/**
+ * JARM validation result
+ */
+interface JARMValidationResult {
+    /** Authorization code (if present) */
+    code: string;
+    /** State parameter */
+    state: string;
+}
+/**
+ * JARM Validator configuration
+ */
+interface JARMValidatorConfig {
+    /**
+     * Function to verify JWT signature
+     *
+     * Should verify the signature using the authorization server's public keys
+     * (typically from JWKS endpoint) and return the decoded claims.
+     *
+     * @param jwt - The JWT string to verify
+     * @param issuer - Expected issuer
+     * @returns Decoded and verified claims
+     * @throws Error if signature verification fails
+     */
+    verifyJwt: (jwt: string, issuer: string) => Promise<JARMResponseClaims>;
+}
+
+/**
+ * JARM Validator
+ * JWT Secured Authorization Response Mode (JARM)
+ *
+ * JARM allows authorization servers to return authorization response
+ * parameters in a signed JWT, providing:
+ * - Response integrity protection
+ * - Response authenticity verification
+ * - Confidentiality (when encrypted)
+ *
+ * The response JWT is returned in the 'response' parameter of the
+ * authorization callback.
+ */
+
+/**
+ * JARM Validator
+ *
+ * Validates JWT-secured authorization responses.
+ */
+declare class JARMValidator {
+    private readonly config;
+    constructor(config: JARMValidatorConfig);
+    /**
+     * Validate a JARM response
+     *
+     * @param discovery - OIDC discovery document
+     * @param response - The JWT response string from the 'response' parameter
+     * @param options - Validation options
+     * @returns Validated authorization code and state
+     * @throws AuthrimError with code 'jarm_validation_error' if validation fails
+     * @throws AuthrimError with code 'jarm_signature_invalid' if signature verification fails
+     */
+    validateResponse(discovery: OIDCDiscoveryDocument, response: string, options: JARMValidationOptions): Promise<JARMValidationResult>;
+    /**
+     * Parse a JARM response from callback URL
+     *
+     * Extracts the 'response' parameter from the callback URL.
+     *
+     * @param callbackUrl - Full callback URL or query string
+     * @returns The response JWT, or null if not present
+     */
+    static extractResponseFromCallback(callbackUrl: string): string | null;
+}
+
+/**
+ * Session Management Types
+ * OpenID Connect Session Management 1.0
+ *
+ * These types support session management via check_session_iframe
+ * and related specifications.
+ *
+ * NOTE: Actual implementation of session management (postMessage communication,
+ * iframe handling) is the responsibility of the web SDK (@authrim/web).
+ * Core SDK only provides type definitions.
+ */
+/**
+ * Session state from check_session_iframe
+ */
+type SessionState = string;
+/**
+ * Check session iframe message
+ *
+ * Format: "client_id session_state"
+ */
+interface CheckSessionMessage {
+    /** Client ID */
+    clientId: string;
+    /** Session state from authentication response */
+    sessionState: SessionState;
+}
+/**
+ * Check session iframe response
+ */
+type CheckSessionResponse = 'changed' | 'unchanged' | 'error';
+/**
+ * Session management configuration
+ */
+interface SessionManagementConfig {
+    /** check_session_iframe URL from discovery */
+    checkSessionIframe?: string;
+    /** Polling interval in milliseconds (default: 2000) */
+    pollIntervalMs?: number;
+    /** Whether session management is enabled */
+    enabled: boolean;
+}
+/**
+ * Session change event
+ */
+interface SessionChangeEvent {
+    /** Previous session state */
+    previousState: SessionState | null;
+    /** Current session state */
+    currentState: SessionState | null;
+    /** Whether the session is still valid */
+    isValid: boolean;
+}
+/**
+ * Front-Channel Logout Types
+ * OpenID Connect Front-Channel Logout 1.0
+ *
+ * Front-channel logout allows the OP to notify RPs of logout events
+ * via browser redirects.
+ *
+ * NOTE: Actual implementation of front-channel logout (iframe handling)
+ * is the responsibility of the web SDK (@authrim/web).
+ * Core SDK only provides type definitions.
+ */
+/**
+ * Front-channel logout request parameters
+ */
+interface FrontChannelLogoutParams {
+    /** Issuer identifier */
+    iss?: string;
+    /** Session ID */
+    sid?: string;
+}
+/**
+ * Front-channel logout URL builder options
+ */
+interface FrontChannelLogoutUrlOptions {
+    /** Base logout URI registered with the OP */
+    logoutUri: string;
+    /** Whether to include issuer parameter */
+    includeIssuer?: boolean;
+    /** Whether to include session ID parameter */
+    includeSessionId?: boolean;
+}
+/**
+ * Back-Channel Logout Types
+ * OpenID Connect Back-Channel Logout 1.0
+ *
+ * Back-channel logout allows the OP to notify RPs of logout events
+ * via direct HTTP calls (server-to-server).
+ *
+ * NOTE: This is typically handled server-side, not in the browser.
+ * Included here for completeness of type definitions.
+ */
+/**
+ * Logout token claims (for back-channel logout)
+ */
+interface LogoutTokenClaims {
+    /** Issuer */
+    iss: string;
+    /** Subject */
+    sub?: string;
+    /** Audience */
+    aud: string | string[];
+    /** Issued at time */
+    iat: number;
+    /** JWT ID */
+    jti: string;
+    /** Events claim (must contain logout event) */
+    events: {
+        'http://schemas.openid.net/event/backchannel-logout': Record<string, never>;
+    };
+    /** Session ID (if back-channel logout session is supported) */
+    sid?: string;
+}
+
+/**
+ * Token Manager
+ *
+ * Manages token storage, retrieval, and automatic refresh.
+ * Implements in-flight request coalescing for concurrent refresh requests.
+ */
+
+/**
+ * Token manager options
+ */
+interface TokenManagerOptions {
+    /** HTTP client */
+    http: HttpClient;
+    /** Storage provider */
+    storage: AuthrimStorage;
+    /** Client ID */
+    clientId: string;
+    /** Issuer hash for storage keys */
+    issuerHash: string;
+    /** Client ID hash for storage keys */
+    clientIdHash: string;
+    /** Refresh skew in seconds (default: 30) */
+    refreshSkewSeconds?: number;
+    /** Event emitter for token events */
+    eventEmitter?: EventEmitter;
+    /** Token expiring warning threshold in seconds (default: 300 = 5 minutes) */
+    expiringThresholdSeconds?: number;
+    /** Jitter for expiring event in milliseconds (default: 30000 = ±30 seconds) */
+    expiringJitterMs?: number;
+}
+/**
+ * Token Manager
+ *
+ * Handles token storage, retrieval, and automatic refresh with
+ * concurrent request coalescing.
+ */
+declare class TokenManager {
+    private readonly http;
+    private readonly storage;
+    private readonly clientId;
+    private readonly issuerHash;
+    private readonly clientIdHash;
+    private readonly refreshSkewSeconds;
+    private readonly eventEmitter?;
+    private readonly expiringThresholdMs;
+    private readonly expiringJitterMs;
+    /** In-flight refresh promise for request coalescing */
+    private refreshPromise;
+    /** Discovery document (set externally) */
+    private discovery;
+    /** Timer for token expiring event */
+    private expiringTimeout;
+    /** Whether this tab is the leader for refresh scheduling */
+    private isLeaderTab;
+    /** Current operation ID for event tracking */
+    private currentOperationId;
+    /** Default refresh skew: 30 seconds */
+    private static readonly DEFAULT_REFRESH_SKEW_SECONDS;
+    /** Default expiring threshold: 5 minutes */
+    private static readonly DEFAULT_EXPIRING_THRESHOLD_SECONDS;
+    /** Default expiring jitter: ±30 seconds */
+    private static readonly DEFAULT_EXPIRING_JITTER_MS;
+    constructor(options: TokenManagerOptions);
+    /**
+     * Set discovery document
+     */
+    setDiscovery(discovery: OIDCDiscoveryDocument): void;
+    /**
+     * Get storage key for tokens
+     */
+    private get tokenKey();
+    /**
+     * Get storage key for ID token
+     */
+    private get idTokenKey();
+    /**
+     * Get current tokens from storage
+     *
+     * @returns Token set or null if not found
+     */
+    getTokens(): Promise<TokenSet | null>;
+    /**
+     * Save tokens to storage
+     *
      * @param tokens - Token set to save
      */
-    saveTokens(tokens: TokenSet): Promise<void>;
+    saveTokens(tokens: TokenSet): Promise<void>;
+    /**
+     * Schedule token:expiring event with jitter
+     *
+     * @param expiresAt - Token expiration timestamp (epoch seconds)
+     */
+    private scheduleExpiringEvent;
+    /**
+     * Set leader tab status
+     *
+     * When not the leader, expiring event scheduling is disabled
+     * to prevent multiple tabs from triggering simultaneous refreshes.
+     *
+     * @param isLeader - Whether this tab is the leader
+     */
+    setLeaderTab(isLeader: boolean): void;
+    /**
+     * Set current operation ID for event tracking
+     */
+    setOperationId(operationId: string | null): void;
+    /**
+     * Get current operation ID
+     */
+    getOperationId(): string | null;
+    /**
+     * Clear all tokens from storage
+     */
+    clearTokens(): Promise<void>;
+    /**
+     * Get access token, refreshing if necessary
+     *
+     * This method coalesces concurrent refresh requests - if multiple
+     * calls are made while a refresh is in-flight, they all share the
+     * same refresh operation.
+     *
+     * @returns Access token
+     * @throws AuthrimError if no tokens available or refresh fails
+     */
+    getAccessToken(): Promise<string>;
+    /**
+     * Get ID token
+     *
+     * @returns ID token or null
+     */
+    getIdToken(): Promise<string | null>;
+    /**
+     * Check if token needs refresh
+     *
+     * @param tokens - Token set to check
+     * @returns True if token should be refreshed
+     */
+    private shouldRefresh;
+    /**
+     * Refresh token with in-flight request coalescing
+     *
+     * If a refresh is already in progress, wait for it instead of
+     * starting a new one.
+     *
+     * @param refreshToken - Refresh token to use
+     * @param reason - Reason for refresh
+     * @returns Access token from new token set
+     */
+    private refreshWithLock;
+    /**
+     * Manually refresh tokens
+     *
+     * @returns New token set
+     * @throws AuthrimError if refresh fails
+     */
+    refresh(): Promise<TokenSet>;
+    /**
+     * Perform refresh with retry for network errors
+     *
+     * @param refreshToken - Refresh token to use
+     * @param reason - Reason for refresh
+     * @param attempt - Current retry attempt (0-indexed)
+     * @returns New token set
+     */
+    private doRefreshWithRetry;
+    /**
+     * Perform the actual token refresh
+     *
+     * @param refreshToken - Refresh token to use
+     * @returns New token set
+     */
+    private doRefresh;
+    /**
+     * Check if user is authenticated
+     *
+     * @returns True if valid tokens exist
+     */
+    isAuthenticated(): Promise<boolean>;
+    /**
+     * Exchange a token using RFC 8693 Token Exchange
+     *
+     * This allows exchanging tokens for different audiences or scopes,
+     * delegation scenarios, and cross-service token acquisition.
+     *
+     * @param request - Token exchange request parameters
+     * @returns Token exchange result with new tokens and issued token type
+     * @throws AuthrimError if exchange fails
+     */
+    exchangeToken(request: TokenExchangeRequest): Promise<TokenExchangeResult>;
+    /**
+     * Map short token type to URI (RFC 8693)
+     */
+    private mapTokenTypeToUri;
+    /**
+     * Clean up resources
+     */
+    destroy(): void;
+}
+
+/**
+ * Auto Refresh Scheduler
+ *
+ * Automatically refreshes tokens before they expire.
+ * Supports cancellation via AbortController.
+ */
+
+/**
+ * Auto refresh options
+ */
+interface AutoRefreshOptions {
+    /** Refresh threshold in seconds before expiry (default: 60) */
+    thresholdSeconds?: number;
+    /** Check interval in milliseconds (default: 30000 = 30 seconds) */
+    checkIntervalMs?: number;
+    /** Event emitter for logging/debugging */
+    eventEmitter?: EventEmitter;
+}
+/**
+ * Auto Refresh Scheduler
+ *
+ * Schedules automatic token refresh before expiration.
+ * Can be stopped and started as needed.
+ */
+declare class AutoRefreshScheduler {
+    private tokenManager;
+    private options;
+    private checkInterval;
+    private abortController;
+    private isRunning;
+    /** Default refresh threshold: 60 seconds */
+    private static readonly DEFAULT_THRESHOLD_SECONDS;
+    /** Default check interval: 30 seconds */
+    private static readonly DEFAULT_CHECK_INTERVAL_MS;
+    constructor(options?: AutoRefreshOptions);
+    /**
+     * Start auto-refresh scheduling
+     *
+     * @param tokenManager - Token manager instance
+     */
+    start(tokenManager: TokenManager): void;
+    /**
+     * Stop auto-refresh scheduling
+     */
+    stop(): void;
+    /**
+     * Check if scheduler is running
+     */
+    get running(): boolean;
+    /**
+     * Get the abort signal for external cancellation support
+     */
+    get signal(): AbortSignal | null;
+    /**
+     * Check if token needs refresh and perform if needed
+     */
+    private checkAndRefresh;
+    /**
+     * Force an immediate refresh check
+     */
+    forceCheck(): Promise<void>;
+}
+
+/**
+ * Token API Client
+ *
+ * Provides session verification against the authorization server.
+ * Uses the UserInfo endpoint or custom session check endpoint.
+ */
+
+/**
+ * Session check result
+ */
+interface SessionCheckResult {
+    /** Whether session is valid */
+    valid: boolean;
+    /** User info if session is valid */
+    user?: UserInfo;
+    /** Error if session is invalid */
+    error?: AuthrimError;
+}
+/**
+ * Token API client options
+ */
+interface TokenApiClientOptions {
+    /** HTTP client */
+    http: HttpClient;
+}
+/**
+ * Token API Client
+ *
+ * Verifies session status with the authorization server.
+ */
+declare class TokenApiClient {
+    private readonly http;
+    constructor(options: TokenApiClientOptions);
+    /**
+     * Check session validity by calling UserInfo endpoint
+     *
+     * @param discovery - OIDC discovery document
+     * @param accessToken - Access token to verify
+     * @returns Session check result
+     */
+    checkSession(discovery: OIDCDiscoveryDocument, accessToken: string): Promise<SessionCheckResult>;
+    /**
+     * Get user info from the authorization server
+     *
+     * @param discovery - OIDC discovery document
+     * @param accessToken - Access token
+     * @returns User info
+     * @throws AuthrimError if request fails
+     */
+    getUserInfo(discovery: OIDCDiscoveryDocument, accessToken: string): Promise<UserInfo>;
+}
+
+/**
+ * Session Manager
+ *
+ * Coordinates session-related operations including checking
+ * session status and retrieving user information.
+ */
+
+/**
+ * Session manager options
+ */
+interface SessionManagerOptions {
+    /** Token manager */
+    tokenManager: TokenManager;
+    /** Token API client */
+    tokenApiClient: TokenApiClient;
+}
+/**
+ * Session Manager
+ */
+declare class SessionManager {
+    private readonly tokenManager;
+    private readonly tokenApiClient;
+    /** Discovery document */
+    private discovery;
+    constructor(options: SessionManagerOptions);
+    /**
+     * Set discovery document
+     */
+    setDiscovery(discovery: OIDCDiscoveryDocument): void;
     /**
-     * Clear all tokens from storage
+     * Check if user is authenticated locally
+     *
+     * This checks if valid tokens exist in storage.
+     * Does not verify with the authorization server.
+     *
+     * @returns True if tokens exist
      */
-    clearTokens(): Promise<void>;
+    isAuthenticated(): Promise<boolean>;
+    /**
+     * Check session validity with authorization server
+     *
+     * Calls the UserInfo endpoint to verify the session is still valid.
+     *
+     * @returns Session check result
+     */
+    checkSession(): Promise<SessionCheckResult>;
+    /**
+     * Get user information
+     *
+     * Fetches user info from the UserInfo endpoint.
+     *
+     * @returns User info
+     * @throws AuthrimError if not authenticated or request fails
+     */
+    getUser(): Promise<UserInfo>;
+}
+
+/**
+ * Session State Calculator
+ *
+ * Implements OIDC Session Management 1.0 specification
+ * https://openid.net/specs/openid-connect-session-1_0.html
+ *
+ * session_state = hash(client_id + " " + origin + " " + browser_state + salt) + "." + salt
+ */
+
+/**
+ * Parameters for calculating session_state
+ */
+interface SessionStateParams {
+    /** OAuth client_id */
+    clientId: string;
+    /** RP origin (e.g., "https://example.com") */
+    origin: string;
+    /**
+     * OP-managed browser state (opaque value)
+     *
+     * Per OIDC Session Management 1.0 spec, this is called "browser_state" but is actually
+     * an opaque value managed by the OP to identify the session at the OP.
+     * It is NOT a value managed by the RP's browser.
+     */
+    opBrowserState: string;
+    /** Optional salt (generated if not provided) */
+    salt?: string;
+}
+/**
+ * Result of session_state calculation
+ */
+interface SessionStateResult {
+    /** Full session_state value (hash.salt) */
+    sessionState: string;
+    /** Hash portion of session_state */
+    hash: string;
+    /** Salt used in calculation */
+    salt: string;
+}
+/**
+ * Options for SessionStateCalculator
+ */
+interface SessionStateCalculatorOptions {
+    /** Crypto provider for hashing */
+    crypto: CryptoProvider;
+}
+/**
+ * Session State Calculator
+ *
+ * Calculates and validates session_state values per OIDC Session Management 1.0.
+ *
+ * Usage (OP side - calculating session_state to include in auth response):
+ * ```typescript
+ * const calculator = new SessionStateCalculator({ crypto });
+ * const result = await calculator.calculate({
+ *   clientId: 'my-client',
+ *   origin: 'https://rp.example.com',
+ *   opBrowserState: 'op-session-id-xyz'
+ * });
+ * // result.sessionState -> include in auth response
+ * ```
+ *
+ * Usage (RP check_session_iframe - validating session state):
+ * ```typescript
+ * const isValid = await calculator.validate(sessionState, {
+ *   clientId: 'my-client',
+ *   origin: 'https://rp.example.com',
+ *   opBrowserState: 'op-session-id-xyz'
+ * });
+ * ```
+ */
+declare class SessionStateCalculator {
+    private readonly crypto;
+    constructor(options: SessionStateCalculatorOptions);
+    /**
+     * Calculate session_state
+     *
+     * Per OIDC Session Management 1.0:
+     * session_state = hash(client_id + " " + origin + " " + browser_state + salt) + "." + salt
+     *
+     * @param params - Parameters for calculation
+     * @returns Session state result
+     */
+    calculate(params: SessionStateParams): Promise<SessionStateResult>;
+    /**
+     * Validate session_state
+     *
+     * Uses constant-time comparison to prevent timing attacks.
+     *
+     * @param sessionState - session_state value to validate
+     * @param params - Parameters that should match (without salt, extracted from sessionState)
+     * @returns true if valid
+     */
+    validate(sessionState: string, params: Omit<SessionStateParams, 'salt'>): Promise<boolean>;
+    /**
+     * Parse session_state into hash and salt components
+     *
+     * @param sessionState - session_state value to parse
+     * @returns Parsed components or null if invalid format
+     */
+    parse(sessionState: string): {
+        hash: string;
+        salt: string;
+    } | null;
+}
+
+/**
+ * Front-Channel Logout URL Builder
+ *
+ * Implements OpenID Connect Front-Channel Logout 1.0
+ * https://openid.net/specs/openid-connect-frontchannel-1_0.html
+ *
+ * Front-channel logout allows the OP to notify RPs of logout events
+ * via browser redirects (iframes loaded by the OP's logout page).
+ */
+
+/**
+ * Result of building a front-channel logout URL
+ */
+interface FrontChannelLogoutUrlResult {
+    /** Complete logout URL with query parameters */
+    url: string;
+    /** Parameters included in the URL */
+    params: FrontChannelLogoutParams;
+}
+/**
+ * Parameters for building a front-channel logout URL
+ */
+interface FrontChannelLogoutBuildParams {
+    /** Issuer identifier to include (optional) */
+    iss?: string;
+    /** Session ID to include (optional) */
+    sid?: string;
+}
+/**
+ * Validation options for front-channel logout requests
+ */
+interface FrontChannelLogoutValidationOptions {
+    /** Expected issuer (for validation) */
+    issuer?: string;
+    /** Expected session ID (for validation) */
+    sessionId?: string;
+    /** Require issuer parameter */
+    requireIss?: boolean;
+    /** Require session ID parameter */
+    requireSid?: boolean;
+}
+/**
+ * Result of front-channel logout request validation
+ */
+interface FrontChannelLogoutValidationResult {
+    /** Whether the request is valid */
+    valid: boolean;
+    /** Parsed parameters (if valid) */
+    params?: FrontChannelLogoutParams;
+    /** Error message (if invalid) */
+    error?: string;
+}
+/**
+ * Front-Channel Logout URL Builder
+ *
+ * Builds and validates front-channel logout URLs per OIDC Front-Channel Logout 1.0.
+ *
+ * Usage (OP side - building logout URL to load in iframe):
+ * ```typescript
+ * const builder = new FrontChannelLogoutUrlBuilder();
+ * const result = builder.build(
+ *   { logoutUri: 'https://rp.example.com/logout', includeIssuer: true, includeSessionId: true },
+ *   { iss: 'https://op.example.com', sid: 'session-123' }
+ * );
+ * // result.url -> load in iframe
+ * ```
+ *
+ * Usage (RP side - validating incoming logout request):
+ * ```typescript
+ * const result = builder.validateRequest(window.location.href, {
+ *   issuer: 'https://op.example.com',
+ *   requireIss: true
+ * });
+ * if (result.valid) {
+ *   // Perform local logout
+ * }
+ * ```
+ */
+declare class FrontChannelLogoutUrlBuilder {
+    /**
+     * Build a front-channel logout URL
+     *
+     * @param options - URL configuration options
+     * @param params - Parameters to include in the URL
+     * @returns Built URL and included parameters
+     */
+    build(options: FrontChannelLogoutUrlOptions, params: FrontChannelLogoutBuildParams): FrontChannelLogoutUrlResult;
+    /**
+     * Parse parameters from a front-channel logout URL
+     *
+     * @param url - URL or URL string to parse
+     * @returns Parsed parameters
+     */
+    parseParams(url: string | URL): FrontChannelLogoutParams;
+    /**
+     * Validate a front-channel logout request
+     *
+     * Uses constant-time comparison for security-sensitive values to prevent timing attacks.
+     *
+     * @param url - URL to validate
+     * @param expected - Expected values and requirements
+     * @returns Validation result
+     */
+    validateRequest(url: string | URL, expected?: FrontChannelLogoutValidationOptions): FrontChannelLogoutValidationResult;
+}
+
+/**
+ * JWT Utilities
+ *
+ * Note: This module only provides decoding (parsing) functionality.
+ * JWT signature verification MUST be performed by the server.
+ * Never trust decoded JWT claims without server-side verification.
+ */
+
+/**
+ * JWT Header
+ */
+interface JwtHeader {
+    alg: string;
+    typ?: string;
+    kid?: string;
+    [key: string]: unknown;
+}
+/**
+ * Decoded JWT structure
+ */
+interface DecodedJwt<T = Record<string, unknown>> {
+    header: JwtHeader;
+    payload: T;
+    signature: string;
+}
+/**
+ * Decode a JWT without verifying the signature
+ *
+ * WARNING: This function does NOT verify the JWT signature.
+ * Use this only for reading claims after the token has been
+ * validated by the authorization server.
+ *
+ * @param jwt - JWT string to decode
+ * @returns Decoded JWT parts
+ * @throws Error if the JWT format is invalid
+ */
+declare function decodeJwt<T = Record<string, unknown>>(jwt: string): DecodedJwt<T>;
+/**
+ * Decode an ID token and extract claims
+ *
+ * WARNING: This function does NOT verify the ID token.
+ * The token MUST be verified by the authorization server before use.
+ *
+ * @param idToken - ID token string
+ * @returns ID token claims
+ */
+declare function decodeIdToken(idToken: string): IdTokenClaims;
+/**
+ * Check if a JWT is expired
+ *
+ * @param jwt - Decoded JWT payload with exp claim
+ * @param skewSeconds - Clock skew tolerance in seconds (default: 0)
+ * @returns true if expired
+ */
+declare function isJwtExpired(payload: {
+    exp?: number;
+}, skewSeconds?: number): boolean;
+/**
+ * Get the nonce claim from an ID token
+ *
+ * @param idToken - ID token string
+ * @returns nonce value or undefined
+ */
+declare function getIdTokenNonce(idToken: string): string | undefined;
+
+/**
+ * Back-Channel Logout Validator
+ *
+ * Implements OpenID Connect Back-Channel Logout 1.0
+ * https://openid.net/specs/openid-connect-backchannel-1_0.html
+ *
+ * Back-channel logout allows the OP to notify RPs of logout events
+ * via direct HTTP calls (server-to-server).
+ *
+ * NOTE: This validator performs claims validation only.
+ * JWT signature verification MUST be performed separately using JWKS.
+ */
+
+/**
+ * Back-channel logout event URI
+ */
+declare const BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
+/**
+ * Back-channel logout validation error codes
+ */
+type BackChannelLogoutErrorCode = 'invalid_format' | 'invalid_issuer' | 'invalid_audience' | 'invalid_events' | 'expired' | 'not_yet_valid' | 'missing_sub_and_sid' | 'sub_mismatch' | 'sid_mismatch' | 'missing_jti' | 'nonce_present';
+/**
+ * Options for validating a logout token
+ */
+interface BackChannelLogoutValidationOptions {
+    /** Expected issuer */
+    issuer: string;
+    /** Expected audience (client_id) */
+    audience: string;
+    /** Maximum age in seconds (default: 60) */
+    maxAge?: number;
+    /** Clock skew tolerance in seconds (default: 30) */
+    clockSkew?: number;
+    /** Expected session ID (optional) */
+    expectedSid?: string;
+    /** Expected subject (optional) */
+    expectedSub?: string;
+}
+/**
+ * Result of back-channel logout token validation
+ */
+interface BackChannelLogoutValidationResult {
+    /** Whether the token is valid */
+    valid: boolean;
+    /** Validated claims (if valid) */
+    claims?: LogoutTokenClaims;
+    /** JWT header (if valid) */
+    header?: JwtHeader;
+    /** Error message (if invalid) */
+    error?: string;
+    /** Error code (if invalid) */
+    errorCode?: BackChannelLogoutErrorCode;
+}
+/**
+ * Back-Channel Logout Validator
+ *
+ * Validates logout_token JWTs per OIDC Back-Channel Logout 1.0.
+ *
+ * ## Security Notes
+ *
+ * 1. **JWT Signature Verification**: This class performs claims validation only.
+ *    JWT signature verification MUST be performed separately using JWKS
+ *    before calling validate().
+ *
+ * 2. **JTI Replay Protection**: This validator checks for jti presence only.
+ *    The application MUST implement jti replay protection by:
+ *    - Storing used jti values (at least until token expiry + clock skew)
+ *    - Rejecting tokens with previously-used jti values
+ *
+ * Usage (Node.js server receiving back-channel logout request):
+ * ```typescript
+ * // 1. Receive logout_token from POST body
+ * const logoutToken = req.body.logout_token;
+ *
+ * // 2. Verify JWT signature using JWKS (not shown - use jose or similar)
+ * await verifyJwtSignature(logoutToken, jwks);
+ *
+ * // 3. Validate claims
+ * const validator = new BackChannelLogoutValidator();
+ * const result = validator.validate(logoutToken, {
+ *   issuer: 'https://op.example.com',
+ *   audience: 'my-client-id'
+ * });
+ *
+ * if (!result.valid) {
+ *   return res.status(400).send('Invalid logout token');
+ * }
+ *
+ * // 4. Check for jti replay (application responsibility)
+ * if (await jtiStore.has(result.claims.jti)) {
+ *   return res.status(400).send('Token replay detected');
+ * }
+ * await jtiStore.set(result.claims.jti, true, maxAge + clockSkew);
+ *
+ * // 5. Perform logout for sub and/or sid
+ * await logoutUser(result.claims.sub, result.claims.sid);
+ * ```
+ */
+declare class BackChannelLogoutValidator {
+    /**
+     * Validate a logout_token
+     *
+     * Per OIDC Back-Channel Logout 1.0, the logout_token MUST:
+     * - Be a valid JWT
+     * - Contain iss, aud, iat, jti claims
+     * - Contain events claim with back-channel logout event
+     * - Contain either sub or sid (or both)
+     * - NOT contain a nonce claim
+     *
+     * @param logoutToken - JWT logout token to validate
+     * @param options - Validation options
+     * @returns Validation result
+     */
+    validate(logoutToken: string, options: BackChannelLogoutValidationOptions): BackChannelLogoutValidationResult;
+    /**
+     * Extract claims from a logout token without validation
+     *
+     * Useful for inspecting the token before/during validation.
+     *
+     * @param logoutToken - JWT logout token
+     * @returns Claims or null if invalid format
+     */
+    extractClaims(logoutToken: string): LogoutTokenClaims | null;
+    /**
+     * Extract header from a logout token without validation
+     *
+     * Useful for getting kid to select the correct JWKS key.
+     *
+     * @param logoutToken - JWT logout token
+     * @returns Header or null if invalid format
+     */
+    extractHeader(logoutToken: string): JwtHeader | null;
+}
+
+/**
+ * Debug Module Types
+ *
+ * Types for debugging and observability features.
+ */
+/**
+ * Debug options for SDK initialization
+ */
+interface DebugOptions {
+    /** Enable debug mode */
+    enabled: boolean;
+    /** Enable verbose logging */
+    verbose?: boolean;
+    /** Include timestamps in logs */
+    logTimestamps?: boolean;
+    /** Custom logger implementation */
+    logger?: DebugLogger;
+    /** Maximum events to keep in timeline (default: 100) */
+    maxTimelineEvents?: number;
+    /** Redaction level for sensitive data */
+    redactLevel?: RedactLevel;
+}
+/**
+ * Debug logger interface
+ */
+interface DebugLogger {
+    /** Log a message with optional data */
+    log(level: DebugLogLevel, message: string, data?: unknown): void;
+}
+/**
+ * Debug log levels
+ */
+type DebugLogLevel = 'debug' | 'info' | 'warn' | 'error';
+/**
+ * Redaction level for sensitive data
+ *
+ * - 'default': Mask token values, keep structure
+ * - 'none': No redaction (only for development)
+ * - 'aggressive': Mask tokens and URL parameters
+ */
+type RedactLevel = 'default' | 'none' | 'aggressive';
+
+/**
+ * Event Timeline
+ *
+ * Records SDK events for debugging and observability.
+ * All sensitive data is automatically redacted.
+ */
+
+/**
+ * Event Timeline for debugging
+ *
+ * Records events with automatic redaction of sensitive data.
+ * Safe to use in production - no sensitive data is stored.
+ */
+declare class EventTimeline {
+    private entries;
+    private maxEvents;
+    private redactLevel;
+    constructor(options?: {
+        maxEvents?: number;
+        redactLevel?: RedactLevel;
+    });
     /**
-     * Get access token, refreshing if necessary
+     * Record an event to the timeline
      *
-     * This method coalesces concurrent refresh requests - if multiple
-     * calls are made while a refresh is in-flight, they all share the
-     * same refresh operation.
+     * Data is automatically redacted based on redact level.
      *
-     * @returns Access token
-     * @throws AuthrimError if no tokens available or refresh fails
+     * @param type - Event type
+     * @param data - Event data (will be redacted)
+     * @param options - Recording options
      */
-    getAccessToken(): Promise<string>;
+    record(type: string, data?: unknown, options?: {
+        operationId?: string;
+        redact?: RedactLevel;
+    }): void;
     /**
-     * Get ID token
+     * Get recent entries
      *
-     * @returns ID token or null
+     * @param count - Number of entries to return (default: all)
+     * @returns Recent timeline entries
      */
-    getIdToken(): Promise<string | null>;
+    getRecent(count?: number): TimelineEntry[];
     /**
-     * Check if token needs refresh
+     * Get entries for a specific operation
      *
-     * @param tokens - Token set to check
-     * @returns True if token should be refreshed
+     * @param operationId - Operation ID to filter by
+     * @returns Entries for the operation
      */
-    private shouldRefresh;
+    getByOperationId(operationId: string): TimelineEntry[];
     /**
-     * Refresh token with in-flight request coalescing
-     *
-     * If a refresh is already in progress, wait for it instead of
-     * starting a new one.
+     * Get entries by event type
      *
-     * @param refreshToken - Refresh token to use
-     * @returns Access token from new token set
+     * @param type - Event type to filter by
+     * @returns Entries matching the type
      */
-    private refreshWithLock;
+    getByType(type: string): TimelineEntry[];
     /**
-     * Perform refresh with single retry for network errors
-     *
-     * @param refreshToken - Refresh token to use
-     * @param attemptedRetry - Internal flag to prevent infinite recursion (do not pass externally)
-     * @returns New token set
+     * Clear all entries
      */
-    private doRefreshWithRetry;
+    clear(): void;
     /**
-     * Perform the actual token refresh
-     *
-     * @param refreshToken - Refresh token to use
-     * @returns New token set
+     * Get entry count
      */
-    private doRefresh;
+    get length(): number;
     /**
-     * Check if error is retryable (network errors only)
+     * Convert timeline to JSON string (for export/logging)
      */
-    private isRetryableError;
+    toJSON(): string;
     /**
-     * Check if user is authenticated
-     *
-     * @returns True if valid tokens exist
+     * Set redaction level
      */
-    isAuthenticated(): Promise<boolean>;
+    setRedactLevel(level: RedactLevel): void;
     /**
-     * Exchange a token using RFC 8693 Token Exchange
-     *
-     * This allows exchanging tokens for different audiences or scopes,
-     * delegation scenarios, and cross-service token acquisition.
-     *
-     * @param request - Token exchange request parameters
-     * @returns Token exchange result with new tokens and issued token type
-     * @throws AuthrimError if exchange fails
+     * Redact sensitive data from event payload
      */
-    exchangeToken(request: TokenExchangeRequest): Promise<TokenExchangeResult>;
+    private redactData;
     /**
-     * Map short token type to URI (RFC 8693)
+     * Deep redact an object
      */
-    private mapTokenTypeToUri;
+    private deepRedact;
+    /**
+     * Check if a key is sensitive
+     */
+    private isSensitiveKey;
+    /**
+     * Redact sensitive URL parameters
+     */
+    private redactUrl;
 }
 
 /**
- * Token API Client
+ * Debug Logger
  *
- * Provides session verification against the authorization server.
- * Uses the UserInfo endpoint or custom session check endpoint.
+ * Platform-agnostic logging infrastructure for SDK debugging.
  */
 
 /**
- * Session check result
+ * Create a console-based debug logger
+ *
+ * This logger writes to console with Authrim-prefixed messages.
+ * Safe to use with any console implementation.
  */
-interface SessionCheckResult {
-    /** Whether session is valid */
-    valid: boolean;
-    /** User info if session is valid */
-    user?: UserInfo;
-    /** Error if session is invalid */
-    error?: AuthrimError;
-}
+declare function createConsoleLogger(options?: {
+    timestamps?: boolean;
+}): DebugLogger;
 /**
- * Token API client options
+ * No-op logger for when debug mode is disabled
  */
-interface TokenApiClientOptions {
-    /** HTTP client */
-    http: HttpClient;
-}
+declare const noopLogger: DebugLogger;
 /**
- * Token API Client
- *
- * Verifies session status with the authorization server.
+ * Create a debug logger based on options
  */
-declare class TokenApiClient {
-    private readonly http;
-    constructor(options: TokenApiClientOptions);
+declare function createDebugLogger(options: DebugOptions): DebugLogger;
+/**
+ * Debug context for tracking operations
+ */
+declare class DebugContext {
+    private logger;
+    private verbose;
+    private operationId;
+    constructor(logger: DebugLogger, options?: {
+        verbose?: boolean;
+    });
     /**
-     * Check session validity by calling UserInfo endpoint
-     *
-     * @param discovery - OIDC discovery document
-     * @param accessToken - Access token to verify
-     * @returns Session check result
+     * Set current operation ID for log correlation
      */
-    checkSession(discovery: OIDCDiscoveryDocument, accessToken: string): Promise<SessionCheckResult>;
+    setOperationId(id: string | null): void;
     /**
-     * Get user info from the authorization server
-     *
-     * @param discovery - OIDC discovery document
-     * @param accessToken - Access token
-     * @returns User info
-     * @throws AuthrimError if request fails
+     * Get current operation ID
      */
-    getUserInfo(discovery: OIDCDiscoveryDocument, accessToken: string): Promise<UserInfo>;
-}
-
-/**
- * Session Manager
- *
- * Coordinates session-related operations including checking
- * session status and retrieving user information.
- */
-
-/**
- * Session manager options
- */
-interface SessionManagerOptions {
-    /** Token manager */
-    tokenManager: TokenManager;
-    /** Token API client */
-    tokenApiClient: TokenApiClient;
-}
-/**
- * Session Manager
- */
-declare class SessionManager {
-    private readonly tokenManager;
-    private readonly tokenApiClient;
-    /** Discovery document */
-    private discovery;
-    constructor(options: SessionManagerOptions);
+    getOperationId(): string | null;
     /**
-     * Set discovery document
+     * Log a debug message (verbose mode only)
      */
-    setDiscovery(discovery: OIDCDiscoveryDocument): void;
+    debug(message: string, data?: unknown): void;
     /**
-     * Check if user is authenticated locally
-     *
-     * This checks if valid tokens exist in storage.
-     * Does not verify with the authorization server.
-     *
-     * @returns True if tokens exist
+     * Log an info message
      */
-    isAuthenticated(): Promise<boolean>;
+    info(message: string, data?: unknown): void;
     /**
-     * Check session validity with authorization server
-     *
-     * Calls the UserInfo endpoint to verify the session is still valid.
-     *
-     * @returns Session check result
+     * Log a warning message
      */
-    checkSession(): Promise<SessionCheckResult>;
+    warn(message: string, data?: unknown): void;
     /**
-     * Get user information
-     *
-     * Fetches user info from the UserInfo endpoint.
-     *
-     * @returns User info
-     * @throws AuthrimError if not authenticated or request fails
+     * Log an error message
      */
-    getUser(): Promise<UserInfo>;
+    error(message: string, data?: unknown): void;
+    /**
+     * Format message with operation ID if available
+     */
+    private formatMessage;
 }
 
 /**
@@ -2008,71 +4440,6 @@ declare function stringToBase64url(str: string): string;
  */
 declare function base64urlToString(base64url: string): string;
 
-/**
- * JWT Utilities
- *
- * Note: This module only provides decoding (parsing) functionality.
- * JWT signature verification MUST be performed by the server.
- * Never trust decoded JWT claims without server-side verification.
- */
-
-/**
- * JWT Header
- */
-interface JwtHeader {
-    alg: string;
-    typ?: string;
-    kid?: string;
-    [key: string]: unknown;
-}
-/**
- * Decoded JWT structure
- */
-interface DecodedJwt<T = Record<string, unknown>> {
-    header: JwtHeader;
-    payload: T;
-    signature: string;
-}
-/**
- * Decode a JWT without verifying the signature
- *
- * WARNING: This function does NOT verify the JWT signature.
- * Use this only for reading claims after the token has been
- * validated by the authorization server.
- *
- * @param jwt - JWT string to decode
- * @returns Decoded JWT parts
- * @throws Error if the JWT format is invalid
- */
-declare function decodeJwt<T = Record<string, unknown>>(jwt: string): DecodedJwt<T>;
-/**
- * Decode an ID token and extract claims
- *
- * WARNING: This function does NOT verify the ID token.
- * The token MUST be verified by the authorization server before use.
- *
- * @param idToken - ID token string
- * @returns ID token claims
- */
-declare function decodeIdToken(idToken: string): IdTokenClaims;
-/**
- * Check if a JWT is expired
- *
- * @param jwt - Decoded JWT payload with exp claim
- * @param skewSeconds - Clock skew tolerance in seconds (default: 0)
- * @returns true if expired
- */
-declare function isJwtExpired(payload: {
-    exp?: number;
-}, skewSeconds?: number): boolean;
-/**
- * Get the nonce claim from an ID token
- *
- * @param idToken - ID token string
- * @returns nonce value or undefined
- */
-declare function getIdTokenNonce(idToken: string): string | undefined;
-
 /**
  * Hash Utilities
  *
@@ -2121,6 +4488,121 @@ declare function calculateDsHash(deviceSecret: string, crypto: CryptoProvider):
  */
 declare function timingSafeEqual(a: string, b: string): boolean;
 
+/**
+ * Cancellation Utilities
+ *
+ * Provides AbortController-based cancellation for async operations.
+ */
+/**
+ * Wrap a promise with AbortSignal support
+ *
+ * If the signal is aborted, the promise will reject with an
+ * 'operation_cancelled' error which is recoverable and retryable.
+ *
+ * @param promise - Promise to wrap
+ * @param signal - AbortSignal to use for cancellation
+ * @returns Promise that can be cancelled
+ */
+declare function withAbortSignal<T>(promise: Promise<T>, signal: AbortSignal): Promise<T>;
+/**
+ * Create a cancellable operation wrapper
+ *
+ * Returns an object with the promise and a cancel function.
+ * Useful for creating operations that can be externally cancelled.
+ *
+ * @param fn - Async function to execute
+ * @returns Object with promise and cancel function
+ */
+declare function createCancellableOperation<T>(fn: (signal: AbortSignal) => Promise<T>): {
+    promise: Promise<T>;
+    cancel: () => void;
+    signal: AbortSignal;
+};
+/**
+ * Check if an error is a cancellation error
+ */
+declare function isCancellationError(error: unknown): boolean;
+/**
+ * Race multiple promises with cancellation support
+ *
+ * When one promise resolves, other operations are cancelled.
+ *
+ * @param operations - Array of operations with their signals
+ * @returns Result of the first successful operation
+ */
+declare function raceWithCancellation<T>(operations: Array<{
+    promise: Promise<T>;
+    cancel: () => void;
+}>): Promise<T>;
+
+/**
+ * Retry Utilities
+ *
+ * Provides exponential backoff retry logic with jitter.
+ */
+/**
+ * Retry options
+ */
+interface RetryOptions {
+    /** Maximum number of retry attempts (default: 3) */
+    maxRetries?: number;
+    /** Base delay in milliseconds (default: 1000) */
+    baseDelayMs?: number;
+    /** Maximum delay in milliseconds (default: 30000) */
+    maxDelayMs?: number;
+    /** Enable jitter for delay randomization (default: true) */
+    jitter?: boolean;
+    /** AbortSignal for cancellation */
+    signal?: AbortSignal;
+    /** Custom retry condition (default: check isRetryableError) */
+    shouldRetry?: (error: unknown, attempt: number) => boolean;
+    /** Callback for each retry attempt */
+    onRetry?: (error: unknown, attempt: number, delayMs: number) => void;
+}
+/**
+ * Calculate delay with exponential backoff and optional jitter
+ *
+ * @param attempt - Current attempt number (0-indexed)
+ * @param baseDelayMs - Base delay in milliseconds
+ * @param maxDelayMs - Maximum delay in milliseconds
+ * @param jitter - Whether to add jitter
+ * @returns Delay in milliseconds
+ */
+declare function calculateBackoffDelay(attempt: number, baseDelayMs: number, maxDelayMs: number, jitter: boolean): number;
+/**
+ * Sleep for a specified duration
+ *
+ * @param ms - Duration in milliseconds
+ * @param signal - Optional AbortSignal for cancellation
+ */
+declare function sleep(ms: number, signal?: AbortSignal): Promise<void>;
+/**
+ * Execute a function with exponential backoff retry
+ *
+ * @param fn - Function to execute
+ * @param options - Retry options
+ * @returns Result of the function
+ */
+declare function withRetry<T>(fn: () => Promise<T>, options?: RetryOptions): Promise<T>;
+/**
+ * Create a retry function with preset options
+ *
+ * Useful for creating specialized retry functions for specific use cases.
+ *
+ * @param defaultOptions - Default options for all retries
+ * @returns Retry function with preset options
+ */
+declare function createRetryFunction(defaultOptions: RetryOptions): <T>(fn: () => Promise<T>, options?: RetryOptions) => Promise<T>;
+/**
+ * Extract Retry-After header value
+ *
+ * Supports both HTTP-date and delay-seconds formats.
+ *
+ * @param headers - Response headers
+ * @returns Delay in milliseconds, or null if not found
+ */
+declare function parseRetryAfterHeader(headers: Headers | Record<string, string>): number | null;
+
 /**
  * Direct Authentication API Types
  *
@@ -2675,4 +5157,4 @@ interface DirectAuthClient {
     session: SessionAuth;
 }
 
-export { type AddressClaim, type AttestationConveyancePreferenceType, type AuthCallbackEvent, type AuthRedirectingEvent, type AuthResult, type AuthState, type AuthenticationExtensionsClientInputsType, type AuthenticatorAssertionResponseJSON, type AuthenticatorAttachmentType, type AuthenticatorAttestationResponseJSON, type AuthenticatorSelectionCriteriaType, type AuthenticatorTransportType, AuthorizationCodeFlow, type AuthorizationContext, type AuthorizationUrlResult, AuthrimClient, type AuthrimClientConfig, AuthrimError, type AuthrimErrorCode, type AuthrimErrorMeta, type AuthrimErrorOptions, type AuthrimErrorSeverity, type AuthrimErrorUserAction, type AuthrimEventHandler, type AuthrimEventName, type AuthrimEvents, type AuthrimStorage, type BuildAuthorizationUrlOptions, type COSEAlgorithmIdentifier, type CodeChallengeMethod, type CryptoProvider, type DecodedJwt, type DirectAuthClient, type DirectAuthClientConfig, type DirectAuthError, type DirectAuthLogoutOptions, type DirectAuthTokenRequest, type DirectAuthTokenResponse, DiscoveryClient, type EmailCodeAuth, type EmailCodeSendOptions, type EmailCodeSendRequest, type EmailCodeSendResponse, type EmailCodeSendResult, type EmailCodeVerifyOptions, type EmailCodeVerifyRequest, type EmailCodeVerifyResponse, type EndpointOverrides, type ErrorEvent, EventEmitter, type ExchangeCodeOptions, type GenerateAuthStateOptions, type HashOptions, type HttpClient, type HttpOptions, type HttpResponse, type IntrospectTokenOptions, type IntrospectionResponse, type IntrospectionTokenTypeHint, type JwtHeader, LogoutHandler, type LogoutHandlerOptions, type LogoutOptions, type LogoutResult, type MfaMethod, type NextAction, type OAuthErrorResponse, type OIDCDiscoveryDocument, PKCEHelper, type PKCEPair, type PasskeyAuth, type PasskeyCredential, type PasskeyLoginFinishRequest, type PasskeyLoginFinishResponse, type PasskeyLoginOptions, type PasskeyLoginStartRequest, type PasskeyLoginStartResponse, type PasskeyRegisterOptions, type PasskeySignUpOptions, type PasskeySignupFinishRequest, type PasskeySignupFinishResponse, type PasskeySignupStartRequest, type PasskeySignupStartResponse, type PublicKeyCredentialCreationOptionsJSON, type PublicKeyCredentialDescriptorJSON, type PublicKeyCredentialParametersType, type PublicKeyCredentialRequestOptionsJSON, type PublicKeyCredentialRpEntityType, type PublicKeyCredentialType, type PublicKeyCredentialUserEntityJSON, type ResidentKeyRequirementType, type ResolvedConfig, type RevokeTokenOptions, STORAGE_KEYS, type Session, type SessionAuth, type SessionCheckResult, type SessionEndedEvent, SessionManager, type SessionManagerOptions, type SessionStartedEvent, SilentAuthHandler, type SilentAuthOptions, type SilentAuthResult, type SilentAuthUrlResult, type SocialAuth, type SocialLoginOptions, type SocialProvider, type StandardClaims, StateManager, TOKEN_TYPE_URIS, TokenApiClient, type TokenApiClientOptions, type TokenErrorEvent, type TokenExchangeRequest, type TokenExchangeResponse, type TokenExchangeResult, type TokenExchangedEvent, type TokenExpiredEvent, TokenIntrospector, type TokenIntrospectorOptions, TokenManager, type TokenManagerOptions, type TokenRefreshedEvent, type TokenResponse, TokenRevoker, type TokenRevokerOptions, type TokenSet, type TokenTypeHint, type TokenTypeUri, type User, type UserInfo, type UserVerificationRequirementType, base64urlDecode, base64urlEncode, base64urlToString, calculateDsHash, createAuthrimClient, decodeIdToken, decodeJwt, getErrorMeta, getIdTokenNonce, isJwtExpired, normalizeIssuer, resolveConfig, stringToBase64url, timingSafeEqual };
+export { type AddressClaim, type AttestationConveyancePreferenceType, type AuthCallbackCompleteEvent, type AuthCallbackEvent, type AuthCallbackProcessingEvent, type AuthFallbackEvent, type AuthInitEvent, type AuthLoginCompleteEvent, type AuthLogoutCompleteEvent, type AuthPopupBlockedEvent, type AuthRedirectingEvent, type AuthRequiredEvent, type AuthResult, type AuthState, type AuthStateSnapshot, type AuthState$1 as AuthStateType, type AuthenticationExtensionsClientInputsType, type AuthenticatorAssertionResponseJSON, type AuthenticatorAttachmentType, type AuthenticatorAttestationResponseJSON, type AuthenticatorSelectionCriteriaType, type AuthenticatorTransportType, AuthorizationCodeFlow, type AuthorizationContext, type AuthorizationUrlResult, AuthrimClient, type AuthrimClientConfig, AuthrimError, type AuthrimErrorCode, type AuthrimErrorMeta, type AuthrimErrorOptions, type AuthrimErrorRemediation, type AuthrimErrorSeverity, type AuthrimErrorUserAction, type AuthrimEventHandler, type AuthrimEventName, type AuthrimEvents, type AuthrimStorage, type AutoRefreshOptions, AutoRefreshScheduler, BACKCHANNEL_LOGOUT_EVENT, type BackChannelLogoutErrorCode, type BackChannelLogoutValidationOptions, type BackChannelLogoutValidationResult, BackChannelLogoutValidator, type BaseEventPayload, type BuildAuthorizationUrlOptions, type COSEAlgorithmIdentifier, type CheckSessionMessage, type CheckSessionResponse, type ClientAssertionClaims, type ClientAuthMethod, type ClientAuthResult, type ClientCredentials, ClientCredentialsClient, type ClientCredentialsClientOptions, type ClientCredentialsTokenOptions, type ClientSecretCredentials, type CodeChallengeMethod, type CoreEventName, type CryptoProvider, type DPoPCryptoProvider, type DPoPKeyPair, DPoPManager, type DPoPManagerConfig, type DPoPProofClaims, type DPoPProofHeader, type DPoPProofOptions, DebugContext, type DebugLogLevel, type DebugLogger, type DebugOptions, type DebugTimelineEvent, type DecodedJwt, type DeviceAuthorizationResponse, type DeviceFlowAccessDeniedResult, DeviceFlowClient, type DeviceFlowCompletedResult, type DeviceFlowExpiredResult, type DeviceFlowPendingResult, type DeviceFlowPollResult, type DeviceFlowSlowDownResult, type DeviceFlowStartOptions, type DeviceFlowState, type DirectAuthClient, type DirectAuthClientConfig, type DirectAuthError, type DirectAuthLogoutOptions, type DirectAuthTokenRequest, type DirectAuthTokenResponse, DiscoveryClient, type EmailCodeAuth, type EmailCodeSendOptions, type EmailCodeSendRequest, type EmailCodeSendResponse, type EmailCodeSendResult, type EmailCodeVerifyOptions, type EmailCodeVerifyRequest, type EmailCodeVerifyResponse, type EmitClassifiedErrorOptions, type EndpointOverrides, type ErrorClassification, type ErrorEvent, type ErrorEventEmitter, type ErrorEventPayload, type ErrorFatalEvent, type ErrorRecoverableEvent, type ErrorSeverity, EventEmitter, EventTimeline, type ExchangeCodeOptions, type FrontChannelLogoutBuildParams, type FrontChannelLogoutParams, FrontChannelLogoutUrlBuilder, type FrontChannelLogoutUrlOptions, type FrontChannelLogoutUrlResult, type FrontChannelLogoutValidationOptions, type FrontChannelLogoutValidationResult, type GenerateAuthStateOptions, type HashOptions, type HttpClient, type HttpOptions, type HttpResponse, type IntrospectTokenOptions, type IntrospectionResponse, type IntrospectionTokenTypeHint, JARBuilder, type JARBuilderConfig, type JARMResponseClaims, type JARMValidationOptions, type JARMValidationResult, JARMValidator, type JARMValidatorConfig, type JARRequestObjectClaims, type JARRequestOptions, type JWK, type JwtHeader, LogoutHandler, type LogoutHandlerOptions, type LogoutOptions, type LogoutResult, type LogoutTokenClaims, type MfaMethod, type NextAction, type NoClientCredentials, type OAuthErrorResponse, type OIDCDiscoveryDocument, PARClient, type PARClientOptions, type PARRequest, type PARResponse, type PARResult, PKCEHelper, type PKCEPair, type PasskeyAuth, type PasskeyCredential, type PasskeyLoginFinishRequest, type PasskeyLoginFinishResponse, type PasskeyLoginOptions, type PasskeyLoginStartRequest, type PasskeyLoginStartResponse, type PasskeyRegisterOptions, type PasskeySignUpOptions, type PasskeySignupFinishRequest, type PasskeySignupFinishResponse, type PasskeySignupStartRequest, type PasskeySignupStartResponse, type PrivateKeyJwtCredentials, type PublicKeyCredentialCreationOptionsJSON, type PublicKeyCredentialDescriptorJSON, type PublicKeyCredentialParametersType, type PublicKeyCredentialRequestOptionsJSON, type PublicKeyCredentialRpEntityType, type PublicKeyCredentialType, type PublicKeyCredentialUserEntityJSON, type RedactLevel, type ResidentKeyRequirementType, type ResolvedConfig, type RetryOptions, type RevokeTokenOptions, STORAGE_KEYS, type Session, type SessionAuth, type SessionChangeEvent, type SessionChangedEvent, type SessionCheckResult, type SessionEndedEvent, type SessionLogoutBroadcastEvent, type SessionManagementConfig, SessionManager, type SessionManagerOptions, type SessionStartedEvent, type SessionState, SessionStateCalculator, type SessionStateCalculatorOptions, type SessionStateParams, type SessionStateResult, type SessionSyncEvent, SilentAuthHandler, type SilentAuthOptions, type SilentAuthResult, type SilentAuthUrlResult, type SocialAuth, type SocialLoginOptions, type SocialProvider, type StandardClaims, type StateChangeEvent, StateManager, TOKEN_TYPE_URIS, type TimelineEntry, TokenApiClient, type TokenApiClientOptions, type TokenErrorEvent, type TokenExchangeRequest, type TokenExchangeResponse, type TokenExchangeResult, type TokenExchangedEvent, type TokenExpiredEvent, type TokenExpiringEvent, TokenIntrospector, type TokenIntrospectorOptions, TokenManager, type TokenManagerOptions, type TokenRefreshFailedEvent, type TokenRefreshedEvent, type TokenRefreshingEvent, type TokenResponse, TokenRevoker, type TokenRevokerOptions, type TokenSet, type TokenTypeHint, type TokenTypeUri, type User, type UserInfo, type UserVerificationRequirementType, type WarningITPEvent, type WarningPrivateModeEvent, type WarningStorageFallbackEvent, type WebOnlyEventName, base64urlDecode, base64urlEncode, base64urlToString, buildClientAuthentication, calculateBackoffDelay, calculateDsHash, classifyError, createAuthrimClient, createCancellableOperation, createConsoleLogger, createDebugLogger, createRetryFunction, decodeIdToken, decodeJwt, emitClassifiedError, getErrorMeta, getIdTokenNonce, isCancellationError, isJarRequired, isJwtExpired, isRetryableError, noopLogger, normalizeIssuer, parseRetryAfterHeader, raceWithCancellation, resolveConfig, sleep, stringToBase64url, timingSafeEqual, withAbortSignal, withRetry };