@better-auth/core 1.4.12 → 1.4.14

package/dist/oauth2/client-credentials-token.d.mts

@@ -0,0 +1,36 @@
+import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+
+//#region src/oauth2/client-credentials-token.d.ts
+declare function createClientCredentialsTokenRequest({
+  options,
+  scope,
+  authentication,
+  resource
+}: {
+  options: ProviderOptions & {
+    clientSecret: string;
+  };
+  scope?: string | undefined;
+  authentication?: ("basic" | "post") | undefined;
+  resource?: (string | string[]) | undefined;
+}): {
+  body: URLSearchParams;
+  headers: Record<string, any>;
+};
+declare function clientCredentialsToken({
+  options,
+  tokenEndpoint,
+  scope,
+  authentication,
+  resource
+}: {
+  options: ProviderOptions & {
+    clientSecret: string;
+  };
+  tokenEndpoint: string;
+  scope: string;
+  authentication?: ("basic" | "post") | undefined;
+  resource?: (string | string[]) | undefined;
+}): Promise<OAuth2Tokens>;
+//#endregion
+export { clientCredentialsToken, createClientCredentialsTokenRequest };

package/dist/oauth2/client-credentials-token.mjs

@@ -0,0 +1,54 @@
+import { base64Url } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/oauth2/client-credentials-token.ts
+function createClientCredentialsTokenRequest({ options, scope, authentication, resource }) {
+	const body = new URLSearchParams();
+	const headers = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json"
+	};
+	body.set("grant_type", "client_credentials");
+	scope && body.set("scope", scope);
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		headers["authorization"] = `Basic ${base64Url.encode(`${primaryClientId}:${options.clientSecret}`)}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		body.set("client_secret", options.clientSecret);
+	}
+	return {
+		body,
+		headers
+	};
+}
+async function clientCredentialsToken({ options, tokenEndpoint, scope, authentication, resource }) {
+	const { body, headers } = createClientCredentialsTokenRequest({
+		options,
+		scope,
+		authentication,
+		resource
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers
+	});
+	if (error) throw error;
+	const tokens = {
+		accessToken: data.access_token,
+		tokenType: data.token_type,
+		scopes: data.scope?.split(" ")
+	};
+	if (data.expires_in) {
+		const now = /* @__PURE__ */ new Date();
+		tokens.accessTokenExpiresAt = new Date(now.getTime() + data.expires_in * 1e3);
+	}
+	return tokens;
+}
+
+//#endregion
+export { clientCredentialsToken, createClientCredentialsTokenRequest };

package/dist/oauth2/create-authorization-url.d.mts

@@ -0,0 +1,45 @@
+import { ProviderOptions } from "./oauth-provider.mjs";
+import "./index.mjs";
+
+//#region src/oauth2/create-authorization-url.d.ts
+declare function createAuthorizationURL({
+  id,
+  options,
+  authorizationEndpoint,
+  state,
+  codeVerifier,
+  scopes,
+  claims,
+  redirectURI,
+  duration,
+  prompt,
+  accessType,
+  responseType,
+  display,
+  loginHint,
+  hd,
+  responseMode,
+  additionalParams,
+  scopeJoiner
+}: {
+  id: string;
+  options: ProviderOptions;
+  redirectURI: string;
+  authorizationEndpoint: string;
+  state: string;
+  codeVerifier?: string | undefined;
+  scopes?: string[] | undefined;
+  claims?: string[] | undefined;
+  duration?: string | undefined;
+  prompt?: string | undefined;
+  accessType?: string | undefined;
+  responseType?: string | undefined;
+  display?: string | undefined;
+  loginHint?: string | undefined;
+  hd?: string | undefined;
+  responseMode?: string | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  scopeJoiner?: string | undefined;
+}): Promise<URL>;
+//#endregion
+export { createAuthorizationURL };

package/dist/oauth2/create-authorization-url.mjs

@@ -0,0 +1,42 @@
+import { generateCodeChallenge } from "./utils.mjs";
+
+//#region src/oauth2/create-authorization-url.ts
+async function createAuthorizationURL({ id, options, authorizationEndpoint, state, codeVerifier, scopes, claims, redirectURI, duration, prompt, accessType, responseType, display, loginHint, hd, responseMode, additionalParams, scopeJoiner }) {
+	const url = new URL(options.authorizationEndpoint || authorizationEndpoint);
+	url.searchParams.set("response_type", responseType || "code");
+	const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+	url.searchParams.set("client_id", primaryClientId);
+	url.searchParams.set("state", state);
+	if (scopes) url.searchParams.set("scope", scopes.join(scopeJoiner || " "));
+	url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+	duration && url.searchParams.set("duration", duration);
+	display && url.searchParams.set("display", display);
+	loginHint && url.searchParams.set("login_hint", loginHint);
+	prompt && url.searchParams.set("prompt", prompt);
+	hd && url.searchParams.set("hd", hd);
+	accessType && url.searchParams.set("access_type", accessType);
+	responseMode && url.searchParams.set("response_mode", responseMode);
+	if (codeVerifier) {
+		const codeChallenge = await generateCodeChallenge(codeVerifier);
+		url.searchParams.set("code_challenge_method", "S256");
+		url.searchParams.set("code_challenge", codeChallenge);
+	}
+	if (claims) {
+		const claimsObj = claims.reduce((acc, claim) => {
+			acc[claim] = null;
+			return acc;
+		}, {});
+		url.searchParams.set("claims", JSON.stringify({ id_token: {
+			email: null,
+			email_verified: null,
+			...claimsObj
+		} }));
+	}
+	if (additionalParams) Object.entries(additionalParams).forEach(([key, value]) => {
+		url.searchParams.set(key, value);
+	});
+	return url;
+}
+
+//#endregion
+export { createAuthorizationURL };

package/dist/oauth2/index.d.mts

@@ -1,2 +1,8 @@
-import { Bn as refreshAccessToken, Fn as validateAuthorizationCode, Gn as OAuth2UserInfo, Hn as clientCredentialsToken, In as validateToken, Kn as OAuthProvider, Ln as generateCodeChallenge, Mn as verifyAccessToken, Nn as verifyJwsAccessToken, Pn as createAuthorizationCodeRequest, Rn as getOAuth2Tokens, Un as createClientCredentialsTokenRequest, Vn as createAuthorizationURL, Wn as OAuth2Tokens, jn as getJwks, qn as ProviderOptions, zn as createRefreshAccessTokenRequest } from "../index-zgYuzZ7O.mjs";
-export { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions, clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };
+import { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions } from "./oauth-provider.mjs";
+import { clientCredentialsToken, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
+import { createAuthorizationURL } from "./create-authorization-url.mjs";
+import { createRefreshAccessTokenRequest, refreshAccessToken } from "./refresh-access-token.mjs";
+import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
+import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
+export { type OAuth2Tokens, type OAuth2UserInfo, type OAuthProvider, type ProviderOptions, clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/index.mjs

@@ -1,4 +1,8 @@
-import "../env-DbssmzoK.mjs";
-import { a as validateAuthorizationCode, c as refreshAccessToken, d as getOAuth2Tokens, f as clientCredentialsToken, i as createAuthorizationCodeRequest, l as createAuthorizationURL, n as verifyAccessToken, o as validateToken, p as createClientCredentialsTokenRequest, r as verifyJwsAccessToken, s as createRefreshAccessTokenRequest, t as getJwks, u as generateCodeChallenge } from "../oauth2-COJkghlT.mjs";
+import { clientCredentialsToken, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
+import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { createAuthorizationURL } from "./create-authorization-url.mjs";
+import { createRefreshAccessTokenRequest, refreshAccessToken } from "./refresh-access-token.mjs";
+import { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
+import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
 
 export { clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/oauth-provider.d.mts

@@ -0,0 +1,194 @@
+import { Awaitable, LiteralString } from "../types/helper.mjs";
+import "../types/index.mjs";
+
+//#region src/oauth2/oauth-provider.d.ts
+interface OAuth2Tokens {
+  tokenType?: string | undefined;
+  accessToken?: string | undefined;
+  refreshToken?: string | undefined;
+  accessTokenExpiresAt?: Date | undefined;
+  refreshTokenExpiresAt?: Date | undefined;
+  scopes?: string[] | undefined;
+  idToken?: string | undefined;
+  /**
+   * Raw token response from the provider.
+   * Preserves provider-specific fields that are not part of the standard OAuth2 token response.
+   */
+  raw?: Record<string, unknown> | undefined;
+}
+type OAuth2UserInfo = {
+  id: string | number;
+  name?: string | undefined;
+  email?: (string | null) | undefined;
+  image?: string | undefined;
+  emailVerified: boolean;
+};
+interface OAuthProvider<T extends Record<string, any> = Record<string, any>, O extends Record<string, any> = Partial<ProviderOptions>> {
+  id: LiteralString;
+  createAuthorizationURL: (data: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }) => Awaitable<URL>;
+  name: string;
+  validateAuthorizationCode: (data: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  getUserInfo: (token: OAuth2Tokens & {
+    /**
+     * The user object from the provider
+     * This is only available for some providers like Apple
+     */
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }) => Promise<{
+    user: OAuth2UserInfo;
+    data: T;
+  } | null>;
+  /**
+   * Custom function to refresh a token
+   */
+  refreshAccessToken?: ((refreshToken: string) => Promise<OAuth2Tokens>) | undefined;
+  revokeToken?: ((token: string) => Promise<void>) | undefined;
+  /**
+   * Verify the id token
+   * @param token - The id token
+   * @param nonce - The nonce
+   * @returns True if the id token is valid, false otherwise
+   */
+  verifyIdToken?: ((token: string, nonce?: string) => Promise<boolean>) | undefined;
+  /**
+   * Disable implicit sign up for new users. When set to true for the provider,
+   * sign-in need to be called with with requestSignUp as true to create new users.
+   */
+  disableImplicitSignUp?: boolean | undefined;
+  /**
+   * Disable sign up for new users.
+   */
+  disableSignUp?: boolean | undefined;
+  /**
+   * Options for the provider
+   */
+  options?: O | undefined;
+}
+type ProviderOptions<Profile extends Record<string, any> = any> = {
+  /**
+   * The client ID of your application.
+   *
+   * This is usually a string but can be any type depending on the provider.
+   */
+  clientId?: unknown | undefined;
+  /**
+   * The client secret of your application
+   */
+  clientSecret?: string | undefined;
+  /**
+   * The scopes you want to request from the provider
+   */
+  scope?: string[] | undefined;
+  /**
+   * Remove default scopes of the provider
+   */
+  disableDefaultScope?: boolean | undefined;
+  /**
+   * The redirect URL for your application. This is where the provider will
+   * redirect the user after the sign in process. Make sure this URL is
+   * whitelisted in the provider's dashboard.
+   */
+  redirectURI?: string | undefined;
+  /**
+   * Custom authorization endpoint URL.
+   * Use this to override the default authorization endpoint of the provider.
+   * Useful for testing with local OAuth servers or using sandbox environments.
+   */
+  authorizationEndpoint?: string | undefined;
+  /**
+   * The client key of your application
+   * Tiktok Social Provider uses this field instead of clientId
+   */
+  clientKey?: string | undefined;
+  /**
+   * Disable provider from allowing users to sign in
+   * with this provider with an id token sent from the
+   * client.
+   */
+  disableIdTokenSignIn?: boolean | undefined;
+  /**
+   * verifyIdToken function to verify the id token
+   */
+  verifyIdToken?: ((token: string, nonce?: string) => Promise<boolean>) | undefined;
+  /**
+   * Custom function to get user info from the provider
+   */
+  getUserInfo?: ((token: OAuth2Tokens) => Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>) | undefined;
+  /**
+   * Custom function to refresh a token
+   */
+  refreshAccessToken?: ((refreshToken: string) => Promise<OAuth2Tokens>) | undefined;
+  /**
+   * Custom function to map the provider profile to a
+   * user.
+   */
+  mapProfileToUser?: ((profile: Profile) => {
+    id?: string;
+    name?: string;
+    email?: string | null;
+    image?: string;
+    emailVerified?: boolean;
+    [key: string]: any;
+  } | Promise<{
+    id?: string;
+    name?: string;
+    email?: string | null;
+    image?: string;
+    emailVerified?: boolean;
+    [key: string]: any;
+  }>) | undefined;
+  /**
+   * Disable implicit sign up for new users. When set to true for the provider,
+   * sign-in need to be called with with requestSignUp as true to create new users.
+   */
+  disableImplicitSignUp?: boolean | undefined;
+  /**
+   * Disable sign up for new users.
+   */
+  disableSignUp?: boolean | undefined;
+  /**
+   * The prompt to use for the authorization code request
+   */
+  prompt?: ("select_account" | "consent" | "login" | "none" | "select_account consent") | undefined;
+  /**
+   * The response mode to use for the authorization code request
+   */
+  responseMode?: ("query" | "form_post") | undefined;
+  /**
+   * If enabled, the user info will be overridden with the provider user info
+   * This is useful if you want to use the provider user info to update the user info
+   *
+   * @default false
+   */
+  overrideUserInfoOnSignIn?: boolean | undefined;
+};
+//#endregion
+export { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions };

package/dist/oauth2/refresh-access-token.d.mts

@@ -0,0 +1,36 @@
+import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+
+//#region src/oauth2/refresh-access-token.d.ts
+declare function createRefreshAccessTokenRequest({
+  refreshToken,
+  options,
+  authentication,
+  extraParams,
+  resource
+}: {
+  refreshToken: string;
+  options: Partial<ProviderOptions>;
+  authentication?: ("basic" | "post") | undefined;
+  extraParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): {
+  body: URLSearchParams;
+  headers: Record<string, any>;
+};
+declare function refreshAccessToken({
+  refreshToken,
+  options,
+  tokenEndpoint,
+  authentication,
+  extraParams
+}: {
+  refreshToken: string;
+  options: Partial<ProviderOptions>;
+  tokenEndpoint: string;
+  authentication?: ("basic" | "post") | undefined;
+  extraParams?: Record<string, string> | undefined;
+  /** @deprecated always "refresh_token" */
+  grantType?: string | undefined;
+}): Promise<OAuth2Tokens>;
+//#endregion
+export { createRefreshAccessTokenRequest, refreshAccessToken };

package/dist/oauth2/refresh-access-token.mjs

@@ -0,0 +1,58 @@
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/oauth2/refresh-access-token.ts
+function createRefreshAccessTokenRequest({ refreshToken, options, authentication, extraParams, resource }) {
+	const body = new URLSearchParams();
+	const headers = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json"
+	};
+	body.set("grant_type", "refresh_token");
+	body.set("refresh_token", refreshToken);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		if (primaryClientId) headers["authorization"] = "Basic " + base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`);
+		else headers["authorization"] = "Basic " + base64.encode(`:${options.clientSecret ?? ""}`);
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) body.set("client_secret", options.clientSecret);
+	}
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (extraParams) for (const [key, value] of Object.entries(extraParams)) body.set(key, value);
+	return {
+		body,
+		headers
+	};
+}
+async function refreshAccessToken({ refreshToken, options, tokenEndpoint, authentication, extraParams }) {
+	const { body, headers } = createRefreshAccessTokenRequest({
+		refreshToken,
+		options,
+		authentication,
+		extraParams
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers
+	});
+	if (error) throw error;
+	const tokens = {
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		tokenType: data.token_type,
+		scopes: data.scope?.split(" "),
+		idToken: data.id_token
+	};
+	if (data.expires_in) {
+		const now = /* @__PURE__ */ new Date();
+		tokens.accessTokenExpiresAt = new Date(now.getTime() + data.expires_in * 1e3);
+	}
+	return tokens;
+}
+
+//#endregion
+export { createRefreshAccessTokenRequest, refreshAccessToken };

package/dist/oauth2/utils.d.mts

@@ -0,0 +1,7 @@
+import { OAuth2Tokens } from "./oauth-provider.mjs";
+
+//#region src/oauth2/utils.d.ts
+declare function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens;
+declare function generateCodeChallenge(codeVerifier: string): Promise<string>;
+//#endregion
+export { generateCodeChallenge, getOAuth2Tokens };

package/dist/oauth2/utils.mjs

@@ -0,0 +1,27 @@
+import { base64Url } from "@better-auth/utils/base64";
+
+//#region src/oauth2/utils.ts
+function getOAuth2Tokens(data) {
+	const getDate = (seconds) => {
+		const now = /* @__PURE__ */ new Date();
+		return new Date(now.getTime() + seconds * 1e3);
+	};
+	return {
+		tokenType: data.token_type,
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		accessTokenExpiresAt: data.expires_in ? getDate(data.expires_in) : void 0,
+		refreshTokenExpiresAt: data.refresh_token_expires_in ? getDate(data.refresh_token_expires_in) : void 0,
+		scopes: data?.scope ? typeof data.scope === "string" ? data.scope.split(" ") : data.scope : [],
+		idToken: data.id_token,
+		raw: data
+	};
+}
+async function generateCodeChallenge(codeVerifier) {
+	const data = new TextEncoder().encode(codeVerifier);
+	const hash = await crypto.subtle.digest("SHA-256", data);
+	return base64Url.encode(new Uint8Array(hash), { padding: false });
+}
+
+//#endregion
+export { generateCodeChallenge, getOAuth2Tokens };

package/dist/oauth2/validate-authorization-code.d.mts

@@ -0,0 +1,55 @@
+import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+import "./index.mjs";
+import * as jose0 from "jose";
+
+//#region src/oauth2/validate-authorization-code.d.ts
+declare function createAuthorizationCodeRequest({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams,
+  resource
+}: {
+  code: string;
+  redirectURI: string;
+  options: Partial<ProviderOptions>;
+  codeVerifier?: string | undefined;
+  deviceId?: string | undefined;
+  authentication?: ("basic" | "post") | undefined;
+  headers?: Record<string, string> | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): {
+  body: URLSearchParams;
+  headers: Record<string, any>;
+};
+declare function validateAuthorizationCode({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  tokenEndpoint,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams,
+  resource
+}: {
+  code: string;
+  redirectURI: string;
+  options: Partial<ProviderOptions>;
+  codeVerifier?: string | undefined;
+  deviceId?: string | undefined;
+  tokenEndpoint: string;
+  authentication?: ("basic" | "post") | undefined;
+  headers?: Record<string, string> | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): Promise<OAuth2Tokens>;
+declare function validateToken(token: string, jwksEndpoint: string): Promise<jose0.JWTVerifyResult<jose0.JWTPayload>>;
+//#endregion
+export { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };

package/dist/oauth2/validate-authorization-code.mjs

@@ -0,0 +1,71 @@
+import { getOAuth2Tokens } from "./utils.mjs";
+import "./index.mjs";
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { jwtVerify } from "jose";
+
+//#region src/oauth2/validate-authorization-code.ts
+function createAuthorizationCodeRequest({ code, codeVerifier, redirectURI, options, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	const body = new URLSearchParams();
+	const requestHeaders = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+		...headers
+	};
+	body.set("grant_type", "authorization_code");
+	body.set("code", code);
+	codeVerifier && body.set("code_verifier", codeVerifier);
+	options.clientKey && body.set("client_key", options.clientKey);
+	deviceId && body.set("device_id", deviceId);
+	body.set("redirect_uri", options.redirectURI || redirectURI);
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		requestHeaders["authorization"] = `Basic ${base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`)}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) body.set("client_secret", options.clientSecret);
+	}
+	for (const [key, value] of Object.entries(additionalParams)) if (!body.has(key)) body.append(key, value);
+	return {
+		body,
+		headers: requestHeaders
+	};
+}
+async function validateAuthorizationCode({ code, codeVerifier, redirectURI, options, tokenEndpoint, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers: requestHeaders
+	});
+	if (error) throw error;
+	return getOAuth2Tokens(data);
+}
+async function validateToken(token, jwksEndpoint) {
+	const { data, error } = await betterFetch(jwksEndpoint, {
+		method: "GET",
+		headers: { accept: "application/json" }
+	});
+	if (error) throw error;
+	const keys = data["keys"];
+	const header = JSON.parse(atob(token.split(".")[0]));
+	const key = keys.find((key$1) => key$1.kid === header.kid);
+	if (!key) throw new Error("Key not found");
+	return await jwtVerify(token, key);
+}
+
+//#endregion
+export { createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };