@better-auth/oauth-provider 1.7.0-beta.4 → 1.7.0-beta.6

package/dist/index.mjs

@@ -1,25 +1,26 @@
-import { n as isPrivateHostname } from "./client-assertion-DLMKVgoj.mjs";
-import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
-import { C as toAudienceClaim, D as verifyOAuthQueryParams, E as validateClientCredentials, S as storeToken, T as toResourceList, _ as resolveSessionAuthTime, a as getClient, b as signedQueryIssuedAtParam, c as getSignedQueryIssuedAt, d as mergeDiscoveryMetadata, f as normalizeTimestampValue, g as removePromptFromQuery, h as postLoginClearedParam, i as extractClientCredentials, l as getStoredToken, m as parsePrompt, n as decryptStoredClientSecret, o as getJwtPlugin, p as parseClientMetadata, r as destructureCredentials, t as checkResource, u as isPKCERequired, v as resolveSubjectIdentifier, w as toClientDiscoveryArray, x as storeClientSecret, y as searchParamsToQuery } from "./utils-DKBWQ8fe.mjs";
-import { t as PACKAGE_VERSION } from "./version-nFnRm-a3.mjs";
-import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
-import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
-import { APIError as APIError$1 } from "better-call";
-import { PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
+import { D as applyOAuthProviderMetadataExtensions, E as verifyOAuthQueryParams, F as getSupportedGrantTypes, L as isExtensionTokenEndpointAuthMethod, M as getClientDiscoveries, P as getSupportedAuthMethods, R as validateOAuthProviderExtensions, S as storeToken, T as validateClientCredentials, _ as removePromptFromQuery, a as getClient, b as searchParamsToQuery, c as getStoredToken, d as mergeDiscoveryMetadata, g as removeMaxAgeFromQuery, h as parsePrompt, i as extractClientCredentials, j as extendOAuthProvider, l as isPKCERequired, m as parseClientMetadata, n as decryptStoredClientSecret, o as getJwtPlugin, p as parseBearerToken, r as destructureCredentials, t as clientAllowsGrant, u as isSessionFreshForSignedQuery, w as toResourceList, x as storeClientSecret, y as resolveSubjectIdentifier } from "./utils-Baq6atYN.mjs";
+import { a as setSignedOAuthQueryParameterNames, i as postLoginClearedParam, n as canonicalizeOAuthQueryParams, o as signedQueryIssuedAtParam, r as getSignedQueryIssuedAt } from "./signed-query-CFv2jNMT.mjs";
+import { _ as invalidateResourceCache, a as invalidateRefreshFamily, b as resolveResourcePolicy, c as ResourceUriSchema, d as clientRegistrationRequestSchema, f as JWS_ALGORITHMS, g as getResource, h as extractRepeatedResourceFromForm, i as getOAuthProviderApi, l as SafeUrlSchema, m as buildClientResourceLinkId, o as tokenEndpoint, p as assertIdentifierValid, r as decodeRefreshToken, s as userInfoEndpoint, t as introspectEndpoint, u as authorizationQuerySchema, v as isAudienceClaimAllowed, x as seedResources, y as logEnforcePerClientResourcesResolution } from "./introspect-BXqKFUQZ.mjs";
+import { n as consumeClientAssertion, r as isPrivateHostname } from "./client-assertion-CctbJywV.mjs";
+import { t as PACKAGE_VERSION } from "./version-CUu3vBtU.mjs";
+import { t as raiseResourceServerChallenge } from "./resource-challenge-B-cqv4ur.mjs";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
 import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
+import { APIError, NO_STORE_HEADERS, addOAuthServerContext, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
-import { defineRequestState } from "@better-auth/core/context";
+import { APIError as APIError$1 } from "better-call";
+import { defineRequestState, runWithTransaction } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
+import { DPOP_SIGNING_ALGORITHMS, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
+import { getJwks, stripAccessTokenAuthorizationScheme } from "better-auth/oauth2";
+import { compactVerify, createLocalJWKSet, decodeJwt, jwtVerify } from "jose";
 import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
-import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
-import { SafeUrlSchema } from "@better-auth/core/utils/redirect-uri";
 //#region src/consent.ts
-async function consentEndpoint(ctx, opts) {
+async function consentEndpoint(ctx, opts, authorize) {
 	const oauthRequest = await oAuthState.get();
 	const _query = oauthRequest?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
@@ -46,15 +47,11 @@ async function consentEndpoint(ctx, opts) {
 	};
 	const session = await getSessionFromCtx(ctx);
 	const hasLoginPrompt = parsePrompt(query.get("prompt") ?? "").has("login");
-	const hasSatisfiedLoginPrompt = hasLoginPrompt && sessionSatisfiesLoginPrompt(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
+	const hasSatisfiedLoginPrompt = hasLoginPrompt && isSessionFreshForSignedQuery(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
 	if (hasLoginPrompt && !hasSatisfiedLoginPrompt) {
 		ctx?.headers?.set("accept", "application/json");
 		ctx.query = searchParamsToQuery(query);
-		const { url } = await authorizeEndpoint(ctx, opts);
-		return {
-			redirect: true,
-			url
-		};
+		return await authorize(ctx);
 	}
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session?.user,
@@ -110,32 +107,25 @@ async function consentEndpoint(ctx, opts) {
 	if (requestedScopes) query.set("scope", consent.scopes.join(" "));
 	ctx?.headers?.set("accept", "application/json");
 	let authorizationQuery = removePromptFromQuery(query, "consent");
-	if (hasSatisfiedLoginPrompt) authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+	if (hasSatisfiedLoginPrompt) {
+		authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+		authorizationQuery = removeMaxAgeFromQuery(authorizationQuery);
+	}
 	ctx.query = searchParamsToQuery(authorizationQuery);
-	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
-	return {
-		redirect: true,
-		url
-	};
-}
-function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
-	if (!signedQueryIssuedAt) return false;
-	const normalized = normalizeTimestampValue(sessionCreatedAt);
-	if (!normalized) return false;
-	return normalized.getTime() >= signedQueryIssuedAt.getTime();
+	return await authorize(ctx, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
 }
 //#endregion
 //#region src/continue.ts
-async function continueEndpoint(ctx, opts) {
-	if (ctx.body.selected === true) return await selected(ctx, opts);
-	else if (ctx.body.created === true) return await created(ctx, opts);
-	else if (ctx.body.postLogin === true) return await postLogin(ctx, opts);
+async function continueEndpoint(ctx, authorize) {
+	if (ctx.body.selected === true) return await selected(ctx, authorize);
+	else if (ctx.body.created === true) return await created(ctx, authorize);
+	else if (ctx.body.postLogin === true) return await postLogin(ctx, authorize);
 	else throw new APIError("BAD_REQUEST", {
 		error_description: "Missing parameters",
 		error: "invalid_request"
 	});
 }
-async function selected(ctx, opts) {
+async function selected(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -143,13 +133,9 @@ async function selected(ctx, opts) {
 	});
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(removePromptFromQuery(new URLSearchParams(_query), "select_account"));
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx);
 }
-async function created(ctx, opts) {
+async function created(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -158,14 +144,11 @@ async function created(ctx, opts) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(removePromptFromQuery(query, "create"));
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx);
 }
-async function postLogin(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
+async function postLogin(ctx, authorize) {
+	const state = await oAuthState.get();
+	const _query = state?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
 		error: "invalid_request"
@@ -173,981 +156,178 @@ async function postLogin(ctx, opts) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(query);
-	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: true });
-	return {
-		redirect: true,
-		url
-	};
+	const session = await getSessionFromCtx(ctx);
+	return await authorize(ctx, { postLogin: state?.postLoginClearedForSession !== void 0 && state.postLoginClearedForSession === session?.session.id });
 }
 //#endregion
-//#region src/types/zod.ts
-/**
-* Runtime schema for OAuthAuthorizationQuery.
-* Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
-*/
-const oauthAuthorizationQuerySchema = z.object({
-	response_type: z.literal("code").optional(),
-	request_uri: z.string().optional(),
-	redirect_uri: z.string(),
-	scope: z.string().optional(),
-	state: z.string().optional(),
-	client_id: z.string(),
-	prompt: z.string().optional(),
-	display: z.string().optional(),
-	ui_locales: z.string().optional(),
-	max_age: z.coerce.number().optional(),
-	acr_values: z.string().optional(),
-	login_hint: z.string().optional(),
-	id_token_hint: z.string().optional(),
-	code_challenge: z.string().optional(),
-	code_challenge_method: z.literal("S256").optional(),
-	nonce: z.string().optional(),
-	resource: z.union([z.string(), z.array(z.string())]).optional()
-}).passthrough();
-/**
-* Runtime schema for the authorization code verification value.
-* Validates structure on deserialization from the JSON blob stored in the DB.
-* Uses passthrough so future fields (e.g. from authorization challenge) don't break parsing.
-*/
-const verificationValueSchema = z.object({
-	type: z.literal("authorization_code"),
-	query: oauthAuthorizationQuerySchema,
-	sessionId: z.string(),
-	userId: z.string(),
-	referenceId: z.string().optional(),
-	authTime: z.number().optional(),
-	resource: z.array(z.string()).optional()
-}).passthrough();
-const DANGEROUS_SCHEMES = [
-	"javascript:",
-	"data:",
-	"vbscript:"
-];
-/**
-* Validates an RFC 8707 resource indicator. The value must be an absolute URI
-* with no fragment (RFC 8707 §2). Unlike a redirect URI it is not restricted to
-* HTTPS, because a resource server identifier may use any absolute URI scheme;
-* the configured `validAudiences` allowlist is the authoritative control over
-* which resources a token may target.
-*/
-const ResourceUriSchema = z.string().superRefine((val, ctx) => {
-	if (!URL.canParse(val)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "resource must be an absolute URI",
-			fatal: true
-		});
-		return z.NEVER;
-	}
-	if (val.includes("#")) {
-		ctx.addIssue({
-			code: "custom",
-			message: "resource must not contain a fragment"
-		});
-		return;
-	}
-	if (DANGEROUS_SCHEMES.includes(new URL(val).protocol)) ctx.addIssue({
-		code: "custom",
-		message: "resource cannot use javascript:, data:, or vbscript: scheme"
-	});
-});
-//#endregion
-//#region src/userinfo.ts
+//#region src/logout.ts
+const BACKCHANNEL_LOGOUT_EVENT_URI = "http://schemas.openid.net/event/backchannel-logout";
+const LOGOUT_TOKEN_JWT_TYP = "logout+jwt";
+const LOGOUT_TOKEN_LIFETIME_SECONDS = 120;
+const BACKCHANNEL_DISPATCH_TIMEOUT_MS = 5e3;
 /**
-* Provides shared /userinfo and id_token claims functionality
+* Signs a Back-Channel Logout Token per OIDC Back-Channel Logout 1.0 §2.4.
 *
-* @see https://openid.net/specs/openid-connect-core-1_0.html#NormalClaims
-*/
-function userNormalClaims(user, scopes) {
-	const name = user.name.split(" ").filter((v) => v !== "");
-	const profile = {
-		name: user.name ?? void 0,
-		picture: user.image ?? void 0,
-		given_name: name.length > 1 ? name.slice(0, -1).join(" ") : void 0,
-		family_name: name.length > 1 ? name.at(-1) : void 0
-	};
-	const email = {
-		email: user.email ?? void 0,
-		email_verified: user.emailVerified ?? false
-	};
-	return {
-		sub: user.id ?? void 0,
-		...scopes.includes("profile") ? profile : {},
-		...scopes.includes("email") ? email : {}
-	};
-}
-/**
-* Handles the /oauth2/userinfo endpoint
-*/
-async function userInfoEndpoint(ctx, opts) {
-	const authorization = ctx.headers?.get("authorization");
-	const token = typeof authorization === "string" && authorization?.startsWith("Bearer ") ? authorization?.replace("Bearer ", "") : authorization;
-	if (!token?.length) throw new APIError("UNAUTHORIZED", {
-		error_description: "authorization header not found",
-		error: "invalid_request"
-	});
-	const jwt = await validateAccessToken(ctx, opts, token);
-	const scopes = jwt.scope?.split(" ");
-	if (!scopes?.includes("openid")) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing required scope",
-		error: "invalid_scope"
-	});
-	if (!jwt.sub) throw new APIError("BAD_REQUEST", {
-		error_description: "user not found",
-		error: "invalid_request"
-	});
-	const user = await ctx.context.internalAdapter.findUserById(jwt.sub);
-	if (!user) throw new APIError("BAD_REQUEST", {
-		error_description: "user not found",
-		error: "invalid_request"
-	});
-	const baseUserClaims = userNormalClaims(user, scopes ?? []);
-	if (opts.pairwiseSecret) {
-		const clientId = jwt.client_id ?? jwt.azp;
-		if (clientId) {
-			const client = await getClient(ctx, opts, clientId);
-			if (client) baseUserClaims.sub = await resolveSubjectIdentifier(user.id, client, opts);
-		}
-	}
-	const additionalInfoUserClaims = opts.customUserInfoClaims && scopes?.length ? await opts.customUserInfoClaims({
-		user,
-		scopes,
-		jwt
-	}) : {};
-	return {
-		...baseUserClaims,
-		...additionalInfoUserClaims
-	};
-}
-//#endregion
-//#region src/token.ts
-/**
-* Handles the /oauth2/token endpoint by delegating
-* the grant types
+* The token reuses the ID Token signing key so any RP that validates ID Tokens
+* from this OP can validate Logout Tokens without extra configuration. The
+* caller resolves that key once and passes it in so a fan-out to many RPs does
+* not re-read it per target.
+*
+* §2.4 mandates `iss`, `aud`, `iat`, `exp`, `jti`, `events`, and at least one
+* of `sub` / `sid` (we send both). A `nonce` claim MUST NOT be present, and
+* `alg: none` is forbidden (§2.6).
 */
-async function tokenEndpoint(ctx, opts) {
-	const grantType = ctx.body.grant_type;
-	if (opts.grantTypes && !opts.grantTypes.includes(grantType)) throw new APIError("BAD_REQUEST", {
-		error_description: `unsupported grant_type ${grantType}`,
-		error: "unsupported_grant_type"
-	});
-	switch (grantType) {
-		case "authorization_code": return handleAuthorizationCodeGrant(ctx, opts);
-		case "client_credentials": return handleClientCredentialsGrant(ctx, opts);
-		case "refresh_token": return handleRefreshTokenGrant(ctx, opts);
-	}
-}
-async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, resources, referenceId, overrides) {
-	const iat = overrides?.iat ?? Math.floor(Date.now() / 1e3);
-	const exp = overrides?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
-	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
-		user,
-		scopes,
-		resources,
-		referenceId,
-		metadata: parseClientMetadata(client.metadata)
-	}) : {};
-	const jwtPluginOptions = getJwtPlugin(ctx.context).options;
+async function signLogoutToken(ctx, options, resolvedKey, claims) {
 	return signJWT(ctx, {
-		options: jwtPluginOptions,
+		options,
 		payload: {
-			...customClaims,
-			sub: user?.id,
-			aud: toAudienceClaim(audience),
-			azp: client.clientId,
-			scope: scopes.join(" "),
-			sid: overrides?.sid,
-			iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
-			iat,
-			exp
-		}
-	});
-}
-/**
-* Computes an OIDC hash (at_hash, c_hash) per OIDC Core §3.1.3.6.
-* Hashes the token, takes the left half, and base64url-encodes it.
-*/
-async function computeOidcHash(token, signingAlg) {
-	let hashAlg;
-	if (signingAlg === "EdDSA") hashAlg = "SHA-512";
-	else if (signingAlg.endsWith("384")) hashAlg = "SHA-384";
-	else if (signingAlg.endsWith("512")) hashAlg = "SHA-512";
-	else hashAlg = "SHA-256";
-	const digest = new Uint8Array(await crypto.subtle.digest(hashAlg, new TextEncoder().encode(token)));
-	return base64url.encode(digest.slice(0, digest.length / 2));
-}
-/**
-* Creates a user id token in code_authorization with scope of 'openid'
-* and hybrid/implicit (not yet implemented) flows
-*/
-async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) {
-	const iat = Math.floor(Date.now() / 1e3);
-	const exp = iat + (opts.idTokenExpiresIn ?? 36e3);
-	const userClaims = userNormalClaims(user, scopes);
-	const resolvedSub = await resolveSubjectIdentifier(user.id, client, opts);
-	const authTimeSec = authTime != null ? Math.floor(authTime.getTime() / 1e3) : void 0;
-	const acr = "urn:mace:incommon:iap:bronze";
-	const customClaims = opts.customIdTokenClaims ? await opts.customIdTokenClaims({
-		user,
-		scopes,
-		metadata: parseClientMetadata(client.metadata)
-	}) : {};
-	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
-	const resolvedKey = !opts.disableJwtPlugin && !jwtPluginOptions?.jwt?.sign ? await resolveSigningKey(ctx, jwtPluginOptions) : void 0;
-	const signingAlg = opts.disableJwtPlugin ? "HS256" : resolvedKey?.alg ?? jwtPluginOptions?.jwks?.keyPairConfig?.alg;
-	const atHash = accessToken ? await computeOidcHash(accessToken, signingAlg) : void 0;
-	const payload = {
-		...userClaims,
-		auth_time: authTimeSec,
-		acr,
-		...customClaims,
-		at_hash: atHash,
-		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
-		sub: resolvedSub,
-		aud: client.clientId,
-		nonce,
-		iat,
-		exp,
-		sid: client.enableEndSession ? sessionId : void 0
-	};
-	if (opts.disableJwtPlugin && !client.clientSecret) return;
-	const idToken = opts.disableJwtPlugin ? await new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : await signJWT(ctx, {
-		options: jwtPluginOptions,
-		payload,
+			...claims,
+			events: { [BACKCHANNEL_LOGOUT_EVENT_URI]: {} }
+		},
+		header: { typ: LOGOUT_TOKEN_JWT_TYP },
 		resolvedKey: resolvedKey ?? void 0
 	});
-	if (idToken && atHash && jwtPluginOptions?.jwt?.sign) {
-		const header = decodeProtectedHeader(idToken);
-		if (header.alg !== signingAlg) throw new APIError("INTERNAL_SERVER_ERROR", {
-			error_description: `ID token signed with "${header.alg}" but at_hash was computed for "${signingAlg}". Ensure jwt.sign uses the algorithm declared in keyPairConfig.alg.`,
-			error: "server_error"
-		});
-	}
-	return idToken;
 }
 /**
-* Encodes a refresh token for a client
-*/
-async function encodeRefreshToken(opts, token, sessionId) {
-	return (opts.prefix?.refreshToken ?? "") + (opts.formatRefreshToken?.encrypt ? opts.formatRefreshToken.encrypt(token, sessionId) : token);
-}
-/**
-* Decodes a refresh token for a client
+* Synchronous phase: enumerate tokens for the session being terminated, revoke
+* them, and return a plan for the asynchronous delivery phase. Runs inline in
+* the `session.delete.before` hook so the DB state is consistent before the
+* session row disappears.
 *
-* @internal
-*/
-async function decodeRefreshToken(opts, token) {
-	if (opts.prefix?.refreshToken) if (token.startsWith(opts.prefix.refreshToken)) token = token.replace(opts.prefix.refreshToken, "");
-	else throw new APIError("BAD_REQUEST", {
-		error_description: "refresh token not found",
-		error: "invalid_token"
-	});
-	return opts.formatRefreshToken?.decrypt ? opts.formatRefreshToken?.decrypt(token) : { token };
-}
-async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload, resources, referenceId, refreshId) {
-	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
-	const exp = payload?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
-	const token = opts.generateOpaqueAccessToken ? await opts.generateOpaqueAccessToken() : generateRandomString(32, "A-Z", "a-z");
-	await ctx.context.adapter.create({
-		model: "oauthAccessToken",
-		data: {
-			token: await storeToken(opts.storeTokens, token, "access_token"),
-			clientId: client.clientId,
-			sessionId: payload?.sid,
-			userId: user?.id,
-			referenceId,
-			resources,
-			refreshId,
-			scopes,
-			createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-			expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
-		}
-	});
-	return (opts.prefix?.opaqueAccessToken ?? "") + token;
-}
-/**
-* Tear down the entire refresh-token family for a (client, user) pair, plus
-* any access tokens that reference those refresh rows, per RFC 9700 §4.14.
-* Access tokens are deleted first so the parent rows' foreign-key children
-* do not block the refresh-row delete.
+* Revocation is the stored backstop, not the primary enforcement: introspection
+* and `/userinfo` already treat a token whose session has ended as inactive
+* (see `validateOpaqueAccessToken` / `validateJwtAccessToken`), so a missed
+* `revoked` write cannot keep a session-bound token alive on its own. Access
+* tokens bound to the session are revoked as OP hardening. Refresh tokens
+* follow OIDC Back-Channel Logout 1.0 §2.7: those without `offline_access` are
+* revoked; `offline_access` refresh tokens survive so long-lived API access can
+* outlive the browser session.
 *
-* TODO(invalidate-family-race): the two `deleteMany` calls are not atomic
-* with respect to each other. Between them, a concurrent rotation in a
-* different worker can `create` a fresh refresh row (and, immediately after,
-* an access-token row referencing it) for the same (client, user) pair,
-* leaving the family partially rebuilt and the new refresh row orphaned of
-* any deletion. Closing this window requires the same transactional adapter
-* contract tracked under FIXME(strict-family-invalidation) in
-* `createRefreshToken`.
+* Revocation runs regardless of the JWT plugin (refresh-token revocation has no
+* dependency on signing). Only the Logout Token delivery plan needs the JWT
+* plugin, so when it is disabled we still revoke but never build a plan.
 *
-* @internal
+* Returns `null` when there is nothing to do, so the caller can skip the
+* background handoff entirely.
 */
-async function invalidateRefreshFamily(ctx, clientId, userId) {
-	const refreshTokens = await ctx.context.adapter.findMany({
-		model: "oauthRefreshToken",
-		where: [{
-			field: "clientId",
-			value: clientId
-		}, {
-			field: "userId",
-			value: userId
-		}]
-	});
-	if (refreshTokens.length) await ctx.context.adapter.deleteMany({
-		model: "oauthAccessToken",
-		where: [{
-			field: "refreshId",
-			operator: "in",
-			value: refreshTokens.map((r) => r.id)
-		}]
-	});
-	await ctx.context.adapter.deleteMany({
-		model: "oauthRefreshToken",
-		where: [{
-			field: "clientId",
-			value: clientId
-		}, {
-			field: "userId",
-			value: userId
-		}]
-	});
-}
-async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime, resources) {
-	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
-	const exp = payload?.exp ?? iat + (opts.refreshTokenExpiresIn ?? 2592e3);
-	const token = opts.generateRefreshToken ? await opts.generateRefreshToken() : generateRandomString(32, "A-Z", "a-z");
-	const sessionId = payload?.sid;
-	const newRow = {
-		token: await storeToken(opts.storeTokens, token, "refresh_token"),
-		clientId: client.clientId,
-		sessionId,
-		userId: user.id,
-		referenceId,
-		authTime,
-		scopes,
-		resources,
-		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-		expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
-	};
-	if (!originalRefresh?.id) return {
-		id: (await ctx.context.adapter.create({
-			model: "oauthRefreshToken",
-			data: newRow
-		})).id,
-		token: await encodeRefreshToken(opts, token, sessionId)
-	};
-	if (!await ctx.context.adapter.update({
-		model: "oauthRefreshToken",
-		where: [{
-			field: "id",
-			value: originalRefresh.id
-		}, {
-			field: "revoked",
-			operator: "eq",
-			value: null
-		}],
-		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
-	})) throw new APIError("BAD_REQUEST", {
-		error_description: "invalid refresh token",
-		error: "invalid_grant"
-	});
-	return {
-		id: (await ctx.context.adapter.create({
-			model: "oauthRefreshToken",
-			data: newRow
-		})).id,
-		token: await encodeRefreshToken(opts, token, sessionId)
-	};
-}
-async function createUserTokens(ctx, opts, params) {
-	const { client, scopes, user, grantType, referenceId, sessionId, nonce, refreshToken: existingRefreshToken, authTime, verificationValue } = params;
-	const iat = Math.floor(Date.now() / 1e3);
-	const defaultExp = iat + (user ? opts.accessTokenExpiresIn ?? 3600 : opts.m2mAccessTokenExpiresIn ?? 3600);
-	const exp = opts.scopeExpirations ? scopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
-		return prev < curr ? prev : curr;
-	}, defaultExp) : defaultExp;
-	const resourceResult = await checkResource(ctx, opts, params?.resources, scopes);
-	if (!resourceResult.success) throw new APIError("BAD_REQUEST", {
-		error_description: "requested resource invalid",
-		error: "invalid_target"
-	});
-	const audience = resourceResult.audience;
-	const isRefreshToken = user && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
-	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
-	const isIdToken = user && scopes.includes("openid");
-	const customFields = opts.customTokenResponseFields ? await opts.customTokenResponseFields({
-		grantType,
-		user,
-		scopes,
-		metadata: parseClientMetadata(client.metadata),
-		verificationValue
-	}) : void 0;
-	const refreshResources = params?.refreshToken?.resources ?? params?.originalResources ?? params?.resources;
-	const earlyRefreshToken = isRefreshToken && user && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
-		iat,
-		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
-		sid: sessionId
-	}, existingRefreshToken, authTime, refreshResources) : void 0;
-	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, params?.resources, referenceId, {
-		iat,
-		exp,
-		sid: sessionId
-	}) : createOpaqueAccessToken(ctx, opts, user, client, scopes, {
-		iat,
-		exp,
-		sid: sessionId
-	}, params?.resources, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
-		iat,
-		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
-		sid: sessionId
-	}, existingRefreshToken, authTime, refreshResources) : void 0]);
-	const idToken = isIdToken ? await createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) : void 0;
-	return ctx.json({
-		...customFields,
-		access_token: accessToken,
-		expires_in: exp - iat,
-		expires_at: exp,
-		token_type: "Bearer",
-		refresh_token: refreshToken?.token,
-		scope: scopes.join(" "),
-		id_token: idToken
-	}, { headers: {
-		"Cache-Control": "no-store",
-		Pragma: "no-cache"
-	} });
-}
-/** Checks verification value */
-async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri, resource) {
-	const verification = await ctx.context.internalAdapter.consumeVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
-	if (!verification) throw new APIError("UNAUTHORIZED", {
-		error_description: "invalid code",
-		error: "invalid_grant"
-	});
-	let rawValue;
+async function revokeAndPlanBackchannelLogout(ctx, opts, input) {
+	const { sessionId, userId } = input;
+	if (!userId) return null;
+	const logger = ctx.context.logger;
 	try {
-		rawValue = JSON.parse(verification.value);
-	} catch {
-		throw new APIError("UNAUTHORIZED", {
-			error_description: "malformed verification value",
-			error: "invalid_grant"
-		});
-	}
-	const parsed = verificationValueSchema.safeParse(rawValue);
-	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
-		error_description: "malformed verification value",
-		error: "invalid_grant"
-	});
-	const verificationValue = parsed.data;
-	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
-		error_description: "invalid client_id",
-		error: "invalid_client"
-	});
-	if (verificationValue.query?.redirect_uri && verificationValue.query?.redirect_uri !== redirect_uri) throw new APIError("BAD_REQUEST", {
-		error_description: "redirect_uri mismatch",
-		error: "invalid_request"
-	});
-	const storedResources = toResourceList(verificationValue.resource) ?? toResourceList(verificationValue.query.resource);
-	const effectiveResources = resource ?? storedResources;
-	if (resource && storedResources) {
-		const requestedSet = new Set(resource);
-		const authorizedSet = new Set(storedResources);
-		for (const r of requestedSet) if (!authorizedSet.has(r)) throw new APIError("BAD_REQUEST", {
-			error_description: "requested resource not authorized",
-			error: "invalid_target"
-		});
-	}
-	return {
-		verificationValue,
-		effectiveResources,
-		authorizedResources: storedResources
-	};
-}
-/**
-* Obtains new Session Jwt and Refresh Tokens using a code
-*/
-async function handleAuthorizationCodeGrant(ctx, opts) {
-	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { code, code_verifier, redirect_uri, resource } = ctx.body;
-	const resources = toResourceList(resource);
-	if (!client_id) throw new APIError("BAD_REQUEST", {
-		error_description: "client_id is required",
-		error: "invalid_request"
-	});
-	if (!code) throw new APIError("BAD_REQUEST", {
-		error_description: "code is required",
-		error: "invalid_request"
-	});
-	if (!redirect_uri) throw new APIError("BAD_REQUEST", {
-		error_description: "redirect_uri is required",
-		error: "invalid_request"
-	});
-	const isAuthCodeWithSecret = client_id && client_secret;
-	const isAuthCodeWithPkce = client_id && code && code_verifier;
-	if (!isAuthCodeWithSecret && !isAuthCodeWithPkce && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
-		error_description: "Either code_verifier or client_secret is required",
-		error: "invalid_request"
-	});
-	/** Get and check Verification Value */
-	const { verificationValue, effectiveResources, authorizedResources } = await checkVerificationValue(ctx, opts, code, client_id, redirect_uri, resources);
-	const scopes = verificationValue.query.scope?.split(" ");
-	if (!scopes) throw new APIError("INTERNAL_SERVER_ERROR", {
-		error_description: "verification scope unset",
-		error: "invalid_scope"
-	});
-	/** Verify Client */
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes, preVerifiedClient);
-	if (isPKCERequired(client, (verificationValue.query?.scope)?.split(" ") || [])) {
-		if (!isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
-			error_description: "PKCE is required for this client",
-			error: "invalid_request"
-		});
-	} else if (!(isAuthCodeWithPkce || isAuthCodeWithSecret || preVerifiedClient)) throw new APIError("BAD_REQUEST", {
-		error_description: "Either PKCE (code_verifier) or client authentication (client_secret or client_assertion) is required",
-		error: "invalid_request"
-	});
-	/** Check PKCE challenge if verifier is provided */
-	const pkceUsedInAuth = !!verificationValue.query?.code_challenge;
-	const pkceUsedInToken = !!code_verifier;
-	if (pkceUsedInAuth || pkceUsedInToken) {
-		if (pkceUsedInAuth && !pkceUsedInToken) throw new APIError("UNAUTHORIZED", {
-			error_description: "code_verifier required because PKCE was used in authorization",
-			error: "invalid_request"
-		});
-		if (!pkceUsedInAuth && pkceUsedInToken) throw new APIError("UNAUTHORIZED", {
-			error_description: "code_verifier provided but PKCE was not used in authorization",
-			error: "invalid_request"
-		});
-		if ((verificationValue.query?.code_challenge_method === "S256" ? await generateCodeChallenge(code_verifier) : void 0) !== verificationValue.query?.code_challenge) throw new APIError("UNAUTHORIZED", {
-			error_description: "code verification failed",
-			error: "invalid_request"
-		});
-	}
-	/** Get user */
-	if (!verificationValue.userId) throw new APIError("BAD_REQUEST", {
-		error_description: "missing user, user may have been deleted",
-		error: "invalid_user"
-	});
-	const user = await ctx.context.internalAdapter.findUserById(verificationValue.userId);
-	if (!user) throw new APIError("BAD_REQUEST", {
-		error_description: "missing user, user may have been deleted",
-		error: "invalid_user"
-	});
-	const session = await ctx.context.adapter.findOne({
-		model: "session",
-		where: [{
-			field: "id",
-			value: verificationValue.sessionId
-		}]
-	});
-	if (!session || session.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("BAD_REQUEST", {
-		error_description: "session no longer exists",
-		error: "invalid_request"
-	});
-	const authTime = verificationValue.authTime != null ? normalizeTimestampValue(verificationValue.authTime) : resolveSessionAuthTime(session);
-	return createUserTokens(ctx, opts, {
-		client,
-		scopes: verificationValue.query.scope?.split(" ") ?? [],
-		user,
-		grantType: "authorization_code",
-		referenceId: verificationValue.referenceId,
-		sessionId: session.id,
-		nonce: verificationValue.query?.nonce,
-		authTime,
-		verificationValue,
-		resources: effectiveResources,
-		originalResources: authorizedResources
-	});
-}
-/**
-* Grant that allows direct access to an API using the application's credentials
-* This grant is for M2M so the concept of a user id does not exist on the token.
-*
-* MUST follow https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
-*/
-async function handleClientCredentialsGrant(ctx, opts) {
-	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { scope, resource } = ctx.body;
-	const resources = toResourceList(resource);
-	if (!client_id) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing required client_id",
-		error: "invalid_grant"
-	});
-	if (!client_secret && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing a required client_secret",
-		error: "invalid_grant"
-	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
-	let requestedScopes = scope?.split(" ");
-	if (requestedScopes) {
-		const validScopes = new Set(client.scopes ?? opts.scopes);
-		const oidcScopes = new Set([
-			"openid",
-			"profile",
-			"email",
-			"offline_access"
-		]);
-		const invalidScopes = requestedScopes.filter((scope) => {
-			return !validScopes?.has(scope) || oidcScopes.has(scope);
-		});
-		if (invalidScopes.length) throw new APIError("BAD_REQUEST", {
-			error_description: `The following scopes are invalid: ${invalidScopes.join(", ")}`,
-			error: "invalid_scope"
-		});
-	}
-	if (!requestedScopes) requestedScopes = client.scopes ?? opts.clientCredentialGrantDefaultScopes ?? opts.scopes ?? [];
-	return createUserTokens(ctx, opts, {
-		client,
-		scopes: requestedScopes,
-		grantType: "client_credentials",
-		resources
-	});
-}
-/**
-* Obtains new Session Jwt and Refresh Tokens using a refresh token
-*
-* Refresh tokens will only allow the same or lesser scopes as the initial authorize request.
-* To add scopes, you must restart the authorize process again.
-*/
-async function handleRefreshTokenGrant(ctx, opts) {
-	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { refresh_token, scope, resource } = ctx.body;
-	const resources = toResourceList(resource);
-	if (!client_id) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing required client_id",
-		error: "invalid_grant"
-	});
-	if (!refresh_token) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing a required refresh_token for refresh_token grant",
-		error: "invalid_grant"
-	});
-	const decodedRefresh = await decodeRefreshToken(opts, refresh_token);
-	const refreshToken = await ctx.context.adapter.findOne({
-		model: "oauthRefreshToken",
-		where: [{
-			field: "token",
-			value: await getStoredToken(opts.storeTokens, decodedRefresh.token, "refresh_token")
-		}]
-	});
-	if (!refreshToken) throw new APIError("BAD_REQUEST", {
-		error_description: "session not found",
-		error: "invalid_grant"
-	});
-	if (refreshToken.clientId !== client_id) throw new APIError("BAD_REQUEST", {
-		error_description: "invalid client_id",
-		error: "invalid_client"
-	});
-	if (refreshToken.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("BAD_REQUEST", {
-		error_description: "invalid refresh token",
-		error: "invalid_grant"
-	});
-	if (refreshToken.revoked) {
-		await invalidateRefreshFamily(ctx, client_id, refreshToken.userId);
-		throw new APIError("BAD_REQUEST", {
-			error_description: "invalid refresh token",
-			error: "invalid_grant"
-		});
-	}
-	if (resources && refreshToken.resources && !resources.every((v) => refreshToken.resources?.includes(v))) throw new APIError("BAD_REQUEST", {
-		error_description: "requested resource invalid",
-		error: "invalid_target"
-	});
-	const scopes = refreshToken?.scopes;
-	const requestedScopes = scope?.split(" ");
-	if (requestedScopes) {
-		const validScopes = new Set(scopes);
-		for (const requestedScope of requestedScopes) if (!validScopes.has(requestedScope)) throw new APIError("BAD_REQUEST", {
-			error_description: `unable to issue scope ${requestedScope}`,
-			error: "invalid_scope"
-		});
-	}
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes, preVerifiedClient);
-	const user = await ctx.context.internalAdapter.findUserById(refreshToken.userId);
-	if (!user) throw new APIError("BAD_REQUEST", {
-		error_description: "user not found",
-		error: "invalid_request"
-	});
-	const authTime = refreshToken.authTime != null ? normalizeTimestampValue(refreshToken.authTime) : void 0;
-	return createUserTokens(ctx, opts, {
-		client,
-		scopes: requestedScopes ?? scopes,
-		user,
-		grantType: "refresh_token",
-		referenceId: refreshToken.referenceId,
-		sessionId: refreshToken.sessionId,
-		refreshToken,
-		resources: resources ?? refreshToken.resources,
-		authTime
-	});
-}
-//#endregion
-//#region src/introspect.ts
-/**
-* IMPORTANT NOTES:
-* Introspection follows RFC7662
-* https://datatracker.ietf.org/doc/html/rfc7662
-* - APIError: Continue catches (returnable to client)
-* - Error: Should immediately stop catches (internal error)
-*/
-/**
-* Validates a JWT access token against the configured JWKs.
-*
-* @returns RFC7662 introspection format
-*/
-async function validateJwtAccessToken(ctx, opts, token, clientId) {
-	const jwtPlugin = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context);
-	const jwtPluginOptions = jwtPlugin?.options;
-	let jwtPayload;
-	try {
-		jwtPayload = await verifyJwsAccessToken(token, {
-			jwksFetch: jwtPluginOptions?.jwks?.remoteUrl ? jwtPluginOptions.jwks.remoteUrl : async () => {
-				return (await jwtPlugin?.endpoints.getJwks(ctx))?.response;
-			},
-			verifyOptions: {
-				audience: opts.validAudiences ?? ctx.context.baseURL,
-				issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL
-			}
-		});
-	} catch (error) {
-		if (error instanceof Error) {
-			if (error.name === "TypeError" || error.name === "JWSInvalid") throw new APIError$1("BAD_REQUEST", {
-				error_description: "invalid JWT signature",
-				error: "invalid_request"
-			});
-			else if (error.name === "JWTExpired") return { active: false };
-			else if (error.name === "JWTInvalid") return { active: false };
-			throw error;
-		}
-		throw new Error(error);
-	}
-	let client;
-	if (jwtPayload.azp) {
-		client = await getClient(ctx, opts, jwtPayload.azp);
-		if (!client || client?.disabled) return { active: false };
-		if (clientId && jwtPayload.azp !== clientId) return { active: false };
-	}
-	const sessionId = jwtPayload.sid;
-	if (sessionId) {
-		const session = await ctx.context.adapter.findOne({
-			model: "session",
+		const where = [{
+			field: "sessionId",
+			value: sessionId
+		}];
+		const [accessTokens, refreshTokens] = await Promise.all([ctx.context.adapter.findMany({
+			model: "oauthAccessToken",
+			where
+		}), ctx.context.adapter.findMany({
+			model: "oauthRefreshToken",
+			where
+		})]);
+		const affectedClientIds = /* @__PURE__ */ new Set();
+		for (const t of accessTokens) affectedClientIds.add(t.clientId);
+		for (const t of refreshTokens) affectedClientIds.add(t.clientId);
+		if (affectedClientIds.size === 0) return null;
+		const clients = await ctx.context.adapter.findMany({
+			model: "oauthClient",
 			where: [{
-				field: "id",
-				value: sessionId
+				field: "clientId",
+				operator: "in",
+				value: Array.from(affectedClientIds)
 			}]
 		});
-		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) jwtPayload.sid = void 0;
-	}
-	if (jwtPayload.azp) jwtPayload.client_id = jwtPayload.azp;
-	jwtPayload.active = true;
-	return jwtPayload;
-}
-/**
-* Searches for an opaque access token in the database and validates it
-*
-* @returns RFC7662 introspection format
-*/
-async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
-	let tokenValue = token;
-	if (opts.prefix?.opaqueAccessToken) if (tokenValue.startsWith(opts.prefix.opaqueAccessToken)) tokenValue = tokenValue.replace(opts.prefix.opaqueAccessToken, "");
-	else throw new APIError$1("BAD_REQUEST", {
-		error_description: "opaque access token not found",
-		error: "invalid_request"
-	});
-	const accessToken = await ctx.context.adapter.findOne({
-		model: "oauthAccessToken",
-		where: [{
-			field: "token",
-			value: await getStoredToken(opts.storeTokens, tokenValue, "access_token")
-		}]
-	});
-	if (!accessToken) throw new APIError$1("BAD_REQUEST", {
-		error_description: "opaque access token not found",
-		error: "invalid_token"
-	});
-	if (!accessToken.expiresAt || accessToken.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
-	let client;
-	if (accessToken.clientId) {
-		client = await getClient(ctx, opts, accessToken.clientId);
-		if (!client || client?.disabled) return { active: false };
-		if (clientId && accessToken.clientId !== clientId) return { active: false };
-	}
-	let sessionId = accessToken.sessionId ?? void 0;
-	if (sessionId) {
-		const session = await ctx.context.adapter.findOne({
-			model: "session",
+		const revokedAt = /* @__PURE__ */ new Date();
+		const accessToRevokeIds = accessTokens.filter((t) => !t.revoked).map((t) => t.id);
+		const refreshToRevokeIds = refreshTokens.filter((t) => !t.revoked && !t.scopes?.includes("offline_access")).map((t) => t.id);
+		const revocations = await Promise.allSettled([accessToRevokeIds.length > 0 ? ctx.context.adapter.updateMany({
+			model: "oauthAccessToken",
 			where: [{
 				field: "id",
-				value: sessionId
-			}]
-		});
-		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
-	}
-	let user;
-	if (accessToken.userId) user = await ctx.context.internalAdapter.findUserById(accessToken?.userId);
-	const resources = Array.isArray(accessToken.resources) ? accessToken.resources : void 0;
-	const audience = resources ? [...resources] : void 0;
-	if (audience?.length && accessToken.scopes?.includes("openid")) {
-		const userInfoEndpoint = `${ctx.context.baseURL}/oauth2/userinfo`;
-		if (!audience.includes(userInfoEndpoint)) audience.push(userInfoEndpoint);
-	}
-	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
-		user,
-		scopes: accessToken.scopes,
-		referenceId: accessToken?.referenceId,
-		resources,
-		metadata: parseClientMetadata(client?.metadata)
-	}) : {};
-	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
-	return {
-		...customClaims,
-		active: true,
-		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
-		aud: toAudienceClaim(audience),
-		client_id: accessToken.clientId,
-		sub: user?.id,
-		sid: sessionId,
-		exp: Math.floor(new Date(accessToken.expiresAt).getTime() / 1e3),
-		iat: Math.floor(new Date(accessToken.createdAt).getTime() / 1e3),
-		scope: accessToken.scopes?.join(" ")
-	};
-}
-/**
-* Validates a refresh token in the session store.
-*
-* @returns payload in RFC7662 introspection format
-*/
-async function validateRefreshToken(ctx, opts, token, clientId) {
-	const refreshToken = await ctx.context.adapter.findOne({
-		model: "oauthRefreshToken",
-		where: [{
-			field: "token",
-			value: await getStoredToken(opts.storeTokens, token, "refresh_token")
-		}]
-	});
-	if (!refreshToken) throw new APIError$1("BAD_REQUEST", {
-		error_description: "token not found",
-		error: "invalid_token"
-	});
-	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return { active: false };
-	if (!refreshToken.expiresAt || refreshToken.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
-	if (refreshToken.revoked) return { active: false };
-	let sessionId = refreshToken.sessionId ?? void 0;
-	if (sessionId) {
-		const session = await ctx.context.adapter.findOne({
-			model: "session",
+				operator: "in",
+				value: accessToRevokeIds
+			}],
+			update: { revoked: revokedAt }
+		}) : Promise.resolve(), refreshToRevokeIds.length > 0 ? ctx.context.adapter.updateMany({
+			model: "oauthRefreshToken",
 			where: [{
 				field: "id",
-				value: sessionId
-			}]
-		});
-		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
+				operator: "in",
+				value: refreshToRevokeIds
+			}],
+			update: { revoked: revokedAt }
+		}) : Promise.resolve()]);
+		for (const result of revocations) if (result.status === "rejected") logger.error("back-channel logout: token revocation update failed", result.reason);
+		const eligibleClients = opts.disableJwtPlugin ? [] : clients.filter((c) => Boolean(c.backchannelLogoutUri) && !c.disabled);
+		if (eligibleClients.length === 0) return null;
+		return {
+			sessionId,
+			targets: await Promise.all(eligibleClients.map(async (client) => ({
+				client,
+				sub: await resolveSubjectIdentifier(userId, client, opts)
+			})))
+		};
+	} catch (error) {
+		logger.error("back-channel logout revocation failed", error);
+		return null;
 	}
-	let user = void 0;
-	if (refreshToken.userId) user = await ctx.context.internalAdapter.findUserById(refreshToken?.userId) ?? void 0;
-	return {
-		active: true,
-		client_id: clientId,
-		iss: ((opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options)?.jwt?.issuer ?? ctx.context.baseURL,
-		sub: user?.id,
-		sid: sessionId,
-		exp: Math.floor(new Date(refreshToken.expiresAt).getTime() / 1e3),
-		iat: Math.floor(new Date(refreshToken.createdAt).getTime() / 1e3),
-		scope: refreshToken.scopes?.join(" ")
-	};
 }
 /**
-* We don't know the access token format so we try to validate it
-* as a JWT first, then as an opaque token.
+* Asynchronous phase: sign one Logout Token per target client and POST it to
+* the registered `backchannel_logout_uri`. The caller hands this to
+* `runInBackgroundOrAwait`, so when a background handler is configured (Vercel
+* `waitUntil`, Cloudflare `ctx.waitUntil`) it runs after the response; without
+* one it completes inline so delivery is not lost on request teardown.
 *
-* @returns RFC7662 introspection format
-*
-* @internal
+* Spec §2.5: "the OP SHOULD NOT retransmit", so each RP gets a single attempt
+* within `BACKCHANNEL_DISPATCH_TIMEOUT_MS`. Every per-client failure (fetch
+* error, non-2xx response, signing error, subject resolution error) is
+* logged; none of them can reject the outer promise.
 */
-async function validateAccessToken(ctx, opts, token, clientId) {
-	try {
-		return await validateJwtAccessToken(ctx, opts, token, clientId);
-	} catch (err) {
-		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
-		else throw new Error(err);
-	}
-	try {
-		return await validateOpaqueAccessToken(ctx, opts, token, clientId);
-	} catch (err) {
-		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
-		else throw new Error("Unknown error validating access token");
-	}
-	throw new APIError$1("BAD_REQUEST", {
-		error_description: "Invalid access token",
-		error: "invalid_request"
-	});
-}
-/**
-* Resolves pairwise sub on an introspection payload.
-* Applied at the presentation layer so internal validation functions
-* keep real user.id (needed for user lookup in /userinfo).
-*/
-async function resolveIntrospectionSub(opts, payload, client) {
-	if (payload.active && payload.sub) {
-		const resolvedSub = await resolveSubjectIdentifier(payload.sub, client, opts);
-		return {
-			...payload,
-			sub: resolvedSub
-		};
-	}
-	return payload;
-}
-async function introspectEndpoint(ctx, opts) {
-	let { token, token_type_hint } = ctx.body;
-	if (token_type_hint !== "access_token" && token_type_hint !== "refresh_token") token_type_hint = void 0;
-	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/introspect`));
-	if (!client_id || !client_secret && !preVerifiedClient) throw new APIError$1("UNAUTHORIZED", {
-		error_description: "missing required credentials",
-		error: "invalid_client"
-	});
-	if (token && typeof token === "string" && token.startsWith("Bearer ")) token = token.replace("Bearer ", "");
-	if (!token?.length) throw new APIError$1("BAD_REQUEST", {
-		error_description: "missing a required token for introspection",
-		error: "invalid_request"
-	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
-	try {
-		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
-			return resolveIntrospectionSub(opts, await validateAccessToken(ctx, opts, token, client.clientId), client);
-		} catch (error) {
-			if (error instanceof APIError$1) {
-				if (token_type_hint === "access_token") throw error;
-			} else if (error instanceof Error) throw error;
-			else throw new Error(error);
-		}
-		if (token_type_hint === void 0 || token_type_hint === "refresh_token") try {
-			return resolveIntrospectionSub(opts, await validateRefreshToken(ctx, opts, (await decodeRefreshToken(opts, token)).token, client.clientId), client);
+async function deliverBackchannelLogoutTokens(ctx, plan) {
+	const logger = ctx.context.logger;
+	const jwtPluginOptions = getJwtPlugin(ctx.context)?.options;
+	const iss = jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL;
+	const iat = Math.floor(Date.now() / 1e3);
+	const exp = iat + LOGOUT_TOKEN_LIFETIME_SECONDS;
+	const resolvedKey = jwtPluginOptions?.jwt?.sign ? null : await resolveSigningKey(ctx, jwtPluginOptions);
+	await Promise.allSettled(plan.targets.map(async ({ client, sub }) => {
+		try {
+			const jti = generateRandomString(32, "a-z", "A-Z", "0-9");
+			const token = await signLogoutToken(ctx, jwtPluginOptions, resolvedKey, {
+				iss,
+				aud: client.clientId,
+				sub,
+				sid: plan.sessionId,
+				iat,
+				exp,
+				jti
+			});
+			const response = await fetch(client.backchannelLogoutUri, {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/x-www-form-urlencoded",
+					Accept: "application/json"
+				},
+				body: new URLSearchParams({ logout_token: token }),
+				signal: AbortSignal.timeout(BACKCHANNEL_DISPATCH_TIMEOUT_MS),
+				redirect: "error"
+			});
+			if (response.status !== 200 && response.status !== 204) logger.warn(`back-channel logout to client ${client.clientId} returned ${response.status}`);
 		} catch (error) {
-			if (error instanceof APIError$1) {
-				if (token_type_hint === "refresh_token") throw error;
-			} else if (error instanceof Error) throw error;
-			else throw new Error(error);
-		}
-		throw new APIError$1("BAD_REQUEST", {
-			error_description: "token not found",
-			error: "invalid_request"
-		});
-	} catch (error) {
-		if (error instanceof APIError$1) {
-			if (error.name === "BAD_REQUEST") return { active: false };
-			throw error;
-		} else if (error instanceof Error) {
-			logger.error("Introspection error:", error.message, error.stack);
-			throw new APIError$1("INTERNAL_SERVER_ERROR");
-		} else {
-			logger.error("Introspection error:", error);
-			throw new APIError$1("INTERNAL_SERVER_ERROR");
+			logger.warn(`back-channel logout to client ${client.clientId} failed`, error);
 		}
-	}
+	}));
 }
-//#endregion
-//#region src/logout.ts
 /**
-* IMPORTANT NOTES:
-* Follows OIDC RP-Initiated Logout
+* RP-Initiated Logout (OIDC RP-Initiated Logout 1.0). The RP presents a signed
+* `id_token_hint`; after verification, the OP terminates the matching session
+* and optionally redirects to `post_logout_redirect_uri`.
+*
+* Session termination goes through `internalAdapter.deleteSession`, which fires
+* `session.delete.before` so the hook drives revocation and back-channel
+* notifications to every RP with tokens on the session.
 *
 * @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html
 */
@@ -1195,12 +375,10 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 		});
 		const secret = await decryptStoredClientSecret(ctx, opts.storeClientSecret, clientSecret);
 		const { payload } = await compactVerify(id_token_hint, new TextEncoder().encode(secret));
-		const idToken = new TextDecoder().decode(payload);
-		idTokenPayload = JSON.parse(idToken);
+		idTokenPayload = JSON.parse(new TextDecoder().decode(payload));
 	} else {
 		const { payload } = await compactVerify(id_token_hint, createLocalJWKSet(await getJwks(id_token_hint, { jwksFetch: jwksUrl })));
-		const idToken = new TextDecoder().decode(payload);
-		idTokenPayload = JSON.parse(idToken);
+		idTokenPayload = JSON.parse(new TextDecoder().decode(payload));
 	}
 	if (!idTokenPayload) throw new APIError$1("INTERNAL_SERVER_ERROR", {
 		error_description: "missing payload",
@@ -1232,18 +410,13 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 				value: sessionId
 			}]
 		});
-		session?.token ? await ctx.context.internalAdapter.deleteSession(session?.token) : session?.id ? await ctx.context.adapter.delete({
+		if (session?.token) await ctx.context.internalAdapter.deleteSession(session.token);
+		else if (session) await ctx.context.adapter.delete({
 			model: "session",
 			where: [{
 				field: "id",
 				value: session.id
 			}]
-		}) : await ctx.context.adapter.delete({
-			model: "session",
-			where: [{
-				field: "id",
-				value: sessionId
-			}]
 		});
 	} catch {}
 	if (post_logout_redirect_uri) {
@@ -1255,6 +428,155 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 	}
 }
 //#endregion
+//#region src/metadata.ts
+function authServerMetadata(ctx, opts, overrides) {
+	const baseURL = ctx.context.baseURL;
+	const backchannelSupported = !overrides?.jwt_disabled;
+	return {
+		scopes_supported: overrides?.scopes_supported,
+		issuer: validateIssuerUrl(opts?.jwt?.issuer ?? baseURL),
+		authorization_endpoint: `${baseURL}/oauth2/authorize`,
+		token_endpoint: `${baseURL}/oauth2/token`,
+		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
+		registration_endpoint: overrides?.dynamic_client_registration_supported ? `${baseURL}/oauth2/register` : void 0,
+		introspection_endpoint: `${baseURL}/oauth2/introspect`,
+		revocation_endpoint: `${baseURL}/oauth2/revoke`,
+		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
+		response_modes_supported: ["query"],
+		grant_types_supported: overrides?.grant_types_supported ?? [
+			"authorization_code",
+			"client_credentials",
+			"refresh_token"
+		],
+		token_endpoint_auth_methods_supported: overrides?.token_endpoint_auth_methods_supported ?? [
+			...overrides?.public_client_supported ? ["none"] : [],
+			"client_secret_basic",
+			"client_secret_post",
+			"private_key_jwt"
+		],
+		token_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
+		introspection_endpoint_auth_methods_supported: overrides?.endpoint_auth_methods_supported ?? [
+			"client_secret_basic",
+			"client_secret_post",
+			"private_key_jwt"
+		],
+		introspection_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
+		revocation_endpoint_auth_methods_supported: overrides?.endpoint_auth_methods_supported ?? [
+			"client_secret_basic",
+			"client_secret_post",
+			"private_key_jwt"
+		],
+		revocation_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
+		code_challenge_methods_supported: ["S256"],
+		authorization_response_iss_parameter_supported: true,
+		dpop_signing_alg_values_supported: overrides?.dpop_signing_alg_values_supported ?? [...DPOP_SIGNING_ALGORITHMS],
+		backchannel_logout_supported: backchannelSupported,
+		backchannel_logout_session_supported: backchannelSupported
+	};
+}
+/**
+* Builds the authorization-server metadata shared by the
+* `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`
+* responses, plus the inputs both need to finish their own document.
+*/
+function buildAuthServerMetadata(ctx, opts) {
+	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
+	const clientDiscoveries = getClientDiscoveries(opts);
+	const publicClientSupported = opts.allowUnauthenticatedClientRegistration || clientDiscoveries.length > 0;
+	return {
+		jwtPluginOptions,
+		clientDiscoveries,
+		authMetadata: authServerMetadata(ctx, jwtPluginOptions, {
+			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
+			public_client_supported: publicClientSupported,
+			grant_types_supported: getSupportedGrantTypes(opts),
+			token_endpoint_auth_methods_supported: getSupportedAuthMethods(opts, { includeNone: publicClientSupported }),
+			endpoint_auth_methods_supported: getSupportedAuthMethods(opts),
+			jwt_disabled: opts.disableJwtPlugin,
+			dpop_signing_alg_values_supported: opts.dpop?.signingAlgorithms
+		})
+	};
+}
+function oauthAuthorizationServerMetadata(ctx, opts) {
+	const { clientDiscoveries, authMetadata } = buildAuthServerMetadata(ctx, opts);
+	return applyOAuthProviderMetadataExtensions(ctx, opts, "oauth-authorization-server", {
+		...mergeDiscoveryMetadata(clientDiscoveries),
+		...authMetadata
+	});
+}
+function oidcServerMetadata(ctx, opts) {
+	const baseURL = ctx.context.baseURL;
+	const { jwtPluginOptions, clientDiscoveries, authMetadata } = buildAuthServerMetadata(ctx, opts);
+	const metadata = {
+		...authMetadata,
+		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
+		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
+		subject_types_supported: opts.pairwiseSecret ? ["public", "pairwise"] : ["public"],
+		id_token_signing_alg_values_supported: (() => {
+			if (opts.disableJwtPlugin) return ["HS256"];
+			const primary = jwtPluginOptions?.jwks?.keyPairConfig?.alg ?? "EdDSA";
+			const extras = jwtPluginOptions?.jwks?.keyPairConfigs?.map((c) => c.alg) ?? [];
+			return Array.from(new Set([primary, ...extras]));
+		})(),
+		end_session_endpoint: `${baseURL}/oauth2/end-session`,
+		acr_values_supported: ["urn:mace:incommon:iap:bronze"],
+		prompt_values_supported: [
+			"login",
+			"consent",
+			"create",
+			"select_account",
+			"none"
+		]
+	};
+	return applyOAuthProviderMetadataExtensions(ctx, opts, "openid-configuration", {
+		...mergeDiscoveryMetadata(clientDiscoveries),
+		...metadata
+	});
+}
+const METADATA_CACHE_CONTROL = "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400";
+function metadataResponse(body, extraHeaders) {
+	const headers = new Headers(extraHeaders);
+	if (!headers.has("Cache-Control")) headers.set("Cache-Control", METADATA_CACHE_CONTROL);
+	headers.set("Content-Type", "application/json");
+	return new Response(JSON.stringify(body), {
+		status: 200,
+		headers
+	});
+}
+/**
+* Provides an exportable `/.well-known/oauth-authorization-server`.
+*
+* Useful when basePath prevents the endpoint from being located at the root
+* and must be provided manually.
+*
+* @external
+*/
+const oauthProviderAuthServerMetadata = (auth, opts) => {
+	return async (request) => {
+		return metadataResponse(await auth.api.getOAuthServerConfig({
+			request,
+			asResponse: false
+		}), opts?.headers);
+	};
+};
+/**
+* Provides an exportable `/.well-known/openid-configuration`.
+*
+* Useful when basePath prevents the endpoint from being located at the root
+* and must be provided manually.
+*
+* @external
+*/
+const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
+	return async (request) => {
+		return metadataResponse(await auth.api.getOpenIdConfig({
+			request,
+			asResponse: false
+		}), opts?.headers);
+	};
+};
+//#endregion
 //#region src/oauth-endpoint.ts
 /**
 * Wraps `createAuthEndpoint` so zod schemas stay the single source of truth
@@ -1387,6 +709,64 @@ async function assertClientPrivileges(ctx, session, opts, action) {
 	})) throw new APIError("UNAUTHORIZED");
 }
 //#endregion
+//#region src/utils/initial-access-token.ts
+/**
+* Builds an RFC 6750 §3 Bearer challenge for the registration endpoint. The
+* `error` code maps to the status per RFC 6750 §3.1 (`invalid_request` → 400,
+* `invalid_token` → 401) and is echoed in both the `WWW-Authenticate` challenge
+* and the JSON body.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6750#section-3
+*/
+function registrationBearerError(status, error, errorDescription) {
+	return new APIError$1(status, {
+		error,
+		error_description: errorDescription
+	}, {
+		"WWW-Authenticate": `Bearer error="${error}"`,
+		...NO_STORE_HEADERS
+	});
+}
+/**
+* Resolves an RFC 7591 initial access token from the request and authorizes it
+* against the deployment-supplied validator.
+*
+* Returns the authorization (optionally carrying a `referenceId`) when a valid
+* token is present, or `undefined` when no Bearer credentials were sent so the
+* caller can fall back to session or open registration. Throws an RFC 6750
+* Bearer challenge when the header is malformed, no validator is configured, or
+* the token is rejected.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7591#section-3
+*/
+async function authorizeInitialAccessToken(ctx, opts, clientMetadata) {
+	const headers = ctx.headers;
+	let initialAccessToken;
+	try {
+		initialAccessToken = parseBearerToken(headers?.get("authorization"));
+	} catch {
+		throw registrationBearerError("BAD_REQUEST", "invalid_request", "Malformed initial access token Authorization header");
+	}
+	if (!initialAccessToken || !headers) return;
+	if (!opts.validateInitialAccessToken) throw registrationBearerError("UNAUTHORIZED", "invalid_token", "Invalid initial access token");
+	let authorization;
+	try {
+		authorization = await opts.validateInitialAccessToken({
+			initialAccessToken,
+			headers,
+			clientMetadata
+		});
+	} catch (error) {
+		if (error instanceof APIError$1) throw error;
+		throw new APIError$1("INTERNAL_SERVER_ERROR", {
+			error: "server_error",
+			error_description: "Initial access token validation failed"
+		});
+	}
+	if (!authorization) throw registrationBearerError("UNAUTHORIZED", "invalid_token", "Invalid initial access token");
+	return authorization;
+}
+//#endregion
 //#region src/register.ts
 /**
 * Resolves the auth method and type for unauthenticated DCR.
@@ -1403,18 +783,42 @@ function resolveUnauthenticatedAuth(body) {
 		type: body.type === "web" ? void 0 : body.type
 	};
 }
+const DEFAULT_REGISTRATION_GRANT_TYPES = ["authorization_code"];
+function resolveRegistrationGrantTypes(client) {
+	const grantTypes = client.grant_types ?? [...DEFAULT_REGISTRATION_GRANT_TYPES];
+	if (grantTypes.length > 0) return grantTypes;
+	throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "grant_types must contain at least one grant type"
+	});
+}
+function resolveRegistrationResponseTypes(client, grantTypes) {
+	if (client.response_types) return client.response_types;
+	return grantTypes.includes("authorization_code") ? ["code"] : void 0;
+}
+function applyOAuthClientRegistrationDefaults(client) {
+	const grantTypes = resolveRegistrationGrantTypes(client);
+	return {
+		...client,
+		token_endpoint_auth_method: client.token_endpoint_auth_method ?? "client_secret_basic",
+		grant_types: grantTypes,
+		response_types: resolveRegistrationResponseTypes(client, grantTypes)
+	};
+}
 async function registerEndpoint(ctx, opts) {
+	const body = ctx.body;
 	if (!opts.allowDynamicClientRegistration) throw new APIError("FORBIDDEN", {
 		error: "access_denied",
 		error_description: "Client registration is disabled"
 	});
-	const body = ctx.body;
 	const session = await getSessionFromCtx(ctx);
-	if (!(session || opts.allowUnauthenticatedClientRegistration)) throw new APIError("UNAUTHORIZED", {
-		error: "invalid_token",
-		error_description: "Authentication required for client registration"
+	const tokenAuthorization = session ? void 0 : await authorizeInitialAccessToken(ctx, opts, body);
+	const isTokenAuthorized = Boolean(tokenAuthorization);
+	if (!(session || isTokenAuthorized || opts.allowUnauthenticatedClientRegistration)) throw new APIError("UNAUTHORIZED", { error_description: "Authentication required for client registration" }, {
+		"WWW-Authenticate": "Bearer",
+		...NO_STORE_HEADERS
 	});
-	if (!session) {
+	if (!session && !isTokenAuthorized) {
 		if (body.grant_types?.includes("client_credentials")) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: "client_credentials grant requires authenticated registration"
@@ -1424,47 +828,83 @@ async function registerEndpoint(ctx, opts) {
 		body.type = resolved.type;
 	}
 	if (!body.scope) body.scope = (opts.clientRegistrationDefaultScopes ?? opts.scopes)?.join(" ");
-	return createOAuthClientEndpoint(ctx, opts, { isRegister: true });
+	const requestedResources = Array.isArray(body.resources) ? [...new Set(body.resources.filter((resource) => typeof resource === "string" && resource.length > 0))] : [];
+	if (requestedResources.length > 0) for (const identifier of requestedResources) {
+		const row = await getResource(ctx, opts, identifier);
+		if (!row) throw new APIError("BAD_REQUEST", {
+			error: "invalid_target",
+			error_description: `requested resource ${identifier} does not exist`
+		});
+		if (row.disabled) throw new APIError("BAD_REQUEST", {
+			error: "invalid_target",
+			error_description: `requested resource ${identifier} is disabled`
+		});
+	}
+	return createOAuthClientEndpoint(ctx, opts, {
+		isRegister: true,
+		session,
+		referenceId: tokenAuthorization?.referenceId,
+		resources: requestedResources.length > 0 ? requestedResources : void 0
+	});
 }
 async function checkOAuthClient(client, opts, settings) {
-	const isPublic = client.token_endpoint_auth_method === "none";
-	if (client.type) {
-		if (isPublic && !(client.type === "native" || client.type === "user-agent-based")) throw new APIError("BAD_REQUEST", {
+	const clientWithDefaults = applyOAuthClientRegistrationDefaults(client);
+	const isPublic = clientWithDefaults.token_endpoint_auth_method === "none";
+	const tokenEndpointAuthMethod = clientWithDefaults.token_endpoint_auth_method ?? "client_secret_basic";
+	if (!new Set(getSupportedAuthMethods(opts, { includeNone: true })).has(tokenEndpointAuthMethod)) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: `unsupported token_endpoint_auth_method ${tokenEndpointAuthMethod}`
+	});
+	if (clientWithDefaults.dpop_bound_access_tokens !== void 0 && typeof clientWithDefaults.dpop_bound_access_tokens !== "boolean") throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "dpop_bound_access_tokens must be a boolean"
+	});
+	if (clientWithDefaults.type) {
+		if (isPublic && !(clientWithDefaults.type === "native" || clientWithDefaults.type === "user-agent-based")) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: `Type must be 'native' or 'user-agent-based' for public applications`
 		});
-		else if (!isPublic && !(client.type === "web")) throw new APIError("BAD_REQUEST", {
+		else if (!isPublic && !(clientWithDefaults.type === "web")) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: `Type must be 'web' for confidential applications`
 		});
 	}
-	if ((!client.grant_types || client.grant_types.includes("authorization_code")) && (!client.redirect_uris || client.redirect_uris.length === 0)) throw new APIError("BAD_REQUEST", {
+	const grantTypes = clientWithDefaults.grant_types ?? [];
+	const responseTypes = clientWithDefaults.response_types;
+	if (grantTypes.includes("authorization_code") && (!clientWithDefaults.redirect_uris || clientWithDefaults.redirect_uris.length === 0)) throw new APIError("BAD_REQUEST", {
 		error: "invalid_redirect_uri",
 		error_description: "Redirect URIs are required for authorization_code and implicit grant types"
 	});
-	const grantTypes = client.grant_types ?? ["authorization_code"];
-	const responseTypes = client.response_types ?? ["code"];
-	if (grantTypes.includes("authorization_code") && !responseTypes.includes("code")) throw new APIError("BAD_REQUEST", {
+	const supportedGrantTypes = new Set(getSupportedGrantTypes(opts));
+	for (const grantType of grantTypes) if (!supportedGrantTypes.has(grantType)) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: `unsupported grant_type ${grantType}`
+	});
+	if (grantTypes.includes("authorization_code") && !responseTypes?.includes("code")) throw new APIError("BAD_REQUEST", {
 		error: "invalid_client_metadata",
 		error_description: "When 'authorization_code' grant type is used, 'code' response type must be included"
 	});
-	if (client.subject_type !== void 0) {
-		if (client.subject_type !== "public" && client.subject_type !== "pairwise") throw new APIError("BAD_REQUEST", {
+	if (!grantTypes.includes("authorization_code") && responseTypes?.includes("code")) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "When 'code' response type is used, 'authorization_code' grant type must be included"
+	});
+	if (clientWithDefaults.subject_type !== void 0) {
+		if (clientWithDefaults.subject_type !== "public" && clientWithDefaults.subject_type !== "pairwise") throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: `subject_type must be "public" or "pairwise"`
 		});
-		if (client.subject_type === "pairwise" && !opts.pairwiseSecret) throw new APIError("BAD_REQUEST", {
+		if (clientWithDefaults.subject_type === "pairwise" && !opts.pairwiseSecret) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: "pairwise subject_type requires server pairwiseSecret configuration"
 		});
-		if (client.subject_type === "pairwise" && client.redirect_uris && client.redirect_uris.length > 1) {
-			if (new Set(client.redirect_uris.map((uri) => new URL(uri).host)).size > 1) throw new APIError("BAD_REQUEST", {
+		if (clientWithDefaults.subject_type === "pairwise" && clientWithDefaults.redirect_uris && clientWithDefaults.redirect_uris.length > 1) {
+			if (new Set(clientWithDefaults.redirect_uris.map((uri) => new URL(uri).host)).size > 1) throw new APIError("BAD_REQUEST", {
 				error: "invalid_client_metadata",
 				error_description: "pairwise clients with redirect_uris on different hosts require a sector_identifier_uri, which is not yet supported. All redirect_uris must share the same host."
 			});
 		}
 	}
-	const requestedScopes = (client?.scope)?.split(" ").filter((v) => v.length);
+	const requestedScopes = (clientWithDefaults?.scope)?.split(" ").filter((v) => v.length);
 	const allowedScopes = settings?.isRegister ? opts.clientRegistrationAllowedScopes ?? opts.scopes : opts.scopes;
 	if (allowedScopes) {
 		const validScopes = new Set(allowedScopes);
@@ -1473,21 +913,22 @@ async function checkOAuthClient(client, opts, settings) {
 			error_description: `cannot request scope ${requestedScope}`
 		});
 	}
-	if (settings?.isRegister && client.require_pkce === false) throw new APIError("BAD_REQUEST", {
+	if (settings?.isRegister && clientWithDefaults.require_pkce === false) throw new APIError("BAD_REQUEST", {
 		error: "invalid_client_metadata",
 		error_description: `pkce is required for registered clients.`
 	});
-	if (client.token_endpoint_auth_method === "private_key_jwt") {
-		if (client.jwks && client.jwks_uri) throw new APIError("BAD_REQUEST", {
+	const usesAssertionKeyMaterial = tokenEndpointAuthMethod === "private_key_jwt" || isExtensionTokenEndpointAuthMethod(opts, tokenEndpointAuthMethod);
+	if (clientWithDefaults.jwks || clientWithDefaults.jwks_uri) {
+		if (!usesAssertionKeyMaterial) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
-			error_description: "jwks and jwks_uri are mutually exclusive"
+			error_description: "jwks and jwks_uri are only allowed with private_key_jwt or an assertion-based authentication method"
 		});
-		if (!client.jwks && !client.jwks_uri) throw new APIError("BAD_REQUEST", {
+		if (clientWithDefaults.jwks && clientWithDefaults.jwks_uri) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
-			error_description: "private_key_jwt requires either jwks or jwks_uri"
+			error_description: "jwks and jwks_uri are mutually exclusive"
 		});
-		if (client.jwks_uri) try {
-			const uri = new URL(client.jwks_uri);
+		if (clientWithDefaults.jwks_uri) try {
+			const uri = new URL(clientWithDefaults.jwks_uri);
 			if (uri.protocol !== "https:") throw new APIError("BAD_REQUEST", {
 				error: "invalid_client_metadata",
 				error_description: "jwks_uri must use HTTPS"
@@ -1507,40 +948,73 @@ async function checkOAuthClient(client, opts, settings) {
 				error_description: "jwks_uri must be a valid URL"
 			});
 		}
-		if (client.jwks) {
-			const keys = Array.isArray(client.jwks) ? client.jwks : client.jwks.keys;
+		if (clientWithDefaults.jwks) {
+			const keys = Array.isArray(clientWithDefaults.jwks) ? clientWithDefaults.jwks : clientWithDefaults.jwks.keys;
 			if (!Array.isArray(keys) || keys.length === 0) throw new APIError("BAD_REQUEST", {
 				error: "invalid_client_metadata",
 				error_description: "jwks must be a non-empty array of JWK objects or a JWKS document {keys:[...]}"
 			});
 		}
-	} else if (client.jwks || client.jwks_uri) throw new APIError("BAD_REQUEST", {
+	}
+	if (tokenEndpointAuthMethod === "private_key_jwt" && !clientWithDefaults.jwks && !clientWithDefaults.jwks_uri) throw new APIError("BAD_REQUEST", {
 		error: "invalid_client_metadata",
-		error_description: "jwks and jwks_uri are only allowed with private_key_jwt authentication"
+		error_description: "private_key_jwt requires either jwks or jwks_uri"
 	});
+	if (clientWithDefaults.backchannel_logout_uri !== void 0) {
+		if (opts.disableJwtPlugin) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri requires the jwt plugin (disableJwtPlugin must be false)"
+		});
+		let url;
+		try {
+			url = new URL(clientWithDefaults.backchannel_logout_uri);
+		} catch {
+			throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "backchannel_logout_uri must be an absolute URL"
+			});
+		}
+		if (url.protocol !== "https:" && url.protocol !== "http:") throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must use http or https"
+		});
+		if (clientWithDefaults.backchannel_logout_uri.includes("#")) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must not include a fragment component"
+		});
+		const loopback = isLoopbackHost(url.hostname);
+		if (!isPublic && url.protocol !== "https:" && !loopback) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must use https for confidential clients"
+		});
+		if (isPrivateHostname(url.hostname) && !loopback) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must not point to a private or reserved address"
+		});
+	}
 }
 async function createOAuthClientEndpoint(ctx, opts, settings) {
-	const body = ctx.body;
-	const session = await getSessionFromCtx(ctx);
-	if (settings.isRegister) {
-		if (session) await assertClientPrivileges(ctx, session, opts, "create");
-	} else await assertClientPrivileges(ctx, session, opts, "create");
+	const body = applyOAuthClientRegistrationDefaults(ctx.body);
+	const session = settings.session !== void 0 ? settings.session : await getSessionFromCtx(ctx);
+	if (!settings.isRegister || session) await assertClientPrivileges(ctx, session, opts, "create");
 	const isPublic = body.token_endpoint_auth_method === "none";
 	const isPrivateKeyJwt = body.token_endpoint_auth_method === "private_key_jwt";
-	await checkOAuthClient(ctx.body, opts, {
+	const isExtensionAuthMethod = isExtensionTokenEndpointAuthMethod(opts, body.token_endpoint_auth_method);
+	await checkOAuthClient(body, opts, {
 		...settings,
 		ctx
 	});
 	const clientId = opts.generateClientId?.() || generateRandomString(32, "a-z", "A-Z");
-	const clientSecret = isPublic || isPrivateKeyJwt ? void 0 : opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
+	const clientSecret = isPublic || isPrivateKeyJwt || isExtensionAuthMethod ? void 0 : opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
 	const storedClientSecret = clientSecret ? await storeClientSecret(ctx, opts, clientSecret) : void 0;
 	const iat = Math.floor(Date.now() / 1e3);
-	const referenceId = opts.clientReference ? await opts.clientReference({
-		user: session?.user,
-		session: session?.session
-	}) : void 0;
+	const referenceId = settings.referenceId ?? (session && opts.clientReference ? await opts.clientReference({
+		user: session.user,
+		session: session.session
+	}) : void 0);
 	const schema = oauthToSchema({
-		...body ?? {},
+		...body,
+		redirect_uris: body.redirect_uris ?? [],
 		disabled: void 0,
 		client_secret_expires_at: storedClientSecret ? settings.isRegister && opts?.clientRegistrationClientSecretExpiration ? toExpJWT(opts.clientRegistrationClientSecretExpiration, iat) : 0 : void 0,
 		client_id: clientId,
@@ -1550,24 +1024,38 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 		user_id: referenceId ? void 0 : session?.session.userId,
 		reference_id: referenceId
 	});
-	const client = await ctx.context.adapter.create({
-		model: "oauthClient",
-		data: {
-			...schema,
-			createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
-		}
-	});
-	return ctx.json(schemaToOAuth({
-		...client,
+	const resources = settings.resources ?? [];
+	const responseBody = schemaToOAuth({
+		...await runWithTransaction(ctx.context.adapter, async () => {
+			const createdClient = await ctx.context.adapter.create({
+				model: "oauthClient",
+				data: {
+					...schema,
+					createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+					updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
+				}
+			});
+			if (resources.length > 0) {
+				const linkModel = opts.schema?.oauthClientResource?.modelName ?? "oauthClientResource";
+				const now = /* @__PURE__ */ new Date();
+				for (const resourceId of resources) await ctx.context.adapter.create({
+					model: linkModel,
+					forceAllowId: true,
+					data: {
+						id: buildClientResourceLinkId(clientId, resourceId),
+						clientId,
+						resourceId,
+						createdAt: now
+					}
+				});
+			}
+			return createdClient;
+		}),
 		clientSecret: clientSecret ? (opts.prefix?.clientSecret ?? "") + clientSecret : void 0
-	}), {
-		status: 201,
-		headers: {
-			"Cache-Control": "no-store",
-			Pragma: "no-cache"
-		}
 	});
+	if (resources.length > 0) responseBody.resources = resources;
+	ctx.setStatus(201);
+	return ctx.json(responseBody);
 }
 /**
 * Converts an OAuth 2.0 Dynamic Client Schema to a Database Schema
@@ -1576,7 +1064,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: inputJwks, jwks_uri: jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: inputJwks, jwks_uri: jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, backchannel_logout_uri: backchannelLogoutUri, backchannel_logout_session_required: backchannelLogoutSessionRequired, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, dpop_bound_access_tokens: dpopBoundAccessTokens, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
 	const scopes = _scope?.split(" ");
@@ -1604,6 +1092,8 @@ function oauthToSchema(input) {
 		softwareStatement,
 		redirectUris,
 		postLogoutRedirectUris,
+		backchannelLogoutUri,
+		backchannelLogoutSessionRequired,
 		tokenEndpointAuthMethod,
 		grantTypes,
 		responseTypes,
@@ -1614,6 +1104,7 @@ function oauthToSchema(input) {
 		skipConsent,
 		enableEndSession,
 		requirePKCE,
+		dpopBoundAccessTokens,
 		subjectType,
 		referenceId,
 		metadata
@@ -1626,7 +1117,7 @@ function oauthToSchema(input) {
 * @returns
 */
 function schemaToOAuth(input) {
-	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, jwks, jwksUri, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
+	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, backchannelLogoutUri, backchannelLogoutSessionRequired, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, jwks, jwksUri, skipConsent, enableEndSession, requirePKCE, dpopBoundAccessTokens, subjectType, referenceId, metadata } = input;
 	const _expiresAt = expiresAt ? Math.round(new Date(expiresAt).getTime() / 1e3) : void 0;
 	const _createdAt = createdAt ? Math.round(new Date(createdAt).getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
@@ -1651,6 +1142,8 @@ function schemaToOAuth(input) {
 		software_statement: softwareStatement ?? void 0,
 		redirect_uris: redirectUris ?? [],
 		post_logout_redirect_uris: postLogoutRedirectUris ?? void 0,
+		backchannel_logout_uri: backchannelLogoutUri ?? void 0,
+		backchannel_logout_session_required: backchannelLogoutSessionRequired ?? void 0,
 		token_endpoint_auth_method: tokenEndpointAuthMethod ?? void 0,
 		grant_types: grantTypes ?? void 0,
 		response_types: responseTypes ?? void 0,
@@ -1660,6 +1153,7 @@ function schemaToOAuth(input) {
 		skip_consent: skipConsent ?? void 0,
 		enable_end_session: enableEndSession ?? void 0,
 		require_pkce: requirePKCE ?? void 0,
+		dpop_bound_access_tokens: dpopBoundAccessTokens ?? void 0,
 		subject_type: subjectType ?? void 0,
 		reference_id: referenceId ?? void 0
 	};
@@ -1860,22 +1354,193 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 			clientSecret: storedClientSecret,
 			updatedAt: /* @__PURE__ */ new Date(Math.floor(Date.now() / 1e3) * 1e3)
 		}
-	});
-	if (!updatedClient) throw new APIError("INTERNAL_SERVER_ERROR", {
-		error_description: "unable to update client",
-		error: "invalid_client"
-	});
-	return schemaToOAuth({
-		...updatedClient,
-		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
-	});
-}
-//#endregion
-//#region src/oauthClient/index.ts
-const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
+	});
+	if (!updatedClient) throw new APIError("INTERNAL_SERVER_ERROR", {
+		error_description: "unable to update client",
+		error: "invalid_client"
+	});
+	return schemaToOAuth({
+		...updatedClient,
+		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
+	});
+}
+//#endregion
+//#region src/oauthClient/index.ts
+const tokenEndpointAuthMethodSchema = z.string().trim().min(1);
+const grantTypesSchema = z.array(z.string().trim().min(1)).min(1);
+const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
+	method: "POST",
+	body: z.object({
+		redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+		scope: z.string().optional(),
+		client_name: z.string().optional(),
+		client_uri: z.string().optional(),
+		logo_uri: z.string().optional(),
+		contacts: z.array(z.string().min(1)).min(1).optional(),
+		tos_uri: z.string().optional(),
+		policy_uri: z.string().optional(),
+		software_id: z.string().optional(),
+		software_version: z.string().optional(),
+		software_statement: z.string().optional(),
+		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+		backchannel_logout_uri: SafeUrlSchema.optional(),
+		backchannel_logout_session_required: z.boolean().optional(),
+		token_endpoint_auth_method: tokenEndpointAuthMethodSchema.optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
+		jwks_uri: z.string().optional(),
+		grant_types: grantTypesSchema.optional(),
+		response_types: z.array(z.enum(["code"])).optional(),
+		type: z.enum([
+			"web",
+			"native",
+			"user-agent-based"
+		]).optional(),
+		client_secret_expires_at: z.union([z.string(), z.number()]).optional().default(0),
+		skip_consent: z.boolean().optional(),
+		enable_end_session: z.boolean().optional(),
+		require_pkce: z.boolean().optional(),
+		dpop_bound_access_tokens: z.boolean().optional(),
+		subject_type: z.enum(["public", "pairwise"]).optional(),
+		metadata: z.record(z.string(), z.unknown()).optional()
+	}),
+	metadata: {
+		noStore: true,
+		SERVER_ONLY: true,
+		openapi: {
+			description: "Register an OAuth2 application",
+			responses: { "201": {
+				description: "OAuth2 application registered successfully",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: {
+						client_id: {
+							type: "string",
+							description: "Unique identifier for the client"
+						},
+						client_secret: {
+							type: "string",
+							description: "Secret key for the client"
+						},
+						client_secret_expires_at: {
+							type: "number",
+							description: "Time the client secret will expire. If 0, the client secret will never expire."
+						},
+						scope: {
+							type: "string",
+							description: "Space-separated scopes allowed by the client"
+						},
+						user_id: {
+							type: "string",
+							description: "ID of the user who registered the client, null if registered anonymously"
+						},
+						client_id_issued_at: {
+							type: "number",
+							description: "Creation timestamp of this client"
+						},
+						client_name: {
+							type: "string",
+							description: "Name of the OAuth2 application"
+						},
+						client_uri: {
+							type: "string",
+							description: "URI of the OAuth2 application"
+						},
+						logo_uri: {
+							type: "string",
+							description: "Icon URI for the application"
+						},
+						contacts: {
+							type: "array",
+							items: { type: "string" },
+							description: "List representing ways to contact people responsible for this client, typically email addresses"
+						},
+						tos_uri: {
+							type: "string",
+							description: "Client's terms of service uri"
+						},
+						policy_uri: {
+							type: "string",
+							description: "Client's policy uri"
+						},
+						software_id: {
+							type: "string",
+							description: "Unique identifier assigned by the developer to help in the dynamic registration process"
+						},
+						software_version: {
+							type: "string",
+							description: "Version identifier for the software_id"
+						},
+						software_statement: {
+							type: "string",
+							description: "JWT containing metadata values about the client software as claims"
+						},
+						redirect_uris: {
+							type: "array",
+							items: {
+								type: "string",
+								format: "uri"
+							},
+							description: "List of allowed redirect uris"
+						},
+						token_endpoint_auth_method: {
+							type: "string",
+							description: "Requested authentication method for the token endpoint"
+						},
+						grant_types: {
+							type: "array",
+							items: { type: "string" },
+							description: "Grant types the client may use at the token endpoint"
+						},
+						response_types: {
+							type: "array",
+							items: {
+								type: "string",
+								enum: ["code"]
+							},
+							description: "Response types the client may use at the authorization endpoint"
+						},
+						public: {
+							type: "boolean",
+							description: "Whether the client is public as determined by the type"
+						},
+						type: {
+							type: "string",
+							description: "Type of the client",
+							enum: [
+								"web",
+								"native",
+								"user-agent-based"
+							]
+						},
+						disabled: {
+							type: "boolean",
+							description: "Whether the client is disabled"
+						},
+						require_pkce: {
+							type: "boolean",
+							description: "Whether the client requires PKCE",
+							default: true
+						},
+						metadata: {
+							type: "object",
+							additionalProperties: true,
+							nullable: true,
+							description: "Additional metadata for the application"
+						}
+					},
+					required: ["client_id"]
+				} } }
+			} }
+		}
+	}
+}, async (ctx) => {
+	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
+});
+const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
 	method: "POST",
+	use: [sessionMiddleware],
 	body: z.object({
-		redirect_uris: z.array(SafeUrlSchema).min(1),
+		redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
 		scope: z.string().optional(),
 		client_name: z.string().optional(),
 		client_uri: z.string().optional(),
@@ -1887,37 +1552,25 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		software_version: z.string().optional(),
 		software_statement: z.string().optional(),
 		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
-		token_endpoint_auth_method: z.enum([
-			"none",
-			"client_secret_basic",
-			"client_secret_post",
-			"private_key_jwt"
-		]).default("client_secret_basic").optional(),
+		backchannel_logout_uri: SafeUrlSchema.optional(),
+		backchannel_logout_session_required: z.boolean().optional(),
+		token_endpoint_auth_method: tokenEndpointAuthMethodSchema.optional(),
 		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 		jwks_uri: z.string().optional(),
-		grant_types: z.array(z.enum([
-			"authorization_code",
-			"client_credentials",
-			"refresh_token"
-		])).default(["authorization_code"]).optional(),
-		response_types: z.array(z.enum(["code"])).default(["code"]).optional(),
+		grant_types: grantTypesSchema.optional(),
+		response_types: z.array(z.enum(["code"])).optional(),
 		type: z.enum([
 			"web",
 			"native",
 			"user-agent-based"
 		]).optional(),
-		client_secret_expires_at: z.union([z.string(), z.number()]).optional().default(0),
-		skip_consent: z.boolean().optional(),
-		enable_end_session: z.boolean().optional(),
-		require_pkce: z.boolean().optional(),
-		subject_type: z.enum(["public", "pairwise"]).optional(),
-		metadata: z.record(z.string(), z.unknown()).optional()
+		dpop_bound_access_tokens: z.boolean().optional()
 	}),
 	metadata: {
-		SERVER_ONLY: true,
+		noStore: true,
 		openapi: {
 			description: "Register an OAuth2 application",
-			responses: { "200": {
+			responses: { "201": {
 				description: "OAuth2 application registered successfully",
 				content: { "application/json": { schema: {
 					type: "object",
@@ -1993,24 +1646,12 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 						},
 						token_endpoint_auth_method: {
 							type: "string",
-							description: "Requested authentication method for the token endpoint",
-							enum: [
-								"none",
-								"client_secret_basic",
-								"client_secret_post"
-							]
+							description: "Requested authentication method for the token endpoint"
 						},
 						grant_types: {
 							type: "array",
-							items: {
-								type: "string",
-								enum: [
-									"authorization_code",
-									"client_credentials",
-									"refresh_token"
-								]
-							},
-							description: "Requested authentication method for the token endpoint"
+							items: { type: "string" },
+							description: "Grant types the client may use at the token endpoint"
 						},
 						response_types: {
 							type: "array",
@@ -2018,7 +1659,7 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 								type: "string",
 								enum: ["code"]
 							},
-							description: "Requested authentication method for the token endpoint"
+							description: "Response types the client may use at the authorization endpoint"
 						},
 						public: {
 							type: "boolean",
@@ -2037,11 +1678,6 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 							type: "boolean",
 							description: "Whether the client is disabled"
 						},
-						require_pkce: {
-							type: "boolean",
-							description: "Whether the client requires PKCE",
-							default: true
-						},
 						metadata: {
 							type: "object",
 							additionalProperties: true,
@@ -2057,178 +1693,6 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 }, async (ctx) => {
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
-const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
-	method: "POST",
-	use: [sessionMiddleware],
-	body: z.object({
-		redirect_uris: z.array(SafeUrlSchema).min(1),
-		scope: z.string().optional(),
-		client_name: z.string().optional(),
-		client_uri: z.string().optional(),
-		logo_uri: z.string().optional(),
-		contacts: z.array(z.string().min(1)).min(1).optional(),
-		tos_uri: z.string().optional(),
-		policy_uri: z.string().optional(),
-		software_id: z.string().optional(),
-		software_version: z.string().optional(),
-		software_statement: z.string().optional(),
-		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
-		token_endpoint_auth_method: z.enum([
-			"none",
-			"client_secret_basic",
-			"client_secret_post",
-			"private_key_jwt"
-		]).default("client_secret_basic").optional(),
-		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
-		jwks_uri: z.string().optional(),
-		grant_types: z.array(z.enum([
-			"authorization_code",
-			"client_credentials",
-			"refresh_token"
-		])).default(["authorization_code"]).optional(),
-		response_types: z.array(z.enum(["code"])).default(["code"]).optional(),
-		type: z.enum([
-			"web",
-			"native",
-			"user-agent-based"
-		]).optional()
-	}),
-	metadata: { openapi: {
-		description: "Register an OAuth2 application",
-		responses: { "200": {
-			description: "OAuth2 application registered successfully",
-			content: { "application/json": { schema: {
-				type: "object",
-				properties: {
-					client_id: {
-						type: "string",
-						description: "Unique identifier for the client"
-					},
-					client_secret: {
-						type: "string",
-						description: "Secret key for the client"
-					},
-					client_secret_expires_at: {
-						type: "number",
-						description: "Time the client secret will expire. If 0, the client secret will never expire."
-					},
-					scope: {
-						type: "string",
-						description: "Space-separated scopes allowed by the client"
-					},
-					user_id: {
-						type: "string",
-						description: "ID of the user who registered the client, null if registered anonymously"
-					},
-					client_id_issued_at: {
-						type: "number",
-						description: "Creation timestamp of this client"
-					},
-					client_name: {
-						type: "string",
-						description: "Name of the OAuth2 application"
-					},
-					client_uri: {
-						type: "string",
-						description: "URI of the OAuth2 application"
-					},
-					logo_uri: {
-						type: "string",
-						description: "Icon URI for the application"
-					},
-					contacts: {
-						type: "array",
-						items: { type: "string" },
-						description: "List representing ways to contact people responsible for this client, typically email addresses"
-					},
-					tos_uri: {
-						type: "string",
-						description: "Client's terms of service uri"
-					},
-					policy_uri: {
-						type: "string",
-						description: "Client's policy uri"
-					},
-					software_id: {
-						type: "string",
-						description: "Unique identifier assigned by the developer to help in the dynamic registration process"
-					},
-					software_version: {
-						type: "string",
-						description: "Version identifier for the software_id"
-					},
-					software_statement: {
-						type: "string",
-						description: "JWT containing metadata values about the client software as claims"
-					},
-					redirect_uris: {
-						type: "array",
-						items: {
-							type: "string",
-							format: "uri"
-						},
-						description: "List of allowed redirect uris"
-					},
-					token_endpoint_auth_method: {
-						type: "string",
-						description: "Response types the client may use",
-						enum: [
-							"none",
-							"client_secret_basic",
-							"client_secret_post"
-						]
-					},
-					grant_types: {
-						type: "array",
-						items: {
-							type: "string",
-							enum: [
-								"authorization_code",
-								"client_credentials",
-								"refresh_token"
-							]
-						},
-						description: "Requested authentication method for the token endpoint"
-					},
-					response_types: {
-						type: "array",
-						items: {
-							type: "string",
-							enum: ["code"]
-						},
-						description: "Requested authentication method for the token endpoint"
-					},
-					public: {
-						type: "boolean",
-						description: "Whether the client is public as determined by the type"
-					},
-					type: {
-						type: "string",
-						description: "Type of the client",
-						enum: [
-							"web",
-							"native",
-							"user-agent-based"
-						]
-					},
-					disabled: {
-						type: "boolean",
-						description: "Whether the client is disabled"
-					},
-					metadata: {
-						type: "object",
-						additionalProperties: true,
-						nullable: true,
-						description: "Additional metadata for the application"
-					}
-				},
-				required: ["client_id"]
-			} } }
-		} }
-	} }
-}, async (ctx) => {
-	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
-});
 const getOAuthClient = (opts) => createAuthEndpoint("/oauth2/get-client", {
 	method: "GET",
 	use: [sessionMiddleware],
@@ -2282,11 +1746,9 @@ const adminUpdateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/updat
 			software_version: z.string().optional(),
 			software_statement: z.string().optional(),
 			post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
-			grant_types: z.array(z.enum([
-				"authorization_code",
-				"client_credentials",
-				"refresh_token"
-			])).optional(),
+			backchannel_logout_uri: SafeUrlSchema.optional(),
+			backchannel_logout_session_required: z.boolean().optional(),
+			grant_types: grantTypesSchema.optional(),
 			response_types: z.array(z.enum(["code"])).optional(),
 			type: z.enum([
 				"web",
@@ -2296,6 +1758,7 @@ const adminUpdateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/updat
 			client_secret_expires_at: z.union([z.string(), z.number()]).optional(),
 			skip_consent: z.boolean().optional(),
 			enable_end_session: z.boolean().optional(),
+			dpop_bound_access_tokens: z.boolean().optional(),
 			metadata: z.record(z.string(), z.unknown()).optional()
 		})
 	}),
@@ -2324,11 +1787,9 @@ const updateOAuthClient = (opts) => createAuthEndpoint("/oauth2/update-client",
 			software_version: z.string().optional(),
 			software_statement: z.string().optional(),
 			post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
-			grant_types: z.array(z.enum([
-				"authorization_code",
-				"client_credentials",
-				"refresh_token"
-			])).optional(),
+			backchannel_logout_uri: SafeUrlSchema.optional(),
+			backchannel_logout_session_required: z.boolean().optional(),
+			grant_types: grantTypesSchema.optional(),
 			response_types: z.array(z.enum(["code"])).optional(),
 			type: z.enum([
 				"web",
@@ -2345,7 +1806,10 @@ const rotateClientSecret = (opts) => createAuthEndpoint("/oauth2/client/rotate-s
 	method: "POST",
 	use: [sessionMiddleware],
 	body: z.object({ client_id: z.string() }),
-	metadata: { openapi: { description: "Rotates a confidential client's secret" } }
+	metadata: {
+		noStore: true,
+		openapi: { description: "Rotates a confidential client's secret" }
+	}
 }, async (ctx) => {
 	return rotateClientSecretEndpoint(ctx, opts);
 });
@@ -2484,14 +1948,341 @@ const updateOAuthConsent = (opts) => createAuthEndpoint("/oauth2/update-consent"
 }, async (ctx) => {
 	return updateConsentEndpoint(ctx, opts);
 });
-const deleteOAuthConsent = (opts) => createAuthEndpoint("/oauth2/delete-consent", {
+const deleteOAuthConsent = (opts) => createAuthEndpoint("/oauth2/delete-consent", {
+	method: "POST",
+	use: [sessionMiddleware],
+	body: z.object({ id: z.string() }),
+	metadata: { openapi: { description: "Deletes consent granted to a client" } }
+}, async (ctx) => {
+	return deleteConsentEndpoint(ctx, opts);
+});
+//#endregion
+//#region src/oauthResource/endpoints.ts
+/**
+* Gate every admin resource endpoint. Mirrors `assertClientPrivileges`:
+* a missing session → 401; a defined `resourcePrivileges` callback that
+* returns falsy → 401 with the original action context preserved.
+*
+* When `resourcePrivileges` is undefined, the gate degrades to "any
+* authenticated session can manage resources" — same forgiving default
+* as `clientPrivileges`. Operators who care about RBAC must define the
+* callback.
+*
+* @internal
+*/
+async function assertResourcePrivileges(ctx, session, opts, action, resourceId) {
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (!opts.resourcePrivileges) return;
+	if (!await opts.resourcePrivileges({
+		headers: ctx.headers,
+		action,
+		session: session.session,
+		user: session.user,
+		resourceId
+	})) throw new APIError("UNAUTHORIZED");
+}
+const resourceModel = (opts) => opts.schema?.oauthResource?.modelName ?? "oauthResource";
+const linkModel = (opts) => opts.schema?.oauthClientResource?.modelName ?? "oauthClientResource";
+const clientModel = (opts) => opts.schema?.oauthClient?.modelName ?? "oauthClient";
+/**
+* Decode a URL path-segment parameter.
+*
+* better-call's router (better-call@1.3.5) does NOT decode path params —
+* `tryDecode` is wired into cookie parsing only. So a raw HTTP caller hitting
+* `/admin/oauth2/resources/https%3A%2F%2Fapi.example.com` lands here with
+* `ctx.params.identifier === "https%3A%2F%2Fapi.example.com"`, which never
+* matches the stored `https://api.example.com` row. Decode every path
+* segment that holds a URI-valued identifier so the admin handlers behave
+* identically to in-process `auth.api.*` calls (which pass already-decoded
+* JS strings).
+*
+* Falls back to the raw string when decode fails so a malformed identifier
+* surfaces as a clean NOT_FOUND from the row lookup rather than a 500.
+*
+* @internal
+*/
+function decodePathParam(value) {
+	try {
+		return decodeURIComponent(value);
+	} catch {
+		return value;
+	}
+}
+/**
+* Builds the create-payload from a normalized input. Fills in defaults
+* for the fields seedResources uses so the admin-CRUD and seed paths
+* write identical rows.
+*
+* @internal
+*/
+function buildResourceRow(input, now) {
+	return {
+		identifier: input.identifier,
+		name: input.name ?? input.identifier,
+		accessTokenTtl: input.accessTokenTtl ?? null,
+		refreshTokenTtl: input.refreshTokenTtl ?? null,
+		signingAlgorithm: input.signingAlgorithm ?? null,
+		signingKeyId: input.signingKeyId ?? null,
+		allowedScopes: input.allowedScopes ?? null,
+		customClaims: input.customClaims ?? null,
+		dpopBoundAccessTokensRequired: input.dpopBoundAccessTokensRequired ?? false,
+		disabled: input.disabled ?? false,
+		policyVersion: 1,
+		metadata: input.metadata ?? null,
+		createdAt: now,
+		updatedAt: now
+	};
+}
+async function createResourceEndpoint(ctx, opts) {
+	await assertResourcePrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
+	const input = ctx.body;
+	if (!input?.identifier) throw new APIError("BAD_REQUEST", {
+		error: "invalid_request",
+		error_description: "identifier is required"
+	});
+	await assertIdentifierValid(opts, input.identifier);
+	const now = /* @__PURE__ */ new Date();
+	let created;
+	try {
+		created = await ctx.context.adapter.create({
+			model: resourceModel(opts),
+			data: buildResourceRow(input, now)
+		});
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		if (/unique|duplicate|UNIQUE/i.test(message)) throw new APIError("BAD_REQUEST", {
+			error: "invalid_request",
+			error_description: `resource ${input.identifier} already exists`
+		});
+		throw err;
+	}
+	if (!created) throw new APIError("BAD_REQUEST", {
+		error: "invalid_request",
+		error_description: `resource ${input.identifier} could not be created`
+	});
+	invalidateResourceCache(created.identifier);
+	return ctx.json(created, { status: 201 });
+}
+async function listResourcesEndpoint(ctx, opts) {
+	await assertResourcePrivileges(ctx, await getSessionFromCtx(ctx), opts, "list");
+	const rows = await ctx.context.adapter.findMany({ model: resourceModel(opts) });
+	return ctx.json(rows ?? []);
+}
+async function getResourceByIdentifierEndpoint(ctx, opts) {
+	const identifier = decodePathParam(ctx.params.identifier);
+	await assertResourcePrivileges(ctx, await getSessionFromCtx(ctx), opts, "read", identifier);
+	const row = await ctx.context.adapter.findOne({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}]
+	});
+	if (!row) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `resource ${identifier} not found`
+	});
+	return ctx.json(row);
+}
+async function updateResourceEndpoint(ctx, opts) {
+	const identifier = decodePathParam(ctx.params.identifier);
+	await assertResourcePrivileges(ctx, await getSessionFromCtx(ctx), opts, "update", identifier);
+	if (!await ctx.context.adapter.findOne({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}]
+	})) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `resource ${identifier} not found`
+	});
+	const update = { updatedAt: /* @__PURE__ */ new Date() };
+	for (const key of [
+		"name",
+		"accessTokenTtl",
+		"refreshTokenTtl",
+		"signingAlgorithm",
+		"signingKeyId",
+		"allowedScopes",
+		"customClaims",
+		"dpopBoundAccessTokensRequired",
+		"disabled",
+		"metadata"
+	]) if (Object.prototype.hasOwnProperty.call(ctx.body, key)) update[key] = ctx.body[key];
+	await ctx.context.adapter.update({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}],
+		update
+	});
+	invalidateResourceCache(identifier);
+	const refreshed = await ctx.context.adapter.findOne({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}]
+	});
+	if (!refreshed) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `resource ${identifier} not found`
+	});
+	return ctx.json(refreshed);
+}
+async function deleteResourceEndpoint(ctx, opts) {
+	const identifier = decodePathParam(ctx.params.identifier);
+	await assertResourcePrivileges(ctx, await getSessionFromCtx(ctx), opts, "delete", identifier);
+	if (!await ctx.context.adapter.findOne({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}]
+	})) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `resource ${identifier} not found`
+	});
+	await ctx.context.adapter.delete({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}]
+	});
+	invalidateResourceCache(identifier);
+	return ctx.json({ deleted: true });
+}
+/**
+* Link a client to a resource.
+*
+* Route: `POST /admin/oauth2/resources/:identifier/clients/:client_id`.
+* Path params carry the identifiers (RESTful linkage) — no body required.
+* Used by admins when {@link OAuthOptions.enforcePerClientResources} is on.
+*/
+async function linkClientResourceEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	const resourceId = decodePathParam(ctx.params.identifier);
+	const clientId = decodePathParam(ctx.params.client_id);
+	await assertResourcePrivileges(ctx, session, opts, "link", resourceId);
+	if (!await ctx.context.adapter.findOne({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: resourceId
+		}]
+	})) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `resource ${resourceId} not found`
+	});
+	if (!await ctx.context.adapter.findOne({
+		model: clientModel(opts),
+		where: [{
+			field: "clientId",
+			value: clientId
+		}]
+	})) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `client ${clientId} not found`
+	});
+	const id = buildClientResourceLinkId(clientId, resourceId);
+	try {
+		await ctx.context.adapter.create({
+			model: linkModel(opts),
+			forceAllowId: true,
+			data: {
+				id,
+				clientId,
+				resourceId,
+				createdAt: /* @__PURE__ */ new Date()
+			}
+		});
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		if (/unique|duplicate|UNIQUE/i.test(message)) return ctx.json({
+			linked: true,
+			alreadyLinked: true
+		});
+		throw err;
+	}
+	return ctx.json({ linked: true });
+}
+/**
+* Unlink a client from a resource.
+*
+* Route: `DELETE /admin/oauth2/resources/:identifier/clients/:client_id`.
+* Path params carry the identifiers (RESTful linkage) — no body required.
+*/
+async function unlinkClientResourceEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	const resourceId = decodePathParam(ctx.params.identifier);
+	const clientId = decodePathParam(ctx.params.client_id);
+	await assertResourcePrivileges(ctx, session, opts, "unlink", resourceId);
+	await ctx.context.adapter.deleteMany({
+		model: linkModel(opts),
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "resourceId",
+			value: resourceId
+		}]
+	});
+	return ctx.json({ unlinked: true });
+}
+//#endregion
+//#region src/oauthResource/index.ts
+/**
+* Shared body schema for create/update — every field is optional except
+* `identifier` on create (validated in the handler). Update accepts a
+* subset; the handler only writes fields that are explicitly present.
+*/
+const resourceBodySchema = z.object({
+	identifier: z.string().min(1).optional(),
+	name: z.string().optional(),
+	accessTokenTtl: z.number().int().positive().nullable().optional(),
+	refreshTokenTtl: z.number().int().positive().nullable().optional(),
+	signingAlgorithm: z.enum(JWS_ALGORITHMS).nullable().optional(),
+	signingKeyId: z.string().nullable().optional(),
+	allowedScopes: z.array(z.string()).nullable().optional(),
+	customClaims: z.record(z.string(), z.unknown()).nullable().optional(),
+	dpopBoundAccessTokensRequired: z.boolean().optional(),
+	disabled: z.boolean().optional(),
+	metadata: z.record(z.string(), z.unknown()).nullable().optional()
+});
+const adminCreateOAuthResource = (opts) => createAuthEndpoint("/admin/oauth2/resources", {
 	method: "POST",
-	use: [sessionMiddleware],
-	body: z.object({ id: z.string() }),
-	metadata: { openapi: { description: "Deletes consent granted to a client" } }
-}, async (ctx) => {
-	return deleteConsentEndpoint(ctx, opts);
-});
+	body: resourceBodySchema.required({ identifier: true }),
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => createResourceEndpoint(ctx, opts));
+const adminListOAuthResources = (opts) => createAuthEndpoint("/admin/oauth2/resources", {
+	method: "GET",
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => listResourcesEndpoint(ctx, opts));
+const adminGetOAuthResource = (opts) => createAuthEndpoint("/admin/oauth2/resources/:identifier", {
+	method: "GET",
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => getResourceByIdentifierEndpoint(ctx, opts));
+const adminUpdateOAuthResource = (opts) => createAuthEndpoint("/admin/oauth2/resources/:identifier", {
+	method: "PATCH",
+	body: resourceBodySchema,
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => updateResourceEndpoint(ctx, opts));
+const adminDeleteOAuthResource = (opts) => createAuthEndpoint("/admin/oauth2/resources/:identifier", {
+	method: "DELETE",
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => deleteResourceEndpoint(ctx, opts));
+const adminLinkClientResource = (opts) => createAuthEndpoint("/admin/oauth2/resources/:identifier/clients/:client_id", {
+	method: "POST",
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => linkClientResourceEndpoint(ctx, opts));
+const adminUnlinkClientResource = (opts) => createAuthEndpoint("/admin/oauth2/resources/:identifier/clients/:client_id", {
+	method: "DELETE",
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => unlinkClientResourceEndpoint(ctx, opts));
 //#endregion
 //#region src/revoke.ts
 /**
@@ -2503,21 +2294,28 @@ const deleteOAuthConsent = (opts) => createAuthEndpoint("/oauth2/delete-consent"
 */
 /**
 * Revokes a JWT access token against the configured JWKs.
-* (does nothing if successful since a JWT is not stored on the server)
+*
+* A JWT access token is self-contained and never stored, so there is nothing to
+* delete. Once the token is confirmed to be a valid JWT for this server, the
+* endpoint reports `unsupported_token_type` (RFC 7009 §2.2.1) instead of a
+* silent success, so callers can tell that no server-side revocation happened.
+* An expired JWT or a JWT with an audience rejected by the OAuth resource model
+* is already inactive and still resolves as a successful no-op. Session-bound
+* tokens (carrying `sid`) are cut off early by the session-liveness check in
+* introspection and userinfo.
 */
 async function revokeJwtAccessToken(ctx, opts, token) {
 	const jwtPlugin = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context);
 	const jwtPluginOptions = jwtPlugin?.options;
 	try {
-		await verifyJwsAccessToken(token, {
+		const verified = await jwtVerify(token, createLocalJWKSet(await getJwks(token, {
 			jwksFetch: jwtPluginOptions?.jwks?.remoteUrl ? jwtPluginOptions.jwks.remoteUrl : async () => {
 				return (await jwtPlugin?.endpoints.getJwks(ctx))?.response;
 			},
-			verifyOptions: {
-				audience: opts.validAudiences ?? ctx.context.baseURL,
-				issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL
-			}
-		});
+			jwksCacheKey: jwtPlugin
+		})), { issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL });
+		const userInfoAudience = `${ctx.context.baseURL}/oauth2/userinfo`;
+		if (!verified.payload.azp || !await isAudienceClaimAllowed(ctx, opts, verified.payload.aud, [userInfoAudience])) return null;
 	} catch (error) {
 		if (error instanceof Error) {
 			if (error.name === "TypeError" || error.name === "JWSInvalid") throw new APIError$1("BAD_REQUEST", {
@@ -2530,6 +2328,10 @@ async function revokeJwtAccessToken(ctx, opts, token) {
 		}
 		throw new Error(error);
 	}
+	throw new APIError$1("BAD_REQUEST", {
+		error_description: "JWT access tokens are self-contained and cannot be revoked server-side",
+		error: "unsupported_token_type"
+	});
 }
 /**
 * Searches for an opaque access token in the database and validates it
@@ -2591,7 +2393,7 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 	}
 	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return null;
 	const iat = Math.floor(Date.now() / 1e3);
-	if (!await ctx.context.adapter.update({
+	if (!await ctx.context.adapter.incrementOne({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
@@ -2601,7 +2403,8 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 			operator: "eq",
 			value: null
 		}],
-		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
+		increment: {},
+		set: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
 	})) {
 		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
 		throw new APIError$1("BAD_REQUEST", {
@@ -2625,7 +2428,9 @@ async function revokeAccessToken(ctx, opts, clientId, token) {
 	try {
 		return await revokeJwtAccessToken(ctx, opts, token);
 	} catch (err) {
-		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
+		if (err instanceof APIError$1) {
+			if (err.body?.error === "unsupported_token_type") throw err;
+		} else if (err instanceof Error) throw err;
 		else throw new Error(err);
 	}
 	try {
@@ -2642,23 +2447,23 @@ async function revokeAccessToken(ctx, opts, clientId, token) {
 async function revokeEndpoint(ctx, opts) {
 	let { token, token_type_hint } = ctx.body;
 	if (token_type_hint !== "access_token" && token_type_hint !== "refresh_token") token_type_hint = void 0;
-	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/revoke`));
+	const { clientId: client_id, clientSecret: client_secret, preVerified, authMethod } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/revoke`));
 	if (!client_id) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "missing required credentials",
 		error: "invalid_client"
 	});
-	if (typeof token === "string" && token.startsWith("Bearer ")) token = token.replace("Bearer ", "");
+	if (typeof token === "string") token = stripAccessTokenAuthorizationScheme(token);
 	if (!token?.length) throw new APIError$1("BAD_REQUEST", {
 		error_description: "missing a required token for introspection",
 		error: "invalid_request"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerified, void 0, authMethod);
 	try {
 		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
 			return await revokeAccessToken(ctx, opts, client.clientId, token);
 		} catch (error) {
 			if (error instanceof APIError$1) {
-				if (token_type_hint === "access_token") throw error;
+				if (token_type_hint === "access_token" || error.body?.error === "unsupported_token_type") throw error;
 			} else if (error instanceof Error) throw error;
 			else throw new Error(error);
 		}
@@ -2676,6 +2481,7 @@ async function revokeEndpoint(ctx, opts) {
 		});
 	} catch (error) {
 		if (error instanceof APIError$1) {
+			if (error.body?.error === "unsupported_token_type") throw error;
 			if (error.name === "BAD_REQUEST") return null;
 			throw error;
 		} else if (error instanceof Error) {
@@ -2784,6 +2590,14 @@ const schema = {
 				type: "string[]",
 				required: false
 			},
+			backchannelLogoutUri: {
+				type: "string",
+				required: false
+			},
+			backchannelLogoutSessionRequired: {
+				type: "boolean",
+				required: false
+			},
 			tokenEndpointAuthMethod: {
 				type: "string",
 				required: false
@@ -2816,6 +2630,11 @@ const schema = {
 				type: "boolean",
 				required: false
 			},
+			dpopBoundAccessTokens: {
+				type: "boolean",
+				required: false,
+				defaultValue: false
+			},
 			referenceId: {
 				type: "string",
 				required: false
@@ -2826,6 +2645,104 @@ const schema = {
 			}
 		}
 	},
+	oauthResource: {
+		modelName: "oauthResource",
+		fields: {
+			identifier: {
+				type: "string",
+				required: true,
+				unique: true
+			},
+			name: {
+				type: "string",
+				required: true
+			},
+			accessTokenTtl: {
+				type: "number",
+				required: false
+			},
+			refreshTokenTtl: {
+				type: "number",
+				required: false
+			},
+			signingAlgorithm: {
+				type: "string",
+				required: false
+			},
+			signingKeyId: {
+				type: "string",
+				required: false
+			},
+			allowedScopes: {
+				type: "string[]",
+				required: false
+			},
+			customClaims: {
+				type: "json",
+				required: false
+			},
+			dpopBoundAccessTokensRequired: {
+				type: "boolean",
+				required: false,
+				defaultValue: false
+			},
+			disabled: {
+				type: "boolean",
+				required: false,
+				defaultValue: false
+			},
+			createdAt: {
+				type: "date",
+				required: false
+			},
+			updatedAt: {
+				type: "date",
+				required: false
+			},
+			policyVersion: {
+				type: "number",
+				required: false,
+				defaultValue: 1
+			},
+			metadata: {
+				type: "json",
+				required: false
+			}
+		}
+	},
+	oauthClientResource: {
+		modelName: "oauthClientResource",
+		fields: {
+			clientId: {
+				type: "string",
+				required: true,
+				references: {
+					model: "oauthClient",
+					field: "clientId",
+					onDelete: "cascade"
+				},
+				index: true
+			},
+			resourceId: {
+				type: "string",
+				required: true,
+				references: {
+					model: "oauthResource",
+					field: "identifier",
+					onDelete: "cascade"
+				},
+				index: true
+			},
+			metadata: {
+				type: "json",
+				required: false
+			},
+			createdAt: {
+				type: "date",
+				required: false
+			}
+		}
+	},
 	oauthRefreshToken: { fields: {
 		token: {
 			type: "string",
@@ -2878,6 +2795,10 @@ const schema = {
 			type: "date",
 			required: false
 		},
+		confirmation: {
+			type: "json",
+			required: false
+		},
 		scopes: {
 			type: "string[]",
 			required: true
@@ -2937,6 +2858,14 @@ const schema = {
 			},
 			expiresAt: { type: "date" },
 			createdAt: { type: "date" },
+			revoked: {
+				type: "date",
+				required: false
+			},
+			confirmation: {
+				type: "json",
+				required: false
+			},
 			scopes: {
 				type: "string[]",
 				required: true
@@ -2979,12 +2908,36 @@ const schema = {
 			createdAt: { type: "date" },
 			updatedAt: { type: "date" }
 		}
+	},
+	oauthClientAssertion: {
+		modelName: "oauthClientAssertion",
+		fields: { expiresAt: {
+			type: "date",
+			required: true
+		} }
 	}
 };
 //#endregion
 //#region src/oauth.ts
+/**
+* Default scopes advertised and accepted when a configuration sets none. Shared
+* with the MCP preset so the resource metadata it serves matches what the
+* authorization-server metadata advertises.
+*/
+const DEFAULT_OAUTH_SCOPES = [
+	"openid",
+	"profile",
+	"email",
+	"offline_access"
+];
 const oAuthState = defineRequestState(() => null);
 const getOAuthProviderState = oAuthState.get;
+const signedQueryIssuedAtMsKey = "signedQueryIssuedAtMs";
+function getServerContextSignedQueryIssuedAt(value) {
+	const issuedAtMs = typeof value === "number" ? value : typeof value === "string" ? Number(value) : void 0;
+	if (!issuedAtMs || !Number.isFinite(issuedAtMs) || issuedAtMs <= 0) return;
+	return new Date(issuedAtMs);
+}
 /**
 * oAuth 2.1 provider plugin for Better Auth.
 *
@@ -2998,12 +2951,7 @@ const oauthProvider = (options) => {
 		const _allowedScopes = clientRegistrationAllowedScopes ? new Set([...clientRegistrationAllowedScopes, ...options.clientRegistrationDefaultScopes]) : new Set([...options.clientRegistrationDefaultScopes]);
 		clientRegistrationAllowedScopes = Array.from(_allowedScopes);
 	}
-	const scopes = new Set((options.scopes ?? [
-		"openid",
-		"profile",
-		"email",
-		"offline_access"
-	]).filter((val) => val.length));
+	const scopes = new Set((options.scopes ?? DEFAULT_OAUTH_SCOPES).filter((val) => val.length));
 	if (clientRegistrationAllowedScopes) {
 		for (const sc of clientRegistrationAllowedScopes) if (!scopes.has(sc)) throw new BetterAuthError(`clientRegistrationAllowedScope ${sc} not found in scopes`);
 	}
@@ -3045,6 +2993,7 @@ const oauthProvider = (options) => {
 		claims: Array.from(claims),
 		clientRegistrationAllowedScopes
 	};
+	validateOAuthProviderExtensions(opts.extensions);
 	if (opts.pairwiseSecret && opts.pairwiseSecret.length < 32) throw new BetterAuthError("pairwiseSecret must be at least 32 characters long for adequate HMAC-SHA256 security");
 	if (opts.grantTypes && opts.grantTypes.includes("refresh_token") && !opts.grantTypes.includes("authorization_code")) throw new BetterAuthError("refresh_token grant requires authorization_code grant");
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
@@ -3080,26 +3029,159 @@ const oauthProvider = (options) => {
 		}
 		if (isAuthServerMetadataRequest) {
 			if (opts.scopes?.includes("openid")) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
-			return { response: createMetadataResponse({
-				...authServerMetadata(endpointCtx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx)?.options, {
-					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-					dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
-					public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
-					grant_types_supported: opts.grantTypes,
-					jwt_disabled: opts.disableJwtPlugin
-				}),
-				...mergeDiscoveryMetadata(opts.clientDiscovery)
-			}) };
+			return { response: createMetadataResponse(oauthAuthorizationServerMetadata(endpointCtx, opts)) };
 		}
 		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
 	};
+	const oauth2AuthorizeEndpoint = createOAuthEndpoint("/oauth2/authorize", {
+		method: "GET",
+		query: authorizationQuerySchema,
+		redirectOnError: authorizeRedirectOnError(opts),
+		errorCodesByField: {
+			response_type: { invalid: "unsupported_response_type" },
+			resource: { invalid: "invalid_target" }
+		},
+		metadata: { openapi: {
+			description: "Authorize an OAuth2 request",
+			parameters: [
+				{
+					name: "response_type",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 response type (e.g., 'code')"
+				},
+				{
+					name: "client_id",
+					in: "query",
+					required: true,
+					schema: { type: "string" },
+					description: "OAuth2 client ID"
+				},
+				{
+					name: "redirect_uri",
+					in: "query",
+					required: false,
+					schema: {
+						type: "string",
+						format: "uri"
+					},
+					description: "OAuth2 redirect URI"
+				},
+				{
+					name: "scope",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 scopes (space-separated)"
+				},
+				{
+					name: "state",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 state parameter"
+				},
+				{
+					name: "request_uri",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "Pushed Authorization Request URI referencing stored parameters"
+				},
+				{
+					name: "code_challenge",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "PKCE code challenge"
+				},
+				{
+					name: "code_challenge_method",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "PKCE code challenge method"
+				},
+				{
+					name: "nonce",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OpenID Connect nonce"
+				},
+				{
+					name: "max_age",
+					in: "query",
+					required: false,
+					schema: {
+						type: "integer",
+						minimum: 0
+					},
+					description: "Maximum authentication age in seconds; forces re-authentication when exceeded"
+				},
+				{
+					name: "resource",
+					in: "query",
+					required: false,
+					schema: {
+						type: "array",
+						items: { type: "string" }
+					},
+					description: "Requested protected resource(s) for the access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
+				},
+				{
+					name: "prompt",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 prompt parameter"
+				}
+			],
+			responses: {
+				"302": {
+					description: "Redirect to client with code or error",
+					headers: { Location: {
+						description: "Redirect URI with code or error",
+						schema: {
+							type: "string",
+							format: "uri"
+						}
+					} }
+				},
+				"400": {
+					description: "Invalid request",
+					content: { "application/json": { schema: {
+						type: "object",
+						properties: {
+							error: { type: "string" },
+							error_description: { type: "string" },
+							state: { type: "string" }
+						},
+						required: ["error"]
+					} } }
+				}
+			}
+		} }
+	}, async (ctx) => {
+		return authorizeEndpoint(ctx, opts, ctx.authorizeSettings ?? { isAuthorize: true });
+	});
+	const runOAuth2Authorize = (ctx, settings) => dispatchAuthEndpoint(oauth2AuthorizeEndpoint, {
+		...ctx,
+		asResponse: false,
+		returnHeaders: false,
+		returnStatus: false,
+		authorizeSettings: settings ?? {}
+	});
 	return {
 		id: "oauth-provider",
 		version: PACKAGE_VERSION,
 		options: opts,
 		onRequest: handleIssuerMetadataRequest,
-		init: (ctx) => {
+		init: async (ctx) => {
 			if (ctx.options.secondaryStorage && ctx.options.session?.storeSessionInDatabase !== true) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
+			await seedResources(ctx, opts);
+			logEnforcePerClientResourcesResolution(opts);
 			if (!opts.disableJwtPlugin) {
 				const jwtPluginOptions = getJwtPlugin(ctx)?.options;
 				const issuer = jwtPluginOptions?.jwt?.issuer ?? ctx.baseURL;
@@ -3108,12 +3190,20 @@ const oauthProvider = (options) => {
 				try {
 					issuerPath = new URL(issuer).pathname;
 				} catch (error) {
-					if (isDynamicBaseURLInit && issuer === "") return;
-					throw error;
+					if (!isDynamicBaseURLInit || issuer !== "") throw error;
 				}
-				if (!opts.silenceWarnings?.oauthAuthServerConfig && !(ctx.options.basePath === "/" && issuerPath === "/")) logger.warn(`Please ensure '/.well-known/oauth-authorization-server${issuerPath === "/" ? "" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`);
-				if (!opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
+				if (issuerPath !== void 0 && !opts.silenceWarnings?.oauthAuthServerConfig && !(ctx.options.basePath === "/" && issuerPath === "/")) logger.warn(`Please ensure '/.well-known/oauth-authorization-server${issuerPath === "/" ? "" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`);
+				if (issuerPath !== void 0 && !opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
 			}
+			return { options: { databaseHooks: { session: { delete: { async before(session, hookCtx) {
+				if (!hookCtx) return;
+				const plan = await revokeAndPlanBackchannelLogout(hookCtx, opts, {
+					sessionId: session.id,
+					userId: session.userId
+				});
+				if (!plan) return;
+				await hookCtx.context.runInBackgroundOrAwait(deliverBackchannelLogoutTokens(hookCtx, plan));
+			} } } } } };
 		},
 		hooks: {
 			before: [{
@@ -3135,11 +3225,10 @@ const oauthProvider = (options) => {
 						signedQueryIssuedAt: signedQueryIssuedAt ?? void 0,
 						postLoginClearedForSession
 					});
-					if (ctx.path === "/sign-in/social") {
-						if (ctx.body.additionalData?.query) return;
-						if (!ctx.body.additionalData) ctx.body.additionalData = {};
-						ctx.body.additionalData.query = queryParams.toString();
-					}
+					if (ctx.path === "/sign-in/social") await addOAuthServerContext({
+						query: queryParams.toString(),
+						...signedQueryIssuedAt ? { [signedQueryIssuedAtMsKey]: signedQueryIssuedAt.getTime() } : {}
+					});
 				})
 			}],
 			after: [{
@@ -3149,7 +3238,9 @@ const oauthProvider = (options) => {
 				handler: createAuthMiddleware(async (ctx) => {
 					const sessionToken = parseSetCookieHeader(ctx.context.responseHeaders?.get("set-cookie") || "").get(ctx.context.authCookies.sessionToken.name)?.value.split(".")[0];
 					if (!sessionToken) return;
-					const _query = (await oAuthState.get())?.query ?? (await getOAuthState())?.query;
+					const oauthRequest = await oAuthState.get();
+					const serverContext = (await getOAuthState())?.serverContext;
+					const _query = oauthRequest?.query ?? serverContext?.query;
 					if (!_query) return;
 					const query = new URLSearchParams(_query);
 					const session = await ctx.context.internalAdapter.findSession(sessionToken);
@@ -3158,8 +3249,11 @@ const oauthProvider = (options) => {
 					const secFetchMode = ctx.request?.headers?.get("sec-fetch-mode")?.toLowerCase();
 					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
 					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
-					ctx.query = searchParamsToQuery(removePromptFromQuery(query, "login"));
-					return await authorizeEndpoint(ctx, opts);
+					const signedQueryIssuedAt = oauthRequest?.signedQueryIssuedAt ?? getServerContextSignedQueryIssuedAt(serverContext?.[signedQueryIssuedAtMsKey]);
+					let authorizationQuery = removePromptFromQuery(query, "login");
+					if (isSessionFreshForSignedQuery(session.session.createdAt, signedQueryIssuedAt)) authorizationQuery = removeMaxAgeFromQuery(authorizationQuery);
+					ctx.query = searchParamsToQuery(authorizationQuery);
+					return await runOAuth2Authorize(ctx);
 				})
 			}]
 		},
@@ -3169,16 +3263,7 @@ const oauthProvider = (options) => {
 				metadata: { SERVER_ONLY: true }
 			}, async (ctx) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
-				else return {
-					...authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
-						scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-						dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
-						public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
-						grant_types_supported: opts.grantTypes,
-						jwt_disabled: opts.disableJwtPlugin
-					}),
-					...mergeDiscoveryMetadata(opts.clientDiscovery)
-				};
+				else return oauthAuthorizationServerMetadata(ctx, opts);
 			}),
 			getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", {
 				method: "GET",
@@ -3187,149 +3272,7 @@ const oauthProvider = (options) => {
 				if (opts.scopes && !opts.scopes.includes("openid")) throw new APIError("NOT_FOUND");
 				return oidcServerMetadata(ctx, opts);
 			}),
-			oauth2Authorize: createOAuthEndpoint("/oauth2/authorize", {
-				method: "GET",
-				query: z.object({
-					response_type: z.string().pipe(z.enum(["code"])).optional(),
-					client_id: z.string(),
-					redirect_uri: SafeUrlSchema.optional(),
-					scope: z.string().optional(),
-					state: z.string().optional(),
-					request_uri: z.string().optional(),
-					code_challenge: z.string().optional(),
-					code_challenge_method: z.string().pipe(z.enum(["S256"])).optional(),
-					nonce: z.string().optional(),
-					resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional(),
-					prompt: z.string().pipe(z.enum([
-						"none",
-						"consent",
-						"login",
-						"create",
-						"select_account",
-						"login consent",
-						"select_account consent"
-					])).optional()
-				}),
-				redirectOnError: authorizeRedirectOnError(opts),
-				errorCodesByField: {
-					response_type: { invalid: "unsupported_response_type" },
-					resource: { invalid: "invalid_target" }
-				},
-				metadata: { openapi: {
-					description: "Authorize an OAuth2 request",
-					parameters: [
-						{
-							name: "response_type",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 response type (e.g., 'code')"
-						},
-						{
-							name: "client_id",
-							in: "query",
-							required: true,
-							schema: { type: "string" },
-							description: "OAuth2 client ID"
-						},
-						{
-							name: "redirect_uri",
-							in: "query",
-							required: false,
-							schema: {
-								type: "string",
-								format: "uri"
-							},
-							description: "OAuth2 redirect URI"
-						},
-						{
-							name: "scope",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 scopes (space-separated)"
-						},
-						{
-							name: "state",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 state parameter"
-						},
-						{
-							name: "request_uri",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "Pushed Authorization Request URI referencing stored parameters"
-						},
-						{
-							name: "code_challenge",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "PKCE code challenge"
-						},
-						{
-							name: "code_challenge_method",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "PKCE code challenge method"
-						},
-						{
-							name: "nonce",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OpenID Connect nonce"
-						},
-						{
-							name: "resource",
-							in: "query",
-							required: false,
-							schema: {
-								type: "array",
-								items: { type: "string" }
-							},
-							description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
-						},
-						{
-							name: "prompt",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 prompt parameter"
-						}
-					],
-					responses: {
-						"302": {
-							description: "Redirect to client with code or error",
-							headers: { Location: {
-								description: "Redirect URI with code or error",
-								schema: {
-									type: "string",
-									format: "uri"
-								}
-							} }
-						},
-						"400": {
-							description: "Invalid request",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									error: { type: "string" },
-									error_description: { type: "string" },
-									state: { type: "string" }
-								},
-								required: ["error"]
-							} } }
-						}
-					}
-				} }
-			}, async (ctx) => {
-				return authorizeEndpoint(ctx, opts, { isAuthorize: true });
-			}),
+			oauth2Authorize: oauth2AuthorizeEndpoint,
 			oauth2Consent: createAuthEndpoint("/oauth2/consent", {
 				method: "POST",
 				body: z.object({
@@ -3354,7 +3297,7 @@ const oauthProvider = (options) => {
 					} }
 				} }
 			}, async (ctx) => {
-				return consentEndpoint(ctx, opts);
+				return consentEndpoint(ctx, opts, runOAuth2Authorize);
 			}),
 			oauth2Continue: createAuthEndpoint("/oauth2/continue", {
 				method: "POST",
@@ -3381,16 +3324,13 @@ const oauthProvider = (options) => {
 					} }
 				} }
 			}, async (ctx) => {
-				return continueEndpoint(ctx, opts);
+				return continueEndpoint(ctx, runOAuth2Authorize);
 			}),
 			oauth2Token: createOAuthEndpoint("/oauth2/token", {
 				method: "POST",
+				cloneRequest: true,
 				body: z.object({
-					grant_type: z.string().pipe(z.enum([
-						"authorization_code",
-						"client_credentials",
-						"refresh_token"
-					])),
+					grant_type: z.string().trim().min(1),
 					client_id: z.string().optional(),
 					client_secret: z.string().optional(),
 					client_assertion: z.string().optional(),
@@ -3401,7 +3341,7 @@ const oauthProvider = (options) => {
 					refresh_token: z.string().optional(),
 					resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional(),
 					scope: z.string().optional()
-				}),
+				}).passthrough(),
 				errorCodesByField: {
 					grant_type: {
 						missing: "invalid_request",
@@ -3410,9 +3350,17 @@ const oauthProvider = (options) => {
 					resource: { invalid: "invalid_target" }
 				},
 				metadata: {
+					noStore: true,
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
 					openapi: {
 						description: "Obtain an OAuth2.1 access token",
+						parameters: [{
+							name: "DPoP",
+							in: "header",
+							required: false,
+							schema: { type: "string" },
+							description: "RFC 9449 DPoP proof JWT for issuing DPoP-bound tokens"
+						}],
 						requestBody: {
 							required: true,
 							content: { "application/json": { schema: {
@@ -3420,11 +3368,6 @@ const oauthProvider = (options) => {
 								properties: {
 									grant_type: {
 										type: "string",
-										enum: [
-											"authorization_code",
-											"client_credentials",
-											"refresh_token"
-										],
 										description: "OAuth2 grant type"
 									},
 									client_id: {
@@ -3461,7 +3404,7 @@ const oauthProvider = (options) => {
 											items: { type: "string" },
 											description: "Multiple resources (URLs)"
 										}],
-										description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token"
+										description: "Requested protected resource(s) for the access token"
 									},
 									scope: {
 										type: "string",
@@ -3484,7 +3427,7 @@ const oauthProvider = (options) => {
 										token_type: {
 											type: "string",
 											description: "The type of the token issued",
-											enum: ["Bearer"]
+											enum: ["Bearer", "DPoP"]
 										},
 										expires_in: {
 											type: "number",
@@ -3526,6 +3469,10 @@ const oauthProvider = (options) => {
 					}
 				}
 			}, async (ctx) => {
+				if (ctx.request) {
+					const repeated = await extractRepeatedResourceFromForm(ctx.request);
+					if (repeated && repeated.length > 1) ctx.body.resource = repeated;
+				}
 				return tokenEndpoint(ctx, opts);
 			}),
 			oauth2Introspect: createOAuthEndpoint("/oauth2/introspect", {
@@ -3539,6 +3486,7 @@ const oauthProvider = (options) => {
 					token_type_hint: z.string().optional()
 				}),
 				metadata: {
+					noStore: true,
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
 					openapi: {
 						description: "Introspect an OAuth2 access or refresh token",
@@ -3709,91 +3657,100 @@ const oauthProvider = (options) => {
 				return revokeEndpoint(ctx, opts);
 			}),
 			oauth2UserInfo: createAuthEndpoint("/oauth2/userinfo", {
-				method: "GET",
-				metadata: { openapi: {
-					description: "Get OpenID Connect user information (UserInfo endpoint)",
-					security: [{ bearerAuth: [] }, { OAuth2: [
-						"openid",
-						"profile",
-						"email"
-					] }],
-					parameters: [{
-						name: "Authorization",
-						in: "header",
-						required: false,
-						schema: { type: "string" },
-						description: "Bearer access token"
-					}],
-					responses: {
-						"200": {
-							description: "User information retrieved successfully",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									sub: {
-										type: "string",
-										description: "Subject identifier (user ID)"
-									},
-									email: {
-										type: "string",
-										format: "email",
-										nullable: true,
-										description: "User's email address, included if 'email' scope is granted"
-									},
-									name: {
-										type: "string",
-										nullable: true,
-										description: "User's full name, included if 'profile' scope is granted"
-									},
-									picture: {
-										type: "string",
-										format: "uri",
-										nullable: true,
-										description: "User's profile picture URL, included if 'profile' scope is granted"
+				method: ["GET", "POST"],
+				metadata: {
+					noStore: true,
+					openapi: {
+						description: "Get OpenID Connect user information (UserInfo endpoint)",
+						security: [{ bearerAuth: [] }, { OAuth2: [
+							"openid",
+							"profile",
+							"email"
+						] }],
+						parameters: [{
+							name: "Authorization",
+							in: "header",
+							required: false,
+							schema: { type: "string" },
+							description: "Bearer or DPoP access token"
+						}, {
+							name: "DPoP",
+							in: "header",
+							required: false,
+							schema: { type: "string" },
+							description: "RFC 9449 DPoP proof JWT when using a DPoP-bound access token"
+						}],
+						responses: {
+							"200": {
+								description: "User information retrieved successfully",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										sub: {
+											type: "string",
+											description: "Subject identifier (user ID)"
+										},
+										email: {
+											type: "string",
+											format: "email",
+											nullable: true,
+											description: "User's email address, included if 'email' scope is granted"
+										},
+										name: {
+											type: "string",
+											nullable: true,
+											description: "User's full name, included if 'profile' scope is granted"
+										},
+										picture: {
+											type: "string",
+											format: "uri",
+											nullable: true,
+											description: "User's profile picture URL, included if 'profile' scope is granted"
+										},
+										given_name: {
+											type: "string",
+											nullable: true,
+											description: "User's given name, included if 'profile' scope is granted"
+										},
+										family_name: {
+											type: "string",
+											nullable: true,
+											description: "User's family name, included if 'profile' scope is granted"
+										},
+										email_verified: {
+											type: "boolean",
+											nullable: true,
+											description: "Whether the email is verified, included if 'email' scope is granted"
+										}
 									},
-									given_name: {
-										type: "string",
-										nullable: true,
-										description: "User's given name, included if 'profile' scope is granted"
+									required: ["sub"]
+								} } }
+							},
+							"401": {
+								description: "Unauthorized - invalid or missing access token",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										error: { type: "string" },
+										error_description: { type: "string" }
 									},
-									family_name: {
-										type: "string",
-										nullable: true,
-										description: "User's family name, included if 'profile' scope is granted"
+									required: ["error"]
+								} } }
+							},
+							"403": {
+								description: "Forbidden - insufficient scope",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										error: { type: "string" },
+										error_description: { type: "string" }
 									},
-									email_verified: {
-										type: "boolean",
-										nullable: true,
-										description: "Whether the email is verified, included if 'email' scope is granted"
-									}
-								},
-								required: ["sub"]
-							} } }
-						},
-						"401": {
-							description: "Unauthorized - invalid or missing access token",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									error: { type: "string" },
-									error_description: { type: "string" }
-								},
-								required: ["error"]
-							} } }
-						},
-						"403": {
-							description: "Forbidden - insufficient scope",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									error: { type: "string" },
-									error_description: { type: "string" }
-								},
-								required: ["error"]
-							} } }
+									required: ["error"]
+								} } }
+							}
 						}
 					}
-				} }
+				}
 			}, async (ctx) => {
 				return userInfoEndpoint(ctx, opts);
 			}),
@@ -3830,183 +3787,149 @@ const oauthProvider = (options) => {
 			}),
 			registerOAuthClient: createOAuthEndpoint("/oauth2/register", {
 				method: "POST",
-				body: z.object({
-					redirect_uris: z.array(SafeUrlSchema).min(1).min(1),
-					scope: z.string().optional(),
-					client_name: z.string().optional(),
-					client_uri: z.string().optional(),
-					logo_uri: z.string().optional(),
-					contacts: z.array(z.string().min(1)).min(1).optional(),
-					tos_uri: z.string().optional(),
-					policy_uri: z.string().optional(),
-					software_id: z.string().optional(),
-					software_version: z.string().optional(),
-					software_statement: z.string().optional(),
-					post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
-					token_endpoint_auth_method: z.enum([
-						"none",
-						"client_secret_basic",
-						"client_secret_post",
-						"private_key_jwt"
-					]).default("client_secret_basic").optional(),
-					jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
-					jwks_uri: z.string().optional(),
-					grant_types: z.array(z.enum([
-						"authorization_code",
-						"client_credentials",
-						"refresh_token"
-					])).default(["authorization_code"]).optional(),
-					response_types: z.array(z.enum(["code"])).default(["code"]).optional(),
-					type: z.enum([
-						"web",
-						"native",
-						"user-agent-based"
-					]).optional(),
-					subject_type: z.enum(["public", "pairwise"]).optional(),
-					skip_consent: z.never({ error: "skip_consent cannot be set during dynamic client registration" }).optional()
-				}),
+				body: clientRegistrationRequestSchema,
 				errorCodesByField: {
 					redirect_uris: "invalid_redirect_uri",
 					post_logout_redirect_uris: "invalid_redirect_uri",
-					software_statement: "invalid_software_statement"
+					software_statement: "invalid_software_statement",
+					resources: "invalid_target"
 				},
 				defaultError: "invalid_client_metadata",
-				metadata: { openapi: {
-					description: "Register an OAuth2 application",
-					responses: { "200": {
-						description: "OAuth2 application registered successfully",
-						content: { "application/json": { schema: {
-							type: "object",
-							properties: {
-								client_id: {
-									type: "string",
-									description: "Unique identifier for the client"
-								},
-								client_secret: {
-									type: "string",
-									description: "Secret key for the client"
-								},
-								client_secret_expires_at: {
-									type: "number",
-									description: "Time the client secret will expire. If 0, the client secret will never expire."
-								},
-								scope: {
-									type: "string",
-									description: "Space-separated scopes allowed by the client"
-								},
-								user_id: {
-									type: "string",
-									description: "ID of the user who registered the client, null if registered anonymously"
-								},
-								client_id_issued_at: {
-									type: "number",
-									description: "Creation timestamp of this client"
-								},
-								client_name: {
-									type: "string",
-									description: "Name of the OAuth2 application"
-								},
-								client_uri: {
-									type: "string",
-									description: "Name of the OAuth2 application"
-								},
-								logo_uri: {
-									type: "string",
-									description: "Icon URL for the application"
-								},
-								contacts: {
-									type: "array",
-									items: { type: "string" },
-									description: "List representing ways to contact people responsible for this client, typically email addresses"
-								},
-								tos_uri: {
-									type: "string",
-									description: "Client's terms of service uri"
-								},
-								policy_uri: {
-									type: "string",
-									description: "Client's policy uri"
-								},
-								software_id: {
-									type: "string",
-									description: "Unique identifier assigned by the developer to help in the dynamic registration process"
-								},
-								software_version: {
-									type: "string",
-									description: "Version identifier for the software_id"
-								},
-								software_statement: {
-									type: "string",
-									description: "JWT containing metadata values about the client software as claims"
-								},
-								redirect_uris: {
-									type: "array",
-									items: {
+				metadata: {
+					noStore: true,
+					openapi: {
+						description: "Register an OAuth2 application",
+						responses: { "201": {
+							description: "OAuth2 application registered successfully",
+							content: { "application/json": { schema: {
+								type: "object",
+								properties: {
+									client_id: {
 										type: "string",
-										format: "uri"
+										description: "Unique identifier for the client"
 									},
-									description: "List of allowed redirect uris"
-								},
-								post_logout_redirect_uris: {
-									type: "array",
-									items: {
+									client_secret: {
 										type: "string",
-										format: "uri"
+										description: "Secret key for the client"
 									},
-									description: "List of allowed logout redirect uris"
-								},
-								token_endpoint_auth_method: {
-									type: "string",
-									description: "Requested authentication method for the token endpoint",
-									enum: [
-										"none",
-										"client_secret_basic",
-										"client_secret_post",
-										"private_key_jwt"
-									]
-								},
-								grant_types: {
-									type: "array",
-									items: {
+									client_secret_expires_at: {
+										type: "number",
+										description: "Time the client secret will expire. If 0, the client secret will never expire."
+									},
+									scope: {
 										type: "string",
-										enum: [
-											"authorization_code",
-											"client_credentials",
-											"refresh_token"
-										]
+										description: "Space-separated scopes allowed by the client"
 									},
-									description: "Requested authentication method for the token endpoint"
-								},
-								response_types: {
-									type: "array",
-									items: {
+									user_id: {
 										type: "string",
-										enum: ["code"]
+										description: "ID of the user who registered the client, null if registered anonymously"
 									},
-									description: "Requested authentication method for the token endpoint"
-								},
-								public: {
-									type: "boolean",
-									description: "Whether the client is public as determined by the type"
-								},
-								type: {
-									type: "string",
-									description: "Type of the client",
-									enum: [
-										"web",
-										"native",
-										"user-agent-based"
-									]
+									client_id_issued_at: {
+										type: "number",
+										description: "Creation timestamp of this client"
+									},
+									client_name: {
+										type: "string",
+										description: "Name of the OAuth2 application"
+									},
+									client_uri: {
+										type: "string",
+										description: "Name of the OAuth2 application"
+									},
+									logo_uri: {
+										type: "string",
+										description: "Icon URL for the application"
+									},
+									contacts: {
+										type: "array",
+										items: { type: "string" },
+										description: "List representing ways to contact people responsible for this client, typically email addresses"
+									},
+									tos_uri: {
+										type: "string",
+										description: "Client's terms of service uri"
+									},
+									policy_uri: {
+										type: "string",
+										description: "Client's policy uri"
+									},
+									software_id: {
+										type: "string",
+										description: "Unique identifier assigned by the developer to help in the dynamic registration process"
+									},
+									software_version: {
+										type: "string",
+										description: "Version identifier for the software_id"
+									},
+									software_statement: {
+										type: "string",
+										description: "JWT containing metadata values about the client software as claims"
+									},
+									redirect_uris: {
+										type: "array",
+										items: {
+											type: "string",
+											format: "uri"
+										},
+										description: "List of allowed redirect uris"
+									},
+									post_logout_redirect_uris: {
+										type: "array",
+										items: {
+											type: "string",
+											format: "uri"
+										},
+										description: "List of allowed logout redirect uris"
+									},
+									backchannel_logout_uri: {
+										type: "string",
+										format: "uri",
+										description: "RP URL to receive signed Logout Tokens when the end-user's OP session terminates"
+									},
+									backchannel_logout_session_required: {
+										type: "boolean",
+										description: "Whether the RP requires a `sid` claim in every Logout Token"
+									},
+									token_endpoint_auth_method: {
+										type: "string",
+										description: "Requested authentication method for the token endpoint"
+									},
+									grant_types: {
+										type: "array",
+										items: { type: "string" },
+										description: "Grant types the client may use at the token endpoint"
+									},
+									response_types: {
+										type: "array",
+										items: {
+											type: "string",
+											enum: ["code"]
+										},
+										description: "Response types the client may use at the authorization endpoint"
+									},
+									public: {
+										type: "boolean",
+										description: "Whether the client is public as determined by the type"
+									},
+									type: {
+										type: "string",
+										description: "Type of the client",
+										enum: [
+											"web",
+											"native",
+											"user-agent-based"
+										]
+									},
+									disabled: {
+										type: "boolean",
+										description: "Whether the client is disabled"
+									}
 								},
-								disabled: {
-									type: "boolean",
-									description: "Whether the client is disabled"
-								}
-							},
-							required: ["client_id"]
-						} } }
-					} }
-				} }
+								required: ["client_id"]
+							} } }
+						} }
+					}
+				}
 			}, async (ctx) => {
 				return registerEndpoint(ctx, opts);
 			}),
@@ -4023,7 +3946,14 @@ const oauthProvider = (options) => {
 			getOAuthConsent: getOAuthConsent(opts),
 			getOAuthConsents: getOAuthConsents(opts),
 			updateOAuthConsent: updateOAuthConsent(opts),
-			deleteOAuthConsent: deleteOAuthConsent(opts)
+			deleteOAuthConsent: deleteOAuthConsent(opts),
+			adminCreateOAuthResource: adminCreateOAuthResource(opts),
+			adminListOAuthResources: adminListOAuthResources(opts),
+			adminGetOAuthResource: adminGetOAuthResource(opts),
+			adminUpdateOAuthResource: adminUpdateOAuthResource(opts),
+			adminDeleteOAuthResource: adminDeleteOAuthResource(opts),
+			adminLinkClientResource: adminLinkClientResource(opts),
+			adminUnlinkClientResource: adminUnlinkClientResource(opts)
 		},
 		schema: mergeSchema(schema, opts?.schema),
 		rateLimit: [
@@ -4063,6 +3993,19 @@ const oauthProvider = (options) => {
 //#endregion
 //#region src/authorize.ts
 /**
+* Whether a past authentication is still fresh enough for an OIDC `max_age`
+* request: true when no more than `maxAge` seconds have elapsed since the user
+* last authenticated. The caller supplies `now`, keeping this pure.
+*/
+function isWithinMaxAge(sessionCreatedAt, maxAgeSeconds, now) {
+	if (maxAgeSeconds === 0) return false;
+	return now.getTime() - sessionCreatedAt.getTime() <= maxAgeSeconds * 1e3;
+}
+function removeMaxAgeFromAuthorizationQuery(query) {
+	const { max_age: _maxAge, ...queryWithoutMaxAge } = query;
+	return queryWithoutMaxAge;
+}
+/**
 * Formats an error url. Per OIDC Core 1.0 §5 / RFC 6749 §4.2.2.1, errors on
 * implicit and hybrid flows are delivered in the URL fragment, not the query.
 * Callers on the code flow (default) omit `mode` and get query delivery.
@@ -4209,6 +4152,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		error_description: "request not found",
 		error: "invalid_request"
 	});
+	const request = ctx.request;
 	let query = ctx.query;
 	if (query.request_uri) {
 		if (!opts.requestUriResolver) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request_uri", "request_uri not supported"));
@@ -4223,6 +4167,14 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		if (urlClientId) query.client_id = urlClientId;
 	}
 	ctx.query = query;
+	const parsedQuery = authorizationQuerySchema.safeParse(query);
+	if (!parsedQuery.success) return authorizeRedirectOnError(opts)({
+		error: "invalid_request",
+		error_description: "invalid authorization request",
+		ctx
+	});
+	query = parsedQuery.data;
+	ctx.query = query;
 	await oAuthState.set({ query: serializeAuthorizationQuery(query).toString() });
 	if (!query.client_id) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (!query.response_type) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request", "response_type is required"));
@@ -4233,6 +4185,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	const client = await getClient(ctx, opts, query.client_id);
 	if (!client) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (client.disabled) return handleRedirect(ctx, getErrorURL(ctx, "client_disabled", "client is disabled"));
+	if (!clientAllowsGrant(client, "authorization_code")) return handleRedirect(ctx, getErrorURL(ctx, "unauthorized_client", "client is not authorized to use the authorization_code grant"));
 	if (!findRegisteredRedirectUri(client.redirectUris, query.redirect_uri) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
 	let requestedScopes = query.scope?.split(" ").filter((s) => s);
 	if (requestedScopes) {
@@ -4246,6 +4199,20 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		requestedScopes = client.scopes ?? opts.scopes ?? [];
 		query.scope = requestedScopes.join(" ");
 	}
+	if (query.resource !== void 0) try {
+		await resolveResourcePolicy(ctx, opts, {
+			resource: query.resource,
+			clientId: client.clientId,
+			requestedScopes
+		});
+	} catch (err) {
+		if (err instanceof APIError$1) {
+			const error = err.body?.error ?? "invalid_target";
+			const description = err.body?.error_description ?? "requested resource invalid";
+			return handleRedirect(ctx, formatErrorURL(query.redirect_uri, error, description, query.state, getIssuer(ctx, opts)));
+		}
+		throw err;
+	}
 	const pkceRequired = isPKCERequired(client, requestedScopes);
 	if (pkceRequired) {
 		if (!query.code_challenge || !query.code_challenge_method) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", pkceRequired.valueOf(), query.state, getIssuer(ctx, opts)));
@@ -4254,18 +4221,22 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		if (!query.code_challenge || !query.code_challenge_method) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "code_challenge and code_challenge_method must both be provided", query.state, getIssuer(ctx, opts)));
 		if (!["S256"].includes(query.code_challenge_method)) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method, only S256 is supported", query.state, getIssuer(ctx, opts)));
 	}
-	const resource = query.resource;
-	if (!(await checkResource(ctx, opts, resource, requestedScopes)).success) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_target", "requested resource invalid", query.state, getIssuer(ctx, opts)));
-	const requestedResources = toResourceList(resource) ?? [];
+	const requestedResources = toResourceList(query.resource) ?? [];
 	const session = await getSessionFromCtx(ctx);
-	if (!session || promptSet?.has("login") || promptSet?.has("create")) {
+	const maxAgeSeconds = query.max_age;
+	const hasSatisfiedMaxAge = session != null && maxAgeSeconds !== void 0 && isWithinMaxAge(new Date(session.session.createdAt), maxAgeSeconds, /* @__PURE__ */ new Date());
+	if (!session || session != null && maxAgeSeconds !== void 0 && !hasSatisfiedMaxAge || promptSet?.has("login") || promptSet?.has("create")) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "login_required", "authentication required");
 		return redirectWithPromptCode(ctx, opts, promptSet?.has("create") ? "create" : "login");
 	}
+	if (hasSatisfiedMaxAge) {
+		query = removeMaxAgeFromAuthorizationQuery(query);
+		ctx.query = query;
+	}
 	if (settings?.isAuthorize && promptSet?.has("select_account")) return redirectWithPromptCode(ctx, opts, "select_account");
 	if (settings?.isAuthorize && opts.selectAccount) {
 		if (await opts.selectAccount.shouldRedirect({
-			headers: ctx.request.headers,
+			headers: request.headers,
 			user: session.user,
 			session: session.session,
 			scopes: requestedScopes
@@ -4276,7 +4247,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	}
 	if (opts.signup?.shouldRedirect) {
 		const signupRedirect = await opts.signup.shouldRedirect({
-			headers: ctx.request.headers,
+			headers: request.headers,
 			user: session.user,
 			session: session.session,
 			scopes: requestedScopes
@@ -4288,7 +4259,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	}
 	if (!settings?.postLogin && opts.postLogin) {
 		if (await opts.postLogin.shouldRedirect({
-			headers: ctx.request.headers,
+			headers: request.headers,
 			user: session.user,
 			session: session.session,
 			scopes: requestedScopes
@@ -4402,123 +4373,13 @@ async function signParams(ctx, opts, flags) {
 	const params = serializeAuthorizationQuery(ctx.query);
 	params.set("exp", String(exp));
 	params.set(signedQueryIssuedAtParam, String(issuedAt));
+	params.delete("sig");
 	params.delete(postLoginClearedParam);
 	if (flags?.postLoginClearedForSession) params.set(postLoginClearedParam, flags.postLoginClearedForSession);
-	const signature = await makeSignature(params.toString(), ctx.context.secret);
-	params.append("sig", signature);
+	setSignedOAuthQueryParameterNames(params);
+	const signature = await makeSignature(canonicalizeOAuthQueryParams(params).toString(), ctx.context.secret);
+	params.set("sig", signature);
 	return params.toString();
 }
 //#endregion
-//#region src/metadata.ts
-function authServerMetadata(ctx, opts, overrides) {
-	const baseURL = ctx.context.baseURL;
-	return {
-		scopes_supported: overrides?.scopes_supported,
-		issuer: validateIssuerUrl(opts?.jwt?.issuer ?? baseURL),
-		authorization_endpoint: `${baseURL}/oauth2/authorize`,
-		token_endpoint: `${baseURL}/oauth2/token`,
-		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
-		registration_endpoint: overrides?.dynamic_client_registration_supported ? `${baseURL}/oauth2/register` : void 0,
-		introspection_endpoint: `${baseURL}/oauth2/introspect`,
-		revocation_endpoint: `${baseURL}/oauth2/revoke`,
-		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
-		response_modes_supported: ["query"],
-		grant_types_supported: overrides?.grant_types_supported ?? [
-			"authorization_code",
-			"client_credentials",
-			"refresh_token"
-		],
-		token_endpoint_auth_methods_supported: [
-			...overrides?.public_client_supported ? ["none"] : [],
-			"client_secret_basic",
-			"client_secret_post",
-			"private_key_jwt"
-		],
-		token_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
-		introspection_endpoint_auth_methods_supported: [
-			"client_secret_basic",
-			"client_secret_post",
-			"private_key_jwt"
-		],
-		introspection_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
-		revocation_endpoint_auth_methods_supported: [
-			"client_secret_basic",
-			"client_secret_post",
-			"private_key_jwt"
-		],
-		revocation_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
-		code_challenge_methods_supported: ["S256"],
-		authorization_response_iss_parameter_supported: true
-	};
-}
-function oidcServerMetadata(ctx, opts) {
-	const baseURL = ctx.context.baseURL;
-	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
-	return {
-		...authServerMetadata(ctx, jwtPluginOptions, {
-			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-			dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
-			public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
-			grant_types_supported: opts.grantTypes,
-			jwt_disabled: opts.disableJwtPlugin
-		}),
-		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
-		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
-		subject_types_supported: opts.pairwiseSecret ? ["public", "pairwise"] : ["public"],
-		id_token_signing_alg_values_supported: jwtPluginOptions?.jwks?.keyPairConfig?.alg ? [jwtPluginOptions?.jwks?.keyPairConfig?.alg] : opts.disableJwtPlugin ? ["HS256"] : ["EdDSA"],
-		end_session_endpoint: `${baseURL}/oauth2/end-session`,
-		acr_values_supported: ["urn:mace:incommon:iap:bronze"],
-		prompt_values_supported: [
-			"login",
-			"consent",
-			"create",
-			"select_account",
-			"none"
-		],
-		...mergeDiscoveryMetadata(opts.clientDiscovery)
-	};
-}
-const METADATA_CACHE_CONTROL = "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400";
-function metadataResponse(body, extraHeaders) {
-	const headers = new Headers(extraHeaders);
-	if (!headers.has("Cache-Control")) headers.set("Cache-Control", METADATA_CACHE_CONTROL);
-	headers.set("Content-Type", "application/json");
-	return new Response(JSON.stringify(body), {
-		status: 200,
-		headers
-	});
-}
-/**
-* Provides an exportable `/.well-known/oauth-authorization-server`.
-*
-* Useful when basePath prevents the endpoint from being located at the root
-* and must be provided manually.
-*
-* @external
-*/
-const oauthProviderAuthServerMetadata = (auth, opts) => {
-	return async (request) => {
-		return metadataResponse(await auth.api.getOAuthServerConfig({
-			request,
-			asResponse: false
-		}), opts?.headers);
-	};
-};
-/**
-* Provides an exportable `/.well-known/openid-configuration`.
-*
-* Useful when basePath prevents the endpoint from being located at the root
-* and must be provided manually.
-*
-* @external
-*/
-const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
-	return async (request) => {
-		return metadataResponse(await auth.api.getOpenIdConfig({
-			request,
-			asResponse: false
-		}), opts?.headers);
-	};
-};
-//#endregion
-export { authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };
+export { DEFAULT_OAUTH_SCOPES, ResourceUriSchema, authServerMetadata, checkOAuthClient, consumeClientAssertion, extendOAuthProvider, getIssuer, getOAuthProviderApi, getOAuthProviderState, metadataResponse, oauthAuthorizationServerMetadata, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata, raiseResourceServerChallenge };