npm - @better-auth/oauth-provider - Versions diffs - 1.7.0-beta.5 → 1.7.0-beta.6 - Mend

@better-auth/oauth-provider 1.7.0-beta.5 → 1.7.0-beta.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/{client-assertion-DmT1B6_6.mjs → client-assertion-CctbJywV.mjs} +88 -64
package/dist/client-resource.d.mts +17 -2
package/dist/client-resource.mjs +45 -25
package/dist/client.d.mts +1 -1
package/dist/client.mjs +3 -13
package/dist/index.d.mts +100 -17
package/dist/index.mjs +1239 -1699
package/dist/introspect-BXqKFUQZ.mjs +2115 -0
package/dist/{oauth-DU6NeviY.d.mts → oauth-CAeemjD7.d.mts} +265 -148
package/dist/{oauth-BXrYl5x6.d.mts → oauth-CaXmZpoL.d.mts} +829 -33
package/dist/resource-challenge-B-cqv4ur.mjs +63 -0
package/dist/rolldown-runtime-wcPFST8Q.mjs +13 -0
package/dist/signed-query-CFv2jNMT.mjs +44 -0
package/dist/{utils-D2dLqo7f.mjs → utils-Baq6atYN.mjs} +310 -68
package/dist/{version-B1ZiRmxj.mjs → version-CUu3vBtU.mjs} +1 -1
package/package.json +7 -8
package/dist/mcp-CYnz-MXn.mjs +0 -56

package/dist/index.mjs CHANGED Viewed

@@ -1,23 +1,24 @@
-import { n as isPrivateHostname } from "./client-assertion-DmT1B6_6.mjs";
-import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
-import { A as verifyOAuthQueryParams, C as signedQueryIssuedAtParam, D as toClientDiscoveryArray, E as toAudienceClaim, O as toResourceList, S as searchParamsToQuery, T as storeToken, _ as postLoginClearedParam, a as extractClientCredentials, b as resolveSessionAuthTime, d as isPKCERequired, f as isSessionFreshForSignedQuery, g as parsePrompt, h as parseClientMetadata, i as destructureCredentials, k as validateClientCredentials, l as getSignedQueryIssuedAt, m as normalizeTimestampValue, n as clientAllowsGrant, o as getClient, p as mergeDiscoveryMetadata, r as decryptStoredClientSecret, s as getJwtPlugin, t as checkResource, u as getStoredToken, v as removeMaxAgeFromQuery, w as storeClientSecret, x as resolveSubjectIdentifier, y as removePromptFromQuery } from "./utils-D2dLqo7f.mjs";
-import { t as PACKAGE_VERSION } from "./version-B1ZiRmxj.mjs";
-import { APIError, addOAuthServerContext, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
-import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
-import { APIError as APIError$1 } from "better-call";
-import { PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
+import { D as applyOAuthProviderMetadataExtensions, E as verifyOAuthQueryParams, F as getSupportedGrantTypes, L as isExtensionTokenEndpointAuthMethod, M as getClientDiscoveries, P as getSupportedAuthMethods, R as validateOAuthProviderExtensions, S as storeToken, T as validateClientCredentials, _ as removePromptFromQuery, a as getClient, b as searchParamsToQuery, c as getStoredToken, d as mergeDiscoveryMetadata, g as removeMaxAgeFromQuery, h as parsePrompt, i as extractClientCredentials, j as extendOAuthProvider, l as isPKCERequired, m as parseClientMetadata, n as decryptStoredClientSecret, o as getJwtPlugin, p as parseBearerToken, r as destructureCredentials, t as clientAllowsGrant, u as isSessionFreshForSignedQuery, w as toResourceList, x as storeClientSecret, y as resolveSubjectIdentifier } from "./utils-Baq6atYN.mjs";
+import { a as setSignedOAuthQueryParameterNames, i as postLoginClearedParam, n as canonicalizeOAuthQueryParams, o as signedQueryIssuedAtParam, r as getSignedQueryIssuedAt } from "./signed-query-CFv2jNMT.mjs";
+import { _ as invalidateResourceCache, a as invalidateRefreshFamily, b as resolveResourcePolicy, c as ResourceUriSchema, d as clientRegistrationRequestSchema, f as JWS_ALGORITHMS, g as getResource, h as extractRepeatedResourceFromForm, i as getOAuthProviderApi, l as SafeUrlSchema, m as buildClientResourceLinkId, o as tokenEndpoint, p as assertIdentifierValid, r as decodeRefreshToken, s as userInfoEndpoint, t as introspectEndpoint, u as authorizationQuerySchema, v as isAudienceClaimAllowed, x as seedResources, y as logEnforcePerClientResourcesResolution } from "./introspect-BXqKFUQZ.mjs";
+import { n as consumeClientAssertion, r as isPrivateHostname } from "./client-assertion-CctbJywV.mjs";
+import { t as PACKAGE_VERSION } from "./version-CUu3vBtU.mjs";
+import { t as raiseResourceServerChallenge } from "./resource-challenge-B-cqv4ur.mjs";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
 import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
+import { APIError, NO_STORE_HEADERS, addOAuthServerContext, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
-import { defineRequestState } from "@better-auth/core/context";
+import { APIError as APIError$1 } from "better-call";
+import { defineRequestState, runWithTransaction } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
+import { DPOP_SIGNING_ALGORITHMS, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
+import { getJwks, stripAccessTokenAuthorizationScheme } from "better-auth/oauth2";
+import { compactVerify, createLocalJWKSet, decodeJwt, jwtVerify } from "jose";
 import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
-import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
-import { SafeUrlSchema } from "@better-auth/core/utils/redirect-uri";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts, authorize) {
 	const oauthRequest = await oAuthState.get();
@@ -159,1019 +160,6 @@ async function postLogin(ctx, authorize) {
 	return await authorize(ctx, { postLogin: state?.postLoginClearedForSession !== void 0 && state.postLoginClearedForSession === session?.session.id });
 }
 //#endregion
-//#region src/types/zod.ts
-const DANGEROUS_SCHEMES = [
-	"javascript:",
-	"data:",
-	"vbscript:"
-];
-/**
-* Validates an RFC 8707 resource indicator. The value must be an absolute URI
-* with no fragment (RFC 8707 §2). Unlike a redirect URI it is not restricted to
-* HTTPS, because a resource server identifier may use any absolute URI scheme;
-* the configured `validAudiences` allowlist is the authoritative control over
-* which resources a token may target.
-*/
-const ResourceUriSchema = z.string().superRefine((val, ctx) => {
-	if (!URL.canParse(val)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "resource must be an absolute URI",
-			fatal: true
-		});
-		return z.NEVER;
-	}
-	if (val.includes("#")) {
-		ctx.addIssue({
-			code: "custom",
-			message: "resource must not contain a fragment"
-		});
-		return;
-	}
-	if (DANGEROUS_SCHEMES.includes(new URL(val).protocol)) ctx.addIssue({
-		code: "custom",
-		message: "resource cannot use javascript:, data:, or vbscript: scheme"
-	});
-});
-const authorizationPromptTokenSchema = z.enum([
-	"none",
-	"consent",
-	"login",
-	"create",
-	"select_account"
-]);
-const authorizationPromptSchema = z.string().superRefine((value, ctx) => {
-	const promptTokens = value.split(" ").map((token) => token.trim()).filter(Boolean);
-	const promptSet = /* @__PURE__ */ new Set();
-	if (!promptTokens.length) {
-		ctx.addIssue({
-			code: "custom",
-			message: "prompt must include at least one value"
-		});
-		return;
-	}
-	for (const token of promptTokens) {
-		const result = authorizationPromptTokenSchema.safeParse(token);
-		if (!result.success) {
-			ctx.addIssue({
-				code: "custom",
-				message: `unsupported prompt value: ${token}`
-			});
-			continue;
-		}
-		promptSet.add(result.data);
-	}
-	if (promptSet.has("none") && promptSet.size > 1) ctx.addIssue({
-		code: "custom",
-		message: "prompt=none cannot be combined with other prompt values"
-	});
-});
-const maxAgeSchema = z.union([z.number(), z.string().trim().min(1)]).transform((value, ctx) => {
-	const maxAge = typeof value === "number" ? value : Number(value);
-	if (!Number.isInteger(maxAge) || maxAge < 0) {
-		ctx.addIssue({
-			code: "custom",
-			message: "max_age must be a non-negative integer"
-		});
-		return z.NEVER;
-	}
-	return maxAge;
-});
-/**
-* Runtime schema for OAuthAuthorizationQuery.
-* Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
-*/
-const authorizationQuerySchema = z.object({
-	response_type: z.string().pipe(z.enum(["code"])).optional(),
-	request_uri: z.string().optional(),
-	redirect_uri: SafeUrlSchema.optional(),
-	scope: z.string().optional(),
-	state: z.string().optional(),
-	client_id: z.string(),
-	prompt: authorizationPromptSchema.optional(),
-	display: z.string().optional(),
-	ui_locales: z.string().optional(),
-	max_age: maxAgeSchema.optional(),
-	acr_values: z.string().optional(),
-	login_hint: z.string().optional(),
-	id_token_hint: z.string().optional(),
-	code_challenge: z.string().optional(),
-	code_challenge_method: z.string().pipe(z.enum(["S256"])).optional(),
-	nonce: z.string().optional(),
-	resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional()
-}).passthrough();
-const storedAuthorizationQuerySchema = authorizationQuerySchema.extend({ redirect_uri: SafeUrlSchema });
-/**
-* Runtime schema for the authorization code verification value.
-* Validates structure on deserialization from the JSON blob stored in the DB.
-* Uses passthrough so future fields (e.g. from authorization challenge) don't break parsing.
-*/
-const verificationValueSchema = z.object({
-	type: z.literal("authorization_code"),
-	query: storedAuthorizationQuerySchema,
-	sessionId: z.string(),
-	userId: z.string(),
-	referenceId: z.string().optional(),
-	authTime: z.number().optional(),
-	resource: z.array(z.string()).optional()
-}).passthrough();
-//#endregion
-//#region src/userinfo.ts
-/**
-* Provides shared /userinfo and id_token claims functionality
-*
-* @see https://openid.net/specs/openid-connect-core-1_0.html#NormalClaims
-*/
-function userNormalClaims(user, scopes) {
-	const name = user.name.split(" ").filter((v) => v !== "");
-	const profile = {
-		name: user.name ?? void 0,
-		picture: user.image ?? void 0,
-		given_name: name.length > 1 ? name.slice(0, -1).join(" ") : void 0,
-		family_name: name.length > 1 ? name.at(-1) : void 0
-	};
-	const email = {
-		email: user.email ?? void 0,
-		email_verified: user.emailVerified ?? false
-	};
-	return {
-		sub: user.id ?? void 0,
-		...scopes.includes("profile") ? profile : {},
-		...scopes.includes("email") ? email : {}
-	};
-}
-/**
-* Handles the /oauth2/userinfo endpoint
-*/
-async function userInfoEndpoint(ctx, opts) {
-	const authorization = ctx.headers?.get("authorization");
-	const token = typeof authorization === "string" && authorization?.startsWith("Bearer ") ? authorization?.replace("Bearer ", "") : authorization;
-	if (!token?.length) throw new APIError("UNAUTHORIZED", {
-		error_description: "authorization header not found",
-		error: "invalid_request"
-	});
-	const jwt = await validateAccessToken(ctx, opts, token);
-	if (!jwt.active) throw new APIError("UNAUTHORIZED", {
-		error_description: "the access token is invalid or has been revoked",
-		error: "invalid_token"
-	});
-	const scopes = jwt.scope?.split(" ");
-	if (!scopes?.includes("openid")) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing required scope",
-		error: "invalid_scope"
-	});
-	if (!jwt.sub) throw new APIError("BAD_REQUEST", {
-		error_description: "user not found",
-		error: "invalid_request"
-	});
-	const user = await ctx.context.internalAdapter.findUserById(jwt.sub);
-	if (!user) throw new APIError("BAD_REQUEST", {
-		error_description: "user not found",
-		error: "invalid_request"
-	});
-	const baseUserClaims = userNormalClaims(user, scopes ?? []);
-	if (opts.pairwiseSecret) {
-		const clientId = jwt.client_id ?? jwt.azp;
-		if (clientId) {
-			const client = await getClient(ctx, opts, clientId);
-			if (client) baseUserClaims.sub = await resolveSubjectIdentifier(user.id, client, opts);
-		}
-	}
-	const additionalInfoUserClaims = opts.customUserInfoClaims && scopes?.length ? await opts.customUserInfoClaims({
-		user,
-		scopes,
-		jwt
-	}) : {};
-	return {
-		...baseUserClaims,
-		...additionalInfoUserClaims
-	};
-}
-//#endregion
-//#region src/token.ts
-/**
-* Handles the /oauth2/token endpoint by delegating
-* the grant types
-*/
-async function tokenEndpoint(ctx, opts) {
-	const grantType = ctx.body.grant_type;
-	if (opts.grantTypes && !opts.grantTypes.includes(grantType)) throw new APIError("BAD_REQUEST", {
-		error_description: `unsupported grant_type ${grantType}`,
-		error: "unsupported_grant_type"
-	});
-	switch (grantType) {
-		case "authorization_code": return handleAuthorizationCodeGrant(ctx, opts);
-		case "client_credentials": return handleClientCredentialsGrant(ctx, opts);
-		case "refresh_token": return handleRefreshTokenGrant(ctx, opts);
-	}
-}
-async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, resources, referenceId, overrides) {
-	const iat = overrides?.iat ?? Math.floor(Date.now() / 1e3);
-	const exp = overrides?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
-	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
-		user,
-		scopes,
-		resources,
-		referenceId,
-		metadata: parseClientMetadata(client.metadata)
-	}) : {};
-	const jwtPluginOptions = getJwtPlugin(ctx.context).options;
-	return signJWT(ctx, {
-		options: jwtPluginOptions,
-		payload: {
-			...customClaims,
-			sub: user?.id,
-			aud: toAudienceClaim(audience),
-			azp: client.clientId,
-			scope: scopes.join(" "),
-			sid: overrides?.sid,
-			iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
-			iat,
-			exp
-		}
-	});
-}
-/**
-* Computes an OIDC hash (at_hash, c_hash) per OIDC Core §3.1.3.6.
-* Hashes the token, takes the left half, and base64url-encodes it.
-*/
-async function computeOidcHash(token, signingAlg) {
-	let hashAlg;
-	if (signingAlg === "EdDSA") hashAlg = "SHA-512";
-	else if (signingAlg.endsWith("384")) hashAlg = "SHA-384";
-	else if (signingAlg.endsWith("512")) hashAlg = "SHA-512";
-	else hashAlg = "SHA-256";
-	const digest = new Uint8Array(await crypto.subtle.digest(hashAlg, new TextEncoder().encode(token)));
-	return base64url.encode(digest.slice(0, digest.length / 2));
-}
-/**
-* Creates a user id token in code_authorization with scope of 'openid'
-* and hybrid/implicit (not yet implemented) flows
-*/
-async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) {
-	const iat = Math.floor(Date.now() / 1e3);
-	const exp = iat + (opts.idTokenExpiresIn ?? 36e3);
-	const userClaims = userNormalClaims(user, scopes);
-	const resolvedSub = await resolveSubjectIdentifier(user.id, client, opts);
-	const authTimeSec = authTime != null ? Math.floor(authTime.getTime() / 1e3) : void 0;
-	const acr = "urn:mace:incommon:iap:bronze";
-	const customClaims = opts.customIdTokenClaims ? await opts.customIdTokenClaims({
-		user,
-		scopes,
-		metadata: parseClientMetadata(client.metadata)
-	}) : {};
-	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
-	const resolvedKey = !opts.disableJwtPlugin && !jwtPluginOptions?.jwt?.sign ? await resolveSigningKey(ctx, jwtPluginOptions) : void 0;
-	const signingAlg = opts.disableJwtPlugin ? "HS256" : resolvedKey?.alg ?? jwtPluginOptions?.jwks?.keyPairConfig?.alg;
-	const atHash = accessToken ? await computeOidcHash(accessToken, signingAlg) : void 0;
-	const emitSid = Boolean(client.enableEndSession || client.backchannelLogoutUri);
-	const payload = {
-		...userClaims,
-		auth_time: authTimeSec,
-		acr,
-		...customClaims,
-		at_hash: atHash,
-		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
-		sub: resolvedSub,
-		aud: client.clientId,
-		nonce,
-		iat,
-		exp,
-		sid: emitSid ? sessionId : void 0
-	};
-	if (opts.disableJwtPlugin && !client.clientSecret) return;
-	const idToken = opts.disableJwtPlugin ? await new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : await signJWT(ctx, {
-		options: jwtPluginOptions,
-		payload,
-		resolvedKey: resolvedKey ?? void 0
-	});
-	if (idToken && atHash && jwtPluginOptions?.jwt?.sign) {
-		const header = decodeProtectedHeader(idToken);
-		if (header.alg !== signingAlg) throw new APIError("INTERNAL_SERVER_ERROR", {
-			error_description: `ID token signed with "${header.alg}" but at_hash was computed for "${signingAlg}". Ensure jwt.sign uses the algorithm declared in keyPairConfig.alg.`,
-			error: "server_error"
-		});
-	}
-	return idToken;
-}
-/**
-* Encodes a refresh token for a client
-*/
-async function encodeRefreshToken(opts, token, sessionId) {
-	return (opts.prefix?.refreshToken ?? "") + (opts.formatRefreshToken?.encrypt ? opts.formatRefreshToken.encrypt(token, sessionId) : token);
-}
-/**
-* Decodes a refresh token for a client
-*
-* @internal
-*/
-async function decodeRefreshToken(opts, token) {
-	if (opts.prefix?.refreshToken) if (token.startsWith(opts.prefix.refreshToken)) token = token.replace(opts.prefix.refreshToken, "");
-	else throw new APIError("BAD_REQUEST", {
-		error_description: "refresh token not found",
-		error: "invalid_token"
-	});
-	return opts.formatRefreshToken?.decrypt ? opts.formatRefreshToken?.decrypt(token) : { token };
-}
-async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload, resources, referenceId, refreshId) {
-	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
-	const exp = payload?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
-	const token = opts.generateOpaqueAccessToken ? await opts.generateOpaqueAccessToken() : generateRandomString(32, "A-Z", "a-z");
-	await ctx.context.adapter.create({
-		model: "oauthAccessToken",
-		data: {
-			token: await storeToken(opts.storeTokens, token, "access_token"),
-			clientId: client.clientId,
-			sessionId: payload?.sid,
-			userId: user?.id,
-			referenceId,
-			resources,
-			refreshId,
-			scopes,
-			createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-			expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
-		}
-	});
-	return (opts.prefix?.opaqueAccessToken ?? "") + token;
-}
-/**
-* Tear down the entire refresh-token family for a (client, user) pair, plus
-* any access tokens that reference those refresh rows, per RFC 9700 §4.14.
-* Access tokens are deleted first so the parent rows' foreign-key children
-* do not block the refresh-row delete.
-*
-* TODO(invalidate-family-race): the two `deleteMany` calls are not atomic
-* with respect to each other. Between them, a concurrent rotation in a
-* different worker can `create` a fresh refresh row (and, immediately after,
-* an access-token row referencing it) for the same (client, user) pair,
-* leaving the family partially rebuilt and the new refresh row orphaned of
-* any deletion. Closing this window requires the same transactional adapter
-* contract tracked under FIXME(strict-family-invalidation) in
-* `createRefreshToken`.
-*
-* @internal
-*/
-async function invalidateRefreshFamily(ctx, clientId, userId) {
-	const refreshTokens = await ctx.context.adapter.findMany({
-		model: "oauthRefreshToken",
-		where: [{
-			field: "clientId",
-			value: clientId
-		}, {
-			field: "userId",
-			value: userId
-		}]
-	});
-	if (refreshTokens.length) await ctx.context.adapter.deleteMany({
-		model: "oauthAccessToken",
-		where: [{
-			field: "refreshId",
-			operator: "in",
-			value: refreshTokens.map((r) => r.id)
-		}]
-	});
-	await ctx.context.adapter.deleteMany({
-		model: "oauthRefreshToken",
-		where: [{
-			field: "clientId",
-			value: clientId
-		}, {
-			field: "userId",
-			value: userId
-		}]
-	});
-}
-async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime, resources) {
-	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
-	const exp = payload?.exp ?? iat + (opts.refreshTokenExpiresIn ?? 2592e3);
-	const token = opts.generateRefreshToken ? await opts.generateRefreshToken() : generateRandomString(32, "A-Z", "a-z");
-	const sessionId = payload?.sid;
-	const newRow = {
-		token: await storeToken(opts.storeTokens, token, "refresh_token"),
-		clientId: client.clientId,
-		sessionId,
-		userId: user.id,
-		referenceId,
-		authTime,
-		scopes,
-		resources,
-		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-		expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
-	};
-	if (!originalRefresh?.id) return {
-		id: (await ctx.context.adapter.create({
-			model: "oauthRefreshToken",
-			data: newRow
-		})).id,
-		token: await encodeRefreshToken(opts, token, sessionId)
-	};
-	if (!await ctx.context.adapter.update({
-		model: "oauthRefreshToken",
-		where: [{
-			field: "id",
-			value: originalRefresh.id
-		}, {
-			field: "revoked",
-			operator: "eq",
-			value: null
-		}],
-		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
-	})) throw new APIError("BAD_REQUEST", {
-		error_description: "invalid refresh token",
-		error: "invalid_grant"
-	});
-	return {
-		id: (await ctx.context.adapter.create({
-			model: "oauthRefreshToken",
-			data: newRow
-		})).id,
-		token: await encodeRefreshToken(opts, token, sessionId)
-	};
-}
-async function createUserTokens(ctx, opts, params) {
-	const { client, scopes, user, grantType, referenceId, sessionId, nonce, refreshToken: existingRefreshToken, authTime, verificationValue } = params;
-	const iat = Math.floor(Date.now() / 1e3);
-	const defaultExp = iat + (user ? opts.accessTokenExpiresIn ?? 3600 : opts.m2mAccessTokenExpiresIn ?? 3600);
-	const exp = opts.scopeExpirations ? scopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
-		return prev < curr ? prev : curr;
-	}, defaultExp) : defaultExp;
-	const resourceResult = await checkResource(ctx, opts, params?.resources, scopes);
-	if (!resourceResult.success) throw new APIError("BAD_REQUEST", {
-		error_description: "requested resource invalid",
-		error: "invalid_target"
-	});
-	const audience = resourceResult.audience;
-	const isRefreshToken = user && clientAllowsGrant(client, "refresh_token") && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
-	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
-	const isIdToken = user && scopes.includes("openid");
-	const customFields = opts.customTokenResponseFields ? await opts.customTokenResponseFields({
-		grantType,
-		user,
-		scopes,
-		metadata: parseClientMetadata(client.metadata),
-		verificationValue
-	}) : void 0;
-	const refreshResources = params?.refreshToken?.resources ?? params?.originalResources ?? params?.resources;
-	const earlyRefreshToken = isRefreshToken && user && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
-		iat,
-		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
-		sid: sessionId
-	}, existingRefreshToken, authTime, refreshResources) : void 0;
-	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, params?.resources, referenceId, {
-		iat,
-		exp,
-		sid: sessionId
-	}) : createOpaqueAccessToken(ctx, opts, user, client, scopes, {
-		iat,
-		exp,
-		sid: sessionId
-	}, params?.resources, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
-		iat,
-		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
-		sid: sessionId
-	}, existingRefreshToken, authTime, refreshResources) : void 0]);
-	const idToken = isIdToken ? await createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) : void 0;
-	return ctx.json({
-		...customFields,
-		access_token: accessToken,
-		expires_in: exp - iat,
-		expires_at: exp,
-		token_type: "Bearer",
-		refresh_token: refreshToken?.token,
-		scope: scopes.join(" "),
-		id_token: idToken
-	}, { headers: {
-		"Cache-Control": "no-store",
-		Pragma: "no-cache"
-	} });
-}
-/** Checks verification value */
-async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri, resource) {
-	const verification = await ctx.context.internalAdapter.consumeVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
-	if (!verification) throw new APIError("UNAUTHORIZED", {
-		error_description: "invalid code",
-		error: "invalid_grant"
-	});
-	let rawValue;
-	try {
-		rawValue = JSON.parse(verification.value);
-	} catch {
-		throw new APIError("UNAUTHORIZED", {
-			error_description: "malformed verification value",
-			error: "invalid_grant"
-		});
-	}
-	const parsed = verificationValueSchema.safeParse(rawValue);
-	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
-		error_description: "malformed verification value",
-		error: "invalid_grant"
-	});
-	const verificationValue = parsed.data;
-	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
-		error_description: "invalid client_id",
-		error: "invalid_client"
-	});
-	if (verificationValue.query?.redirect_uri && verificationValue.query?.redirect_uri !== redirect_uri) throw new APIError("BAD_REQUEST", {
-		error_description: "redirect_uri mismatch",
-		error: "invalid_request"
-	});
-	const storedResources = toResourceList(verificationValue.resource) ?? toResourceList(verificationValue.query.resource);
-	const effectiveResources = resource ?? storedResources;
-	if (resource && storedResources) {
-		const requestedSet = new Set(resource);
-		const authorizedSet = new Set(storedResources);
-		for (const r of requestedSet) if (!authorizedSet.has(r)) throw new APIError("BAD_REQUEST", {
-			error_description: "requested resource not authorized",
-			error: "invalid_target"
-		});
-	}
-	return {
-		verificationValue,
-		effectiveResources,
-		authorizedResources: storedResources
-	};
-}
-/**
-* Obtains new Session Jwt and Refresh Tokens using a code
-*/
-async function handleAuthorizationCodeGrant(ctx, opts) {
-	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { code, code_verifier, redirect_uri, resource } = ctx.body;
-	const resources = toResourceList(resource);
-	if (!client_id) throw new APIError("BAD_REQUEST", {
-		error_description: "client_id is required",
-		error: "invalid_request"
-	});
-	if (!code) throw new APIError("BAD_REQUEST", {
-		error_description: "code is required",
-		error: "invalid_request"
-	});
-	if (!redirect_uri) throw new APIError("BAD_REQUEST", {
-		error_description: "redirect_uri is required",
-		error: "invalid_request"
-	});
-	const isAuthCodeWithSecret = client_id && client_secret;
-	const isAuthCodeWithPkce = client_id && code && code_verifier;
-	if (!isAuthCodeWithSecret && !isAuthCodeWithPkce && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
-		error_description: "Either code_verifier or client_secret is required",
-		error: "invalid_request"
-	});
-	/** Get and check Verification Value */
-	const { verificationValue, effectiveResources, authorizedResources } = await checkVerificationValue(ctx, opts, code, client_id, redirect_uri, resources);
-	const scopes = verificationValue.query.scope?.split(" ");
-	if (!scopes) throw new APIError("INTERNAL_SERVER_ERROR", {
-		error_description: "verification scope unset",
-		error: "invalid_scope"
-	});
-	/** Verify Client */
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes, preVerifiedClient, "authorization_code");
-	if (isPKCERequired(client, (verificationValue.query?.scope)?.split(" ") || [])) {
-		if (!isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
-			error_description: "PKCE is required for this client",
-			error: "invalid_request"
-		});
-	} else if (!(isAuthCodeWithPkce || isAuthCodeWithSecret || preVerifiedClient)) throw new APIError("BAD_REQUEST", {
-		error_description: "Either PKCE (code_verifier) or client authentication (client_secret or client_assertion) is required",
-		error: "invalid_request"
-	});
-	/** Check PKCE challenge if verifier is provided */
-	const pkceUsedInAuth = !!verificationValue.query?.code_challenge;
-	const pkceUsedInToken = !!code_verifier;
-	if (pkceUsedInAuth || pkceUsedInToken) {
-		if (pkceUsedInAuth && !pkceUsedInToken) throw new APIError("UNAUTHORIZED", {
-			error_description: "code_verifier required because PKCE was used in authorization",
-			error: "invalid_request"
-		});
-		if (!pkceUsedInAuth && pkceUsedInToken) throw new APIError("UNAUTHORIZED", {
-			error_description: "code_verifier provided but PKCE was not used in authorization",
-			error: "invalid_request"
-		});
-		if ((verificationValue.query?.code_challenge_method === "S256" ? await generateCodeChallenge(code_verifier) : void 0) !== verificationValue.query?.code_challenge) throw new APIError("UNAUTHORIZED", {
-			error_description: "code verification failed",
-			error: "invalid_request"
-		});
-	}
-	/** Get user */
-	if (!verificationValue.userId) throw new APIError("BAD_REQUEST", {
-		error_description: "missing user, user may have been deleted",
-		error: "invalid_user"
-	});
-	const user = await ctx.context.internalAdapter.findUserById(verificationValue.userId);
-	if (!user) throw new APIError("BAD_REQUEST", {
-		error_description: "missing user, user may have been deleted",
-		error: "invalid_user"
-	});
-	const session = await ctx.context.adapter.findOne({
-		model: "session",
-		where: [{
-			field: "id",
-			value: verificationValue.sessionId
-		}]
-	});
-	if (!session || session.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("BAD_REQUEST", {
-		error_description: "session no longer exists",
-		error: "invalid_request"
-	});
-	const authTime = verificationValue.authTime != null ? normalizeTimestampValue(verificationValue.authTime) : resolveSessionAuthTime(session);
-	return createUserTokens(ctx, opts, {
-		client,
-		scopes: verificationValue.query.scope?.split(" ") ?? [],
-		user,
-		grantType: "authorization_code",
-		referenceId: verificationValue.referenceId,
-		sessionId: session.id,
-		nonce: verificationValue.query?.nonce,
-		authTime,
-		verificationValue,
-		resources: effectiveResources,
-		originalResources: authorizedResources
-	});
-}
-/**
-* Grant that allows direct access to an API using the application's credentials
-* This grant is for M2M so the concept of a user id does not exist on the token.
-*
-* MUST follow https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
-*/
-async function handleClientCredentialsGrant(ctx, opts) {
-	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { scope, resource } = ctx.body;
-	const resources = toResourceList(resource);
-	if (!client_id) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing required client_id",
-		error: "invalid_grant"
-	});
-	if (!client_secret && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing a required client_secret",
-		error: "invalid_grant"
-	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient, "client_credentials");
-	let requestedScopes = scope?.split(" ");
-	if (requestedScopes) {
-		const validScopes = new Set(client.scopes ?? opts.scopes);
-		const oidcScopes = new Set([
-			"openid",
-			"profile",
-			"email",
-			"offline_access"
-		]);
-		const invalidScopes = requestedScopes.filter((scope) => {
-			return !validScopes?.has(scope) || oidcScopes.has(scope);
-		});
-		if (invalidScopes.length) throw new APIError("BAD_REQUEST", {
-			error_description: `The following scopes are invalid: ${invalidScopes.join(", ")}`,
-			error: "invalid_scope"
-		});
-	}
-	if (!requestedScopes) requestedScopes = client.scopes ?? opts.clientCredentialGrantDefaultScopes ?? opts.scopes ?? [];
-	return createUserTokens(ctx, opts, {
-		client,
-		scopes: requestedScopes,
-		grantType: "client_credentials",
-		resources
-	});
-}
-/**
-* Obtains new Session Jwt and Refresh Tokens using a refresh token
-*
-* Refresh tokens will only allow the same or lesser scopes as the initial authorize request.
-* To add scopes, you must restart the authorize process again.
-*/
-async function handleRefreshTokenGrant(ctx, opts) {
-	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { refresh_token, scope, resource } = ctx.body;
-	const resources = toResourceList(resource);
-	if (!client_id) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing required client_id",
-		error: "invalid_grant"
-	});
-	if (!refresh_token) throw new APIError("BAD_REQUEST", {
-		error_description: "Missing a required refresh_token for refresh_token grant",
-		error: "invalid_grant"
-	});
-	const decodedRefresh = await decodeRefreshToken(opts, refresh_token);
-	const refreshToken = await ctx.context.adapter.findOne({
-		model: "oauthRefreshToken",
-		where: [{
-			field: "token",
-			value: await getStoredToken(opts.storeTokens, decodedRefresh.token, "refresh_token")
-		}]
-	});
-	if (!refreshToken) throw new APIError("BAD_REQUEST", {
-		error_description: "session not found",
-		error: "invalid_grant"
-	});
-	if (refreshToken.clientId !== client_id) throw new APIError("BAD_REQUEST", {
-		error_description: "invalid client_id",
-		error: "invalid_client"
-	});
-	if (refreshToken.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("BAD_REQUEST", {
-		error_description: "invalid refresh token",
-		error: "invalid_grant"
-	});
-	if (refreshToken.revoked) {
-		await invalidateRefreshFamily(ctx, client_id, refreshToken.userId);
-		throw new APIError("BAD_REQUEST", {
-			error_description: "invalid refresh token",
-			error: "invalid_grant"
-		});
-	}
-	if (resources && refreshToken.resources && !resources.every((v) => refreshToken.resources?.includes(v))) throw new APIError("BAD_REQUEST", {
-		error_description: "requested resource invalid",
-		error: "invalid_target"
-	});
-	const scopes = refreshToken?.scopes;
-	const requestedScopes = scope?.split(" ");
-	if (requestedScopes) {
-		const validScopes = new Set(scopes);
-		for (const requestedScope of requestedScopes) if (!validScopes.has(requestedScope)) throw new APIError("BAD_REQUEST", {
-			error_description: `unable to issue scope ${requestedScope}`,
-			error: "invalid_scope"
-		});
-	}
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes, preVerifiedClient, "refresh_token");
-	const user = await ctx.context.internalAdapter.findUserById(refreshToken.userId);
-	if (!user) throw new APIError("BAD_REQUEST", {
-		error_description: "user not found",
-		error: "invalid_request"
-	});
-	const authTime = refreshToken.authTime != null ? normalizeTimestampValue(refreshToken.authTime) : void 0;
-	return createUserTokens(ctx, opts, {
-		client,
-		scopes: requestedScopes ?? scopes,
-		user,
-		grantType: "refresh_token",
-		referenceId: refreshToken.referenceId,
-		sessionId: refreshToken.sessionId,
-		refreshToken,
-		resources: resources ?? refreshToken.resources,
-		authTime
-	});
-}
-//#endregion
-//#region src/introspect.ts
-/**
-* IMPORTANT NOTES:
-* Introspection follows RFC7662
-* https://datatracker.ietf.org/doc/html/rfc7662
-* - APIError: Continue catches (returnable to client)
-* - Error: Should immediately stop catches (internal error)
-*/
-/**
-* Validates a JWT access token against the configured JWKs.
-*
-* @returns RFC7662 introspection format
-*/
-async function validateJwtAccessToken(ctx, opts, token, clientId) {
-	const jwtPlugin = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context);
-	const jwtPluginOptions = jwtPlugin?.options;
-	let jwtPayload;
-	try {
-		jwtPayload = await verifyJwsAccessToken(token, {
-			jwksFetch: jwtPluginOptions?.jwks?.remoteUrl ? jwtPluginOptions.jwks.remoteUrl : async () => {
-				return (await jwtPlugin?.endpoints.getJwks(ctx))?.response;
-			},
-			verifyOptions: {
-				audience: opts.validAudiences ?? ctx.context.baseURL,
-				issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL
-			}
-		});
-	} catch (error) {
-		if (error instanceof Error) {
-			if (error.name === "TypeError" || error.name === "JWSInvalid") throw new APIError$1("BAD_REQUEST", {
-				error_description: "invalid JWT signature",
-				error: "invalid_request"
-			});
-			else if (error.name === "JWTExpired") return { active: false };
-			else if (error.name === "JWTInvalid") return { active: false };
-			throw error;
-		}
-		throw new Error(error);
-	}
-	if (!jwtPayload.azp) return { active: false };
-	const client = await getClient(ctx, opts, jwtPayload.azp);
-	if (!client || client?.disabled) return { active: false };
-	if (clientId && jwtPayload.azp !== clientId) return { active: false };
-	const sessionId = jwtPayload.sid;
-	if (sessionId) {
-		const session = await ctx.context.adapter.findOne({
-			model: "session",
-			where: [{
-				field: "id",
-				value: sessionId
-			}]
-		});
-		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
-	}
-	jwtPayload.client_id = jwtPayload.azp;
-	jwtPayload.active = true;
-	return jwtPayload;
-}
-/**
-* Searches for an opaque access token in the database and validates it
-*
-* @returns RFC7662 introspection format
-*/
-async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
-	let tokenValue = token;
-	if (opts.prefix?.opaqueAccessToken) if (tokenValue.startsWith(opts.prefix.opaqueAccessToken)) tokenValue = tokenValue.replace(opts.prefix.opaqueAccessToken, "");
-	else throw new APIError$1("BAD_REQUEST", {
-		error_description: "opaque access token not found",
-		error: "invalid_request"
-	});
-	const accessToken = await ctx.context.adapter.findOne({
-		model: "oauthAccessToken",
-		where: [{
-			field: "token",
-			value: await getStoredToken(opts.storeTokens, tokenValue, "access_token")
-		}]
-	});
-	if (!accessToken) throw new APIError$1("BAD_REQUEST", {
-		error_description: "opaque access token not found",
-		error: "invalid_token"
-	});
-	if (!accessToken.expiresAt || accessToken.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
-	if (accessToken.revoked) return { active: false };
-	let client;
-	if (accessToken.clientId) {
-		client = await getClient(ctx, opts, accessToken.clientId);
-		if (!client || client?.disabled) return { active: false };
-		if (clientId && accessToken.clientId !== clientId) return { active: false };
-	}
-	const sessionId = accessToken.sessionId ?? void 0;
-	if (sessionId) {
-		const session = await ctx.context.adapter.findOne({
-			model: "session",
-			where: [{
-				field: "id",
-				value: sessionId
-			}]
-		});
-		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
-	}
-	let user;
-	if (accessToken.userId) user = await ctx.context.internalAdapter.findUserById(accessToken?.userId);
-	const resources = Array.isArray(accessToken.resources) ? accessToken.resources : void 0;
-	const audience = resources ? [...resources] : void 0;
-	if (audience?.length && accessToken.scopes?.includes("openid")) {
-		const userInfoEndpoint = `${ctx.context.baseURL}/oauth2/userinfo`;
-		if (!audience.includes(userInfoEndpoint)) audience.push(userInfoEndpoint);
-	}
-	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
-		user,
-		scopes: accessToken.scopes,
-		referenceId: accessToken?.referenceId,
-		resources,
-		metadata: parseClientMetadata(client?.metadata)
-	}) : {};
-	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
-	return {
-		...customClaims,
-		active: true,
-		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
-		aud: toAudienceClaim(audience),
-		client_id: accessToken.clientId,
-		sub: user?.id,
-		sid: sessionId,
-		exp: Math.floor(new Date(accessToken.expiresAt).getTime() / 1e3),
-		iat: Math.floor(new Date(accessToken.createdAt).getTime() / 1e3),
-		scope: accessToken.scopes?.join(" ")
-	};
-}
-/**
-* Validates a refresh token in the session store.
-*
-* @returns payload in RFC7662 introspection format
-*/
-async function validateRefreshToken(ctx, opts, token, clientId) {
-	const refreshToken = await ctx.context.adapter.findOne({
-		model: "oauthRefreshToken",
-		where: [{
-			field: "token",
-			value: await getStoredToken(opts.storeTokens, token, "refresh_token")
-		}]
-	});
-	if (!refreshToken) throw new APIError$1("BAD_REQUEST", {
-		error_description: "token not found",
-		error: "invalid_token"
-	});
-	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return { active: false };
-	if (!refreshToken.expiresAt || refreshToken.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
-	if (refreshToken.revoked) return { active: false };
-	let sessionId = refreshToken.sessionId ?? void 0;
-	if (sessionId) {
-		const session = await ctx.context.adapter.findOne({
-			model: "session",
-			where: [{
-				field: "id",
-				value: sessionId
-			}]
-		});
-		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
-	}
-	let user = void 0;
-	if (refreshToken.userId) user = await ctx.context.internalAdapter.findUserById(refreshToken?.userId) ?? void 0;
-	return {
-		active: true,
-		client_id: clientId,
-		iss: ((opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options)?.jwt?.issuer ?? ctx.context.baseURL,
-		sub: user?.id,
-		sid: sessionId,
-		exp: Math.floor(new Date(refreshToken.expiresAt).getTime() / 1e3),
-		iat: Math.floor(new Date(refreshToken.createdAt).getTime() / 1e3),
-		scope: refreshToken.scopes?.join(" ")
-	};
-}
-/**
-* We don't know the access token format so we try to validate it
-* as a JWT first, then as an opaque token.
-*
-* @returns RFC7662 introspection format
-*
-* @internal
-*/
-async function validateAccessToken(ctx, opts, token, clientId) {
-	try {
-		return await validateJwtAccessToken(ctx, opts, token, clientId);
-	} catch (err) {
-		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
-		else throw new Error(err);
-	}
-	try {
-		return await validateOpaqueAccessToken(ctx, opts, token, clientId);
-	} catch (err) {
-		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
-		else throw new Error("Unknown error validating access token");
-	}
-	throw new APIError$1("BAD_REQUEST", {
-		error_description: "Invalid access token",
-		error: "invalid_request"
-	});
-}
-/**
-* Resolves pairwise sub on an introspection payload.
-* Applied at the presentation layer so internal validation functions
-* keep real user.id (needed for user lookup in /userinfo).
-*/
-async function resolveIntrospectionSub(opts, payload, client) {
-	if (payload.active && payload.sub) {
-		const resolvedSub = await resolveSubjectIdentifier(payload.sub, client, opts);
-		return {
-			...payload,
-			sub: resolvedSub
-		};
-	}
-	return payload;
-}
-async function introspectEndpoint(ctx, opts) {
-	let { token, token_type_hint } = ctx.body;
-	if (token_type_hint !== "access_token" && token_type_hint !== "refresh_token") token_type_hint = void 0;
-	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/introspect`));
-	if (!client_id || !client_secret && !preVerifiedClient) throw new APIError$1("UNAUTHORIZED", {
-		error_description: "missing required credentials",
-		error: "invalid_client"
-	});
-	if (token && typeof token === "string" && token.startsWith("Bearer ")) token = token.replace("Bearer ", "");
-	if (!token?.length) throw new APIError$1("BAD_REQUEST", {
-		error_description: "missing a required token for introspection",
-		error: "invalid_request"
-	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
-	try {
-		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
-			return resolveIntrospectionSub(opts, await validateAccessToken(ctx, opts, token, client.clientId), client);
-		} catch (error) {
-			if (error instanceof APIError$1) {
-				if (token_type_hint === "access_token") throw error;
-			} else if (error instanceof Error) throw error;
-			else throw new Error(error);
-		}
-		if (token_type_hint === void 0 || token_type_hint === "refresh_token") try {
-			return resolveIntrospectionSub(opts, await validateRefreshToken(ctx, opts, (await decodeRefreshToken(opts, token)).token, client.clientId), client);
-		} catch (error) {
-			if (error instanceof APIError$1) {
-				if (token_type_hint === "refresh_token") throw error;
-			} else if (error instanceof Error) throw error;
-			else throw new Error(error);
-		}
-		throw new APIError$1("BAD_REQUEST", {
-			error_description: "token not found",
-			error: "invalid_request"
-		});
-	} catch (error) {
-		if (error instanceof APIError$1) {
-			if (error.name === "BAD_REQUEST") return { active: false };
-			throw error;
-		} else if (error instanceof Error) {
-			logger.error("Introspection error:", error.message, error.stack);
-			throw new APIError$1("INTERNAL_SERVER_ERROR");
-		} else {
-			logger.error("Introspection error:", error);
-			throw new APIError$1("INTERNAL_SERVER_ERROR");
-		}
-	}
-}
-//#endregion
 //#region src/logout.ts
 const BACKCHANNEL_LOGOUT_EVENT_URI = "http://schemas.openid.net/event/backchannel-logout";
 const LOGOUT_TOKEN_JWT_TYP = "logout+jwt";
@@ -1440,6 +428,155 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 	}
 }
 //#endregion
+//#region src/metadata.ts
+function authServerMetadata(ctx, opts, overrides) {
+	const baseURL = ctx.context.baseURL;
+	const backchannelSupported = !overrides?.jwt_disabled;
+	return {
+		scopes_supported: overrides?.scopes_supported,
+		issuer: validateIssuerUrl(opts?.jwt?.issuer ?? baseURL),
+		authorization_endpoint: `${baseURL}/oauth2/authorize`,
+		token_endpoint: `${baseURL}/oauth2/token`,
+		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
+		registration_endpoint: overrides?.dynamic_client_registration_supported ? `${baseURL}/oauth2/register` : void 0,
+		introspection_endpoint: `${baseURL}/oauth2/introspect`,
+		revocation_endpoint: `${baseURL}/oauth2/revoke`,
+		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
+		response_modes_supported: ["query"],
+		grant_types_supported: overrides?.grant_types_supported ?? [
+			"authorization_code",
+			"client_credentials",
+			"refresh_token"
+		],
+		token_endpoint_auth_methods_supported: overrides?.token_endpoint_auth_methods_supported ?? [
+			...overrides?.public_client_supported ? ["none"] : [],
+			"client_secret_basic",
+			"client_secret_post",
+			"private_key_jwt"
+		],
+		token_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
+		introspection_endpoint_auth_methods_supported: overrides?.endpoint_auth_methods_supported ?? [
+			"client_secret_basic",
+			"client_secret_post",
+			"private_key_jwt"
+		],
+		introspection_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
+		revocation_endpoint_auth_methods_supported: overrides?.endpoint_auth_methods_supported ?? [
+			"client_secret_basic",
+			"client_secret_post",
+			"private_key_jwt"
+		],
+		revocation_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
+		code_challenge_methods_supported: ["S256"],
+		authorization_response_iss_parameter_supported: true,
+		dpop_signing_alg_values_supported: overrides?.dpop_signing_alg_values_supported ?? [...DPOP_SIGNING_ALGORITHMS],
+		backchannel_logout_supported: backchannelSupported,
+		backchannel_logout_session_supported: backchannelSupported
+	};
+}
+/**
+* Builds the authorization-server metadata shared by the
+* `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`
+* responses, plus the inputs both need to finish their own document.
+*/
+function buildAuthServerMetadata(ctx, opts) {
+	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
+	const clientDiscoveries = getClientDiscoveries(opts);
+	const publicClientSupported = opts.allowUnauthenticatedClientRegistration || clientDiscoveries.length > 0;
+	return {
+		jwtPluginOptions,
+		clientDiscoveries,
+		authMetadata: authServerMetadata(ctx, jwtPluginOptions, {
+			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
+			public_client_supported: publicClientSupported,
+			grant_types_supported: getSupportedGrantTypes(opts),
+			token_endpoint_auth_methods_supported: getSupportedAuthMethods(opts, { includeNone: publicClientSupported }),
+			endpoint_auth_methods_supported: getSupportedAuthMethods(opts),
+			jwt_disabled: opts.disableJwtPlugin,
+			dpop_signing_alg_values_supported: opts.dpop?.signingAlgorithms
+		})
+	};
+}
+function oauthAuthorizationServerMetadata(ctx, opts) {
+	const { clientDiscoveries, authMetadata } = buildAuthServerMetadata(ctx, opts);
+	return applyOAuthProviderMetadataExtensions(ctx, opts, "oauth-authorization-server", {
+		...mergeDiscoveryMetadata(clientDiscoveries),
+		...authMetadata
+	});
+}
+function oidcServerMetadata(ctx, opts) {
+	const baseURL = ctx.context.baseURL;
+	const { jwtPluginOptions, clientDiscoveries, authMetadata } = buildAuthServerMetadata(ctx, opts);
+	const metadata = {
+		...authMetadata,
+		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
+		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
+		subject_types_supported: opts.pairwiseSecret ? ["public", "pairwise"] : ["public"],
+		id_token_signing_alg_values_supported: (() => {
+			if (opts.disableJwtPlugin) return ["HS256"];
+			const primary = jwtPluginOptions?.jwks?.keyPairConfig?.alg ?? "EdDSA";
+			const extras = jwtPluginOptions?.jwks?.keyPairConfigs?.map((c) => c.alg) ?? [];
+			return Array.from(new Set([primary, ...extras]));
+		})(),
+		end_session_endpoint: `${baseURL}/oauth2/end-session`,
+		acr_values_supported: ["urn:mace:incommon:iap:bronze"],
+		prompt_values_supported: [
+			"login",
+			"consent",
+			"create",
+			"select_account",
+			"none"
+		]
+	};
+	return applyOAuthProviderMetadataExtensions(ctx, opts, "openid-configuration", {
+		...mergeDiscoveryMetadata(clientDiscoveries),
+		...metadata
+	});
+}
+const METADATA_CACHE_CONTROL = "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400";
+function metadataResponse(body, extraHeaders) {
+	const headers = new Headers(extraHeaders);
+	if (!headers.has("Cache-Control")) headers.set("Cache-Control", METADATA_CACHE_CONTROL);
+	headers.set("Content-Type", "application/json");
+	return new Response(JSON.stringify(body), {
+		status: 200,
+		headers
+	});
+}
+/**
+* Provides an exportable `/.well-known/oauth-authorization-server`.
+*
+* Useful when basePath prevents the endpoint from being located at the root
+* and must be provided manually.
+*
+* @external
+*/
+const oauthProviderAuthServerMetadata = (auth, opts) => {
+	return async (request) => {
+		return metadataResponse(await auth.api.getOAuthServerConfig({
+			request,
+			asResponse: false
+		}), opts?.headers);
+	};
+};
+/**
+* Provides an exportable `/.well-known/openid-configuration`.
+*
+* Useful when basePath prevents the endpoint from being located at the root
+* and must be provided manually.
+*
+* @external
+*/
+const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
+	return async (request) => {
+		return metadataResponse(await auth.api.getOpenIdConfig({
+			request,
+			asResponse: false
+		}), opts?.headers);
+	};
+};
+//#endregion
 //#region src/oauth-endpoint.ts
 /**
 * Wraps `createAuthEndpoint` so zod schemas stay the single source of truth
@@ -1572,6 +709,64 @@ async function assertClientPrivileges(ctx, session, opts, action) {
 	})) throw new APIError("UNAUTHORIZED");
 }
 //#endregion
+//#region src/utils/initial-access-token.ts
+/**
+* Builds an RFC 6750 §3 Bearer challenge for the registration endpoint. The
+* `error` code maps to the status per RFC 6750 §3.1 (`invalid_request` → 400,
+* `invalid_token` → 401) and is echoed in both the `WWW-Authenticate` challenge
+* and the JSON body.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6750#section-3
+*/
+function registrationBearerError(status, error, errorDescription) {
+	return new APIError$1(status, {
+		error,
+		error_description: errorDescription
+	}, {
+		"WWW-Authenticate": `Bearer error="${error}"`,
+		...NO_STORE_HEADERS
+	});
+}
+/**
+* Resolves an RFC 7591 initial access token from the request and authorizes it
+* against the deployment-supplied validator.
+*
+* Returns the authorization (optionally carrying a `referenceId`) when a valid
+* token is present, or `undefined` when no Bearer credentials were sent so the
+* caller can fall back to session or open registration. Throws an RFC 6750
+* Bearer challenge when the header is malformed, no validator is configured, or
+* the token is rejected.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7591#section-3
+*/
+async function authorizeInitialAccessToken(ctx, opts, clientMetadata) {
+	const headers = ctx.headers;
+	let initialAccessToken;
+	try {
+		initialAccessToken = parseBearerToken(headers?.get("authorization"));
+	} catch {
+		throw registrationBearerError("BAD_REQUEST", "invalid_request", "Malformed initial access token Authorization header");
+	}
+	if (!initialAccessToken || !headers) return;
+	if (!opts.validateInitialAccessToken) throw registrationBearerError("UNAUTHORIZED", "invalid_token", "Invalid initial access token");
+	let authorization;
+	try {
+		authorization = await opts.validateInitialAccessToken({
+			initialAccessToken,
+			headers,
+			clientMetadata
+		});
+	} catch (error) {
+		if (error instanceof APIError$1) throw error;
+		throw new APIError$1("INTERNAL_SERVER_ERROR", {
+			error: "server_error",
+			error_description: "Initial access token validation failed"
+		});
+	}
+	if (!authorization) throw registrationBearerError("UNAUTHORIZED", "invalid_token", "Invalid initial access token");
+	return authorization;
+}
+//#endregion
 //#region src/register.ts
 /**
 * Resolves the auth method and type for unauthenticated DCR.
@@ -1588,18 +783,42 @@ function resolveUnauthenticatedAuth(body) {
 		type: body.type === "web" ? void 0 : body.type
 	};
 }
+const DEFAULT_REGISTRATION_GRANT_TYPES = ["authorization_code"];
+function resolveRegistrationGrantTypes(client) {
+	const grantTypes = client.grant_types ?? [...DEFAULT_REGISTRATION_GRANT_TYPES];
+	if (grantTypes.length > 0) return grantTypes;
+	throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "grant_types must contain at least one grant type"
+	});
+}
+function resolveRegistrationResponseTypes(client, grantTypes) {
+	if (client.response_types) return client.response_types;
+	return grantTypes.includes("authorization_code") ? ["code"] : void 0;
+}
+function applyOAuthClientRegistrationDefaults(client) {
+	const grantTypes = resolveRegistrationGrantTypes(client);
+	return {
+		...client,
+		token_endpoint_auth_method: client.token_endpoint_auth_method ?? "client_secret_basic",
+		grant_types: grantTypes,
+		response_types: resolveRegistrationResponseTypes(client, grantTypes)
+	};
+}
 async function registerEndpoint(ctx, opts) {
+	const body = ctx.body;
 	if (!opts.allowDynamicClientRegistration) throw new APIError("FORBIDDEN", {
 		error: "access_denied",
 		error_description: "Client registration is disabled"
 	});
-	const body = ctx.body;
 	const session = await getSessionFromCtx(ctx);
-	if (!(session || opts.allowUnauthenticatedClientRegistration)) throw new APIError("UNAUTHORIZED", {
-		error: "invalid_token",
-		error_description: "Authentication required for client registration"
+	const tokenAuthorization = session ? void 0 : await authorizeInitialAccessToken(ctx, opts, body);
+	const isTokenAuthorized = Boolean(tokenAuthorization);
+	if (!(session || isTokenAuthorized || opts.allowUnauthenticatedClientRegistration)) throw new APIError("UNAUTHORIZED", { error_description: "Authentication required for client registration" }, {
+		"WWW-Authenticate": "Bearer",
+		...NO_STORE_HEADERS
 	});
-	if (!session) {
+	if (!session && !isTokenAuthorized) {
 		if (body.grant_types?.includes("client_credentials")) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: "client_credentials grant requires authenticated registration"
@@ -1609,47 +828,83 @@ async function registerEndpoint(ctx, opts) {
 		body.type = resolved.type;
 	}
 	if (!body.scope) body.scope = (opts.clientRegistrationDefaultScopes ?? opts.scopes)?.join(" ");
-	return createOAuthClientEndpoint(ctx, opts, { isRegister: true });
+	const requestedResources = Array.isArray(body.resources) ? [...new Set(body.resources.filter((resource) => typeof resource === "string" && resource.length > 0))] : [];
+	if (requestedResources.length > 0) for (const identifier of requestedResources) {
+		const row = await getResource(ctx, opts, identifier);
+		if (!row) throw new APIError("BAD_REQUEST", {
+			error: "invalid_target",
+			error_description: `requested resource ${identifier} does not exist`
+		});
+		if (row.disabled) throw new APIError("BAD_REQUEST", {
+			error: "invalid_target",
+			error_description: `requested resource ${identifier} is disabled`
+		});
+	}
+	return createOAuthClientEndpoint(ctx, opts, {
+		isRegister: true,
+		session,
+		referenceId: tokenAuthorization?.referenceId,
+		resources: requestedResources.length > 0 ? requestedResources : void 0
+	});
 }
 async function checkOAuthClient(client, opts, settings) {
-	const isPublic = client.token_endpoint_auth_method === "none";
-	if (client.type) {
-		if (isPublic && !(client.type === "native" || client.type === "user-agent-based")) throw new APIError("BAD_REQUEST", {
+	const clientWithDefaults = applyOAuthClientRegistrationDefaults(client);
+	const isPublic = clientWithDefaults.token_endpoint_auth_method === "none";
+	const tokenEndpointAuthMethod = clientWithDefaults.token_endpoint_auth_method ?? "client_secret_basic";
+	if (!new Set(getSupportedAuthMethods(opts, { includeNone: true })).has(tokenEndpointAuthMethod)) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: `unsupported token_endpoint_auth_method ${tokenEndpointAuthMethod}`
+	});
+	if (clientWithDefaults.dpop_bound_access_tokens !== void 0 && typeof clientWithDefaults.dpop_bound_access_tokens !== "boolean") throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "dpop_bound_access_tokens must be a boolean"
+	});
+	if (clientWithDefaults.type) {
+		if (isPublic && !(clientWithDefaults.type === "native" || clientWithDefaults.type === "user-agent-based")) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: `Type must be 'native' or 'user-agent-based' for public applications`
 		});
-		else if (!isPublic && !(client.type === "web")) throw new APIError("BAD_REQUEST", {
+		else if (!isPublic && !(clientWithDefaults.type === "web")) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: `Type must be 'web' for confidential applications`
 		});
 	}
-	if ((!client.grant_types || client.grant_types.includes("authorization_code")) && (!client.redirect_uris || client.redirect_uris.length === 0)) throw new APIError("BAD_REQUEST", {
+	const grantTypes = clientWithDefaults.grant_types ?? [];
+	const responseTypes = clientWithDefaults.response_types;
+	if (grantTypes.includes("authorization_code") && (!clientWithDefaults.redirect_uris || clientWithDefaults.redirect_uris.length === 0)) throw new APIError("BAD_REQUEST", {
 		error: "invalid_redirect_uri",
 		error_description: "Redirect URIs are required for authorization_code and implicit grant types"
 	});
-	const grantTypes = client.grant_types ?? ["authorization_code"];
-	const responseTypes = client.response_types ?? ["code"];
-	if (grantTypes.includes("authorization_code") && !responseTypes.includes("code")) throw new APIError("BAD_REQUEST", {
+	const supportedGrantTypes = new Set(getSupportedGrantTypes(opts));
+	for (const grantType of grantTypes) if (!supportedGrantTypes.has(grantType)) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: `unsupported grant_type ${grantType}`
+	});
+	if (grantTypes.includes("authorization_code") && !responseTypes?.includes("code")) throw new APIError("BAD_REQUEST", {
 		error: "invalid_client_metadata",
 		error_description: "When 'authorization_code' grant type is used, 'code' response type must be included"
 	});
-	if (client.subject_type !== void 0) {
-		if (client.subject_type !== "public" && client.subject_type !== "pairwise") throw new APIError("BAD_REQUEST", {
+	if (!grantTypes.includes("authorization_code") && responseTypes?.includes("code")) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "When 'code' response type is used, 'authorization_code' grant type must be included"
+	});
+	if (clientWithDefaults.subject_type !== void 0) {
+		if (clientWithDefaults.subject_type !== "public" && clientWithDefaults.subject_type !== "pairwise") throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: `subject_type must be "public" or "pairwise"`
 		});
-		if (client.subject_type === "pairwise" && !opts.pairwiseSecret) throw new APIError("BAD_REQUEST", {
+		if (clientWithDefaults.subject_type === "pairwise" && !opts.pairwiseSecret) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: "pairwise subject_type requires server pairwiseSecret configuration"
 		});
-		if (client.subject_type === "pairwise" && client.redirect_uris && client.redirect_uris.length > 1) {
-			if (new Set(client.redirect_uris.map((uri) => new URL(uri).host)).size > 1) throw new APIError("BAD_REQUEST", {
+		if (clientWithDefaults.subject_type === "pairwise" && clientWithDefaults.redirect_uris && clientWithDefaults.redirect_uris.length > 1) {
+			if (new Set(clientWithDefaults.redirect_uris.map((uri) => new URL(uri).host)).size > 1) throw new APIError("BAD_REQUEST", {
 				error: "invalid_client_metadata",
 				error_description: "pairwise clients with redirect_uris on different hosts require a sector_identifier_uri, which is not yet supported. All redirect_uris must share the same host."
 			});
 		}
 	}
-	const requestedScopes = (client?.scope)?.split(" ").filter((v) => v.length);
+	const requestedScopes = (clientWithDefaults?.scope)?.split(" ").filter((v) => v.length);
 	const allowedScopes = settings?.isRegister ? opts.clientRegistrationAllowedScopes ?? opts.scopes : opts.scopes;
 	if (allowedScopes) {
 		const validScopes = new Set(allowedScopes);
@@ -1658,21 +913,22 @@ async function checkOAuthClient(client, opts, settings) {
 			error_description: `cannot request scope ${requestedScope}`
 		});
 	}
-	if (settings?.isRegister && client.require_pkce === false) throw new APIError("BAD_REQUEST", {
+	if (settings?.isRegister && clientWithDefaults.require_pkce === false) throw new APIError("BAD_REQUEST", {
 		error: "invalid_client_metadata",
 		error_description: `pkce is required for registered clients.`
 	});
-	if (client.token_endpoint_auth_method === "private_key_jwt") {
-		if (client.jwks && client.jwks_uri) throw new APIError("BAD_REQUEST", {
+	const usesAssertionKeyMaterial = tokenEndpointAuthMethod === "private_key_jwt" || isExtensionTokenEndpointAuthMethod(opts, tokenEndpointAuthMethod);
+	if (clientWithDefaults.jwks || clientWithDefaults.jwks_uri) {
+		if (!usesAssertionKeyMaterial) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
-			error_description: "jwks and jwks_uri are mutually exclusive"
+			error_description: "jwks and jwks_uri are only allowed with private_key_jwt or an assertion-based authentication method"
 		});
-		if (!client.jwks && !client.jwks_uri) throw new APIError("BAD_REQUEST", {
+		if (clientWithDefaults.jwks && clientWithDefaults.jwks_uri) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
-			error_description: "private_key_jwt requires either jwks or jwks_uri"
+			error_description: "jwks and jwks_uri are mutually exclusive"
 		});
-		if (client.jwks_uri) try {
-			const uri = new URL(client.jwks_uri);
+		if (clientWithDefaults.jwks_uri) try {
+			const uri = new URL(clientWithDefaults.jwks_uri);
 			if (uri.protocol !== "https:") throw new APIError("BAD_REQUEST", {
 				error: "invalid_client_metadata",
 				error_description: "jwks_uri must use HTTPS"
@@ -1692,25 +948,26 @@ async function checkOAuthClient(client, opts, settings) {
 				error_description: "jwks_uri must be a valid URL"
 			});
 		}
-		if (client.jwks) {
-			const keys = Array.isArray(client.jwks) ? client.jwks : client.jwks.keys;
+		if (clientWithDefaults.jwks) {
+			const keys = Array.isArray(clientWithDefaults.jwks) ? clientWithDefaults.jwks : clientWithDefaults.jwks.keys;
 			if (!Array.isArray(keys) || keys.length === 0) throw new APIError("BAD_REQUEST", {
 				error: "invalid_client_metadata",
 				error_description: "jwks must be a non-empty array of JWK objects or a JWKS document {keys:[...]}"
 			});
 		}
-	} else if (client.jwks || client.jwks_uri) throw new APIError("BAD_REQUEST", {
+	}
+	if (tokenEndpointAuthMethod === "private_key_jwt" && !clientWithDefaults.jwks && !clientWithDefaults.jwks_uri) throw new APIError("BAD_REQUEST", {
 		error: "invalid_client_metadata",
-		error_description: "jwks and jwks_uri are only allowed with private_key_jwt authentication"
+		error_description: "private_key_jwt requires either jwks or jwks_uri"
 	});
-	if (client.backchannel_logout_uri !== void 0) {
+	if (clientWithDefaults.backchannel_logout_uri !== void 0) {
 		if (opts.disableJwtPlugin) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: "backchannel_logout_uri requires the jwt plugin (disableJwtPlugin must be false)"
 		});
 		let url;
 		try {
-			url = new URL(client.backchannel_logout_uri);
+			url = new URL(clientWithDefaults.backchannel_logout_uri);
 		} catch {
 			throw new APIError("BAD_REQUEST", {
 				error: "invalid_client_metadata",
@@ -1721,7 +978,7 @@ async function checkOAuthClient(client, opts, settings) {
 			error: "invalid_client_metadata",
 			error_description: "backchannel_logout_uri must use http or https"
 		});
-		if (client.backchannel_logout_uri.includes("#")) throw new APIError("BAD_REQUEST", {
+		if (clientWithDefaults.backchannel_logout_uri.includes("#")) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: "backchannel_logout_uri must not include a fragment component"
 		});
@@ -1737,27 +994,27 @@ async function checkOAuthClient(client, opts, settings) {
 	}
 }
 async function createOAuthClientEndpoint(ctx, opts, settings) {
-	const body = ctx.body;
-	const session = await getSessionFromCtx(ctx);
-	if (settings.isRegister) {
-		if (session) await assertClientPrivileges(ctx, session, opts, "create");
-	} else await assertClientPrivileges(ctx, session, opts, "create");
+	const body = applyOAuthClientRegistrationDefaults(ctx.body);
+	const session = settings.session !== void 0 ? settings.session : await getSessionFromCtx(ctx);
+	if (!settings.isRegister || session) await assertClientPrivileges(ctx, session, opts, "create");
 	const isPublic = body.token_endpoint_auth_method === "none";
 	const isPrivateKeyJwt = body.token_endpoint_auth_method === "private_key_jwt";
-	await checkOAuthClient(ctx.body, opts, {
+	const isExtensionAuthMethod = isExtensionTokenEndpointAuthMethod(opts, body.token_endpoint_auth_method);
+	await checkOAuthClient(body, opts, {
 		...settings,
 		ctx
 	});
 	const clientId = opts.generateClientId?.() || generateRandomString(32, "a-z", "A-Z");
-	const clientSecret = isPublic || isPrivateKeyJwt ? void 0 : opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
+	const clientSecret = isPublic || isPrivateKeyJwt || isExtensionAuthMethod ? void 0 : opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
 	const storedClientSecret = clientSecret ? await storeClientSecret(ctx, opts, clientSecret) : void 0;
 	const iat = Math.floor(Date.now() / 1e3);
-	const referenceId = opts.clientReference ? await opts.clientReference({
-		user: session?.user,
-		session: session?.session
-	}) : void 0;
+	const referenceId = settings.referenceId ?? (session && opts.clientReference ? await opts.clientReference({
+		user: session.user,
+		session: session.session
+	}) : void 0);
 	const schema = oauthToSchema({
-		...body ?? {},
+		...body,
+		redirect_uris: body.redirect_uris ?? [],
 		disabled: void 0,
 		client_secret_expires_at: storedClientSecret ? settings.isRegister && opts?.clientRegistrationClientSecretExpiration ? toExpJWT(opts.clientRegistrationClientSecretExpiration, iat) : 0 : void 0,
 		client_id: clientId,
@@ -1767,24 +1024,38 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 		user_id: referenceId ? void 0 : session?.session.userId,
 		reference_id: referenceId
 	});
-	const client = await ctx.context.adapter.create({
-		model: "oauthClient",
-		data: {
-			...schema,
-			createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
-		}
-	});
-	return ctx.json(schemaToOAuth({
-		...client,
+	const resources = settings.resources ?? [];
+	const responseBody = schemaToOAuth({
+		...await runWithTransaction(ctx.context.adapter, async () => {
+			const createdClient = await ctx.context.adapter.create({
+				model: "oauthClient",
+				data: {
+					...schema,
+					createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+					updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
+				}
+			});
+			if (resources.length > 0) {
+				const linkModel = opts.schema?.oauthClientResource?.modelName ?? "oauthClientResource";
+				const now = /* @__PURE__ */ new Date();
+				for (const resourceId of resources) await ctx.context.adapter.create({
+					model: linkModel,
+					forceAllowId: true,
+					data: {
+						id: buildClientResourceLinkId(clientId, resourceId),
+						clientId,
+						resourceId,
+						createdAt: now
+					}
+				});
+			}
+			return createdClient;
+		}),
 		clientSecret: clientSecret ? (opts.prefix?.clientSecret ?? "") + clientSecret : void 0
-	}), {
-		status: 201,
-		headers: {
-			"Cache-Control": "no-store",
-			Pragma: "no-cache"
-		}
 	});
+	if (resources.length > 0) responseBody.resources = resources;
+	ctx.setStatus(201);
+	return ctx.json(responseBody);
 }
 /**
 * Converts an OAuth 2.0 Dynamic Client Schema to a Database Schema
@@ -1793,7 +1064,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: inputJwks, jwks_uri: jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, backchannel_logout_uri: backchannelLogoutUri, backchannel_logout_session_required: backchannelLogoutSessionRequired, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: inputJwks, jwks_uri: jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, backchannel_logout_uri: backchannelLogoutUri, backchannel_logout_session_required: backchannelLogoutSessionRequired, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, dpop_bound_access_tokens: dpopBoundAccessTokens, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
 	const scopes = _scope?.split(" ");
@@ -1833,6 +1104,7 @@ function oauthToSchema(input) {
 		skipConsent,
 		enableEndSession,
 		requirePKCE,
+		dpopBoundAccessTokens,
 		subjectType,
 		referenceId,
 		metadata
@@ -1845,7 +1117,7 @@ function oauthToSchema(input) {
 * @returns
 */
 function schemaToOAuth(input) {
-	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, backchannelLogoutUri, backchannelLogoutSessionRequired, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, jwks, jwksUri, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
+	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, backchannelLogoutUri, backchannelLogoutSessionRequired, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, jwks, jwksUri, skipConsent, enableEndSession, requirePKCE, dpopBoundAccessTokens, subjectType, referenceId, metadata } = input;
 	const _expiresAt = expiresAt ? Math.round(new Date(expiresAt).getTime() / 1e3) : void 0;
 	const _createdAt = createdAt ? Math.round(new Date(createdAt).getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
@@ -1881,6 +1153,7 @@ function schemaToOAuth(input) {
 		skip_consent: skipConsent ?? void 0,
 		enable_end_session: enableEndSession ?? void 0,
 		require_pkce: requirePKCE ?? void 0,
+		dpop_bound_access_tokens: dpopBoundAccessTokens ?? void 0,
 		subject_type: subjectType ?? void 0,
 		reference_id: referenceId ?? void 0
 	};
@@ -2093,10 +1366,12 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 }
 //#endregion
 //#region src/oauthClient/index.ts
+const tokenEndpointAuthMethodSchema = z.string().trim().min(1);
+const grantTypesSchema = z.array(z.string().trim().min(1)).min(1);
 const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
 	method: "POST",
 	body: z.object({
-		redirect_uris: z.array(SafeUrlSchema).min(1),
+		redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
 		scope: z.string().optional(),
 		client_name: z.string().optional(),
 		client_uri: z.string().optional(),
@@ -2110,20 +1385,11 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
 		backchannel_logout_uri: SafeUrlSchema.optional(),
 		backchannel_logout_session_required: z.boolean().optional(),
-		token_endpoint_auth_method: z.enum([
-			"none",
-			"client_secret_basic",
-			"client_secret_post",
-			"private_key_jwt"
-		]).default("client_secret_basic").optional(),
+		token_endpoint_auth_method: tokenEndpointAuthMethodSchema.optional(),
 		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 		jwks_uri: z.string().optional(),
-		grant_types: z.array(z.enum([
-			"authorization_code",
-			"client_credentials",
-			"refresh_token"
-		])).default(["authorization_code"]).optional(),
-		response_types: z.array(z.enum(["code"])).default(["code"]).optional(),
+		grant_types: grantTypesSchema.optional(),
+		response_types: z.array(z.enum(["code"])).optional(),
 		type: z.enum([
 			"web",
 			"native",
@@ -2133,14 +1399,16 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		skip_consent: z.boolean().optional(),
 		enable_end_session: z.boolean().optional(),
 		require_pkce: z.boolean().optional(),
+		dpop_bound_access_tokens: z.boolean().optional(),
 		subject_type: z.enum(["public", "pairwise"]).optional(),
 		metadata: z.record(z.string(), z.unknown()).optional()
 	}),
 	metadata: {
+		noStore: true,
 		SERVER_ONLY: true,
 		openapi: {
 			description: "Register an OAuth2 application",
-			responses: { "200": {
+			responses: { "201": {
 				description: "OAuth2 application registered successfully",
 				content: { "application/json": { schema: {
 					type: "object",
@@ -2216,24 +1484,12 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 						},
 						token_endpoint_auth_method: {
 							type: "string",
-							description: "Requested authentication method for the token endpoint",
-							enum: [
-								"none",
-								"client_secret_basic",
-								"client_secret_post"
-							]
+							description: "Requested authentication method for the token endpoint"
 						},
 						grant_types: {
 							type: "array",
-							items: {
-								type: "string",
-								enum: [
-									"authorization_code",
-									"client_credentials",
-									"refresh_token"
-								]
-							},
-							description: "Requested authentication method for the token endpoint"
+							items: { type: "string" },
+							description: "Grant types the client may use at the token endpoint"
 						},
 						response_types: {
 							type: "array",
@@ -2241,7 +1497,7 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 								type: "string",
 								enum: ["code"]
 							},
-							description: "Requested authentication method for the token endpoint"
+							description: "Response types the client may use at the authorization endpoint"
 						},
 						public: {
 							type: "boolean",
@@ -2284,7 +1540,7 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 	method: "POST",
 	use: [sessionMiddleware],
 	body: z.object({
-		redirect_uris: z.array(SafeUrlSchema).min(1),
+		redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
 		scope: z.string().optional(),
 		client_name: z.string().optional(),
 		client_uri: z.string().optional(),
@@ -2298,159 +1554,142 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
 		backchannel_logout_uri: SafeUrlSchema.optional(),
 		backchannel_logout_session_required: z.boolean().optional(),
-		token_endpoint_auth_method: z.enum([
-			"none",
-			"client_secret_basic",
-			"client_secret_post",
-			"private_key_jwt"
-		]).default("client_secret_basic").optional(),
+		token_endpoint_auth_method: tokenEndpointAuthMethodSchema.optional(),
 		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 		jwks_uri: z.string().optional(),
-		grant_types: z.array(z.enum([
-			"authorization_code",
-			"client_credentials",
-			"refresh_token"
-		])).default(["authorization_code"]).optional(),
-		response_types: z.array(z.enum(["code"])).default(["code"]).optional(),
+		grant_types: grantTypesSchema.optional(),
+		response_types: z.array(z.enum(["code"])).optional(),
 		type: z.enum([
 			"web",
 			"native",
 			"user-agent-based"
-		]).optional()
+		]).optional(),
+		dpop_bound_access_tokens: z.boolean().optional()
 	}),
-	metadata: { openapi: {
-		description: "Register an OAuth2 application",
-		responses: { "200": {
-			description: "OAuth2 application registered successfully",
-			content: { "application/json": { schema: {
-				type: "object",
-				properties: {
-					client_id: {
-						type: "string",
-						description: "Unique identifier for the client"
-					},
-					client_secret: {
-						type: "string",
-						description: "Secret key for the client"
-					},
-					client_secret_expires_at: {
-						type: "number",
-						description: "Time the client secret will expire. If 0, the client secret will never expire."
-					},
-					scope: {
-						type: "string",
-						description: "Space-separated scopes allowed by the client"
-					},
-					user_id: {
-						type: "string",
-						description: "ID of the user who registered the client, null if registered anonymously"
-					},
-					client_id_issued_at: {
-						type: "number",
-						description: "Creation timestamp of this client"
-					},
-					client_name: {
-						type: "string",
-						description: "Name of the OAuth2 application"
-					},
-					client_uri: {
-						type: "string",
-						description: "URI of the OAuth2 application"
-					},
-					logo_uri: {
-						type: "string",
-						description: "Icon URI for the application"
-					},
-					contacts: {
-						type: "array",
-						items: { type: "string" },
-						description: "List representing ways to contact people responsible for this client, typically email addresses"
-					},
-					tos_uri: {
-						type: "string",
-						description: "Client's terms of service uri"
-					},
-					policy_uri: {
-						type: "string",
-						description: "Client's policy uri"
-					},
-					software_id: {
-						type: "string",
-						description: "Unique identifier assigned by the developer to help in the dynamic registration process"
-					},
-					software_version: {
-						type: "string",
-						description: "Version identifier for the software_id"
-					},
-					software_statement: {
-						type: "string",
-						description: "JWT containing metadata values about the client software as claims"
-					},
-					redirect_uris: {
-						type: "array",
-						items: {
+	metadata: {
+		noStore: true,
+		openapi: {
+			description: "Register an OAuth2 application",
+			responses: { "201": {
+				description: "OAuth2 application registered successfully",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: {
+						client_id: {
 							type: "string",
-							format: "uri"
+							description: "Unique identifier for the client"
 						},
-						description: "List of allowed redirect uris"
-					},
-					token_endpoint_auth_method: {
-						type: "string",
-						description: "Response types the client may use",
-						enum: [
-							"none",
-							"client_secret_basic",
-							"client_secret_post"
-						]
-					},
-					grant_types: {
-						type: "array",
-						items: {
+						client_secret: {
+							type: "string",
+							description: "Secret key for the client"
+						},
+						client_secret_expires_at: {
+							type: "number",
+							description: "Time the client secret will expire. If 0, the client secret will never expire."
+						},
+						scope: {
+							type: "string",
+							description: "Space-separated scopes allowed by the client"
+						},
+						user_id: {
+							type: "string",
+							description: "ID of the user who registered the client, null if registered anonymously"
+						},
+						client_id_issued_at: {
+							type: "number",
+							description: "Creation timestamp of this client"
+						},
+						client_name: {
+							type: "string",
+							description: "Name of the OAuth2 application"
+						},
+						client_uri: {
+							type: "string",
+							description: "URI of the OAuth2 application"
+						},
+						logo_uri: {
+							type: "string",
+							description: "Icon URI for the application"
+						},
+						contacts: {
+							type: "array",
+							items: { type: "string" },
+							description: "List representing ways to contact people responsible for this client, typically email addresses"
+						},
+						tos_uri: {
+							type: "string",
+							description: "Client's terms of service uri"
+						},
+						policy_uri: {
+							type: "string",
+							description: "Client's policy uri"
+						},
+						software_id: {
+							type: "string",
+							description: "Unique identifier assigned by the developer to help in the dynamic registration process"
+						},
+						software_version: {
+							type: "string",
+							description: "Version identifier for the software_id"
+						},
+						software_statement: {
+							type: "string",
+							description: "JWT containing metadata values about the client software as claims"
+						},
+						redirect_uris: {
+							type: "array",
+							items: {
+								type: "string",
+								format: "uri"
+							},
+							description: "List of allowed redirect uris"
+						},
+						token_endpoint_auth_method: {
+							type: "string",
+							description: "Requested authentication method for the token endpoint"
+						},
+						grant_types: {
+							type: "array",
+							items: { type: "string" },
+							description: "Grant types the client may use at the token endpoint"
+						},
+						response_types: {
+							type: "array",
+							items: {
+								type: "string",
+								enum: ["code"]
+							},
+							description: "Response types the client may use at the authorization endpoint"
+						},
+						public: {
+							type: "boolean",
+							description: "Whether the client is public as determined by the type"
+						},
+						type: {
 							type: "string",
+							description: "Type of the client",
 							enum: [
-								"authorization_code",
-								"client_credentials",
-								"refresh_token"
+								"web",
+								"native",
+								"user-agent-based"
 							]
 						},
-						description: "Requested authentication method for the token endpoint"
-					},
-					response_types: {
-						type: "array",
-						items: {
-							type: "string",
-							enum: ["code"]
+						disabled: {
+							type: "boolean",
+							description: "Whether the client is disabled"
 						},
-						description: "Requested authentication method for the token endpoint"
-					},
-					public: {
-						type: "boolean",
-						description: "Whether the client is public as determined by the type"
-					},
-					type: {
-						type: "string",
-						description: "Type of the client",
-						enum: [
-							"web",
-							"native",
-							"user-agent-based"
-						]
-					},
-					disabled: {
-						type: "boolean",
-						description: "Whether the client is disabled"
+						metadata: {
+							type: "object",
+							additionalProperties: true,
+							nullable: true,
+							description: "Additional metadata for the application"
+						}
 					},
-					metadata: {
-						type: "object",
-						additionalProperties: true,
-						nullable: true,
-						description: "Additional metadata for the application"
-					}
-				},
-				required: ["client_id"]
-			} } }
-		} }
-	} }
+					required: ["client_id"]
+				} } }
+			} }
+		}
+	}
 }, async (ctx) => {
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
@@ -2509,11 +1748,7 @@ const adminUpdateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/updat
 			post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
 			backchannel_logout_uri: SafeUrlSchema.optional(),
 			backchannel_logout_session_required: z.boolean().optional(),
-			grant_types: z.array(z.enum([
-				"authorization_code",
-				"client_credentials",
-				"refresh_token"
-			])).optional(),
+			grant_types: grantTypesSchema.optional(),
 			response_types: z.array(z.enum(["code"])).optional(),
 			type: z.enum([
 				"web",
@@ -2523,6 +1758,7 @@ const adminUpdateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/updat
 			client_secret_expires_at: z.union([z.string(), z.number()]).optional(),
 			skip_consent: z.boolean().optional(),
 			enable_end_session: z.boolean().optional(),
+			dpop_bound_access_tokens: z.boolean().optional(),
 			metadata: z.record(z.string(), z.unknown()).optional()
 		})
 	}),
@@ -2553,11 +1789,7 @@ const updateOAuthClient = (opts) => createAuthEndpoint("/oauth2/update-client",
 			post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
 			backchannel_logout_uri: SafeUrlSchema.optional(),
 			backchannel_logout_session_required: z.boolean().optional(),
-			grant_types: z.array(z.enum([
-				"authorization_code",
-				"client_credentials",
-				"refresh_token"
-			])).optional(),
+			grant_types: grantTypesSchema.optional(),
 			response_types: z.array(z.enum(["code"])).optional(),
 			type: z.enum([
 				"web",
@@ -2574,7 +1806,10 @@ const rotateClientSecret = (opts) => createAuthEndpoint("/oauth2/client/rotate-s
 	method: "POST",
 	use: [sessionMiddleware],
 	body: z.object({ client_id: z.string() }),
-	metadata: { openapi: { description: "Rotates a confidential client's secret" } }
+	metadata: {
+		noStore: true,
+		openapi: { description: "Rotates a confidential client's secret" }
+	}
 }, async (ctx) => {
 	return rotateClientSecretEndpoint(ctx, opts);
 });
@@ -2722,6 +1957,333 @@ const deleteOAuthConsent = (opts) => createAuthEndpoint("/oauth2/delete-consent"
 	return deleteConsentEndpoint(ctx, opts);
 });
 //#endregion
+//#region src/oauthResource/endpoints.ts
+/**
+* Gate every admin resource endpoint. Mirrors `assertClientPrivileges`:
+* a missing session → 401; a defined `resourcePrivileges` callback that
+* returns falsy → 401 with the original action context preserved.
+*
+* When `resourcePrivileges` is undefined, the gate degrades to "any
+* authenticated session can manage resources" — same forgiving default
+* as `clientPrivileges`. Operators who care about RBAC must define the
+* callback.
+*
+* @internal
+*/
+async function assertResourcePrivileges(ctx, session, opts, action, resourceId) {
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (!opts.resourcePrivileges) return;
+	if (!await opts.resourcePrivileges({
+		headers: ctx.headers,
+		action,
+		session: session.session,
+		user: session.user,
+		resourceId
+	})) throw new APIError("UNAUTHORIZED");
+}
+const resourceModel = (opts) => opts.schema?.oauthResource?.modelName ?? "oauthResource";
+const linkModel = (opts) => opts.schema?.oauthClientResource?.modelName ?? "oauthClientResource";
+const clientModel = (opts) => opts.schema?.oauthClient?.modelName ?? "oauthClient";
+/**
+* Decode a URL path-segment parameter.
+*
+* better-call's router (better-call@1.3.5) does NOT decode path params —
+* `tryDecode` is wired into cookie parsing only. So a raw HTTP caller hitting
+* `/admin/oauth2/resources/https%3A%2F%2Fapi.example.com` lands here with
+* `ctx.params.identifier === "https%3A%2F%2Fapi.example.com"`, which never
+* matches the stored `https://api.example.com` row. Decode every path
+* segment that holds a URI-valued identifier so the admin handlers behave
+* identically to in-process `auth.api.*` calls (which pass already-decoded
+* JS strings).
+*
+* Falls back to the raw string when decode fails so a malformed identifier
+* surfaces as a clean NOT_FOUND from the row lookup rather than a 500.
+*
+* @internal
+*/
+function decodePathParam(value) {
+	try {
+		return decodeURIComponent(value);
+	} catch {
+		return value;
+	}
+}
+/**
+* Builds the create-payload from a normalized input. Fills in defaults
+* for the fields seedResources uses so the admin-CRUD and seed paths
+* write identical rows.
+*
+* @internal
+*/
+function buildResourceRow(input, now) {
+	return {
+		identifier: input.identifier,
+		name: input.name ?? input.identifier,
+		accessTokenTtl: input.accessTokenTtl ?? null,
+		refreshTokenTtl: input.refreshTokenTtl ?? null,
+		signingAlgorithm: input.signingAlgorithm ?? null,
+		signingKeyId: input.signingKeyId ?? null,
+		allowedScopes: input.allowedScopes ?? null,
+		customClaims: input.customClaims ?? null,
+		dpopBoundAccessTokensRequired: input.dpopBoundAccessTokensRequired ?? false,
+		disabled: input.disabled ?? false,
+		policyVersion: 1,
+		metadata: input.metadata ?? null,
+		createdAt: now,
+		updatedAt: now
+	};
+}
+async function createResourceEndpoint(ctx, opts) {
+	await assertResourcePrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
+	const input = ctx.body;
+	if (!input?.identifier) throw new APIError("BAD_REQUEST", {
+		error: "invalid_request",
+		error_description: "identifier is required"
+	});
+	await assertIdentifierValid(opts, input.identifier);
+	const now = /* @__PURE__ */ new Date();
+	let created;
+	try {
+		created = await ctx.context.adapter.create({
+			model: resourceModel(opts),
+			data: buildResourceRow(input, now)
+		});
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		if (/unique|duplicate|UNIQUE/i.test(message)) throw new APIError("BAD_REQUEST", {
+			error: "invalid_request",
+			error_description: `resource ${input.identifier} already exists`
+		});
+		throw err;
+	}
+	if (!created) throw new APIError("BAD_REQUEST", {
+		error: "invalid_request",
+		error_description: `resource ${input.identifier} could not be created`
+	});
+	invalidateResourceCache(created.identifier);
+	return ctx.json(created, { status: 201 });
+}
+async function listResourcesEndpoint(ctx, opts) {
+	await assertResourcePrivileges(ctx, await getSessionFromCtx(ctx), opts, "list");
+	const rows = await ctx.context.adapter.findMany({ model: resourceModel(opts) });
+	return ctx.json(rows ?? []);
+}
+async function getResourceByIdentifierEndpoint(ctx, opts) {
+	const identifier = decodePathParam(ctx.params.identifier);
+	await assertResourcePrivileges(ctx, await getSessionFromCtx(ctx), opts, "read", identifier);
+	const row = await ctx.context.adapter.findOne({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}]
+	});
+	if (!row) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `resource ${identifier} not found`
+	});
+	return ctx.json(row);
+}
+async function updateResourceEndpoint(ctx, opts) {
+	const identifier = decodePathParam(ctx.params.identifier);
+	await assertResourcePrivileges(ctx, await getSessionFromCtx(ctx), opts, "update", identifier);
+	if (!await ctx.context.adapter.findOne({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}]
+	})) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `resource ${identifier} not found`
+	});
+	const update = { updatedAt: /* @__PURE__ */ new Date() };
+	for (const key of [
+		"name",
+		"accessTokenTtl",
+		"refreshTokenTtl",
+		"signingAlgorithm",
+		"signingKeyId",
+		"allowedScopes",
+		"customClaims",
+		"dpopBoundAccessTokensRequired",
+		"disabled",
+		"metadata"
+	]) if (Object.prototype.hasOwnProperty.call(ctx.body, key)) update[key] = ctx.body[key];
+	await ctx.context.adapter.update({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}],
+		update
+	});
+	invalidateResourceCache(identifier);
+	const refreshed = await ctx.context.adapter.findOne({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}]
+	});
+	if (!refreshed) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `resource ${identifier} not found`
+	});
+	return ctx.json(refreshed);
+}
+async function deleteResourceEndpoint(ctx, opts) {
+	const identifier = decodePathParam(ctx.params.identifier);
+	await assertResourcePrivileges(ctx, await getSessionFromCtx(ctx), opts, "delete", identifier);
+	if (!await ctx.context.adapter.findOne({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}]
+	})) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `resource ${identifier} not found`
+	});
+	await ctx.context.adapter.delete({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: identifier
+		}]
+	});
+	invalidateResourceCache(identifier);
+	return ctx.json({ deleted: true });
+}
+/**
+* Link a client to a resource.
+*
+* Route: `POST /admin/oauth2/resources/:identifier/clients/:client_id`.
+* Path params carry the identifiers (RESTful linkage) — no body required.
+* Used by admins when {@link OAuthOptions.enforcePerClientResources} is on.
+*/
+async function linkClientResourceEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	const resourceId = decodePathParam(ctx.params.identifier);
+	const clientId = decodePathParam(ctx.params.client_id);
+	await assertResourcePrivileges(ctx, session, opts, "link", resourceId);
+	if (!await ctx.context.adapter.findOne({
+		model: resourceModel(opts),
+		where: [{
+			field: "identifier",
+			value: resourceId
+		}]
+	})) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `resource ${resourceId} not found`
+	});
+	if (!await ctx.context.adapter.findOne({
+		model: clientModel(opts),
+		where: [{
+			field: "clientId",
+			value: clientId
+		}]
+	})) throw new APIError("NOT_FOUND", {
+		error: "not_found",
+		error_description: `client ${clientId} not found`
+	});
+	const id = buildClientResourceLinkId(clientId, resourceId);
+	try {
+		await ctx.context.adapter.create({
+			model: linkModel(opts),
+			forceAllowId: true,
+			data: {
+				id,
+				clientId,
+				resourceId,
+				createdAt: /* @__PURE__ */ new Date()
+			}
+		});
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		if (/unique|duplicate|UNIQUE/i.test(message)) return ctx.json({
+			linked: true,
+			alreadyLinked: true
+		});
+		throw err;
+	}
+	return ctx.json({ linked: true });
+}
+/**
+* Unlink a client from a resource.
+*
+* Route: `DELETE /admin/oauth2/resources/:identifier/clients/:client_id`.
+* Path params carry the identifiers (RESTful linkage) — no body required.
+*/
+async function unlinkClientResourceEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	const resourceId = decodePathParam(ctx.params.identifier);
+	const clientId = decodePathParam(ctx.params.client_id);
+	await assertResourcePrivileges(ctx, session, opts, "unlink", resourceId);
+	await ctx.context.adapter.deleteMany({
+		model: linkModel(opts),
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "resourceId",
+			value: resourceId
+		}]
+	});
+	return ctx.json({ unlinked: true });
+}
+//#endregion
+//#region src/oauthResource/index.ts
+/**
+* Shared body schema for create/update — every field is optional except
+* `identifier` on create (validated in the handler). Update accepts a
+* subset; the handler only writes fields that are explicitly present.
+*/
+const resourceBodySchema = z.object({
+	identifier: z.string().min(1).optional(),
+	name: z.string().optional(),
+	accessTokenTtl: z.number().int().positive().nullable().optional(),
+	refreshTokenTtl: z.number().int().positive().nullable().optional(),
+	signingAlgorithm: z.enum(JWS_ALGORITHMS).nullable().optional(),
+	signingKeyId: z.string().nullable().optional(),
+	allowedScopes: z.array(z.string()).nullable().optional(),
+	customClaims: z.record(z.string(), z.unknown()).nullable().optional(),
+	dpopBoundAccessTokensRequired: z.boolean().optional(),
+	disabled: z.boolean().optional(),
+	metadata: z.record(z.string(), z.unknown()).nullable().optional()
+});
+const adminCreateOAuthResource = (opts) => createAuthEndpoint("/admin/oauth2/resources", {
+	method: "POST",
+	body: resourceBodySchema.required({ identifier: true }),
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => createResourceEndpoint(ctx, opts));
+const adminListOAuthResources = (opts) => createAuthEndpoint("/admin/oauth2/resources", {
+	method: "GET",
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => listResourcesEndpoint(ctx, opts));
+const adminGetOAuthResource = (opts) => createAuthEndpoint("/admin/oauth2/resources/:identifier", {
+	method: "GET",
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => getResourceByIdentifierEndpoint(ctx, opts));
+const adminUpdateOAuthResource = (opts) => createAuthEndpoint("/admin/oauth2/resources/:identifier", {
+	method: "PATCH",
+	body: resourceBodySchema,
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => updateResourceEndpoint(ctx, opts));
+const adminDeleteOAuthResource = (opts) => createAuthEndpoint("/admin/oauth2/resources/:identifier", {
+	method: "DELETE",
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => deleteResourceEndpoint(ctx, opts));
+const adminLinkClientResource = (opts) => createAuthEndpoint("/admin/oauth2/resources/:identifier/clients/:client_id", {
+	method: "POST",
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => linkClientResourceEndpoint(ctx, opts));
+const adminUnlinkClientResource = (opts) => createAuthEndpoint("/admin/oauth2/resources/:identifier/clients/:client_id", {
+	method: "DELETE",
+	metadata: { SERVER_ONLY: true }
+}, async (ctx) => unlinkClientResourceEndpoint(ctx, opts));
+//#endregion
 //#region src/revoke.ts
 /**
 * IMPORTANT NOTES:
@@ -2737,23 +2299,23 @@ const deleteOAuthConsent = (opts) => createAuthEndpoint("/oauth2/delete-consent"
 * delete. Once the token is confirmed to be a valid JWT for this server, the
 * endpoint reports `unsupported_token_type` (RFC 7009 §2.2.1) instead of a
 * silent success, so callers can tell that no server-side revocation happened.
-* An expired or wrong-audience JWT is already inactive and still resolves as a
-* successful no-op. Session-bound tokens (carrying `sid`) are cut off early by
-* the session-liveness check in introspection and userinfo.
+* An expired JWT or a JWT with an audience rejected by the OAuth resource model
+* is already inactive and still resolves as a successful no-op. Session-bound
+* tokens (carrying `sid`) are cut off early by the session-liveness check in
+* introspection and userinfo.
 */
 async function revokeJwtAccessToken(ctx, opts, token) {
 	const jwtPlugin = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context);
 	const jwtPluginOptions = jwtPlugin?.options;
 	try {
-		await verifyJwsAccessToken(token, {
+		const verified = await jwtVerify(token, createLocalJWKSet(await getJwks(token, {
 			jwksFetch: jwtPluginOptions?.jwks?.remoteUrl ? jwtPluginOptions.jwks.remoteUrl : async () => {
 				return (await jwtPlugin?.endpoints.getJwks(ctx))?.response;
 			},
-			verifyOptions: {
-				audience: opts.validAudiences ?? ctx.context.baseURL,
-				issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL
-			}
-		});
+			jwksCacheKey: jwtPlugin
+		})), { issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL });
+		const userInfoAudience = `${ctx.context.baseURL}/oauth2/userinfo`;
+		if (!verified.payload.azp || !await isAudienceClaimAllowed(ctx, opts, verified.payload.aud, [userInfoAudience])) return null;
 	} catch (error) {
 		if (error instanceof Error) {
 			if (error.name === "TypeError" || error.name === "JWSInvalid") throw new APIError$1("BAD_REQUEST", {
@@ -2831,7 +2393,7 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 	}
 	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return null;
 	const iat = Math.floor(Date.now() / 1e3);
-	if (!await ctx.context.adapter.update({
+	if (!await ctx.context.adapter.incrementOne({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
@@ -2841,7 +2403,8 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 			operator: "eq",
 			value: null
 		}],
-		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
+		increment: {},
+		set: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
 	})) {
 		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
 		throw new APIError$1("BAD_REQUEST", {
@@ -2884,17 +2447,17 @@ async function revokeAccessToken(ctx, opts, clientId, token) {
 async function revokeEndpoint(ctx, opts) {
 	let { token, token_type_hint } = ctx.body;
 	if (token_type_hint !== "access_token" && token_type_hint !== "refresh_token") token_type_hint = void 0;
-	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/revoke`));
+	const { clientId: client_id, clientSecret: client_secret, preVerified, authMethod } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/revoke`));
 	if (!client_id) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "missing required credentials",
 		error: "invalid_client"
 	});
-	if (typeof token === "string" && token.startsWith("Bearer ")) token = token.replace("Bearer ", "");
+	if (typeof token === "string") token = stripAccessTokenAuthorizationScheme(token);
 	if (!token?.length) throw new APIError$1("BAD_REQUEST", {
 		error_description: "missing a required token for introspection",
 		error: "invalid_request"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerified, void 0, authMethod);
 	try {
 		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
 			return await revokeAccessToken(ctx, opts, client.clientId, token);
@@ -3067,6 +2630,11 @@ const schema = {
 				type: "boolean",
 				required: false
 			},
+			dpopBoundAccessTokens: {
+				type: "boolean",
+				required: false,
+				defaultValue: false
+			},
 			referenceId: {
 				type: "string",
 				required: false
@@ -3077,6 +2645,104 @@ const schema = {
 			}
 		}
 	},
+	oauthResource: {
+		modelName: "oauthResource",
+		fields: {
+			identifier: {
+				type: "string",
+				required: true,
+				unique: true
+			},
+			name: {
+				type: "string",
+				required: true
+			},
+			accessTokenTtl: {
+				type: "number",
+				required: false
+			},
+			refreshTokenTtl: {
+				type: "number",
+				required: false
+			},
+			signingAlgorithm: {
+				type: "string",
+				required: false
+			},
+			signingKeyId: {
+				type: "string",
+				required: false
+			},
+			allowedScopes: {
+				type: "string[]",
+				required: false
+			},
+			customClaims: {
+				type: "json",
+				required: false
+			},
+			dpopBoundAccessTokensRequired: {
+				type: "boolean",
+				required: false,
+				defaultValue: false
+			},
+			disabled: {
+				type: "boolean",
+				required: false,
+				defaultValue: false
+			},
+			createdAt: {
+				type: "date",
+				required: false
+			},
+			updatedAt: {
+				type: "date",
+				required: false
+			},
+			policyVersion: {
+				type: "number",
+				required: false,
+				defaultValue: 1
+			},
+			metadata: {
+				type: "json",
+				required: false
+			}
+		}
+	},
+	oauthClientResource: {
+		modelName: "oauthClientResource",
+		fields: {
+			clientId: {
+				type: "string",
+				required: true,
+				references: {
+					model: "oauthClient",
+					field: "clientId",
+					onDelete: "cascade"
+				},
+				index: true
+			},
+			resourceId: {
+				type: "string",
+				required: true,
+				references: {
+					model: "oauthResource",
+					field: "identifier",
+					onDelete: "cascade"
+				},
+				index: true
+			},
+			metadata: {
+				type: "json",
+				required: false
+			},
+			createdAt: {
+				type: "date",
+				required: false
+			}
+		}
+	},
 	oauthRefreshToken: { fields: {
 		token: {
 			type: "string",
@@ -3129,6 +2795,10 @@ const schema = {
 			type: "date",
 			required: false
 		},
+		confirmation: {
+			type: "json",
+			required: false
+		},
 		scopes: {
 			type: "string[]",
 			required: true
@@ -3192,6 +2862,10 @@ const schema = {
 				type: "date",
 				required: false
 			},
+			confirmation: {
+				type: "json",
+				required: false
+			},
 			scopes: {
 				type: "string[]",
 				required: true
@@ -3245,6 +2919,17 @@ const schema = {
 };
 //#endregion
 //#region src/oauth.ts
+/**
+* Default scopes advertised and accepted when a configuration sets none. Shared
+* with the MCP preset so the resource metadata it serves matches what the
+* authorization-server metadata advertises.
+*/
+const DEFAULT_OAUTH_SCOPES = [
+	"openid",
+	"profile",
+	"email",
+	"offline_access"
+];
 const oAuthState = defineRequestState(() => null);
 const getOAuthProviderState = oAuthState.get;
 const signedQueryIssuedAtMsKey = "signedQueryIssuedAtMs";
@@ -3266,12 +2951,7 @@ const oauthProvider = (options) => {
 		const _allowedScopes = clientRegistrationAllowedScopes ? new Set([...clientRegistrationAllowedScopes, ...options.clientRegistrationDefaultScopes]) : new Set([...options.clientRegistrationDefaultScopes]);
 		clientRegistrationAllowedScopes = Array.from(_allowedScopes);
 	}
-	const scopes = new Set((options.scopes ?? [
-		"openid",
-		"profile",
-		"email",
-		"offline_access"
-	]).filter((val) => val.length));
+	const scopes = new Set((options.scopes ?? DEFAULT_OAUTH_SCOPES).filter((val) => val.length));
 	if (clientRegistrationAllowedScopes) {
 		for (const sc of clientRegistrationAllowedScopes) if (!scopes.has(sc)) throw new BetterAuthError(`clientRegistrationAllowedScope ${sc} not found in scopes`);
 	}
@@ -3313,6 +2993,7 @@ const oauthProvider = (options) => {
 		claims: Array.from(claims),
 		clientRegistrationAllowedScopes
 	};
+	validateOAuthProviderExtensions(opts.extensions);
 	if (opts.pairwiseSecret && opts.pairwiseSecret.length < 32) throw new BetterAuthError("pairwiseSecret must be at least 32 characters long for adequate HMAC-SHA256 security");
 	if (opts.grantTypes && opts.grantTypes.includes("refresh_token") && !opts.grantTypes.includes("authorization_code")) throw new BetterAuthError("refresh_token grant requires authorization_code grant");
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
@@ -3348,16 +3029,7 @@ const oauthProvider = (options) => {
 		}
 		if (isAuthServerMetadataRequest) {
 			if (opts.scopes?.includes("openid")) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
-			return { response: createMetadataResponse({
-				...authServerMetadata(endpointCtx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx)?.options, {
-					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-					dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
-					public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
-					grant_types_supported: opts.grantTypes,
-					jwt_disabled: opts.disableJwtPlugin
-				}),
-				...mergeDiscoveryMetadata(opts.clientDiscovery)
-			}) };
+			return { response: createMetadataResponse(oauthAuthorizationServerMetadata(endpointCtx, opts)) };
 		}
 		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
 	};
@@ -3456,7 +3128,7 @@ const oauthProvider = (options) => {
 						type: "array",
 						items: { type: "string" }
 					},
-					description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
+					description: "Requested protected resource(s) for the access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
 				},
 				{
 					name: "prompt",
@@ -3506,8 +3178,10 @@ const oauthProvider = (options) => {
 		version: PACKAGE_VERSION,
 		options: opts,
 		onRequest: handleIssuerMetadataRequest,
-		init: (ctx) => {
+		init: async (ctx) => {
 			if (ctx.options.secondaryStorage && ctx.options.session?.storeSessionInDatabase !== true) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
+			await seedResources(ctx, opts);
+			logEnforcePerClientResourcesResolution(opts);
 			if (!opts.disableJwtPlugin) {
 				const jwtPluginOptions = getJwtPlugin(ctx)?.options;
 				const issuer = jwtPluginOptions?.jwt?.issuer ?? ctx.baseURL;
@@ -3589,16 +3263,7 @@ const oauthProvider = (options) => {
 				metadata: { SERVER_ONLY: true }
 			}, async (ctx) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
-				else return {
-					...authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
-						scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-						dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
-						public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
-						grant_types_supported: opts.grantTypes,
-						jwt_disabled: opts.disableJwtPlugin
-					}),
-					...mergeDiscoveryMetadata(opts.clientDiscovery)
-				};
+				else return oauthAuthorizationServerMetadata(ctx, opts);
 			}),
 			getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", {
 				method: "GET",
@@ -3663,12 +3328,9 @@ const oauthProvider = (options) => {
 			}),
 			oauth2Token: createOAuthEndpoint("/oauth2/token", {
 				method: "POST",
+				cloneRequest: true,
 				body: z.object({
-					grant_type: z.string().pipe(z.enum([
-						"authorization_code",
-						"client_credentials",
-						"refresh_token"
-					])),
+					grant_type: z.string().trim().min(1),
 					client_id: z.string().optional(),
 					client_secret: z.string().optional(),
 					client_assertion: z.string().optional(),
@@ -3679,7 +3341,7 @@ const oauthProvider = (options) => {
 					refresh_token: z.string().optional(),
 					resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional(),
 					scope: z.string().optional()
-				}),
+				}).passthrough(),
 				errorCodesByField: {
 					grant_type: {
 						missing: "invalid_request",
@@ -3688,9 +3350,17 @@ const oauthProvider = (options) => {
 					resource: { invalid: "invalid_target" }
 				},
 				metadata: {
+					noStore: true,
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
 					openapi: {
 						description: "Obtain an OAuth2.1 access token",
+						parameters: [{
+							name: "DPoP",
+							in: "header",
+							required: false,
+							schema: { type: "string" },
+							description: "RFC 9449 DPoP proof JWT for issuing DPoP-bound tokens"
+						}],
 						requestBody: {
 							required: true,
 							content: { "application/json": { schema: {
@@ -3698,11 +3368,6 @@ const oauthProvider = (options) => {
 								properties: {
 									grant_type: {
 										type: "string",
-										enum: [
-											"authorization_code",
-											"client_credentials",
-											"refresh_token"
-										],
 										description: "OAuth2 grant type"
 									},
 									client_id: {
@@ -3739,7 +3404,7 @@ const oauthProvider = (options) => {
 											items: { type: "string" },
 											description: "Multiple resources (URLs)"
 										}],
-										description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token"
+										description: "Requested protected resource(s) for the access token"
 									},
 									scope: {
 										type: "string",
@@ -3762,7 +3427,7 @@ const oauthProvider = (options) => {
 										token_type: {
 											type: "string",
 											description: "The type of the token issued",
-											enum: ["Bearer"]
+											enum: ["Bearer", "DPoP"]
 										},
 										expires_in: {
 											type: "number",
@@ -3804,6 +3469,10 @@ const oauthProvider = (options) => {
 					}
 				}
 			}, async (ctx) => {
+				if (ctx.request) {
+					const repeated = await extractRepeatedResourceFromForm(ctx.request);
+					if (repeated && repeated.length > 1) ctx.body.resource = repeated;
+				}
 				return tokenEndpoint(ctx, opts);
 			}),
 			oauth2Introspect: createOAuthEndpoint("/oauth2/introspect", {
@@ -3817,6 +3486,7 @@ const oauthProvider = (options) => {
 					token_type_hint: z.string().optional()
 				}),
 				metadata: {
+					noStore: true,
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
 					openapi: {
 						description: "Introspect an OAuth2 access or refresh token",
@@ -3988,90 +3658,99 @@ const oauthProvider = (options) => {
 			}),
 			oauth2UserInfo: createAuthEndpoint("/oauth2/userinfo", {
 				method: ["GET", "POST"],
-				metadata: { openapi: {
-					description: "Get OpenID Connect user information (UserInfo endpoint)",
-					security: [{ bearerAuth: [] }, { OAuth2: [
-						"openid",
-						"profile",
-						"email"
-					] }],
-					parameters: [{
-						name: "Authorization",
-						in: "header",
-						required: false,
-						schema: { type: "string" },
-						description: "Bearer access token"
-					}],
-					responses: {
-						"200": {
-							description: "User information retrieved successfully",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									sub: {
-										type: "string",
-										description: "Subject identifier (user ID)"
-									},
-									email: {
-										type: "string",
-										format: "email",
-										nullable: true,
-										description: "User's email address, included if 'email' scope is granted"
-									},
-									name: {
-										type: "string",
-										nullable: true,
-										description: "User's full name, included if 'profile' scope is granted"
-									},
-									picture: {
-										type: "string",
-										format: "uri",
-										nullable: true,
-										description: "User's profile picture URL, included if 'profile' scope is granted"
+				metadata: {
+					noStore: true,
+					openapi: {
+						description: "Get OpenID Connect user information (UserInfo endpoint)",
+						security: [{ bearerAuth: [] }, { OAuth2: [
+							"openid",
+							"profile",
+							"email"
+						] }],
+						parameters: [{
+							name: "Authorization",
+							in: "header",
+							required: false,
+							schema: { type: "string" },
+							description: "Bearer or DPoP access token"
+						}, {
+							name: "DPoP",
+							in: "header",
+							required: false,
+							schema: { type: "string" },
+							description: "RFC 9449 DPoP proof JWT when using a DPoP-bound access token"
+						}],
+						responses: {
+							"200": {
+								description: "User information retrieved successfully",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										sub: {
+											type: "string",
+											description: "Subject identifier (user ID)"
+										},
+										email: {
+											type: "string",
+											format: "email",
+											nullable: true,
+											description: "User's email address, included if 'email' scope is granted"
+										},
+										name: {
+											type: "string",
+											nullable: true,
+											description: "User's full name, included if 'profile' scope is granted"
+										},
+										picture: {
+											type: "string",
+											format: "uri",
+											nullable: true,
+											description: "User's profile picture URL, included if 'profile' scope is granted"
+										},
+										given_name: {
+											type: "string",
+											nullable: true,
+											description: "User's given name, included if 'profile' scope is granted"
+										},
+										family_name: {
+											type: "string",
+											nullable: true,
+											description: "User's family name, included if 'profile' scope is granted"
+										},
+										email_verified: {
+											type: "boolean",
+											nullable: true,
+											description: "Whether the email is verified, included if 'email' scope is granted"
+										}
 									},
-									given_name: {
-										type: "string",
-										nullable: true,
-										description: "User's given name, included if 'profile' scope is granted"
+									required: ["sub"]
+								} } }
+							},
+							"401": {
+								description: "Unauthorized - invalid or missing access token",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										error: { type: "string" },
+										error_description: { type: "string" }
 									},
-									family_name: {
-										type: "string",
-										nullable: true,
-										description: "User's family name, included if 'profile' scope is granted"
+									required: ["error"]
+								} } }
+							},
+							"403": {
+								description: "Forbidden - insufficient scope",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										error: { type: "string" },
+										error_description: { type: "string" }
 									},
-									email_verified: {
-										type: "boolean",
-										nullable: true,
-										description: "Whether the email is verified, included if 'email' scope is granted"
-									}
-								},
-								required: ["sub"]
-							} } }
-						},
-						"401": {
-							description: "Unauthorized - invalid or missing access token",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									error: { type: "string" },
-									error_description: { type: "string" }
-								},
-								required: ["error"]
-							} } }
-						},
-						"403": {
-							description: "Forbidden - insufficient scope",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									error: { type: "string" },
-									error_description: { type: "string" }
-								},
-								required: ["error"]
-							} } }
+									required: ["error"]
+								} } }
+							}
 						}
 					}
-				} }
+				}
 			}, async (ctx) => {
 				return userInfoEndpoint(ctx, opts);
 			}),
@@ -4108,194 +3787,149 @@ const oauthProvider = (options) => {
 			}),
 			registerOAuthClient: createOAuthEndpoint("/oauth2/register", {
 				method: "POST",
-				body: z.object({
-					redirect_uris: z.array(SafeUrlSchema).min(1).min(1),
-					scope: z.string().optional(),
-					client_name: z.string().optional(),
-					client_uri: z.string().optional(),
-					logo_uri: z.string().optional(),
-					contacts: z.array(z.string().min(1)).min(1).optional(),
-					tos_uri: z.string().optional(),
-					policy_uri: z.string().optional(),
-					software_id: z.string().optional(),
-					software_version: z.string().optional(),
-					software_statement: z.string().optional(),
-					post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
-					backchannel_logout_uri: SafeUrlSchema.optional(),
-					backchannel_logout_session_required: z.boolean().optional(),
-					token_endpoint_auth_method: z.enum([
-						"none",
-						"client_secret_basic",
-						"client_secret_post",
-						"private_key_jwt"
-					]).default("client_secret_basic").optional(),
-					jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
-					jwks_uri: z.string().optional(),
-					grant_types: z.array(z.enum([
-						"authorization_code",
-						"client_credentials",
-						"refresh_token"
-					])).default(["authorization_code"]).optional(),
-					response_types: z.array(z.enum(["code"])).default(["code"]).optional(),
-					type: z.enum([
-						"web",
-						"native",
-						"user-agent-based"
-					]).optional(),
-					subject_type: z.enum(["public", "pairwise"]).optional(),
-					skip_consent: z.never({ error: "skip_consent cannot be set during dynamic client registration" }).optional()
-				}),
+				body: clientRegistrationRequestSchema,
 				errorCodesByField: {
 					redirect_uris: "invalid_redirect_uri",
 					post_logout_redirect_uris: "invalid_redirect_uri",
-					software_statement: "invalid_software_statement"
+					software_statement: "invalid_software_statement",
+					resources: "invalid_target"
 				},
 				defaultError: "invalid_client_metadata",
-				metadata: { openapi: {
-					description: "Register an OAuth2 application",
-					responses: { "200": {
-						description: "OAuth2 application registered successfully",
-						content: { "application/json": { schema: {
-							type: "object",
-							properties: {
-								client_id: {
-									type: "string",
-									description: "Unique identifier for the client"
-								},
-								client_secret: {
-									type: "string",
-									description: "Secret key for the client"
-								},
-								client_secret_expires_at: {
-									type: "number",
-									description: "Time the client secret will expire. If 0, the client secret will never expire."
-								},
-								scope: {
-									type: "string",
-									description: "Space-separated scopes allowed by the client"
-								},
-								user_id: {
-									type: "string",
-									description: "ID of the user who registered the client, null if registered anonymously"
-								},
-								client_id_issued_at: {
-									type: "number",
-									description: "Creation timestamp of this client"
-								},
-								client_name: {
-									type: "string",
-									description: "Name of the OAuth2 application"
-								},
-								client_uri: {
-									type: "string",
-									description: "Name of the OAuth2 application"
-								},
-								logo_uri: {
-									type: "string",
-									description: "Icon URL for the application"
-								},
-								contacts: {
-									type: "array",
-									items: { type: "string" },
-									description: "List representing ways to contact people responsible for this client, typically email addresses"
-								},
-								tos_uri: {
-									type: "string",
-									description: "Client's terms of service uri"
-								},
-								policy_uri: {
-									type: "string",
-									description: "Client's policy uri"
-								},
-								software_id: {
-									type: "string",
-									description: "Unique identifier assigned by the developer to help in the dynamic registration process"
-								},
-								software_version: {
-									type: "string",
-									description: "Version identifier for the software_id"
-								},
-								software_statement: {
-									type: "string",
-									description: "JWT containing metadata values about the client software as claims"
-								},
-								redirect_uris: {
-									type: "array",
-									items: {
+				metadata: {
+					noStore: true,
+					openapi: {
+						description: "Register an OAuth2 application",
+						responses: { "201": {
+							description: "OAuth2 application registered successfully",
+							content: { "application/json": { schema: {
+								type: "object",
+								properties: {
+									client_id: {
 										type: "string",
-										format: "uri"
+										description: "Unique identifier for the client"
 									},
-									description: "List of allowed redirect uris"
-								},
-								post_logout_redirect_uris: {
-									type: "array",
-									items: {
+									client_secret: {
 										type: "string",
-										format: "uri"
+										description: "Secret key for the client"
 									},
-									description: "List of allowed logout redirect uris"
-								},
-								backchannel_logout_uri: {
-									type: "string",
-									format: "uri",
-									description: "RP URL to receive signed Logout Tokens when the end-user's OP session terminates"
-								},
-								backchannel_logout_session_required: {
-									type: "boolean",
-									description: "Whether the RP requires a `sid` claim in every Logout Token"
-								},
-								token_endpoint_auth_method: {
-									type: "string",
-									description: "Requested authentication method for the token endpoint",
-									enum: [
-										"none",
-										"client_secret_basic",
-										"client_secret_post",
-										"private_key_jwt"
-									]
-								},
-								grant_types: {
-									type: "array",
-									items: {
+									client_secret_expires_at: {
+										type: "number",
+										description: "Time the client secret will expire. If 0, the client secret will never expire."
+									},
+									scope: {
 										type: "string",
-										enum: [
-											"authorization_code",
-											"client_credentials",
-											"refresh_token"
-										]
+										description: "Space-separated scopes allowed by the client"
 									},
-									description: "Requested authentication method for the token endpoint"
-								},
-								response_types: {
-									type: "array",
-									items: {
+									user_id: {
 										type: "string",
-										enum: ["code"]
+										description: "ID of the user who registered the client, null if registered anonymously"
 									},
-									description: "Requested authentication method for the token endpoint"
-								},
-								public: {
-									type: "boolean",
-									description: "Whether the client is public as determined by the type"
-								},
-								type: {
-									type: "string",
-									description: "Type of the client",
-									enum: [
-										"web",
-										"native",
-										"user-agent-based"
-									]
+									client_id_issued_at: {
+										type: "number",
+										description: "Creation timestamp of this client"
+									},
+									client_name: {
+										type: "string",
+										description: "Name of the OAuth2 application"
+									},
+									client_uri: {
+										type: "string",
+										description: "Name of the OAuth2 application"
+									},
+									logo_uri: {
+										type: "string",
+										description: "Icon URL for the application"
+									},
+									contacts: {
+										type: "array",
+										items: { type: "string" },
+										description: "List representing ways to contact people responsible for this client, typically email addresses"
+									},
+									tos_uri: {
+										type: "string",
+										description: "Client's terms of service uri"
+									},
+									policy_uri: {
+										type: "string",
+										description: "Client's policy uri"
+									},
+									software_id: {
+										type: "string",
+										description: "Unique identifier assigned by the developer to help in the dynamic registration process"
+									},
+									software_version: {
+										type: "string",
+										description: "Version identifier for the software_id"
+									},
+									software_statement: {
+										type: "string",
+										description: "JWT containing metadata values about the client software as claims"
+									},
+									redirect_uris: {
+										type: "array",
+										items: {
+											type: "string",
+											format: "uri"
+										},
+										description: "List of allowed redirect uris"
+									},
+									post_logout_redirect_uris: {
+										type: "array",
+										items: {
+											type: "string",
+											format: "uri"
+										},
+										description: "List of allowed logout redirect uris"
+									},
+									backchannel_logout_uri: {
+										type: "string",
+										format: "uri",
+										description: "RP URL to receive signed Logout Tokens when the end-user's OP session terminates"
+									},
+									backchannel_logout_session_required: {
+										type: "boolean",
+										description: "Whether the RP requires a `sid` claim in every Logout Token"
+									},
+									token_endpoint_auth_method: {
+										type: "string",
+										description: "Requested authentication method for the token endpoint"
+									},
+									grant_types: {
+										type: "array",
+										items: { type: "string" },
+										description: "Grant types the client may use at the token endpoint"
+									},
+									response_types: {
+										type: "array",
+										items: {
+											type: "string",
+											enum: ["code"]
+										},
+										description: "Response types the client may use at the authorization endpoint"
+									},
+									public: {
+										type: "boolean",
+										description: "Whether the client is public as determined by the type"
+									},
+									type: {
+										type: "string",
+										description: "Type of the client",
+										enum: [
+											"web",
+											"native",
+											"user-agent-based"
+										]
+									},
+									disabled: {
+										type: "boolean",
+										description: "Whether the client is disabled"
+									}
 								},
-								disabled: {
-									type: "boolean",
-									description: "Whether the client is disabled"
-								}
-							},
-							required: ["client_id"]
-						} } }
-					} }
-				} }
+								required: ["client_id"]
+							} } }
+						} }
+					}
+				}
 			}, async (ctx) => {
 				return registerEndpoint(ctx, opts);
 			}),
@@ -4312,7 +3946,14 @@ const oauthProvider = (options) => {
 			getOAuthConsent: getOAuthConsent(opts),
 			getOAuthConsents: getOAuthConsents(opts),
 			updateOAuthConsent: updateOAuthConsent(opts),
-			deleteOAuthConsent: deleteOAuthConsent(opts)
+			deleteOAuthConsent: deleteOAuthConsent(opts),
+			adminCreateOAuthResource: adminCreateOAuthResource(opts),
+			adminListOAuthResources: adminListOAuthResources(opts),
+			adminGetOAuthResource: adminGetOAuthResource(opts),
+			adminUpdateOAuthResource: adminUpdateOAuthResource(opts),
+			adminDeleteOAuthResource: adminDeleteOAuthResource(opts),
+			adminLinkClientResource: adminLinkClientResource(opts),
+			adminUnlinkClientResource: adminUnlinkClientResource(opts)
 		},
 		schema: mergeSchema(schema, opts?.schema),
 		rateLimit: [
@@ -4558,6 +4199,20 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		requestedScopes = client.scopes ?? opts.scopes ?? [];
 		query.scope = requestedScopes.join(" ");
 	}
+	if (query.resource !== void 0) try {
+		await resolveResourcePolicy(ctx, opts, {
+			resource: query.resource,
+			clientId: client.clientId,
+			requestedScopes
+		});
+	} catch (err) {
+		if (err instanceof APIError$1) {
+			const error = err.body?.error ?? "invalid_target";
+			const description = err.body?.error_description ?? "requested resource invalid";
+			return handleRedirect(ctx, formatErrorURL(query.redirect_uri, error, description, query.state, getIssuer(ctx, opts)));
+		}
+		throw err;
+	}
 	const pkceRequired = isPKCERequired(client, requestedScopes);
 	if (pkceRequired) {
 		if (!query.code_challenge || !query.code_challenge_method) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", pkceRequired.valueOf(), query.state, getIssuer(ctx, opts)));
@@ -4566,9 +4221,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		if (!query.code_challenge || !query.code_challenge_method) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "code_challenge and code_challenge_method must both be provided", query.state, getIssuer(ctx, opts)));
 		if (!["S256"].includes(query.code_challenge_method)) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method, only S256 is supported", query.state, getIssuer(ctx, opts)));
 	}
-	const resource = query.resource;
-	if (!(await checkResource(ctx, opts, resource, requestedScopes)).success) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_target", "requested resource invalid", query.state, getIssuer(ctx, opts)));
-	const requestedResources = toResourceList(resource) ?? [];
+	const requestedResources = toResourceList(query.resource) ?? [];
 	const session = await getSessionFromCtx(ctx);
 	const maxAgeSeconds = query.max_age;
 	const hasSatisfiedMaxAge = session != null && maxAgeSeconds !== void 0 && isWithinMaxAge(new Date(session.session.createdAt), maxAgeSeconds, /* @__PURE__ */ new Date());
@@ -4720,126 +4373,13 @@ async function signParams(ctx, opts, flags) {
 	const params = serializeAuthorizationQuery(ctx.query);
 	params.set("exp", String(exp));
 	params.set(signedQueryIssuedAtParam, String(issuedAt));
+	params.delete("sig");
 	params.delete(postLoginClearedParam);
 	if (flags?.postLoginClearedForSession) params.set(postLoginClearedParam, flags.postLoginClearedForSession);
-	const signature = await makeSignature(params.toString(), ctx.context.secret);
-	params.append("sig", signature);
+	setSignedOAuthQueryParameterNames(params);
+	const signature = await makeSignature(canonicalizeOAuthQueryParams(params).toString(), ctx.context.secret);
+	params.set("sig", signature);
 	return params.toString();
 }
 //#endregion
-//#region src/metadata.ts
-function authServerMetadata(ctx, opts, overrides) {
-	const baseURL = ctx.context.baseURL;
-	const backchannelSupported = !overrides?.jwt_disabled;
-	return {
-		scopes_supported: overrides?.scopes_supported,
-		issuer: validateIssuerUrl(opts?.jwt?.issuer ?? baseURL),
-		authorization_endpoint: `${baseURL}/oauth2/authorize`,
-		token_endpoint: `${baseURL}/oauth2/token`,
-		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
-		registration_endpoint: overrides?.dynamic_client_registration_supported ? `${baseURL}/oauth2/register` : void 0,
-		introspection_endpoint: `${baseURL}/oauth2/introspect`,
-		revocation_endpoint: `${baseURL}/oauth2/revoke`,
-		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
-		response_modes_supported: ["query"],
-		grant_types_supported: overrides?.grant_types_supported ?? [
-			"authorization_code",
-			"client_credentials",
-			"refresh_token"
-		],
-		token_endpoint_auth_methods_supported: [
-			...overrides?.public_client_supported ? ["none"] : [],
-			"client_secret_basic",
-			"client_secret_post",
-			"private_key_jwt"
-		],
-		token_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
-		introspection_endpoint_auth_methods_supported: [
-			"client_secret_basic",
-			"client_secret_post",
-			"private_key_jwt"
-		],
-		introspection_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
-		revocation_endpoint_auth_methods_supported: [
-			"client_secret_basic",
-			"client_secret_post",
-			"private_key_jwt"
-		],
-		revocation_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
-		code_challenge_methods_supported: ["S256"],
-		authorization_response_iss_parameter_supported: true,
-		backchannel_logout_supported: backchannelSupported,
-		backchannel_logout_session_supported: backchannelSupported
-	};
-}
-function oidcServerMetadata(ctx, opts) {
-	const baseURL = ctx.context.baseURL;
-	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
-	return {
-		...authServerMetadata(ctx, jwtPluginOptions, {
-			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-			dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
-			public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
-			grant_types_supported: opts.grantTypes,
-			jwt_disabled: opts.disableJwtPlugin
-		}),
-		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
-		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
-		subject_types_supported: opts.pairwiseSecret ? ["public", "pairwise"] : ["public"],
-		id_token_signing_alg_values_supported: jwtPluginOptions?.jwks?.keyPairConfig?.alg ? [jwtPluginOptions?.jwks?.keyPairConfig?.alg] : opts.disableJwtPlugin ? ["HS256"] : ["EdDSA"],
-		end_session_endpoint: `${baseURL}/oauth2/end-session`,
-		acr_values_supported: ["urn:mace:incommon:iap:bronze"],
-		prompt_values_supported: [
-			"login",
-			"consent",
-			"create",
-			"select_account",
-			"none"
-		],
-		...mergeDiscoveryMetadata(opts.clientDiscovery)
-	};
-}
-const METADATA_CACHE_CONTROL = "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400";
-function metadataResponse(body, extraHeaders) {
-	const headers = new Headers(extraHeaders);
-	if (!headers.has("Cache-Control")) headers.set("Cache-Control", METADATA_CACHE_CONTROL);
-	headers.set("Content-Type", "application/json");
-	return new Response(JSON.stringify(body), {
-		status: 200,
-		headers
-	});
-}
-/**
-* Provides an exportable `/.well-known/oauth-authorization-server`.
-*
-* Useful when basePath prevents the endpoint from being located at the root
-* and must be provided manually.
-*
-* @external
-*/
-const oauthProviderAuthServerMetadata = (auth, opts) => {
-	return async (request) => {
-		return metadataResponse(await auth.api.getOAuthServerConfig({
-			request,
-			asResponse: false
-		}), opts?.headers);
-	};
-};
-/**
-* Provides an exportable `/.well-known/openid-configuration`.
-*
-* Useful when basePath prevents the endpoint from being located at the root
-* and must be provided manually.
-*
-* @external
-*/
-const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
-	return async (request) => {
-		return metadataResponse(await auth.api.getOpenIdConfig({
-			request,
-			asResponse: false
-		}), opts?.headers);
-	};
-};
-//#endregion
-export { authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };
+export { DEFAULT_OAUTH_SCOPES, ResourceUriSchema, authServerMetadata, checkOAuthClient, consumeClientAssertion, extendOAuthProvider, getIssuer, getOAuthProviderApi, getOAuthProviderState, metadataResponse, oauthAuthorizationServerMetadata, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata, raiseResourceServerChallenge };