@bigso/auth-sdk 0.5.2 → 0.5.4

package/README.md

@@ -10,6 +10,7 @@ SDK oficial de autenticación para Bigso SSO v2. Flujo basado en JWT Bearer toke
 - **JWS verification** en frontend con JWKS remoto
 - **3 entry points**: Browser, Node.js, Express middleware
 - **Server-to-server** login, exchange, refresh, logout via API v2
+- **Scope array** en JWT para consumir APIs internas
 
 ## Instalación
 
@@ -25,15 +26,15 @@ npm install @bigso/auth-sdk
 │  (consuming)  │  sso-init / sso-success    │  (iframe)     │
 └──────┬───────┘                             └──────┬───────┘
        │                                            │
-       │ 1. auth.login() → codeVerifier             │
-       │ 2. POST /exchange-v2-pkce                  │
-       │    { code, codeVerifier }                  │
+       │ 1. auth.login() → codeVerifier            │
+       │ 2. POST /api/auth/exchange-v2             │
+       │    { payload, codeVerifier }               │
        ▼                                            ▼
 ┌──────────────┐     POST /api/v2/auth/exchange    ┌──────────────┐
 │  App Backend  │──────────────────────────────────►│  SSO Core     │
 │  (Express)   │◄─────────────────────────────────│  (API v2)     │
 │              │     { accessToken, refreshToken }  │              │
-└──────────────┘                                   └──────────────┘
+└──────────────┘        (con scope array)            └──────────────┘
 ```
 
 ## Uso
@@ -44,9 +45,9 @@ npm install @bigso/auth-sdk
 import { BigsoAuth } from '@bigso/auth-sdk';
 
 const auth = new BigsoAuth({
-  clientId: 'crm',
-  ssoOrigin: 'https://sso.bigso.co',
-  jwksUrl: 'https://sso.bigso.co/.well-known/jwks.json',
+  clientId: 'ordamy',
+  ssoOrigin: 'https://sso-portal.bigso.co',
+  jwksUrl: 'https://sso-core.bigso.co/.well-known/jwks.json',
 });
 
 auth.on('success', async (result) => {
@@ -57,11 +58,12 @@ auth.on('success', async (result) => {
   // result.nonce        → matches your original nonce
 
   // Send to your backend:
-  const response = await fetch('/api/auth/exchange-v2-pkce', {
+  const response = await fetch('/api/auth/exchange-v2', {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({
       payload: result.signed_payload,
+      codeVerifier: result.codeVerifier,
     }),
   });
 });
@@ -76,15 +78,15 @@ import { BigsoSsoClient } from '@bigso/auth-sdk/node';
 import { createSsoAuthRouter, ssoAuthMiddleware } from '@bigso/auth-sdk/express';
 
 const ssoClient = new BigsoSsoClient({
-  ssoBackendUrl: 'https://sso.bigso.co',
-  ssoJwksUrl: 'https://sso.bigso.co/.well-known/jwks.json',
-  appId: 'crm',
+  ssoBackendUrl: 'https://sso-core.bigso.co',
+  ssoJwksUrl: 'https://sso-core.bigso.co/.well-known/jwks.json',
+  appId: 'ordamy',
 });
 
 // Auth routes: /exchange, /exchange-v2, /session, /refresh, /logout
 app.use('/api/auth', createSsoAuthRouter({
   ssoClient,
-  frontendUrl: 'https://myapp.com',
+  frontendUrl: 'https://ordamy.bigso.co',
 }));
 
 // Protected routes: validates Bearer JWT token
@@ -99,9 +101,9 @@ app.get('/api/protected', ssoAuthMiddleware({ ssoClient }), (req, res) => {
 import { BigsoSsoClient } from '@bigso/auth-sdk/node';
 
 const client = new BigsoSsoClient({
-  ssoBackendUrl: 'https://sso.bigso.co',
-  ssoJwksUrl: 'https://sso.bigso.co/.well-known/jwks.json',
-  appId: 'crm',
+  ssoBackendUrl: 'https://sso-core.bigso.co',
+  ssoJwksUrl: 'https://sso-core.bigso.co/.well-known/jwks.json',
+  appId: 'ordamy',
 });
 
 // Exchange authorization code with PKCE
@@ -126,7 +128,7 @@ await client.logout('eyJhbG...', true);  // revokeAll = true
 | Param | Type | Required | Default | Description |
 |---|---|---|---|---|
 | `clientId` | `string` | Yes | — | App ID registered in SSO |
-| `ssoOrigin` | `string` | Yes | — | SSO origin (e.g. `https://sso.bigso.co`) |
+| `ssoOrigin` | `string` | Yes | — | SSO origin (e.g. `https://sso-portal.bigso.co`) |
 | `jwksUrl` | `string` | Yes | — | JWKS URL for JWS verification |
 | `timeout` | `number` | No | `5000` | Timeout after `sso-ready` (ms) |
 | `debug` | `boolean` | No | `false` | Debug logging |
@@ -161,7 +163,7 @@ Returns `Promise<BigsoAuthResult>`:
 | Route | Method | Description |
 |---|---|---|
 | `/exchange` | POST | `{code, codeVerifier}` → v2 exchange |
-| `/exchange-v2` | POST | `{payload}` → verify JWS, then v2 exchange |
+| `/exchange-v2` | POST | `{payload, codeVerifier?}` → verify JWS, then v2 exchange (codeVerifier from body or JWS) |
 | `/session` | GET | Validate Bearer token, return user data |
 | `/refresh` | POST | Proxy to `/api/v2/auth/refresh` |
 | `/logout` | POST | Bearer token → `/api/v2/auth/logout` |
@@ -177,14 +179,34 @@ Reads `Authorization: Bearer <token>`, validates JWT against JWKS, populates `re
 2. Browser SDK computa: codeChallenge = SHA256(codeVerifier)
 3. Browser SDK → iframe: {codeChallenge, state, nonce}
 4. Iframe → SSO Core: POST /api/v2/auth/authorize (con codeChallenge)
-5. Iframe → Browser SDK: {code, state} (firmado como JWS)
+5. Iframe → Browser SDK: {code, signedPayload} (JWS contiene code_verifier si se pasó)
 6. Browser SDK verifica JWS, valida state y nonce
-7. Browser SDK retorna {code, codeVerifier} al consuming app
-8. Consuming app → su backend: POST /exchange-v2-pkce {payload, codeVerifier}
+7. Browser SDK retorna {code, codeVerifier, signed_payload} al consuming app
+8. Consuming app → su backend: POST /exchange-v2 {payload, codeVerifier}
 9. Backend verifica JWS, extrae code, llama /api/v2/auth/exchange {code, appId, codeVerifier}
 10. SSO Core verifica: SHA256(codeVerifier) === codeChallenge → emite tokens
 ```
 
+## JWT Access Token
+
+El access token contiene:
+
+```json
+{
+  "sub": "user-uuid",
+  "jti": "token-uuid",
+  "iss": "https://sso.bigso.co",
+  "aud": "https://ordamy.bigso.co",
+  "exp": 1234567890,
+  "iat": 1234567890,
+  "tenants": [{ "id": "...", "name": "...", "slug": "...", "role": "...", "apps": ["ordamy"] }],
+  "systemRole": "user",
+  "scope": ["https://ordamy.bigso.co", "https://api-interna.bigso.co"]
+}
+```
+
+El campo `scope` define qué APIs puede consumir este token. Cada aplicación tiene su `scope` configurado en la BD de SSO Core.
+
 ## Seguridad
 
 - **PKCE**: codeVerifier nunca sale del browser hasta el paso 7, pero jamás se envía al SSO iframe
@@ -192,6 +214,7 @@ Reads `Authorization: Bearer <token>`, validates JWT against JWKS, populates `re
 - **state + nonce**: Validados en ambos lados para prevenir CSRF y replay
 - **JWT Bearer**: Access tokens validados localmente contra JWKS, revocables en Redis/PG
 - **httpOnly cookies**: Refresh tokens via cookie, nunca accesibles via JS
+- **Scope validation**: APIs internas deben verificar que su URL esté en el array `scope` del token
 
 ## Desarrollo
 
@@ -204,6 +227,22 @@ npm test        # vitest
 
 ## Changelog
 
+### v0.5.3 (2026-04-09)
+
+- `exchange-v2` ahora acepta `codeVerifier` del body del request o del JWS (antes solo del JWS)
+- Fix de fallback: `buildFallbackUrl()` ahora incluye `code_challenge` en la URL
+
+### v0.5.2 (2026-04-08)
+
+- Nuevo campo `scope?: string[]` en `SsoTokenPayload`
+- `verifyAccessToken()` mapea `scope` del JWT payload
+- `prepublishOnly` script agregado para build automático antes de publish
+
+### v0.5.1 (2026-04-08)
+
+- Fix: SDK sin dist/ — `prepublishOnly: "npm run build"` agregado
+- `SsoJwtTenant` con `apps: string[]`
+
 ### v0.5.0 (2026-04-07) — Full v2
 
 **Breaking changes:**
@@ -219,7 +258,7 @@ npm test        # vitest
 - `BigsoSsoClient.refreshTokens()` — via `/api/v2/auth/refresh`
 - `BigsoSsoClient.logout(accessToken)` — via `/api/v2/auth/logout`
 - `BigsoSsoClient.validateAccessToken(token)` — Local JWT verification against JWKS
-- Express `/exchange-v2-pkce` route with full PKCE support
+- Express `/exchange-v2` route with full PKCE support
 - Express `/refresh` and `/logout` routes for v2 API
 - `ssoAuthMiddleware` validates Bearer JWT tokens locally
 

package/dist/browser/index.cjs

@@ -98,6 +98,7 @@ var BigsoAuth = class extends EventEmitter {
     const nonce = generateRandomId();
     const verifier = generateVerifier();
     const requestId = this.requestId;
+    const codeChallenge = await sha256Base64Url(verifier);
     sessionStorage.setItem("sso_ctx", JSON.stringify({ state, nonce, verifier, requestId }));
     this.createUI();
     return new Promise((resolve, reject) => {
@@ -130,11 +131,10 @@ var BigsoAuth = class extends EventEmitter {
               this.closeUI();
               cleanup();
               this.emit("fallback");
-              window.location.href = this.buildFallbackUrl();
+              window.location.href = this.buildFallbackUrl(codeChallenge, state);
               reject(new Error("Timeout"));
             }
           }, this.options.timeout);
-          const codeChallenge = await sha256Base64Url(verifier);
           const initPayload = {
             state,
             nonce,
@@ -207,7 +207,7 @@ var BigsoAuth = class extends EventEmitter {
           cleanup();
           if (errorPayload.code === "version_mismatch") {
             this.emit("error", errorPayload);
-            window.location.href = this.buildFallbackUrl();
+            window.location.href = this.buildFallbackUrl(codeChallenge, state);
             reject(new Error(`Version mismatch: expected ${errorPayload.expected_version}`));
           } else {
             this.emit("error", errorPayload);
@@ -342,12 +342,13 @@ var BigsoAuth = class extends EventEmitter {
         `;
   }
   // ─── Helpers ──────────────────────────────────────────────────────
-  buildFallbackUrl() {
+  buildFallbackUrl(codeChallenge, state) {
     const url = new URL(this.options.ssoOrigin);
     url.searchParams.set("app_id", this.options.clientId);
     url.searchParams.set("redirect_uri", this.options.redirectUri || window.location.origin);
     url.searchParams.set("response_type", "code");
-    url.searchParams.set("state", generateRandomId());
+    url.searchParams.set("state", state);
+    url.searchParams.set("code_challenge", codeChallenge);
     url.searchParams.set("code_challenge_method", "S256");
     url.searchParams.set("client_id", this.options.clientId);
     return url.toString();

package/dist/browser/index.d.cts

@@ -1,4 +1,4 @@
-import { B as BigsoAuthOptions, a as BigsoAuthResult } from '../types-D5BaCbus.cjs';
+import { B as BigsoAuthOptions, a as BigsoAuthResult } from '../types-K3V5MV8v.cjs';
 
 declare class EventEmitter {
     private events;

package/dist/browser/index.d.ts

@@ -1,4 +1,4 @@
-import { B as BigsoAuthOptions, a as BigsoAuthResult } from '../types-D5BaCbus.js';
+import { B as BigsoAuthOptions, a as BigsoAuthResult } from '../types-K3V5MV8v.js';
 
 declare class EventEmitter {
     private events;

package/dist/browser/index.js

@@ -1,6 +1,6 @@
 import {
   verifySignedPayload
-} from "../chunk-5ECHA2VH.js";
+} from "../chunk-PB3GVAEJ.js";
 
 // src/utils/crypto.ts
 async function sha256Base64Url(input) {
@@ -66,6 +66,7 @@ var BigsoAuth = class extends EventEmitter {
     const nonce = generateRandomId();
     const verifier = generateVerifier();
     const requestId = this.requestId;
+    const codeChallenge = await sha256Base64Url(verifier);
     sessionStorage.setItem("sso_ctx", JSON.stringify({ state, nonce, verifier, requestId }));
     this.createUI();
     return new Promise((resolve, reject) => {
@@ -98,11 +99,10 @@ var BigsoAuth = class extends EventEmitter {
               this.closeUI();
               cleanup();
               this.emit("fallback");
-              window.location.href = this.buildFallbackUrl();
+              window.location.href = this.buildFallbackUrl(codeChallenge, state);
               reject(new Error("Timeout"));
             }
           }, this.options.timeout);
-          const codeChallenge = await sha256Base64Url(verifier);
           const initPayload = {
             state,
             nonce,
@@ -175,7 +175,7 @@ var BigsoAuth = class extends EventEmitter {
           cleanup();
           if (errorPayload.code === "version_mismatch") {
             this.emit("error", errorPayload);
-            window.location.href = this.buildFallbackUrl();
+            window.location.href = this.buildFallbackUrl(codeChallenge, state);
             reject(new Error(`Version mismatch: expected ${errorPayload.expected_version}`));
           } else {
             this.emit("error", errorPayload);
@@ -310,12 +310,13 @@ var BigsoAuth = class extends EventEmitter {
         `;
   }
   // ─── Helpers ──────────────────────────────────────────────────────
-  buildFallbackUrl() {
+  buildFallbackUrl(codeChallenge, state) {
     const url = new URL(this.options.ssoOrigin);
     url.searchParams.set("app_id", this.options.clientId);
     url.searchParams.set("redirect_uri", this.options.redirectUri || window.location.origin);
     url.searchParams.set("response_type", "code");
-    url.searchParams.set("state", generateRandomId());
+    url.searchParams.set("state", state);
+    url.searchParams.set("code_challenge", codeChallenge);
     url.searchParams.set("code_challenge_method", "S256");
     url.searchParams.set("client_id", this.options.clientId);
     return url.toString();

package/dist/chunk-PB3GVAEJ.js

@@ -0,0 +1,33 @@
+// src/utils/jws.ts
+import { jwtVerify, createRemoteJWKSet } from "jose";
+async function verifySignedPayload(token, jwksUrl, expectedAudience) {
+  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+  const { payload } = await jwtVerify(token, JWKS, {
+    audience: expectedAudience
+  });
+  return payload;
+}
+async function verifyAccessToken(accessToken, jwksUrl) {
+  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+  const { payload } = await jwtVerify(accessToken, JWKS);
+  if (!payload.sub || !payload.jti) {
+    throw new Error("Invalid token structure: missing sub or jti");
+  }
+  return {
+    sub: payload.sub,
+    jti: payload.jti,
+    iss: payload.iss,
+    aud: payload.aud || "",
+    exp: payload.exp,
+    iat: payload.iat,
+    tenants: payload.tenants || [],
+    systemRole: payload.systemRole || "user",
+    scope: payload.scope,
+    deviceFingerprint: payload.deviceFingerprint
+  };
+}
+
+export {
+  verifySignedPayload,
+  verifyAccessToken
+};

package/dist/express/index.cjs

@@ -122,7 +122,7 @@ function createSsoAuthRouter(options) {
   });
   router.post("/exchange-v2", async (req, res) => {
     try {
-      const { payload } = req.body;
+      const { payload, codeVerifier: codeVerifierFromBody } = req.body;
       if (!payload) {
         res.status(400).json({ error: "Signed payload is required" });
         return;
@@ -132,12 +132,12 @@ function createSsoAuthRouter(options) {
         res.status(400).json({ error: "No authorization code found in payload" });
         return;
       }
-      const codeVerifier = verified.code_verifier;
-      if (!codeVerifier) {
-        res.status(400).json({ error: "code_verifier is required for PKCE exchange" });
+      const verifier = codeVerifierFromBody || verified.code_verifier;
+      if (!verifier) {
+        res.status(400).json({ error: "codeVerifier is required for PKCE exchange" });
         return;
       }
-      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, codeVerifier);
+      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, verifier);
       if (options.onLoginSuccess) {
         await options.onLoginSuccess(ssoResponse);
       }

package/dist/express/index.d.cts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction, Router } from 'express';
 import { BigsoSsoClient } from '../node/index.cjs';
-import { S as SsoJwtTenant, b as SsoTokenPayload, V as V2ExchangeResponse } from '../types-D5BaCbus.cjs';
+import { S as SsoJwtTenant, b as SsoTokenPayload, V as V2ExchangeResponse } from '../types-K3V5MV8v.cjs';
 
 interface SsoAuthMiddlewareOptions {
     ssoClient: BigsoSsoClient;

package/dist/express/index.d.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction, Router } from 'express';
 import { BigsoSsoClient } from '../node/index.js';
-import { S as SsoJwtTenant, b as SsoTokenPayload, V as V2ExchangeResponse } from '../types-D5BaCbus.js';
+import { S as SsoJwtTenant, b as SsoTokenPayload, V as V2ExchangeResponse } from '../types-K3V5MV8v.js';
 
 interface SsoAuthMiddlewareOptions {
     ssoClient: BigsoSsoClient;

package/dist/express/index.js

@@ -93,7 +93,7 @@ function createSsoAuthRouter(options) {
   });
   router.post("/exchange-v2", async (req, res) => {
     try {
-      const { payload } = req.body;
+      const { payload, codeVerifier: codeVerifierFromBody } = req.body;
       if (!payload) {
         res.status(400).json({ error: "Signed payload is required" });
         return;
@@ -103,12 +103,12 @@ function createSsoAuthRouter(options) {
         res.status(400).json({ error: "No authorization code found in payload" });
         return;
       }
-      const codeVerifier = verified.code_verifier;
-      if (!codeVerifier) {
-        res.status(400).json({ error: "code_verifier is required for PKCE exchange" });
+      const verifier = codeVerifierFromBody || verified.code_verifier;
+      if (!verifier) {
+        res.status(400).json({ error: "codeVerifier is required for PKCE exchange" });
         return;
       }
-      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, codeVerifier);
+      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, verifier);
       if (options.onLoginSuccess) {
         await options.onLoginSuccess(ssoResponse);
       }

package/dist/node/index.cjs

@@ -48,6 +48,7 @@ async function verifyAccessToken(accessToken, jwksUrl) {
     iat: payload.iat,
     tenants: payload.tenants || [],
     systemRole: payload.systemRole || "user",
+    scope: payload.scope,
     deviceFingerprint: payload.deviceFingerprint
   };
 }

package/dist/node/index.d.cts

@@ -1,4 +1,4 @@
-import { b as SsoTokenPayload, c as V2LoginResponse, V as V2ExchangeResponse, d as V2RefreshResponse } from '../types-D5BaCbus.cjs';
+import { b as SsoTokenPayload, c as V2LoginResponse, V as V2ExchangeResponse, d as V2RefreshResponse } from '../types-K3V5MV8v.cjs';
 
 interface SsoClientOptions {
     ssoBackendUrl: string;

package/dist/node/index.d.ts

@@ -1,4 +1,4 @@
-import { b as SsoTokenPayload, c as V2LoginResponse, V as V2ExchangeResponse, d as V2RefreshResponse } from '../types-D5BaCbus.js';
+import { b as SsoTokenPayload, c as V2LoginResponse, V as V2ExchangeResponse, d as V2RefreshResponse } from '../types-K3V5MV8v.js';
 
 interface SsoClientOptions {
     ssoBackendUrl: string;

package/dist/node/index.js

@@ -1,7 +1,7 @@
 import {
   verifyAccessToken,
   verifySignedPayload
-} from "../chunk-5ECHA2VH.js";
+} from "../chunk-PB3GVAEJ.js";
 
 // src/node/SsoClient.ts
 var BigsoSsoClient = class {

package/dist/types-K3V5MV8v.d.cts

@@ -0,0 +1,81 @@
+interface BigsoAuthOptions {
+    clientId: string;
+    ssoOrigin: string;
+    jwksUrl: string;
+    timeout?: number;
+    debug?: boolean;
+    redirectUri?: string;
+    tenantHint?: string;
+    theme?: 'light' | 'dark';
+}
+interface SsoUser {
+    userId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+interface SsoTenant {
+    tenantId: string;
+    name: string;
+    slug: string;
+    role: string;
+}
+interface SsoJwtTenant {
+    id: string;
+    name: string;
+    slug: string;
+    role: string;
+    apps: string[];
+}
+interface SsoTokenPayload {
+    sub: string;
+    jti: string;
+    iss: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    tenants: SsoJwtTenant[];
+    systemRole: string;
+    scope?: string[];
+    deviceFingerprint?: string;
+}
+interface V2LoginResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+}
+interface V2ExchangeResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+    tenant: SsoTenant;
+}
+interface V2RefreshResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+}
+interface BigsoAuthResult {
+    code: string;
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    signed_payload: string;
+    tenant?: SsoTenant;
+    jti?: string;
+    iss?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+}
+
+export type { BigsoAuthOptions as B, SsoJwtTenant as S, V2ExchangeResponse as V, BigsoAuthResult as a, SsoTokenPayload as b, V2LoginResponse as c, V2RefreshResponse as d };

package/dist/types-K3V5MV8v.d.ts

@@ -0,0 +1,81 @@
+interface BigsoAuthOptions {
+    clientId: string;
+    ssoOrigin: string;
+    jwksUrl: string;
+    timeout?: number;
+    debug?: boolean;
+    redirectUri?: string;
+    tenantHint?: string;
+    theme?: 'light' | 'dark';
+}
+interface SsoUser {
+    userId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+interface SsoTenant {
+    tenantId: string;
+    name: string;
+    slug: string;
+    role: string;
+}
+interface SsoJwtTenant {
+    id: string;
+    name: string;
+    slug: string;
+    role: string;
+    apps: string[];
+}
+interface SsoTokenPayload {
+    sub: string;
+    jti: string;
+    iss: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    tenants: SsoJwtTenant[];
+    systemRole: string;
+    scope?: string[];
+    deviceFingerprint?: string;
+}
+interface V2LoginResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+}
+interface V2ExchangeResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+    tenant: SsoTenant;
+}
+interface V2RefreshResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+}
+interface BigsoAuthResult {
+    code: string;
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    signed_payload: string;
+    tenant?: SsoTenant;
+    jti?: string;
+    iss?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+}
+
+export type { BigsoAuthOptions as B, SsoJwtTenant as S, V2ExchangeResponse as V, BigsoAuthResult as a, SsoTokenPayload as b, V2LoginResponse as c, V2RefreshResponse as d };

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@bigso/auth-sdk",
-    "version": "0.5.2",
+    "version": "0.5.4",
     "description": "SDK de autenticación para SSO v2 - JWT Bearer + PKCE",
     "publishConfig": {
         "registry": "https://registry.npmjs.org/",
@@ -38,6 +38,7 @@
     "scripts": {
         "build": "tsup src/browser/index.ts src/node/index.ts src/express/index.ts --format esm,cjs --dts --out-dir dist",
         "dev": "tsup src/browser/index.ts src/node/index.ts src/express/index.ts --watch --out-dir dist",
+        "prepublishOnly": "npm run build",
         "lint": "eslint .",
         "test": "vitest",
         "release": "git tag v$npm_package_version && git push origin v$npm_package_version"