@blimu/backend 1.2.0 → 1.2.2

package/dist/index.cjs

@@ -29,14 +29,15 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
-var src_exports = {};
-__export(src_exports, {
+var index_exports = {};
+__export(index_exports, {
+  AuthJwksService: () => AuthJwksService,
   Blimu: () => Blimu,
   BlimuError: () => BlimuError,
   BulkResourcesService: () => BulkResourcesService,
   BulkRolesService: () => BulkRolesService,
   EntitlementsService: () => EntitlementsService,
-  FetchError: () => import_fetch10.FetchError,
+  FetchError: () => import_fetch.FetchError,
   PlansService: () => PlansService,
   ResourceMembersService: () => ResourceMembersService,
   ResourcesService: () => ResourcesService,
@@ -49,15 +50,16 @@ __export(src_exports, {
   isNotUndefined: () => isNotUndefined,
   listAll: () => listAll,
   paginate: () => paginate,
-  parseNDJSONStream: () => import_fetch12.parseNDJSONStream,
-  parseSSEStream: () => import_fetch12.parseSSEStream,
+  parseNDJSONStream: () => import_fetch3.parseNDJSONStream,
+  parseSSEStream: () => import_fetch3.parseSSEStream,
+  verifyOAuthToken: () => verifyOAuthToken,
   verifyToken: () => verifyToken
 });
-module.exports = __toCommonJS(src_exports);
+module.exports = __toCommonJS(index_exports);
 
 // src/client.ts
-var import_fetch10 = require("@blimu/fetch");
-var import_fetch11 = require("@blimu/fetch");
+var import_fetch = require("@blimu/fetch");
+var import_fetch2 = require("@blimu/fetch");
 
 // src/auth-strategies.ts
 function buildAuthStrategies(cfg) {
@@ -73,11 +75,46 @@ function buildAuthStrategies(cfg) {
   return authStrategies;
 }
 
-// src/services/bulk_resources.ts
-var import_fetch = require("@blimu/fetch");
-
-// src/schema.ts
-var schema_exports = {};
+// src/services/auth_jwks.ts
+var AuthJwksService = class {
+  constructor(core) {
+    this.core = core;
+  }
+  /**
+   * GET /v1/auth/.well-known/jwks.json*
+   * @summary Get JSON Web Key Set for environment (Public)*
+   * @description Returns the public keys used to verify JWT tokens issued by this environment. Authenticate using either x-api-key header (secretKey) or x-blimu-publishable-key header (publishableKey).*/
+  getJwks(init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/.well-known/jwks.json`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/auth/.well-known/public-key.pem*
+   * @summary Get environment public key (PEM)*
+   * @description Returns the public key in PEM format for verifying JWT tokens. Authenticate with x-api-key or x-blimu-publishable-key.*/
+  getPublicKeyPem(init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/.well-known/public-key.pem`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/auth/oauth/.well-known/jwks.json*
+   * @summary Get JSON Web Key Set for OAuth app (Public)*
+   * @description Returns the public key for a specific OAuth app to verify JWT tokens. This is a public endpoint following OAuth2/OIDC standards. Provide client_id to get keys for a specific OAuth app, or use authenticated endpoint for environment keys.*/
+  getOAuthAppJwks(query, init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/oauth/.well-known/jwks.json`,
+      query,
+      ...init ?? {}
+    });
+  }
+};
 
 // src/services/bulk_resources.ts
 var BulkResourcesService = class {
@@ -99,7 +136,6 @@ var BulkResourcesService = class {
 };
 
 // src/services/bulk_roles.ts
-var import_fetch2 = require("@blimu/fetch");
 var BulkRolesService = class {
   constructor(core) {
     this.core = core;
@@ -119,7 +155,6 @@ var BulkRolesService = class {
 };
 
 // src/services/entitlements.ts
-var import_fetch3 = require("@blimu/fetch");
 var EntitlementsService = class {
   constructor(core) {
     this.core = core;
@@ -162,8 +197,121 @@ var EntitlementsService = class {
   }
 };
 
+// src/services/oauth.ts
+var OauthService = class {
+  constructor(core) {
+    this.core = core;
+  }
+  /**
+   * GET /v1/oauth/authorize*
+   * @summary Check consent requirement*
+   * @description Checks if user consent is required for the OAuth2 app and requested scopes.*/
+  checkConsentRequired(query, init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/oauth/authorize`,
+      query,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/authorize*
+   * @summary Authorize OAuth2 application*
+   * @description Handles user consent approval/denial. Validates auto_approved flag against consent requirements.*/
+  authorize(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/authorize`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/device/authorize*
+   * @summary Authorize or deny device code*
+   * @description Allows an authenticated user to authorize or deny a device code request. Requires valid user session.*/
+  authorizeDeviceCode(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/device/authorize`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/device/code*
+   * @summary Request device authorization codes*
+   * @description Initiates device authorization flow. Returns device_code (for polling) and user_code (for user entry).*/
+  requestDeviceCode(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/device/code`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/oauth/device/code/{user_code}*
+   * @summary Get device code information*
+   * @description Returns device code information including app name, scopes, and consent requirement status.*/
+  getDeviceCodeInfo(user_code, init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/oauth/device/code/${encodeURIComponent(user_code)}`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/device/token*
+   * @summary Poll for device authorization tokens*
+   * @description Client polls this endpoint to exchange device_code for tokens once user has authorized.*/
+  exchangeDeviceCode(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/device/token`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/introspect*
+   * @summary Introspect token*
+   * @description Validates a token and returns metadata. Requires client authentication.*/
+  introspect(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/introspect`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/revoke*
+   * @summary Revoke token*
+   * @description Revokes an access or refresh token. Requires client authentication.*/
+  revoke(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/revoke`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/token*
+   * @summary Token endpoint*
+   * @description Issues access and refresh tokens. Supports authorization_code and refresh_token (always available per OAuth2 spec).*/
+  token(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/token`,
+      body,
+      ...init ?? {}
+    });
+  }
+};
+
 // src/services/plans.ts
-var import_fetch4 = require("@blimu/fetch");
 var PlansService = class {
   constructor(core) {
     this.core = core;
@@ -205,7 +353,6 @@ var PlansService = class {
 };
 
 // src/services/resource_members.ts
-var import_fetch5 = require("@blimu/fetch");
 var ResourceMembersService = class {
   constructor(core) {
     this.core = core;
@@ -225,7 +372,6 @@ var ResourceMembersService = class {
 };
 
 // src/services/resources.ts
-var import_fetch6 = require("@blimu/fetch");
 var ResourcesService = class {
   constructor(core) {
     this.core = core;
@@ -291,7 +437,6 @@ var ResourcesService = class {
 };
 
 // src/services/roles.ts
-var import_fetch7 = require("@blimu/fetch");
 var RolesService = class {
   constructor(core) {
     this.core = core;
@@ -334,7 +479,6 @@ var RolesService = class {
 };
 
 // src/services/usage.ts
-var import_fetch8 = require("@blimu/fetch");
 var UsageService = class {
   constructor(core) {
     this.core = core;
@@ -402,7 +546,6 @@ var UsageService = class {
 };
 
 // src/services/users.ts
-var import_fetch9 = require("@blimu/fetch");
 var UsersService = class {
   constructor(core) {
     this.core = core;
@@ -480,9 +623,11 @@ var UsersService = class {
 
 // src/client.ts
 var Blimu = class {
+  authJwks;
   bulkResources;
   bulkRoles;
   entitlements;
+  oauth;
   plans;
   resourceMembers;
   resources;
@@ -493,14 +638,16 @@ var Blimu = class {
     const restCfg = { ...options ?? {} };
     delete restCfg.apiKey;
     const authStrategies = buildAuthStrategies(options ?? {});
-    const core = new import_fetch10.FetchClient({
+    const core = new import_fetch.FetchClient({
       ...restCfg,
       baseURL: options?.baseURL ?? "https://api.blimu.dev",
       ...authStrategies.length > 0 ? { authStrategies } : {}
     });
+    this.authJwks = new AuthJwksService(core);
     this.bulkResources = new BulkResourcesService(core);
     this.bulkRoles = new BulkRolesService(core);
     this.entitlements = new EntitlementsService(core);
+    this.oauth = new OauthService(core);
     this.plans = new PlansService(core);
     this.resourceMembers = new ResourceMembersService(core);
     this.resources = new ResourcesService(core);
@@ -509,13 +656,13 @@ var Blimu = class {
     this.users = new UsersService(core);
   }
 };
-var BlimuError = import_fetch10.FetchError;
+var BlimuError = import_fetch.FetchError;
 
 // src/index.ts
-__reExport(src_exports, require("@blimu/fetch"), module.exports);
+__reExport(index_exports, require("@blimu/fetch"), module.exports);
 
 // src/utils.ts
-var import_fetch12 = require("@blimu/fetch");
+var import_fetch3 = require("@blimu/fetch");
 async function* paginate(fetchPage, initialQuery = {}, pageSize = 100) {
   let offset = Number(initialQuery.offset ?? 0);
   const limit = Number(initialQuery.limit ?? pageSize);
@@ -541,19 +688,37 @@ function isNotUndefined(arr) {
   );
 }
 
+// src/schema.ts
+var schema_exports = {};
+
 // src/schema.zod.ts
 var schema_zod_exports = {};
 __export(schema_zod_exports, {
+  AuthJwksGetOAuthAppJwksQuerySchema: () => AuthJwksGetOAuthAppJwksQuerySchema,
+  AuthorizeRequestSchema: () => AuthorizeRequestSchema,
   BalanceResponseSchema: () => BalanceResponseSchema,
   CheckLimitResponseSchema: () => CheckLimitResponseSchema,
+  ConsentCheckResponseSchema: () => ConsentCheckResponseSchema,
+  DeviceAuthorizeRequestSchema: () => DeviceAuthorizeRequestSchema,
+  DeviceAuthorizeResponseSchema: () => DeviceAuthorizeResponseSchema,
+  DeviceCodeInfoResponseSchema: () => DeviceCodeInfoResponseSchema,
+  DeviceCodeRequestSchema: () => DeviceCodeRequestSchema,
+  DeviceCodeResponseSchema: () => DeviceCodeResponseSchema,
+  DeviceTokenRequestSchema: () => DeviceTokenRequestSchema,
   EntitlementCheckBodySchema: () => EntitlementCheckBodySchema,
   EntitlementCheckResultSchema: () => EntitlementCheckResultSchema,
+  EntitlementTypeSchema: () => EntitlementTypeSchema,
   EntitlementsListForResourceQuerySchema: () => EntitlementsListForResourceQuerySchema,
   EntitlementsListForTenantQuerySchema: () => EntitlementsListForTenantQuerySchema,
   EntitlementsListResultSchema: () => EntitlementsListResultSchema,
+  IntrospectionRequestSchema: () => IntrospectionRequestSchema,
+  IntrospectionResponseSchema: () => IntrospectionResponseSchema,
+  JWKSchema: () => JWKSchema,
+  OauthCheckConsentRequiredQuerySchema: () => OauthCheckConsentRequiredQuerySchema,
   PlanAssignBodySchema: () => PlanAssignBodySchema,
   PlanDeleteResponseSchema: () => PlanDeleteResponseSchema,
   PlanResponseSchema: () => PlanResponseSchema,
+  PlanTypeSchema: () => PlanTypeSchema,
   ResourceBulkCreateBodySchema: () => ResourceBulkCreateBodySchema,
   ResourceBulkResultSchema: () => ResourceBulkResultSchema,
   ResourceCreateBodySchema: () => ResourceCreateBodySchema,
@@ -561,20 +726,25 @@ __export(schema_zod_exports, {
   ResourceMemberListSchema: () => ResourceMemberListSchema,
   ResourceMembersListQuerySchema: () => ResourceMembersListQuerySchema,
   ResourceSchema: () => ResourceSchema,
+  ResourceTypeSchema: () => ResourceTypeSchema,
   ResourceUpdateBodySchema: () => ResourceUpdateBodySchema,
   ResourcesListQuerySchema: () => ResourcesListQuerySchema,
+  RevocationRequestSchema: () => RevocationRequestSchema,
   RoleBulkCreateBodySchema: () => RoleBulkCreateBodySchema,
   RoleBulkResultSchema: () => RoleBulkResultSchema,
   RoleCreateBodySchema: () => RoleCreateBodySchema,
   RoleListSchema: () => RoleListSchema,
   RoleSchema: () => RoleSchema,
   RolesListQuerySchema: () => RolesListQuerySchema,
+  TokenRequestSchema: () => TokenRequestSchema,
+  TokenResponseSchema: () => TokenResponseSchema,
   TransactionHistoryResponseSchema: () => TransactionHistoryResponseSchema,
   UsageCheckBodySchema: () => UsageCheckBodySchema,
   UsageConsumeBodySchema: () => UsageConsumeBodySchema,
   UsageCreditBodySchema: () => UsageCreditBodySchema,
   UsageGetBalanceQuerySchema: () => UsageGetBalanceQuerySchema,
   UsageGetTransactionHistoryQuerySchema: () => UsageGetTransactionHistoryQuerySchema,
+  UsageLimitTypeSchema: () => UsageLimitTypeSchema,
   UsageWalletResponseSchema: () => UsageWalletResponseSchema,
   UserCreateBodySchema: () => UserCreateBodySchema,
   UserListSchema: () => UserListSchema,
@@ -584,6 +754,32 @@ __export(schema_zod_exports, {
   UsersListQuerySchema: () => UsersListQuerySchema
 });
 var import_zod = require("zod");
+var EntitlementTypeSchema = import_zod.z.string();
+var PlanTypeSchema = import_zod.z.string();
+var ResourceTypeSchema = import_zod.z.string();
+var UsageLimitTypeSchema = import_zod.z.string();
+var AuthorizeRequestSchema = import_zod.z.object({
+  /** Action to take: allow or deny */
+  action: import_zod.z.enum(["allow", "deny"]),
+  /** True if consent was auto-approved (not required or previously granted) */
+  auto_approved: import_zod.z.boolean().optional(),
+  /** OAuth2 client ID */
+  client_id: import_zod.z.string(),
+  /** PKCE code challenge */
+  code_challenge: import_zod.z.string().optional(),
+  /** PKCE code challenge method */
+  code_challenge_method: import_zod.z.string().optional(),
+  /** Redirect URI */
+  redirect_uri: import_zod.z.string(),
+  /** Response type (typically "code") */
+  response_type: import_zod.z.string(),
+  /** Space-separated list of scopes */
+  scope: import_zod.z.string().optional(),
+  /** State parameter for CSRF protection */
+  state: import_zod.z.string().optional(),
+  /** True if user explicitly clicked Allow, false if auto-approved */
+  user_action: import_zod.z.boolean().optional()
+});
 var BalanceResponseSchema = import_zod.z.object({ balance: import_zod.z.number() });
 var CheckLimitResponseSchema = import_zod.z.object({
   allowed: import_zod.z.boolean(),
@@ -591,9 +787,216 @@ var CheckLimitResponseSchema = import_zod.z.object({
   remaining: import_zod.z.number().optional(),
   requested: import_zod.z.number()
 });
+var ConsentCheckResponseSchema = import_zod.z.object({
+  /** Whether user consent is required */
+  consent_required: import_zod.z.boolean(),
+  /** Whether consent was previously granted for this app and scopes */
+  previously_granted: import_zod.z.boolean()
+});
+var DeviceAuthorizeRequestSchema = import_zod.z.object({
+  /** Action to take: allow or deny */
+  action: import_zod.z.enum(["allow", "deny"]),
+  /** True if consent was auto-approved (not required or previously granted) */
+  auto_approved: import_zod.z.boolean().optional(),
+  /** True if user explicitly clicked Allow, false if auto-approved */
+  user_action: import_zod.z.boolean().optional(),
+  /** The user code displayed to the user */
+  user_code: import_zod.z.string()
+});
+var DeviceAuthorizeResponseSchema = import_zod.z.object({
+  /** Whether the authorization was successful */
+  success: import_zod.z.boolean()
+});
+var DeviceCodeInfoResponseSchema = import_zod.z.object({
+  /** The name of the OAuth2 application */
+  appName: import_zod.z.string(),
+  /** Whether the user has already granted consent for this app and scopes */
+  previouslyGranted: import_zod.z.boolean(),
+  /** Whether the app requires user consent */
+  requireConsent: import_zod.z.boolean(),
+  /** The scopes requested by the device code */
+  scopes: import_zod.z.string().array()
+});
+var DeviceCodeRequestSchema = import_zod.z.object({
+  /** OAuth2 client ID */
+  client_id: import_zod.z.string(),
+  /** PKCE code challenge (base64url encoded SHA256 hash) */
+  code_challenge: import_zod.z.string().optional(),
+  /** PKCE code challenge method */
+  code_challenge_method: import_zod.z.enum(["S256", "plain"]).optional(),
+  /** Space-separated list of scopes */
+  scope: import_zod.z.string().optional()
+});
+var DeviceCodeResponseSchema = import_zod.z.object({
+  /** Device verification code (for polling) */
+  device_code: import_zod.z.string(),
+  /** Device code expiration time in seconds */
+  expires_in: import_zod.z.number(),
+  /** Minimum polling interval in seconds */
+  interval: import_zod.z.number(),
+  /** User verification code (short, human-readable) */
+  user_code: import_zod.z.string(),
+  /** Verification URI for user */
+  verification_uri: import_zod.z.string(),
+  /** Complete verification URI with user code */
+  verification_uri_complete: import_zod.z.string()
+});
+var DeviceTokenRequestSchema = import_zod.z.object({
+  /** OAuth2 client ID */
+  client_id: import_zod.z.string(),
+  /** PKCE code verifier (if challenge was provided) */
+  code_verifier: import_zod.z.string().optional(),
+  /** Device code from authorization response */
+  device_code: import_zod.z.string(),
+  /** Grant type (must be device_code) */
+  grant_type: import_zod.z.enum([
+    "urn:ietf:params:oauth:grant-type:device_code"
+  ])
+});
+var IntrospectionRequestSchema = import_zod.z.object({
+  /** The token to introspect */
+  token: import_zod.z.string(),
+  /** Hint about token type */
+  token_type_hint: import_zod.z.enum(["access_token", "refresh_token"]).optional()
+});
+var IntrospectionResponseSchema = import_zod.z.object({
+  /** Whether the token is active */
+  active: import_zod.z.boolean(),
+  /** Client ID */
+  client_id: import_zod.z.string().optional(),
+  /** Environment ID */
+  environment_id: import_zod.z.string().optional(),
+  /** Token expiration timestamp */
+  exp: import_zod.z.number().optional(),
+  /** Token issued at timestamp */
+  iat: import_zod.z.number().optional(),
+  /** Space-separated list of scopes */
+  scope: import_zod.z.string().optional(),
+  /** Subject (user ID) */
+  sub: import_zod.z.string().optional(),
+  /** Token type */
+  token_type: import_zod.z.string().optional(),
+  /** Username or user ID */
+  username: import_zod.z.string().optional()
+});
+var JWKSchema = import_zod.z.object({
+  keys: import_zod.z.object({
+    alg: import_zod.z.string(),
+    e: import_zod.z.string(),
+    kid: import_zod.z.string(),
+    kty: import_zod.z.string(),
+    n: import_zod.z.string(),
+    use: import_zod.z.string()
+  }).array()
+});
+var PlanDeleteResponseSchema = import_zod.z.object({ success: import_zod.z.boolean() });
+var ResourceMemberListSchema = import_zod.z.object({
+  items: import_zod.z.object({
+    inherited: import_zod.z.boolean(),
+    role: import_zod.z.string(),
+    user: import_zod.z.object({
+      avatarUrl: import_zod.z.string().nullable(),
+      createdAt: import_zod.z.iso.datetime(),
+      email: import_zod.z.email(),
+      emailVerified: import_zod.z.boolean(),
+      firstName: import_zod.z.string().nullable(),
+      id: import_zod.z.string(),
+      lastLoginAt: import_zod.z.iso.datetime().nullable(),
+      lastName: import_zod.z.string().nullable(),
+      lookupKey: import_zod.z.string().nullable(),
+      updatedAt: import_zod.z.iso.datetime()
+    }),
+    userId: import_zod.z.string()
+  }).array(),
+  limit: import_zod.z.number(),
+  page: import_zod.z.number(),
+  total: import_zod.z.number()
+});
+var RevocationRequestSchema = import_zod.z.object({
+  /** The token to revoke */
+  token: import_zod.z.string(),
+  /** Hint about token type */
+  token_type_hint: import_zod.z.enum(["access_token", "refresh_token"]).optional()
+});
+var TokenRequestSchema = import_zod.z.object({
+  /** OAuth2 client ID */
+  client_id: import_zod.z.string(),
+  /** OAuth2 client secret (required for confidential clients) */
+  client_secret: import_zod.z.string().optional(),
+  /** Authorization code (required for authorization_code grant) */
+  code: import_zod.z.string().optional(),
+  /** PKCE code verifier (if challenge was provided) */
+  code_verifier: import_zod.z.string().optional(),
+  /** OAuth2 grant type */
+  grant_type: import_zod.z.enum(["authorization_code", "refresh_token"]),
+  /** Redirect URI (required for authorization_code grant) */
+  redirect_uri: import_zod.z.string().optional(),
+  /** Refresh token (required for refresh_token grant) */
+  refresh_token: import_zod.z.string().optional(),
+  /** Space-separated list of scopes (optional for refresh) */
+  scope: import_zod.z.string().optional()
+});
+var TokenResponseSchema = import_zod.z.object({
+  /** Access token (JWT) */
+  access_token: import_zod.z.string(),
+  /** Access token expiration time in seconds */
+  expires_in: import_zod.z.number(),
+  /** Refresh token (for obtaining new access tokens) */
+  refresh_token: import_zod.z.string(),
+  /** Space-separated list of granted scopes */
+  scope: import_zod.z.string().optional(),
+  /** Token type */
+  token_type: import_zod.z.string()
+});
+var UserSchema = import_zod.z.object({
+  avatarUrl: import_zod.z.string().nullable(),
+  createdAt: import_zod.z.iso.datetime(),
+  email: import_zod.z.email(),
+  emailVerified: import_zod.z.boolean(),
+  firstName: import_zod.z.string().nullable(),
+  id: import_zod.z.string(),
+  lastLoginAt: import_zod.z.iso.datetime().nullable(),
+  lastName: import_zod.z.string().nullable(),
+  lookupKey: import_zod.z.string().nullable(),
+  updatedAt: import_zod.z.iso.datetime()
+});
+var UserCreateBodySchema = import_zod.z.object({
+  avatarUrl: import_zod.z.url().optional(),
+  email: import_zod.z.email(),
+  firstName: import_zod.z.string().nullable().optional(),
+  lastName: import_zod.z.string().nullable().optional(),
+  lookupKey: import_zod.z.string(),
+  newUser: import_zod.z.boolean().nullable().optional(),
+  password: import_zod.z.string().nullable().optional()
+});
+var UserListSchema = import_zod.z.object({
+  items: import_zod.z.object({
+    avatarUrl: import_zod.z.string().nullable(),
+    createdAt: import_zod.z.iso.datetime(),
+    email: import_zod.z.email(),
+    emailVerified: import_zod.z.boolean(),
+    firstName: import_zod.z.string().nullable(),
+    id: import_zod.z.string(),
+    lastLoginAt: import_zod.z.iso.datetime().nullable(),
+    lastName: import_zod.z.string().nullable(),
+    lookupKey: import_zod.z.string().nullable(),
+    updatedAt: import_zod.z.iso.datetime()
+  }).array(),
+  limit: import_zod.z.number(),
+  page: import_zod.z.number(),
+  total: import_zod.z.number()
+});
+var UserUpdateBodySchema = import_zod.z.object({
+  avatarUrl: import_zod.z.url().nullable().optional(),
+  email: import_zod.z.email().optional(),
+  firstName: import_zod.z.string().nullable().optional(),
+  lastName: import_zod.z.string().nullable().optional(),
+  lookupKey: import_zod.z.string().optional(),
+  password: import_zod.z.string().optional()
+});
 var EntitlementCheckBodySchema = import_zod.z.object({
   amount: import_zod.z.number().int().optional(),
-  entitlement: import_zod.z.string(),
+  entitlement: EntitlementTypeSchema,
   resourceId: import_zod.z.string(),
   userId: import_zod.z.string()
 });
@@ -603,15 +1006,15 @@ var EntitlementCheckResultSchema = import_zod.z.object({
     allowed: import_zod.z.boolean(),
     current: import_zod.z.number().optional(),
     limit: import_zod.z.number().optional(),
-    plan: import_zod.z.string().nullable().optional(),
+    plan: PlanTypeSchema.optional(),
     reason: import_zod.z.string().optional(),
     remaining: import_zod.z.number().optional(),
     scope: import_zod.z.string().optional()
   }).nullable().optional(),
   plans: import_zod.z.object({
     allowed: import_zod.z.boolean(),
-    allowedPlans: import_zod.z.string().array().optional(),
-    plan: import_zod.z.string().nullable().optional(),
+    allowedPlans: PlanTypeSchema.array().optional(),
+    plan: PlanTypeSchema.optional(),
     reason: import_zod.z.string().optional()
   }).nullable().optional(),
   roles: import_zod.z.object({
@@ -621,30 +1024,29 @@ var EntitlementCheckResultSchema = import_zod.z.object({
     userRoles: import_zod.z.string().array().optional()
   }).nullable().optional()
 });
+var PlanAssignBodySchema = import_zod.z.object({ planKey: PlanTypeSchema });
 var EntitlementsListResultSchema = import_zod.z.object({
   results: import_zod.z.object({
     entitlements: import_zod.z.object({
       allowed: import_zod.z.boolean(),
       allowedByPlan: import_zod.z.boolean(),
       allowedByRole: import_zod.z.boolean(),
-      allowedPlans: import_zod.z.string().array().optional(),
+      allowedPlans: PlanTypeSchema.array().optional(),
       allowedRoles: import_zod.z.string().array(),
-      currentPlan: import_zod.z.string().optional(),
+      currentPlan: PlanTypeSchema.optional(),
       currentRole: import_zod.z.string().optional(),
-      entitlement: import_zod.z.string()
+      entitlement: EntitlementTypeSchema
     }).array(),
     resourceId: import_zod.z.string(),
-    resourceType: import_zod.z.string()
+    resourceType: ResourceTypeSchema
   }).array()
 });
-var PlanAssignBodySchema = import_zod.z.object({ planKey: import_zod.z.string() });
-var PlanDeleteResponseSchema = import_zod.z.object({ success: import_zod.z.boolean() });
 var PlanResponseSchema = import_zod.z.object({
   createdAt: import_zod.z.iso.datetime(),
   environmentId: import_zod.z.string(),
-  planKey: import_zod.z.string(),
+  planKey: PlanTypeSchema,
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   updatedAt: import_zod.z.iso.datetime()
 });
 var ResourceSchema = import_zod.z.object({
@@ -653,9 +1055,9 @@ var ResourceSchema = import_zod.z.object({
   name: import_zod.z.string().nullable(),
   parents: import_zod.z.object({
     id: import_zod.z.string(),
-    type: import_zod.z.string()
+    type: ResourceTypeSchema
   }).array().optional(),
-  type: import_zod.z.string()
+  type: ResourceTypeSchema
 });
 var ResourceBulkCreateBodySchema = import_zod.z.object({
   resources: import_zod.z.object({
@@ -663,7 +1065,7 @@ var ResourceBulkCreateBodySchema = import_zod.z.object({
     name: import_zod.z.string().optional(),
     parents: import_zod.z.object({
       id: import_zod.z.string(),
-      type: import_zod.z.string()
+      type: ResourceTypeSchema
     }).array().optional(),
     roles: import_zod.z.object({
       role: import_zod.z.string(),
@@ -675,7 +1077,7 @@ var ResourceBulkResultSchema = import_zod.z.object({
   created: import_zod.z.object({
     environmentId: import_zod.z.string(),
     id: import_zod.z.string(),
-    type: import_zod.z.string()
+    type: ResourceTypeSchema
   }).array(),
   errors: import_zod.z.object({
     error: import_zod.z.string(),
@@ -685,7 +1087,7 @@ var ResourceBulkResultSchema = import_zod.z.object({
       name: import_zod.z.string().optional(),
       parents: import_zod.z.object({
         id: import_zod.z.string(),
-        type: import_zod.z.string()
+        type: ResourceTypeSchema
       }).array().optional(),
       roles: import_zod.z.object({
         role: import_zod.z.string(),
@@ -705,55 +1107,33 @@ var ResourceCreateBodySchema = import_zod.z.object({
   name: import_zod.z.string().optional(),
   parents: import_zod.z.object({
     id: import_zod.z.string(),
-    type: import_zod.z.string()
+    type: ResourceTypeSchema
   }).array().optional(),
   roles: import_zod.z.object({
     role: import_zod.z.string(),
     userId: import_zod.z.string()
   }).array().optional()
 });
-var ResourceMemberListSchema = import_zod.z.object({
-  items: import_zod.z.object({
-    inherited: import_zod.z.boolean(),
-    role: import_zod.z.string(),
-    user: import_zod.z.object({
-      avatarUrl: import_zod.z.string().nullable(),
-      createdAt: import_zod.z.iso.datetime(),
-      email: import_zod.z.email(),
-      emailVerified: import_zod.z.boolean(),
-      firstName: import_zod.z.string().nullable(),
-      id: import_zod.z.string(),
-      lastLoginAt: import_zod.z.iso.datetime().nullable(),
-      lastName: import_zod.z.string().nullable(),
-      lookupKey: import_zod.z.string().nullable(),
-      updatedAt: import_zod.z.iso.datetime()
-    }),
-    userId: import_zod.z.string()
-  }).array(),
-  limit: import_zod.z.number(),
-  page: import_zod.z.number(),
-  total: import_zod.z.number()
-});
 var ResourceUpdateBodySchema = import_zod.z.object({
   name: import_zod.z.string().optional(),
   /** Creates relationships with other resources. Parent resources must already exist. */
   parents: import_zod.z.object({
     id: import_zod.z.string(),
-    type: import_zod.z.string()
+    type: ResourceTypeSchema
   }).array().optional()
 });
 var RoleSchema = import_zod.z.object({
   createdAt: import_zod.z.string(),
   environmentId: import_zod.z.string(),
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   role: import_zod.z.string(),
   userId: import_zod.z.string()
 });
 var RoleBulkCreateBodySchema = import_zod.z.object({
   roles: import_zod.z.object({
     resourceId: import_zod.z.string(),
-    resourceType: import_zod.z.string(),
+    resourceType: ResourceTypeSchema,
     role: import_zod.z.string(),
     userId: import_zod.z.string()
   }).array()
@@ -763,7 +1143,7 @@ var RoleBulkResultSchema = import_zod.z.object({
     createdAt: import_zod.z.string(),
     environmentId: import_zod.z.string(),
     resourceId: import_zod.z.string(),
-    resourceType: import_zod.z.string(),
+    resourceType: ResourceTypeSchema,
     role: import_zod.z.string(),
     userId: import_zod.z.string()
   }).array(),
@@ -772,7 +1152,7 @@ var RoleBulkResultSchema = import_zod.z.object({
     index: import_zod.z.number(),
     role: import_zod.z.object({
       resourceId: import_zod.z.string(),
-      resourceType: import_zod.z.string(),
+      resourceType: ResourceTypeSchema,
       role: import_zod.z.string(),
       userId: import_zod.z.string()
     })
@@ -786,7 +1166,7 @@ var RoleBulkResultSchema = import_zod.z.object({
 });
 var RoleCreateBodySchema = import_zod.z.object({
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   role: import_zod.z.string()
 });
 var RoleListSchema = import_zod.z.object({
@@ -796,43 +1176,58 @@ var RoleListSchema = import_zod.z.object({
     createdAt: import_zod.z.string(),
     environmentId: import_zod.z.string(),
     resourceId: import_zod.z.string(),
-    resourceType: import_zod.z.string(),
+    resourceType: ResourceTypeSchema,
     role: import_zod.z.string(),
     userId: import_zod.z.string()
   }).array(),
   total: import_zod.z.number()
 });
+var UserResourceListSchema = import_zod.z.array(
+  import_zod.z.object({
+    inherited: import_zod.z.boolean(),
+    resource: import_zod.z.object({
+      id: import_zod.z.string(),
+      name: import_zod.z.string(),
+      parents: import_zod.z.object({
+        id: import_zod.z.string(),
+        type: ResourceTypeSchema
+      }).array(),
+      type: ResourceTypeSchema
+    }).catchall(import_zod.z.unknown()),
+    role: import_zod.z.string()
+  })
+);
 var TransactionHistoryResponseSchema = import_zod.z.object({
   items: import_zod.z.object({
     amount: import_zod.z.number().int(),
     createdAt: import_zod.z.iso.datetime(),
     environmentId: import_zod.z.string(),
     id: import_zod.z.string(),
-    limitType: import_zod.z.string(),
+    limitType: UsageLimitTypeSchema,
     resourceId: import_zod.z.string(),
-    resourceType: import_zod.z.string(),
+    resourceType: ResourceTypeSchema,
     tags: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).nullable()
   }).array()
 });
 var UsageCheckBodySchema = import_zod.z.object({
   amount: import_zod.z.number().int(),
-  limitType: import_zod.z.string(),
+  limitType: UsageLimitTypeSchema,
   period: import_zod.z.enum(["monthly", "yearly", "lifetime"]),
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string()
+  resourceType: ResourceTypeSchema
 });
 var UsageConsumeBodySchema = import_zod.z.object({
   amount: import_zod.z.number().int(),
-  limitType: import_zod.z.string(),
+  limitType: UsageLimitTypeSchema,
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   tags: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).optional()
 });
 var UsageCreditBodySchema = import_zod.z.object({
   amount: import_zod.z.number().int(),
-  limitType: import_zod.z.string(),
+  limitType: UsageLimitTypeSchema,
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   tags: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).optional()
 });
 var UsageWalletResponseSchema = import_zod.z.object({
@@ -840,78 +1235,21 @@ var UsageWalletResponseSchema = import_zod.z.object({
   createdAt: import_zod.z.iso.datetime(),
   environmentId: import_zod.z.string(),
   id: import_zod.z.string(),
-  limitType: import_zod.z.string(),
+  limitType: UsageLimitTypeSchema,
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   tags: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).nullable()
 });
-var UserSchema = import_zod.z.object({
-  avatarUrl: import_zod.z.string().nullable(),
-  createdAt: import_zod.z.iso.datetime(),
-  email: import_zod.z.email(),
-  emailVerified: import_zod.z.boolean(),
-  firstName: import_zod.z.string().nullable(),
-  id: import_zod.z.string(),
-  lastLoginAt: import_zod.z.iso.datetime().nullable(),
-  lastName: import_zod.z.string().nullable(),
-  lookupKey: import_zod.z.string().nullable(),
-  updatedAt: import_zod.z.iso.datetime()
-});
-var UserCreateBodySchema = import_zod.z.object({
-  avatarUrl: import_zod.z.url().optional(),
-  email: import_zod.z.email(),
-  firstName: import_zod.z.string().nullable().optional(),
-  lastName: import_zod.z.string().nullable().optional(),
-  lookupKey: import_zod.z.string(),
-  newUser: import_zod.z.boolean().nullable().optional(),
-  password: import_zod.z.string().nullable().optional()
-});
-var UserListSchema = import_zod.z.object({
-  items: import_zod.z.object({
-    avatarUrl: import_zod.z.string().nullable(),
-    createdAt: import_zod.z.iso.datetime(),
-    email: import_zod.z.email(),
-    emailVerified: import_zod.z.boolean(),
-    firstName: import_zod.z.string().nullable(),
-    id: import_zod.z.string(),
-    lastLoginAt: import_zod.z.iso.datetime().nullable(),
-    lastName: import_zod.z.string().nullable(),
-    lookupKey: import_zod.z.string().nullable(),
-    updatedAt: import_zod.z.iso.datetime()
-  }).array(),
-  limit: import_zod.z.number(),
-  page: import_zod.z.number(),
-  total: import_zod.z.number()
-});
-var UserResourceListSchema = import_zod.z.array(
-  import_zod.z.object({
-    inherited: import_zod.z.boolean(),
-    resource: import_zod.z.object({
-      id: import_zod.z.string(),
-      name: import_zod.z.string(),
-      parents: import_zod.z.object({
-        id: import_zod.z.string(),
-        type: import_zod.z.string()
-      }).array(),
-      type: import_zod.z.string()
-    }).catchall(import_zod.z.unknown()),
-    role: import_zod.z.string()
-  })
-);
-var UserUpdateBodySchema = import_zod.z.object({
-  avatarUrl: import_zod.z.url().nullable().optional(),
-  email: import_zod.z.email().optional(),
-  firstName: import_zod.z.string().nullable().optional(),
-  lastName: import_zod.z.string().nullable().optional(),
-  lookupKey: import_zod.z.string().optional(),
-  password: import_zod.z.string().optional()
-});
 var ResourceListSchema = import_zod.z.object({
   items: ResourceSchema.array(),
   limit: import_zod.z.number(),
   page: import_zod.z.number(),
   total: import_zod.z.number()
 });
+var AuthJwksGetOAuthAppJwksQuerySchema = import_zod.z.object({
+  /** OAuth app client ID to get public keys for */
+  client_id: import_zod.z.string().optional()
+});
 var EntitlementsListForResourceQuerySchema = import_zod.z.object({
   /** The unique identifier of the user */
   userId: import_zod.z.string()
@@ -920,6 +1258,14 @@ var EntitlementsListForTenantQuerySchema = import_zod.z.object({
   /** The unique identifier of the user */
   userId: import_zod.z.string()
 });
+var OauthCheckConsentRequiredQuerySchema = import_zod.z.object({
+  /** OAuth2 client ID */
+  client_id: import_zod.z.string(),
+  /** Redirect URI */
+  redirect_uri: import_zod.z.string().optional(),
+  /** Space-separated list of scopes */
+  scope: import_zod.z.string().optional()
+});
 var ResourceMembersListQuerySchema = import_zod.z.object({
   /** Number of items per page (minimum: 1, maximum: 100) */
   limit: import_zod.z.number().optional(),
@@ -944,7 +1290,7 @@ var RolesListQuerySchema = import_zod.z.object({
   /** Filter roles by specific resource ID */
   resourceId: import_zod.z.string().optional(),
   /** Filter roles by resource type */
-  resourceType: import_zod.z.string().optional(),
+  resourceType: ResourceTypeSchema.optional(),
   /** Filter by role name */
   role: import_zod.z.string().optional()
 });
@@ -972,40 +1318,14 @@ var UsersListQuerySchema = import_zod.z.object({
 // src/token-verifier.ts
 var crypto = __toESM(require("crypto"));
 var jwt = __toESM(require("jsonwebtoken"));
+var import_fetch4 = require("@blimu/fetch");
 var TokenVerifier = class {
   cache = /* @__PURE__ */ new Map();
   cacheTTL;
-  runtimeApiUrl;
+  baseURL;
   constructor(options) {
     this.cacheTTL = options?.cacheTTL ?? 60 * 60 * 1e3;
-    this.runtimeApiUrl = options?.runtimeApiUrl ?? "https://api.blimu.dev";
-  }
-  /**
-   * Fetch JWK Set from runtime-api
-   */
-  async fetchJWKSet(endpoint, headers) {
-    console.log(`[TokenVerifier] \u{1F4E1} Fetching JWK Set from: ${endpoint}`);
-    if (headers) {
-      console.log(
-        `[TokenVerifier] \u{1F4E1} Request headers: ${JSON.stringify(Object.keys(headers).map((k) => `${k}: ${k === "x-api-key" ? "***" : headers[k]}`))}`
-      );
-    }
-    const response = await fetch(endpoint, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json",
-        ...headers
-      }
-    });
-    console.log(`[TokenVerifier] \u{1F4E1} Response status: ${response.status} ${response.statusText}`);
-    if (!response.ok) {
-      const errorText = await response.text();
-      console.error(`[TokenVerifier] \u274C Failed to fetch JWKs: ${response.status} ${errorText}`);
-      throw new import_fetch10.FetchError("Failed to fetch JWKs", response.status, errorText);
-    }
-    const jwkSet = await response.json();
-    console.log(`[TokenVerifier] \u2705 Successfully fetched JWK Set with ${jwkSet.keys.length} keys`);
-    return jwkSet;
+    this.baseURL = options?.runtimeApiUrl ?? "https://api.blimu.dev";
   }
   /**
    * Convert JWK to KeyObject
@@ -1024,25 +1344,19 @@ var TokenVerifier = class {
   /**
    * Get public key for a specific key ID
    */
-  async getPublicKey(kid, cacheKey, endpoint, headers) {
+  async getPublicKey(kid, cacheKey, fetchJwks) {
     const cached = this.cache.get(cacheKey);
     if (cached && cached.expiresAt > Date.now()) {
-      console.log(`[TokenVerifier] \u2705 Using cached key for kid: ${kid}`);
       return cached.key;
     }
-    console.log(`[TokenVerifier] \u{1F50D} Cache miss or expired. Fetching new key for kid: ${kid}`);
-    const jwkSet = await this.fetchJWKSet(endpoint, headers);
+    const jwkSet = await fetchJwks();
     const jwk = jwkSet.keys.find((k) => k.kid === kid);
     if (!jwk) {
       const availableKids = jwkSet.keys.map((k) => k.kid).join(", ");
-      console.error(
-        `[TokenVerifier] \u274C Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
-      );
       throw new Error(
         `Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
       );
     }
-    console.log(`[TokenVerifier] \u2705 Found key with kid: ${kid}`);
     const keyObject = this.jwkToKeyObject(jwk);
     this.cache.set(cacheKey, {
       key: keyObject,
@@ -1052,15 +1366,16 @@ var TokenVerifier = class {
     return keyObject;
   }
   /**
-   * Verify JWT token using JWKs from runtime-api
+   * Verify JWT token using JWKs from Blimu runtime API.
+   * Supports: environment/session tokens (secretKey) or OAuth app tokens (clientId).
    */
   async verifyToken(options) {
-    const { url, secretKey, token, runtimeApiUrl } = options;
-    if (!url && !secretKey) {
-      throw new Error("Either url or secretKey must be provided");
-    }
-    if (url && secretKey) {
-      throw new Error("Cannot provide both url and secretKey");
+    const { secretKey, clientId, token, runtimeApiUrl } = options;
+    const provided = [secretKey, clientId].filter(Boolean);
+    if (provided.length !== 1) {
+      throw new Error(
+        "Exactly one of secretKey or clientId must be provided. Use secretKey for environment/session tokens, clientId for OAuth app access tokens."
+      );
     }
     const decoded = jwt.decode(token, { complete: true });
     if (!decoded || typeof decoded === "string") {
@@ -1070,67 +1385,38 @@ var TokenVerifier = class {
     if (!header.kid) {
       throw new Error("Token missing kid in header");
     }
-    let endpoint;
+    const baseURL = runtimeApiUrl ?? this.baseURL;
     let cacheKey;
-    let headers;
+    let fetchJwks;
     if (secretKey) {
-      const apiUrl = runtimeApiUrl ?? this.runtimeApiUrl;
-      endpoint = `${apiUrl}/v1/auth/.well-known/jwks.json`;
       cacheKey = secretKey;
-      headers = {
-        "x-api-key": secretKey
-      };
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
+      const core = new import_fetch4.FetchClient({
+        baseURL,
+        authStrategies: buildAuthStrategies({ apiKey: secretKey, baseURL })
+      });
+      const authJwks = new AuthJwksService(core);
+      fetchJwks = () => authJwks.getJwks();
     } else {
-      endpoint = url;
-      cacheKey = url;
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
+      cacheKey = `oauth:${clientId}`;
+      const core = new import_fetch4.FetchClient({ baseURL });
+      const authJwks = new AuthJwksService(core);
+      fetchJwks = () => authJwks.getOAuthAppJwks({ client_id: clientId });
     }
     let publicKey;
     try {
-      publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-      console.log(`[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid}`);
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C Failed to get public key (first attempt): ${error instanceof Error ? error.message : String(error)}`
-      );
+      publicKey = await this.getPublicKey(header.kid, cacheKey, fetchJwks);
+    } catch {
       this.clearCache(cacheKey);
-      console.log(`[TokenVerifier] \u{1F504} Retrying after cache clear...`);
-      try {
-        publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-        console.log(
-          `[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid} (retry)`
-        );
-      } catch (retryError) {
-        console.error(
-          `[TokenVerifier] \u274C Failed to get public key (retry): ${retryError instanceof Error ? retryError.message : String(retryError)}`
-        );
-        throw retryError;
-      }
-    }
-    try {
-      const payload = jwt.verify(token, publicKey, {
-        algorithms: ["RS256"]
-      });
-      console.log(`[TokenVerifier] \u2705 Token verified successfully`);
-      return payload;
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C JWT verification failed: ${error instanceof Error ? error.message : String(error)}`
-      );
-      throw error;
+      publicKey = await this.getPublicKey(header.kid, cacheKey, fetchJwks);
     }
+    return jwt.verify(token, publicKey, { algorithms: ["RS256"] });
   }
   /**
    * Clear cache (useful for testing or key rotation)
    */
-  clearCache(secretKeyOrUrl) {
-    if (secretKeyOrUrl) {
-      this.cache.delete(secretKeyOrUrl);
+  clearCache(cacheKey) {
+    if (cacheKey) {
+      this.cache.delete(cacheKey);
     } else {
       this.cache.clear();
     }
@@ -1140,8 +1426,15 @@ async function verifyToken(options) {
   const verifier = new TokenVerifier();
   return verifier.verifyToken(options);
 }
+async function verifyOAuthToken(options) {
+  return verifyToken({
+    ...options,
+    clientId: options.clientId
+  });
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AuthJwksService,
   Blimu,
   BlimuError,
   BulkResourcesService,
@@ -1162,6 +1455,7 @@ async function verifyToken(options) {
   paginate,
   parseNDJSONStream,
   parseSSEStream,
+  verifyOAuthToken,
   verifyToken,
   ...require("@blimu/fetch")
 });