@blimu/backend 1.2.1 → 1.2.2

package/dist/index.d.mts

@@ -2,11 +2,13 @@ export { Blimu, BlimuError, ClientOption } from './client.mjs';
 export * from '@blimu/fetch';
 export { FetchError, parseNDJSONStream, parseSSEStream } from '@blimu/fetch';
 export { PaginableQuery, isNotUndefined, listAll, paginate } from './utils.mjs';
-export { s as Schema } from './schema-CGYqiv8k.mjs';
+import { J as JWK$1 } from './schema-CdEZKE7E.mjs';
+export { s as Schema } from './schema-CdEZKE7E.mjs';
 import { z } from 'zod';
 export { BulkResourcesService } from './services/bulk_resources.mjs';
 export { BulkRolesService } from './services/bulk_roles.mjs';
 export { EntitlementsService } from './services/entitlements.mjs';
+export { AuthJwksService } from './services/auth_jwks.mjs';
 export { PlansService } from './services/plans.mjs';
 export { ResourceMembersService } from './services/resource_members.mjs';
 export { ResourcesService } from './services/resources.mjs';
@@ -109,6 +111,16 @@ declare const IntrospectionResponseSchema: z.ZodObject<{
     token_type: z.ZodOptional<z.ZodString>;
     username: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
+declare const JWKSchema: z.ZodObject<{
+    keys: z.ZodArray<z.ZodObject<{
+        alg: z.ZodString;
+        e: z.ZodString;
+        kid: z.ZodString;
+        kty: z.ZodString;
+        n: z.ZodString;
+        use: z.ZodString;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
 declare const PlanDeleteResponseSchema: z.ZodObject<{
     success: z.ZodBoolean;
 }, z.core.$strip>;
@@ -471,6 +483,9 @@ declare const ResourceListSchema: z.ZodObject<{
     page: z.ZodNumber;
     total: z.ZodNumber;
 }, z.core.$strip>;
+declare const AuthJwksGetOAuthAppJwksQuerySchema: z.ZodObject<{
+    client_id: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
 declare const EntitlementsListForResourceQuerySchema: z.ZodObject<{
     userId: z.ZodString;
 }, z.core.$strip>;
@@ -521,6 +536,7 @@ declare const UsersListQuerySchema: z.ZodObject<{
     search: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 
+declare const schema_zod_AuthJwksGetOAuthAppJwksQuerySchema: typeof AuthJwksGetOAuthAppJwksQuerySchema;
 declare const schema_zod_AuthorizeRequestSchema: typeof AuthorizeRequestSchema;
 declare const schema_zod_BalanceResponseSchema: typeof BalanceResponseSchema;
 declare const schema_zod_CheckLimitResponseSchema: typeof CheckLimitResponseSchema;
@@ -539,6 +555,7 @@ declare const schema_zod_EntitlementsListForTenantQuerySchema: typeof Entitlemen
 declare const schema_zod_EntitlementsListResultSchema: typeof EntitlementsListResultSchema;
 declare const schema_zod_IntrospectionRequestSchema: typeof IntrospectionRequestSchema;
 declare const schema_zod_IntrospectionResponseSchema: typeof IntrospectionResponseSchema;
+declare const schema_zod_JWKSchema: typeof JWKSchema;
 declare const schema_zod_OauthCheckConsentRequiredQuerySchema: typeof OauthCheckConsentRequiredQuerySchema;
 declare const schema_zod_PlanAssignBodySchema: typeof PlanAssignBodySchema;
 declare const schema_zod_PlanDeleteResponseSchema: typeof PlanDeleteResponseSchema;
@@ -578,23 +595,14 @@ declare const schema_zod_UserSchema: typeof UserSchema;
 declare const schema_zod_UserUpdateBodySchema: typeof UserUpdateBodySchema;
 declare const schema_zod_UsersListQuerySchema: typeof UsersListQuerySchema;
 declare namespace schema_zod {
-  export { schema_zod_AuthorizeRequestSchema as AuthorizeRequestSchema, schema_zod_BalanceResponseSchema as BalanceResponseSchema, schema_zod_CheckLimitResponseSchema as CheckLimitResponseSchema, schema_zod_ConsentCheckResponseSchema as ConsentCheckResponseSchema, schema_zod_DeviceAuthorizeRequestSchema as DeviceAuthorizeRequestSchema, schema_zod_DeviceAuthorizeResponseSchema as DeviceAuthorizeResponseSchema, schema_zod_DeviceCodeInfoResponseSchema as DeviceCodeInfoResponseSchema, schema_zod_DeviceCodeRequestSchema as DeviceCodeRequestSchema, schema_zod_DeviceCodeResponseSchema as DeviceCodeResponseSchema, schema_zod_DeviceTokenRequestSchema as DeviceTokenRequestSchema, schema_zod_EntitlementCheckBodySchema as EntitlementCheckBodySchema, schema_zod_EntitlementCheckResultSchema as EntitlementCheckResultSchema, schema_zod_EntitlementTypeSchema as EntitlementTypeSchema, schema_zod_EntitlementsListForResourceQuerySchema as EntitlementsListForResourceQuerySchema, schema_zod_EntitlementsListForTenantQuerySchema as EntitlementsListForTenantQuerySchema, schema_zod_EntitlementsListResultSchema as EntitlementsListResultSchema, schema_zod_IntrospectionRequestSchema as IntrospectionRequestSchema, schema_zod_IntrospectionResponseSchema as IntrospectionResponseSchema, schema_zod_OauthCheckConsentRequiredQuerySchema as OauthCheckConsentRequiredQuerySchema, schema_zod_PlanAssignBodySchema as PlanAssignBodySchema, schema_zod_PlanDeleteResponseSchema as PlanDeleteResponseSchema, schema_zod_PlanResponseSchema as PlanResponseSchema, schema_zod_PlanTypeSchema as PlanTypeSchema, schema_zod_ResourceBulkCreateBodySchema as ResourceBulkCreateBodySchema, schema_zod_ResourceBulkResultSchema as ResourceBulkResultSchema, schema_zod_ResourceCreateBodySchema as ResourceCreateBodySchema, schema_zod_ResourceListSchema as ResourceListSchema, schema_zod_ResourceMemberListSchema as ResourceMemberListSchema, schema_zod_ResourceMembersListQuerySchema as ResourceMembersListQuerySchema, schema_zod_ResourceSchema as ResourceSchema, schema_zod_ResourceTypeSchema as ResourceTypeSchema, schema_zod_ResourceUpdateBodySchema as ResourceUpdateBodySchema, schema_zod_ResourcesListQuerySchema as ResourcesListQuerySchema, schema_zod_RevocationRequestSchema as RevocationRequestSchema, schema_zod_RoleBulkCreateBodySchema as RoleBulkCreateBodySchema, schema_zod_RoleBulkResultSchema as RoleBulkResultSchema, schema_zod_RoleCreateBodySchema as RoleCreateBodySchema, schema_zod_RoleListSchema as RoleListSchema, schema_zod_RoleSchema as RoleSchema, schema_zod_RolesListQuerySchema as RolesListQuerySchema, schema_zod_TokenRequestSchema as TokenRequestSchema, schema_zod_TokenResponseSchema as TokenResponseSchema, schema_zod_TransactionHistoryResponseSchema as TransactionHistoryResponseSchema, schema_zod_UsageCheckBodySchema as UsageCheckBodySchema, schema_zod_UsageConsumeBodySchema as UsageConsumeBodySchema, schema_zod_UsageCreditBodySchema as UsageCreditBodySchema, schema_zod_UsageGetBalanceQuerySchema as UsageGetBalanceQuerySchema, schema_zod_UsageGetTransactionHistoryQuerySchema as UsageGetTransactionHistoryQuerySchema, schema_zod_UsageLimitTypeSchema as UsageLimitTypeSchema, schema_zod_UsageWalletResponseSchema as UsageWalletResponseSchema, schema_zod_UserCreateBodySchema as UserCreateBodySchema, schema_zod_UserListSchema as UserListSchema, schema_zod_UserResourceListSchema as UserResourceListSchema, schema_zod_UserSchema as UserSchema, schema_zod_UserUpdateBodySchema as UserUpdateBodySchema, schema_zod_UsersListQuerySchema as UsersListQuerySchema };
+  export { schema_zod_AuthJwksGetOAuthAppJwksQuerySchema as AuthJwksGetOAuthAppJwksQuerySchema, schema_zod_AuthorizeRequestSchema as AuthorizeRequestSchema, schema_zod_BalanceResponseSchema as BalanceResponseSchema, schema_zod_CheckLimitResponseSchema as CheckLimitResponseSchema, schema_zod_ConsentCheckResponseSchema as ConsentCheckResponseSchema, schema_zod_DeviceAuthorizeRequestSchema as DeviceAuthorizeRequestSchema, schema_zod_DeviceAuthorizeResponseSchema as DeviceAuthorizeResponseSchema, schema_zod_DeviceCodeInfoResponseSchema as DeviceCodeInfoResponseSchema, schema_zod_DeviceCodeRequestSchema as DeviceCodeRequestSchema, schema_zod_DeviceCodeResponseSchema as DeviceCodeResponseSchema, schema_zod_DeviceTokenRequestSchema as DeviceTokenRequestSchema, schema_zod_EntitlementCheckBodySchema as EntitlementCheckBodySchema, schema_zod_EntitlementCheckResultSchema as EntitlementCheckResultSchema, schema_zod_EntitlementTypeSchema as EntitlementTypeSchema, schema_zod_EntitlementsListForResourceQuerySchema as EntitlementsListForResourceQuerySchema, schema_zod_EntitlementsListForTenantQuerySchema as EntitlementsListForTenantQuerySchema, schema_zod_EntitlementsListResultSchema as EntitlementsListResultSchema, schema_zod_IntrospectionRequestSchema as IntrospectionRequestSchema, schema_zod_IntrospectionResponseSchema as IntrospectionResponseSchema, schema_zod_JWKSchema as JWKSchema, schema_zod_OauthCheckConsentRequiredQuerySchema as OauthCheckConsentRequiredQuerySchema, schema_zod_PlanAssignBodySchema as PlanAssignBodySchema, schema_zod_PlanDeleteResponseSchema as PlanDeleteResponseSchema, schema_zod_PlanResponseSchema as PlanResponseSchema, schema_zod_PlanTypeSchema as PlanTypeSchema, schema_zod_ResourceBulkCreateBodySchema as ResourceBulkCreateBodySchema, schema_zod_ResourceBulkResultSchema as ResourceBulkResultSchema, schema_zod_ResourceCreateBodySchema as ResourceCreateBodySchema, schema_zod_ResourceListSchema as ResourceListSchema, schema_zod_ResourceMemberListSchema as ResourceMemberListSchema, schema_zod_ResourceMembersListQuerySchema as ResourceMembersListQuerySchema, schema_zod_ResourceSchema as ResourceSchema, schema_zod_ResourceTypeSchema as ResourceTypeSchema, schema_zod_ResourceUpdateBodySchema as ResourceUpdateBodySchema, schema_zod_ResourcesListQuerySchema as ResourcesListQuerySchema, schema_zod_RevocationRequestSchema as RevocationRequestSchema, schema_zod_RoleBulkCreateBodySchema as RoleBulkCreateBodySchema, schema_zod_RoleBulkResultSchema as RoleBulkResultSchema, schema_zod_RoleCreateBodySchema as RoleCreateBodySchema, schema_zod_RoleListSchema as RoleListSchema, schema_zod_RoleSchema as RoleSchema, schema_zod_RolesListQuerySchema as RolesListQuerySchema, schema_zod_TokenRequestSchema as TokenRequestSchema, schema_zod_TokenResponseSchema as TokenResponseSchema, schema_zod_TransactionHistoryResponseSchema as TransactionHistoryResponseSchema, schema_zod_UsageCheckBodySchema as UsageCheckBodySchema, schema_zod_UsageConsumeBodySchema as UsageConsumeBodySchema, schema_zod_UsageCreditBodySchema as UsageCreditBodySchema, schema_zod_UsageGetBalanceQuerySchema as UsageGetBalanceQuerySchema, schema_zod_UsageGetTransactionHistoryQuerySchema as UsageGetTransactionHistoryQuerySchema, schema_zod_UsageLimitTypeSchema as UsageLimitTypeSchema, schema_zod_UsageWalletResponseSchema as UsageWalletResponseSchema, schema_zod_UserCreateBodySchema as UserCreateBodySchema, schema_zod_UserListSchema as UserListSchema, schema_zod_UserResourceListSchema as UserResourceListSchema, schema_zod_UserSchema as UserSchema, schema_zod_UserUpdateBodySchema as UserUpdateBodySchema, schema_zod_UsersListQuerySchema as UsersListQuerySchema };
 }
 
-interface JWK {
-    kty: string;
-    use: string;
-    kid: string;
-    alg: string;
-    n: string;
-    e: string;
-}
-interface JWKSet {
-    keys: JWK[];
-}
+type JWK = JWK$1['keys'][number];
+type JWKSet = JWK$1;
 interface VerifyTokenOptions {
-    url?: string;
     secretKey?: string;
+    clientId?: string;
     token: string;
     runtimeApiUrl?: string | undefined;
 }
@@ -605,14 +613,19 @@ interface TokenVerifierOptions {
 declare class TokenVerifier {
     private readonly cache;
     private readonly cacheTTL;
-    private readonly runtimeApiUrl;
+    private readonly baseURL;
     constructor(options?: TokenVerifierOptions);
-    private fetchJWKSet;
     private jwkToKeyObject;
     private getPublicKey;
     verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T>;
-    clearCache(secretKeyOrUrl?: string): void;
+    clearCache(cacheKey?: string): void;
 }
 declare function verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T>;
+interface VerifyOAuthTokenOptions {
+    token: string;
+    clientId: string;
+    runtimeApiUrl?: string | undefined;
+}
+declare function verifyOAuthToken<T = unknown>(options: VerifyOAuthTokenOptions): Promise<T>;
 
-export { type JWK, type JWKSet, TokenVerifier, type TokenVerifierOptions, type VerifyTokenOptions, schema_zod as ZodSchema, verifyToken };
+export { type JWK, type JWKSet, TokenVerifier, type TokenVerifierOptions, type VerifyOAuthTokenOptions, type VerifyTokenOptions, schema_zod as ZodSchema, verifyOAuthToken, verifyToken };

package/dist/index.d.ts

@@ -2,11 +2,13 @@ export { Blimu, BlimuError, ClientOption } from './client.js';
 export * from '@blimu/fetch';
 export { FetchError, parseNDJSONStream, parseSSEStream } from '@blimu/fetch';
 export { PaginableQuery, isNotUndefined, listAll, paginate } from './utils.js';
-export { s as Schema } from './schema-CGYqiv8k.js';
+import { J as JWK$1 } from './schema-CdEZKE7E.js';
+export { s as Schema } from './schema-CdEZKE7E.js';
 import { z } from 'zod';
 export { BulkResourcesService } from './services/bulk_resources.js';
 export { BulkRolesService } from './services/bulk_roles.js';
 export { EntitlementsService } from './services/entitlements.js';
+export { AuthJwksService } from './services/auth_jwks.js';
 export { PlansService } from './services/plans.js';
 export { ResourceMembersService } from './services/resource_members.js';
 export { ResourcesService } from './services/resources.js';
@@ -109,6 +111,16 @@ declare const IntrospectionResponseSchema: z.ZodObject<{
     token_type: z.ZodOptional<z.ZodString>;
     username: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
+declare const JWKSchema: z.ZodObject<{
+    keys: z.ZodArray<z.ZodObject<{
+        alg: z.ZodString;
+        e: z.ZodString;
+        kid: z.ZodString;
+        kty: z.ZodString;
+        n: z.ZodString;
+        use: z.ZodString;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
 declare const PlanDeleteResponseSchema: z.ZodObject<{
     success: z.ZodBoolean;
 }, z.core.$strip>;
@@ -471,6 +483,9 @@ declare const ResourceListSchema: z.ZodObject<{
     page: z.ZodNumber;
     total: z.ZodNumber;
 }, z.core.$strip>;
+declare const AuthJwksGetOAuthAppJwksQuerySchema: z.ZodObject<{
+    client_id: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
 declare const EntitlementsListForResourceQuerySchema: z.ZodObject<{
     userId: z.ZodString;
 }, z.core.$strip>;
@@ -521,6 +536,7 @@ declare const UsersListQuerySchema: z.ZodObject<{
     search: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 
+declare const schema_zod_AuthJwksGetOAuthAppJwksQuerySchema: typeof AuthJwksGetOAuthAppJwksQuerySchema;
 declare const schema_zod_AuthorizeRequestSchema: typeof AuthorizeRequestSchema;
 declare const schema_zod_BalanceResponseSchema: typeof BalanceResponseSchema;
 declare const schema_zod_CheckLimitResponseSchema: typeof CheckLimitResponseSchema;
@@ -539,6 +555,7 @@ declare const schema_zod_EntitlementsListForTenantQuerySchema: typeof Entitlemen
 declare const schema_zod_EntitlementsListResultSchema: typeof EntitlementsListResultSchema;
 declare const schema_zod_IntrospectionRequestSchema: typeof IntrospectionRequestSchema;
 declare const schema_zod_IntrospectionResponseSchema: typeof IntrospectionResponseSchema;
+declare const schema_zod_JWKSchema: typeof JWKSchema;
 declare const schema_zod_OauthCheckConsentRequiredQuerySchema: typeof OauthCheckConsentRequiredQuerySchema;
 declare const schema_zod_PlanAssignBodySchema: typeof PlanAssignBodySchema;
 declare const schema_zod_PlanDeleteResponseSchema: typeof PlanDeleteResponseSchema;
@@ -578,23 +595,14 @@ declare const schema_zod_UserSchema: typeof UserSchema;
 declare const schema_zod_UserUpdateBodySchema: typeof UserUpdateBodySchema;
 declare const schema_zod_UsersListQuerySchema: typeof UsersListQuerySchema;
 declare namespace schema_zod {
-  export { schema_zod_AuthorizeRequestSchema as AuthorizeRequestSchema, schema_zod_BalanceResponseSchema as BalanceResponseSchema, schema_zod_CheckLimitResponseSchema as CheckLimitResponseSchema, schema_zod_ConsentCheckResponseSchema as ConsentCheckResponseSchema, schema_zod_DeviceAuthorizeRequestSchema as DeviceAuthorizeRequestSchema, schema_zod_DeviceAuthorizeResponseSchema as DeviceAuthorizeResponseSchema, schema_zod_DeviceCodeInfoResponseSchema as DeviceCodeInfoResponseSchema, schema_zod_DeviceCodeRequestSchema as DeviceCodeRequestSchema, schema_zod_DeviceCodeResponseSchema as DeviceCodeResponseSchema, schema_zod_DeviceTokenRequestSchema as DeviceTokenRequestSchema, schema_zod_EntitlementCheckBodySchema as EntitlementCheckBodySchema, schema_zod_EntitlementCheckResultSchema as EntitlementCheckResultSchema, schema_zod_EntitlementTypeSchema as EntitlementTypeSchema, schema_zod_EntitlementsListForResourceQuerySchema as EntitlementsListForResourceQuerySchema, schema_zod_EntitlementsListForTenantQuerySchema as EntitlementsListForTenantQuerySchema, schema_zod_EntitlementsListResultSchema as EntitlementsListResultSchema, schema_zod_IntrospectionRequestSchema as IntrospectionRequestSchema, schema_zod_IntrospectionResponseSchema as IntrospectionResponseSchema, schema_zod_OauthCheckConsentRequiredQuerySchema as OauthCheckConsentRequiredQuerySchema, schema_zod_PlanAssignBodySchema as PlanAssignBodySchema, schema_zod_PlanDeleteResponseSchema as PlanDeleteResponseSchema, schema_zod_PlanResponseSchema as PlanResponseSchema, schema_zod_PlanTypeSchema as PlanTypeSchema, schema_zod_ResourceBulkCreateBodySchema as ResourceBulkCreateBodySchema, schema_zod_ResourceBulkResultSchema as ResourceBulkResultSchema, schema_zod_ResourceCreateBodySchema as ResourceCreateBodySchema, schema_zod_ResourceListSchema as ResourceListSchema, schema_zod_ResourceMemberListSchema as ResourceMemberListSchema, schema_zod_ResourceMembersListQuerySchema as ResourceMembersListQuerySchema, schema_zod_ResourceSchema as ResourceSchema, schema_zod_ResourceTypeSchema as ResourceTypeSchema, schema_zod_ResourceUpdateBodySchema as ResourceUpdateBodySchema, schema_zod_ResourcesListQuerySchema as ResourcesListQuerySchema, schema_zod_RevocationRequestSchema as RevocationRequestSchema, schema_zod_RoleBulkCreateBodySchema as RoleBulkCreateBodySchema, schema_zod_RoleBulkResultSchema as RoleBulkResultSchema, schema_zod_RoleCreateBodySchema as RoleCreateBodySchema, schema_zod_RoleListSchema as RoleListSchema, schema_zod_RoleSchema as RoleSchema, schema_zod_RolesListQuerySchema as RolesListQuerySchema, schema_zod_TokenRequestSchema as TokenRequestSchema, schema_zod_TokenResponseSchema as TokenResponseSchema, schema_zod_TransactionHistoryResponseSchema as TransactionHistoryResponseSchema, schema_zod_UsageCheckBodySchema as UsageCheckBodySchema, schema_zod_UsageConsumeBodySchema as UsageConsumeBodySchema, schema_zod_UsageCreditBodySchema as UsageCreditBodySchema, schema_zod_UsageGetBalanceQuerySchema as UsageGetBalanceQuerySchema, schema_zod_UsageGetTransactionHistoryQuerySchema as UsageGetTransactionHistoryQuerySchema, schema_zod_UsageLimitTypeSchema as UsageLimitTypeSchema, schema_zod_UsageWalletResponseSchema as UsageWalletResponseSchema, schema_zod_UserCreateBodySchema as UserCreateBodySchema, schema_zod_UserListSchema as UserListSchema, schema_zod_UserResourceListSchema as UserResourceListSchema, schema_zod_UserSchema as UserSchema, schema_zod_UserUpdateBodySchema as UserUpdateBodySchema, schema_zod_UsersListQuerySchema as UsersListQuerySchema };
+  export { schema_zod_AuthJwksGetOAuthAppJwksQuerySchema as AuthJwksGetOAuthAppJwksQuerySchema, schema_zod_AuthorizeRequestSchema as AuthorizeRequestSchema, schema_zod_BalanceResponseSchema as BalanceResponseSchema, schema_zod_CheckLimitResponseSchema as CheckLimitResponseSchema, schema_zod_ConsentCheckResponseSchema as ConsentCheckResponseSchema, schema_zod_DeviceAuthorizeRequestSchema as DeviceAuthorizeRequestSchema, schema_zod_DeviceAuthorizeResponseSchema as DeviceAuthorizeResponseSchema, schema_zod_DeviceCodeInfoResponseSchema as DeviceCodeInfoResponseSchema, schema_zod_DeviceCodeRequestSchema as DeviceCodeRequestSchema, schema_zod_DeviceCodeResponseSchema as DeviceCodeResponseSchema, schema_zod_DeviceTokenRequestSchema as DeviceTokenRequestSchema, schema_zod_EntitlementCheckBodySchema as EntitlementCheckBodySchema, schema_zod_EntitlementCheckResultSchema as EntitlementCheckResultSchema, schema_zod_EntitlementTypeSchema as EntitlementTypeSchema, schema_zod_EntitlementsListForResourceQuerySchema as EntitlementsListForResourceQuerySchema, schema_zod_EntitlementsListForTenantQuerySchema as EntitlementsListForTenantQuerySchema, schema_zod_EntitlementsListResultSchema as EntitlementsListResultSchema, schema_zod_IntrospectionRequestSchema as IntrospectionRequestSchema, schema_zod_IntrospectionResponseSchema as IntrospectionResponseSchema, schema_zod_JWKSchema as JWKSchema, schema_zod_OauthCheckConsentRequiredQuerySchema as OauthCheckConsentRequiredQuerySchema, schema_zod_PlanAssignBodySchema as PlanAssignBodySchema, schema_zod_PlanDeleteResponseSchema as PlanDeleteResponseSchema, schema_zod_PlanResponseSchema as PlanResponseSchema, schema_zod_PlanTypeSchema as PlanTypeSchema, schema_zod_ResourceBulkCreateBodySchema as ResourceBulkCreateBodySchema, schema_zod_ResourceBulkResultSchema as ResourceBulkResultSchema, schema_zod_ResourceCreateBodySchema as ResourceCreateBodySchema, schema_zod_ResourceListSchema as ResourceListSchema, schema_zod_ResourceMemberListSchema as ResourceMemberListSchema, schema_zod_ResourceMembersListQuerySchema as ResourceMembersListQuerySchema, schema_zod_ResourceSchema as ResourceSchema, schema_zod_ResourceTypeSchema as ResourceTypeSchema, schema_zod_ResourceUpdateBodySchema as ResourceUpdateBodySchema, schema_zod_ResourcesListQuerySchema as ResourcesListQuerySchema, schema_zod_RevocationRequestSchema as RevocationRequestSchema, schema_zod_RoleBulkCreateBodySchema as RoleBulkCreateBodySchema, schema_zod_RoleBulkResultSchema as RoleBulkResultSchema, schema_zod_RoleCreateBodySchema as RoleCreateBodySchema, schema_zod_RoleListSchema as RoleListSchema, schema_zod_RoleSchema as RoleSchema, schema_zod_RolesListQuerySchema as RolesListQuerySchema, schema_zod_TokenRequestSchema as TokenRequestSchema, schema_zod_TokenResponseSchema as TokenResponseSchema, schema_zod_TransactionHistoryResponseSchema as TransactionHistoryResponseSchema, schema_zod_UsageCheckBodySchema as UsageCheckBodySchema, schema_zod_UsageConsumeBodySchema as UsageConsumeBodySchema, schema_zod_UsageCreditBodySchema as UsageCreditBodySchema, schema_zod_UsageGetBalanceQuerySchema as UsageGetBalanceQuerySchema, schema_zod_UsageGetTransactionHistoryQuerySchema as UsageGetTransactionHistoryQuerySchema, schema_zod_UsageLimitTypeSchema as UsageLimitTypeSchema, schema_zod_UsageWalletResponseSchema as UsageWalletResponseSchema, schema_zod_UserCreateBodySchema as UserCreateBodySchema, schema_zod_UserListSchema as UserListSchema, schema_zod_UserResourceListSchema as UserResourceListSchema, schema_zod_UserSchema as UserSchema, schema_zod_UserUpdateBodySchema as UserUpdateBodySchema, schema_zod_UsersListQuerySchema as UsersListQuerySchema };
 }
 
-interface JWK {
-    kty: string;
-    use: string;
-    kid: string;
-    alg: string;
-    n: string;
-    e: string;
-}
-interface JWKSet {
-    keys: JWK[];
-}
+type JWK = JWK$1['keys'][number];
+type JWKSet = JWK$1;
 interface VerifyTokenOptions {
-    url?: string;
     secretKey?: string;
+    clientId?: string;
     token: string;
     runtimeApiUrl?: string | undefined;
 }
@@ -605,14 +613,19 @@ interface TokenVerifierOptions {
 declare class TokenVerifier {
     private readonly cache;
     private readonly cacheTTL;
-    private readonly runtimeApiUrl;
+    private readonly baseURL;
     constructor(options?: TokenVerifierOptions);
-    private fetchJWKSet;
     private jwkToKeyObject;
     private getPublicKey;
     verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T>;
-    clearCache(secretKeyOrUrl?: string): void;
+    clearCache(cacheKey?: string): void;
 }
 declare function verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T>;
+interface VerifyOAuthTokenOptions {
+    token: string;
+    clientId: string;
+    runtimeApiUrl?: string | undefined;
+}
+declare function verifyOAuthToken<T = unknown>(options: VerifyOAuthTokenOptions): Promise<T>;
 
-export { type JWK, type JWKSet, TokenVerifier, type TokenVerifierOptions, type VerifyTokenOptions, schema_zod as ZodSchema, verifyToken };
+export { type JWK, type JWKSet, TokenVerifier, type TokenVerifierOptions, type VerifyOAuthTokenOptions, type VerifyTokenOptions, schema_zod as ZodSchema, verifyOAuthToken, verifyToken };

package/dist/index.mjs

@@ -22,6 +22,47 @@ function buildAuthStrategies(cfg) {
   return authStrategies;
 }
 
+// src/services/auth_jwks.ts
+var AuthJwksService = class {
+  constructor(core) {
+    this.core = core;
+  }
+  /**
+   * GET /v1/auth/.well-known/jwks.json*
+   * @summary Get JSON Web Key Set for environment (Public)*
+   * @description Returns the public keys used to verify JWT tokens issued by this environment. Authenticate using either x-api-key header (secretKey) or x-blimu-publishable-key header (publishableKey).*/
+  getJwks(init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/.well-known/jwks.json`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/auth/.well-known/public-key.pem*
+   * @summary Get environment public key (PEM)*
+   * @description Returns the public key in PEM format for verifying JWT tokens. Authenticate with x-api-key or x-blimu-publishable-key.*/
+  getPublicKeyPem(init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/.well-known/public-key.pem`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/auth/oauth/.well-known/jwks.json*
+   * @summary Get JSON Web Key Set for OAuth app (Public)*
+   * @description Returns the public key for a specific OAuth app to verify JWT tokens. This is a public endpoint following OAuth2/OIDC standards. Provide client_id to get keys for a specific OAuth app, or use authenticated endpoint for environment keys.*/
+  getOAuthAppJwks(query, init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/oauth/.well-known/jwks.json`,
+      query,
+      ...init ?? {}
+    });
+  }
+};
+
 // src/services/bulk_resources.ts
 var BulkResourcesService = class {
   constructor(core) {
@@ -529,6 +570,7 @@ var UsersService = class {
 
 // src/client.ts
 var Blimu = class {
+  authJwks;
   bulkResources;
   bulkRoles;
   entitlements;
@@ -548,6 +590,7 @@ var Blimu = class {
       baseURL: options?.baseURL ?? "https://api.blimu.dev",
       ...authStrategies.length > 0 ? { authStrategies } : {}
     });
+    this.authJwks = new AuthJwksService(core);
     this.bulkResources = new BulkResourcesService(core);
     this.bulkRoles = new BulkRolesService(core);
     this.entitlements = new EntitlementsService(core);
@@ -598,6 +641,7 @@ var schema_exports = {};
 // src/schema.zod.ts
 var schema_zod_exports = {};
 __export(schema_zod_exports, {
+  AuthJwksGetOAuthAppJwksQuerySchema: () => AuthJwksGetOAuthAppJwksQuerySchema,
   AuthorizeRequestSchema: () => AuthorizeRequestSchema,
   BalanceResponseSchema: () => BalanceResponseSchema,
   CheckLimitResponseSchema: () => CheckLimitResponseSchema,
@@ -616,6 +660,7 @@ __export(schema_zod_exports, {
   EntitlementsListResultSchema: () => EntitlementsListResultSchema,
   IntrospectionRequestSchema: () => IntrospectionRequestSchema,
   IntrospectionResponseSchema: () => IntrospectionResponseSchema,
+  JWKSchema: () => JWKSchema,
   OauthCheckConsentRequiredQuerySchema: () => OauthCheckConsentRequiredQuerySchema,
   PlanAssignBodySchema: () => PlanAssignBodySchema,
   PlanDeleteResponseSchema: () => PlanDeleteResponseSchema,
@@ -781,6 +826,16 @@ var IntrospectionResponseSchema = z.object({
   /** Username or user ID */
   username: z.string().optional()
 });
+var JWKSchema = z.object({
+  keys: z.object({
+    alg: z.string(),
+    e: z.string(),
+    kid: z.string(),
+    kty: z.string(),
+    n: z.string(),
+    use: z.string()
+  }).array()
+});
 var PlanDeleteResponseSchema = z.object({ success: z.boolean() });
 var ResourceMemberListSchema = z.object({
   items: z.object({
@@ -1138,6 +1193,10 @@ var ResourceListSchema = z.object({
   page: z.number(),
   total: z.number()
 });
+var AuthJwksGetOAuthAppJwksQuerySchema = z.object({
+  /** OAuth app client ID to get public keys for */
+  client_id: z.string().optional()
+});
 var EntitlementsListForResourceQuerySchema = z.object({
   /** The unique identifier of the user */
   userId: z.string()
@@ -1206,40 +1265,14 @@ var UsersListQuerySchema = z.object({
 // src/token-verifier.ts
 import * as crypto from "crypto";
 import * as jwt from "jsonwebtoken";
+import { FetchClient as FetchClient2 } from "@blimu/fetch";
 var TokenVerifier = class {
   cache = /* @__PURE__ */ new Map();
   cacheTTL;
-  runtimeApiUrl;
+  baseURL;
   constructor(options) {
     this.cacheTTL = options?.cacheTTL ?? 60 * 60 * 1e3;
-    this.runtimeApiUrl = options?.runtimeApiUrl ?? "https://api.blimu.dev";
-  }
-  /**
-   * Fetch JWK Set from runtime-api
-   */
-  async fetchJWKSet(endpoint, headers) {
-    console.log(`[TokenVerifier] \u{1F4E1} Fetching JWK Set from: ${endpoint}`);
-    if (headers) {
-      console.log(
-        `[TokenVerifier] \u{1F4E1} Request headers: ${JSON.stringify(Object.keys(headers).map((k) => `${k}: ${k === "x-api-key" ? "***" : headers[k]}`))}`
-      );
-    }
-    const response = await fetch(endpoint, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json",
-        ...headers
-      }
-    });
-    console.log(`[TokenVerifier] \u{1F4E1} Response status: ${response.status} ${response.statusText}`);
-    if (!response.ok) {
-      const errorText = await response.text();
-      console.error(`[TokenVerifier] \u274C Failed to fetch JWKs: ${response.status} ${errorText}`);
-      throw new FetchError("Failed to fetch JWKs", response.status, errorText);
-    }
-    const jwkSet = await response.json();
-    console.log(`[TokenVerifier] \u2705 Successfully fetched JWK Set with ${jwkSet.keys.length} keys`);
-    return jwkSet;
+    this.baseURL = options?.runtimeApiUrl ?? "https://api.blimu.dev";
   }
   /**
    * Convert JWK to KeyObject
@@ -1258,25 +1291,19 @@ var TokenVerifier = class {
   /**
    * Get public key for a specific key ID
    */
-  async getPublicKey(kid, cacheKey, endpoint, headers) {
+  async getPublicKey(kid, cacheKey, fetchJwks) {
     const cached = this.cache.get(cacheKey);
     if (cached && cached.expiresAt > Date.now()) {
-      console.log(`[TokenVerifier] \u2705 Using cached key for kid: ${kid}`);
       return cached.key;
     }
-    console.log(`[TokenVerifier] \u{1F50D} Cache miss or expired. Fetching new key for kid: ${kid}`);
-    const jwkSet = await this.fetchJWKSet(endpoint, headers);
+    const jwkSet = await fetchJwks();
     const jwk = jwkSet.keys.find((k) => k.kid === kid);
     if (!jwk) {
       const availableKids = jwkSet.keys.map((k) => k.kid).join(", ");
-      console.error(
-        `[TokenVerifier] \u274C Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
-      );
       throw new Error(
         `Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
       );
     }
-    console.log(`[TokenVerifier] \u2705 Found key with kid: ${kid}`);
     const keyObject = this.jwkToKeyObject(jwk);
     this.cache.set(cacheKey, {
       key: keyObject,
@@ -1286,15 +1313,16 @@ var TokenVerifier = class {
     return keyObject;
   }
   /**
-   * Verify JWT token using JWKs from runtime-api
+   * Verify JWT token using JWKs from Blimu runtime API.
+   * Supports: environment/session tokens (secretKey) or OAuth app tokens (clientId).
    */
   async verifyToken(options) {
-    const { url, secretKey, token, runtimeApiUrl } = options;
-    if (!url && !secretKey) {
-      throw new Error("Either url or secretKey must be provided");
-    }
-    if (url && secretKey) {
-      throw new Error("Cannot provide both url and secretKey");
+    const { secretKey, clientId, token, runtimeApiUrl } = options;
+    const provided = [secretKey, clientId].filter(Boolean);
+    if (provided.length !== 1) {
+      throw new Error(
+        "Exactly one of secretKey or clientId must be provided. Use secretKey for environment/session tokens, clientId for OAuth app access tokens."
+      );
     }
     const decoded = jwt.decode(token, { complete: true });
     if (!decoded || typeof decoded === "string") {
@@ -1304,67 +1332,38 @@ var TokenVerifier = class {
     if (!header.kid) {
       throw new Error("Token missing kid in header");
     }
-    let endpoint;
+    const baseURL = runtimeApiUrl ?? this.baseURL;
     let cacheKey;
-    let headers;
+    let fetchJwks;
     if (secretKey) {
-      const apiUrl = runtimeApiUrl ?? this.runtimeApiUrl;
-      endpoint = `${apiUrl}/v1/auth/.well-known/jwks.json`;
       cacheKey = secretKey;
-      headers = {
-        "x-api-key": secretKey
-      };
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
+      const core = new FetchClient2({
+        baseURL,
+        authStrategies: buildAuthStrategies({ apiKey: secretKey, baseURL })
+      });
+      const authJwks = new AuthJwksService(core);
+      fetchJwks = () => authJwks.getJwks();
     } else {
-      endpoint = url;
-      cacheKey = url;
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
+      cacheKey = `oauth:${clientId}`;
+      const core = new FetchClient2({ baseURL });
+      const authJwks = new AuthJwksService(core);
+      fetchJwks = () => authJwks.getOAuthAppJwks({ client_id: clientId });
     }
     let publicKey;
     try {
-      publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-      console.log(`[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid}`);
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C Failed to get public key (first attempt): ${error instanceof Error ? error.message : String(error)}`
-      );
+      publicKey = await this.getPublicKey(header.kid, cacheKey, fetchJwks);
+    } catch {
       this.clearCache(cacheKey);
-      console.log(`[TokenVerifier] \u{1F504} Retrying after cache clear...`);
-      try {
-        publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-        console.log(
-          `[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid} (retry)`
-        );
-      } catch (retryError) {
-        console.error(
-          `[TokenVerifier] \u274C Failed to get public key (retry): ${retryError instanceof Error ? retryError.message : String(retryError)}`
-        );
-        throw retryError;
-      }
-    }
-    try {
-      const payload = jwt.verify(token, publicKey, {
-        algorithms: ["RS256"]
-      });
-      console.log(`[TokenVerifier] \u2705 Token verified successfully`);
-      return payload;
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C JWT verification failed: ${error instanceof Error ? error.message : String(error)}`
-      );
-      throw error;
+      publicKey = await this.getPublicKey(header.kid, cacheKey, fetchJwks);
     }
+    return jwt.verify(token, publicKey, { algorithms: ["RS256"] });
   }
   /**
    * Clear cache (useful for testing or key rotation)
    */
-  clearCache(secretKeyOrUrl) {
-    if (secretKeyOrUrl) {
-      this.cache.delete(secretKeyOrUrl);
+  clearCache(cacheKey) {
+    if (cacheKey) {
+      this.cache.delete(cacheKey);
     } else {
       this.cache.clear();
     }
@@ -1374,7 +1373,14 @@ async function verifyToken(options) {
   const verifier = new TokenVerifier();
   return verifier.verifyToken(options);
 }
+async function verifyOAuthToken(options) {
+  return verifyToken({
+    ...options,
+    clientId: options.clientId
+  });
+}
 export {
+  AuthJwksService,
   Blimu,
   BlimuError,
   BulkResourcesService,
@@ -1395,6 +1401,7 @@ export {
   paginate,
   parseNDJSONStream,
   parseSSEStream,
+  verifyOAuthToken,
   verifyToken
 };
 //# sourceMappingURL=index.mjs.map