@clerk/backend 3.0.0-snapshot.v20251204175016 → 3.0.0-snapshot.v20251208202852

package/dist/internal.mjs

@@ -23,10 +23,10 @@ import {
   stripPrivateDataFromObject,
   unauthenticatedMachineObject,
   verifyMachineAuthToken
-} from "./chunk-777XG3PJ.mjs";
+} from "./chunk-XZ7V2XHT.mjs";
 import "./chunk-YBVFDYDR.mjs";
-import "./chunk-QYKVFAML.mjs";
-import "./chunk-HNJNM32R.mjs";
+import "./chunk-SNA7AD3D.mjs";
+import "./chunk-TCIXZLLW.mjs";
 import "./chunk-RPS7XK5K.mjs";
 export {
   AuthStatus,

package/dist/jwt/assertions.d.ts

@@ -1,6 +1,6 @@
 export type IssuerResolver = string | ((iss: string) => boolean);
 export declare const assertAudienceClaim: (aud?: unknown, audience?: unknown) => void;
-export declare const assertHeaderType: (typ?: unknown) => void;
+export declare const assertHeaderType: (typ?: unknown, allowedTypes?: string | string[]) => void;
 export declare const assertHeaderAlgorithm: (alg: string) => void;
 export declare const assertSubClaim: (sub?: string) => void;
 export declare const assertAuthorizedPartiesClaim: (azp?: string, authorizedParties?: string[]) => void;

package/dist/jwt/assertions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"assertions.d.ts","sourceRoot":"","sources":["../../src/jwt/assertions.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC;AAMjE,eAAO,MAAM,mBAAmB,GAAI,MAAM,OAAO,EAAE,WAAW,OAAO,SAsCpE,CAAC;AAEF,eAAO,MAAM,gBAAgB,GAAI,MAAM,OAAO,SAY7C,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,SAQhD,CAAC;AAEF,eAAO,MAAM,cAAc,GAAI,MAAM,MAAM,SAQ1C,CAAC;AAEF,eAAO,MAAM,4BAA4B,GAAI,MAAM,MAAM,EAAE,oBAAoB,MAAM,EAAE,SAWtF,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,EAAE,eAAe,MAAM,SAoBvE,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,GAAG,SAAS,EAAE,eAAe,MAAM,SAwBnF,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAAI,KAAK,MAAM,GAAG,SAAS,EAAE,eAAe,MAAM,SAwBjF,CAAC"}
+{"version":3,"file":"assertions.d.ts","sourceRoot":"","sources":["../../src/jwt/assertions.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC;AAMjE,eAAO,MAAM,mBAAmB,GAAI,MAAM,OAAO,EAAE,WAAW,OAAO,SAsCpE,CAAC;AAEF,eAAO,MAAM,gBAAgB,GAAI,MAAM,OAAO,EAAE,eAAc,MAAM,GAAG,MAAM,EAAU,SAatF,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,SAQhD,CAAC;AAEF,eAAO,MAAM,cAAc,GAAI,MAAM,MAAM,SAQ1C,CAAC;AAEF,eAAO,MAAM,4BAA4B,GAAI,MAAM,MAAM,EAAE,oBAAoB,MAAM,EAAE,SAWtF,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,EAAE,eAAe,MAAM,SAoBvE,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,GAAG,SAAS,EAAE,eAAe,MAAM,SAwBnF,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAAI,KAAK,MAAM,GAAG,SAAS,EAAE,eAAe,MAAM,SAwBjF,CAAC"}

package/dist/jwt/index.js

@@ -296,15 +296,16 @@ var assertAudienceClaim = (aud, audience) => {
     }
   }
 };
-var assertHeaderType = (typ) => {
+var assertHeaderType = (typ, allowedTypes = "JWT") => {
   if (typeof typ === "undefined") {
     return;
   }
-  if (typ !== "JWT") {
+  const allowed = Array.isArray(allowedTypes) ? allowedTypes : [allowedTypes];
+  if (!allowed.includes(typ)) {
     throw new TokenVerificationError({
       action: TokenVerificationErrorAction.EnsureClerkJWT,
       reason: TokenVerificationErrorReason.TokenInvalid,
-      message: `Invalid JWT type ${JSON.stringify(typ)}. Expected "JWT".`
+      message: `Invalid JWT type ${JSON.stringify(typ)}. Expected "${allowed.join(", ")}".`
     });
   }
 };
@@ -454,7 +455,7 @@ function decodeJwt(token) {
   return { data };
 }
 async function verifyJwt(token, options) {
-  const { audience, authorizedParties, clockSkewInMs, key } = options;
+  const { audience, authorizedParties, clockSkewInMs, key, headerType } = options;
   const clockSkew = clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
   const { data: decoded, errors } = decodeJwt(token);
   if (errors) {
@@ -463,7 +464,7 @@ async function verifyJwt(token, options) {
   const { header, payload } = decoded;
   try {
     const { typ, alg } = header;
-    assertHeaderType(typ);
+    assertHeaderType(typ, headerType);
     assertHeaderAlgorithm(alg);
     const { azp, sub, aud, iat, exp, nbf } = payload;
     assertSubClaim(sub);

package/dist/jwt/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/jwt/index.ts","../../src/jwt/legacyReturn.ts","../../src/errors.ts","../../src/runtime.ts","../../src/util/rfc4648.ts","../../src/jwt/algorithms.ts","../../src/jwt/cryptoKeys.ts","../../src/jwt/signJwt.ts","../../src/jwt/assertions.ts","../../src/jwt/verifyJwt.ts"],"sourcesContent":["import { withLegacyReturn, withLegacySyncReturn } from './legacyReturn';\nimport { signJwt as _signJwt } from './signJwt';\nimport { decodeJwt as _decodeJwt, hasValidSignature as _hasValidSignature, verifyJwt as _verifyJwt } from './verifyJwt';\n\nexport type { VerifyJwtOptions } from './verifyJwt';\nexport type { SignJwtOptions } from './signJwt';\n\n// Introduce compatibility layer to avoid more breaking changes\n// TODO(dimkl): This (probably be drop in the next major version)\n\nexport const verifyJwt = withLegacyReturn(_verifyJwt);\nexport const decodeJwt = withLegacySyncReturn(_decodeJwt);\n\nexport const signJwt = withLegacyReturn(_signJwt);\nexport const hasValidSignature = withLegacyReturn(_hasValidSignature);\n","import type { JwtReturnType } from './types';\n\n// TODO(dimkl): Will be probably be dropped in next major version\nexport function withLegacyReturn<T extends (...args: any[]) => Promise<JwtReturnType<any, any>>>(cb: T) {\n  return async (...args: Parameters<T>): Promise<NonNullable<Awaited<ReturnType<T>>['data']>> | never => {\n    const { data, errors } = await cb(...args);\n    if (errors) {\n      throw errors[0];\n    }\n    return data;\n  };\n}\n\n// TODO(dimkl): Will be probably be dropped in next major version\nexport function withLegacySyncReturn<T extends (...args: any[]) => JwtReturnType<any, any>>(cb: T) {\n  return (...args: Parameters<T>): NonNullable<Awaited<ReturnType<T>>['data']> | never => {\n    const { data, errors } = cb(...args);\n    if (errors) {\n      throw errors[0];\n    }\n    return data;\n  };\n}\n","export type TokenCarrier = 'header' | 'cookie';\n\nexport const TokenVerificationErrorCode = {\n  InvalidSecretKey: 'clerk_key_invalid',\n};\n\nexport type TokenVerificationErrorCode = (typeof TokenVerificationErrorCode)[keyof typeof TokenVerificationErrorCode];\n\nexport const TokenVerificationErrorReason = {\n  TokenExpired: 'token-expired',\n  TokenInvalid: 'token-invalid',\n  TokenInvalidAlgorithm: 'token-invalid-algorithm',\n  TokenInvalidAuthorizedParties: 'token-invalid-authorized-parties',\n  TokenInvalidSignature: 'token-invalid-signature',\n  TokenNotActiveYet: 'token-not-active-yet',\n  TokenIatInTheFuture: 'token-iat-in-the-future',\n  TokenVerificationFailed: 'token-verification-failed',\n  InvalidSecretKey: 'secret-key-invalid',\n  LocalJWKMissing: 'jwk-local-missing',\n  RemoteJWKFailedToLoad: 'jwk-remote-failed-to-load',\n  RemoteJWKInvalid: 'jwk-remote-invalid',\n  RemoteJWKMissing: 'jwk-remote-missing',\n  JWKFailedToResolve: 'jwk-failed-to-resolve',\n  JWKKidMismatch: 'jwk-kid-mismatch',\n};\n\nexport type TokenVerificationErrorReason =\n  (typeof TokenVerificationErrorReason)[keyof typeof TokenVerificationErrorReason];\n\nexport const TokenVerificationErrorAction = {\n  ContactSupport: 'Contact support@clerk.com',\n  EnsureClerkJWT: 'Make sure that this is a valid Clerk-generated JWT.',\n  SetClerkJWTKey: 'Set the CLERK_JWT_KEY environment variable.',\n  SetClerkSecretKey: 'Set the CLERK_SECRET_KEY environment variable.',\n  EnsureClockSync: 'Make sure your system clock is in sync (e.g. turn off and on automatic time synchronization).',\n};\n\nexport type TokenVerificationErrorAction =\n  (typeof TokenVerificationErrorAction)[keyof typeof TokenVerificationErrorAction];\n\nexport class TokenVerificationError extends Error {\n  action?: TokenVerificationErrorAction;\n  reason: TokenVerificationErrorReason;\n  tokenCarrier?: TokenCarrier;\n\n  constructor({\n    action,\n    message,\n    reason,\n  }: {\n    action?: TokenVerificationErrorAction;\n    message: string;\n    reason: TokenVerificationErrorReason;\n  }) {\n    super(message);\n\n    Object.setPrototypeOf(this, TokenVerificationError.prototype);\n\n    this.reason = reason;\n    this.message = message;\n    this.action = action;\n  }\n\n  public getFullMessage() {\n    return `${[this.message, this.action].filter(m => m).join(' ')} (reason=${this.reason}, token-carrier=${\n      this.tokenCarrier\n    })`;\n  }\n}\n\nexport class SignJWTError extends Error {}\n\nexport const MachineTokenVerificationErrorCode = {\n  TokenInvalid: 'token-invalid',\n  InvalidSecretKey: 'secret-key-invalid',\n  UnexpectedError: 'unexpected-error',\n} as const;\n\nexport type MachineTokenVerificationErrorCode =\n  (typeof MachineTokenVerificationErrorCode)[keyof typeof MachineTokenVerificationErrorCode];\n\nexport class MachineTokenVerificationError extends Error {\n  code: MachineTokenVerificationErrorCode;\n  long_message?: string;\n  status: number;\n\n  constructor({ message, code, status }: { message: string; code: MachineTokenVerificationErrorCode; status: number }) {\n    super(message);\n    Object.setPrototypeOf(this, MachineTokenVerificationError.prototype);\n\n    this.code = code;\n    this.status = status;\n  }\n\n  public getFullMessage() {\n    return `${this.message} (code=${this.code}, status=${this.status})`;\n  }\n}\n","/**\n * This file exports APIs that vary across runtimes (i.e. Node & Browser - V8 isolates)\n * as a singleton object.\n *\n * Runtime polyfills are written in VanillaJS for now to avoid TS complication. Moreover,\n * due to this issue https://github.com/microsoft/TypeScript/issues/44848, there is not a good way\n * to tell Typescript which conditional import to use during build type.\n *\n * The Runtime type definition ensures type safety for now.\n * Runtime js modules are copied into dist folder with bash script.\n *\n * TODO: Support TS runtime modules\n */\n\n// @ts-ignore - These are package subpaths\nimport { webcrypto as crypto } from '#crypto';\n\ntype Runtime = {\n  crypto: Crypto;\n  fetch: typeof globalThis.fetch;\n  AbortController: typeof globalThis.AbortController;\n  Blob: typeof globalThis.Blob;\n  FormData: typeof globalThis.FormData;\n  Headers: typeof globalThis.Headers;\n  Request: typeof globalThis.Request;\n  Response: typeof globalThis.Response;\n};\n\n// Invoking the global.fetch without binding it first to the globalObject fails in\n// Cloudflare Workers with an \"Illegal Invocation\" error.\n//\n// The globalThis object is supported for Node >= 12.0.\n//\n// https://github.com/supabase/supabase/issues/4417\nconst globalFetch = fetch.bind(globalThis);\n\nexport const runtime: Runtime = {\n  crypto,\n  get fetch() {\n    // We need to use the globalFetch for Cloudflare Workers but the fetch for testing\n    return process.env.NODE_ENV === 'test' ? fetch : globalFetch;\n  },\n  AbortController: globalThis.AbortController,\n  Blob: globalThis.Blob,\n  FormData: globalThis.FormData,\n  Headers: globalThis.Headers,\n  Request: globalThis.Request,\n  Response: globalThis.Response,\n};\n","/**\n * The base64url helper was extracted from the rfc4648 package\n * in order to resolve CSJ/ESM interoperability issues\n *\n * https://github.com/swansontec/rfc4648.js\n *\n * For more context please refer to:\n * - https://github.com/evanw/esbuild/issues/1719\n * - https://github.com/evanw/esbuild/issues/532\n * - https://github.com/swansontec/rollup-plugin-mjs-entry\n */\nexport const base64url = {\n  parse(string: string, opts?: ParseOptions): Uint8Array {\n    return parse(string, base64UrlEncoding, opts);\n  },\n\n  stringify(data: ArrayLike<number>, opts?: StringifyOptions): string {\n    return stringify(data, base64UrlEncoding, opts);\n  },\n};\n\nconst base64UrlEncoding: Encoding = {\n  chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_',\n  bits: 6,\n};\n\ninterface Encoding {\n  bits: number;\n  chars: string;\n  codes?: { [char: string]: number };\n}\n\ninterface ParseOptions {\n  loose?: boolean;\n  out?: new (size: number) => { [index: number]: number };\n}\n\ninterface StringifyOptions {\n  pad?: boolean;\n}\n\nfunction parse(string: string, encoding: Encoding, opts: ParseOptions = {}): Uint8Array {\n  // Build the character lookup table:\n  if (!encoding.codes) {\n    encoding.codes = {};\n    for (let i = 0; i < encoding.chars.length; ++i) {\n      encoding.codes[encoding.chars[i]] = i;\n    }\n  }\n\n  // The string must have a whole number of bytes:\n  if (!opts.loose && (string.length * encoding.bits) & 7) {\n    throw new SyntaxError('Invalid padding');\n  }\n\n  // Count the padding bytes:\n  let end = string.length;\n  while (string[end - 1] === '=') {\n    --end;\n\n    // If we get a whole number of bytes, there is too much padding:\n    if (!opts.loose && !(((string.length - end) * encoding.bits) & 7)) {\n      throw new SyntaxError('Invalid padding');\n    }\n  }\n\n  // Allocate the output:\n  const out = new (opts.out ?? Uint8Array)(((end * encoding.bits) / 8) | 0) as Uint8Array;\n\n  // Parse the data:\n  let bits = 0; // Number of bits currently in the buffer\n  let buffer = 0; // Bits waiting to be written out, MSB first\n  let written = 0; // Next byte to write\n  for (let i = 0; i < end; ++i) {\n    // Read one character from the string:\n    const value = encoding.codes[string[i]];\n    if (value === undefined) {\n      throw new SyntaxError('Invalid character ' + string[i]);\n    }\n\n    // Append the bits to the buffer:\n    buffer = (buffer << encoding.bits) | value;\n    bits += encoding.bits;\n\n    // Write out some bits if the buffer has a byte's worth:\n    if (bits >= 8) {\n      bits -= 8;\n      out[written++] = 0xff & (buffer >> bits);\n    }\n  }\n\n  // Verify that we have received just enough bits:\n  if (bits >= encoding.bits || 0xff & (buffer << (8 - bits))) {\n    throw new SyntaxError('Unexpected end of data');\n  }\n\n  return out;\n}\n\nfunction stringify(data: ArrayLike<number>, encoding: Encoding, opts: StringifyOptions = {}): string {\n  const { pad = true } = opts;\n  const mask = (1 << encoding.bits) - 1;\n  let out = '';\n\n  let bits = 0; // Number of bits currently in the buffer\n  let buffer = 0; // Bits waiting to be written out, MSB first\n  for (let i = 0; i < data.length; ++i) {\n    // Slurp data into the buffer:\n    buffer = (buffer << 8) | (0xff & data[i]);\n    bits += 8;\n\n    // Write out as much as we can:\n    while (bits > encoding.bits) {\n      bits -= encoding.bits;\n      out += encoding.chars[mask & (buffer >> bits)];\n    }\n  }\n\n  // Partial character:\n  if (bits) {\n    out += encoding.chars[mask & (buffer << (encoding.bits - bits))];\n  }\n\n  // Add padding characters until we hit a byte boundary:\n  if (pad) {\n    while ((out.length * encoding.bits) & 7) {\n      out += '=';\n    }\n  }\n\n  return out;\n}\n","const algToHash: Record<string, string> = {\n  RS256: 'SHA-256',\n  RS384: 'SHA-384',\n  RS512: 'SHA-512',\n};\nconst RSA_ALGORITHM_NAME = 'RSASSA-PKCS1-v1_5';\n\nconst jwksAlgToCryptoAlg: Record<string, string> = {\n  RS256: RSA_ALGORITHM_NAME,\n  RS384: RSA_ALGORITHM_NAME,\n  RS512: RSA_ALGORITHM_NAME,\n};\n\nexport const algs = Object.keys(algToHash);\n\nexport function getCryptoAlgorithm(algorithmName: string): RsaHashedImportParams {\n  const hash = algToHash[algorithmName];\n  const name = jwksAlgToCryptoAlg[algorithmName];\n\n  if (!hash || !name) {\n    throw new Error(`Unsupported algorithm ${algorithmName}, expected one of ${algs.join(',')}.`);\n  }\n\n  return {\n    hash: { name: algToHash[algorithmName] },\n    name: jwksAlgToCryptoAlg[algorithmName],\n  };\n}\n","import { isomorphicAtob } from '@clerk/shared/isomorphicAtob';\n\nimport { runtime } from '../runtime';\n\n// https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#pkcs_8_import\nfunction pemToBuffer(secret: string): ArrayBuffer {\n  const trimmed = secret\n    .replace(/-----BEGIN.*?-----/g, '')\n    .replace(/-----END.*?-----/g, '')\n    .replace(/\\s/g, '');\n\n  const decoded = isomorphicAtob(trimmed);\n\n  const buffer = new ArrayBuffer(decoded.length);\n  const bufView = new Uint8Array(buffer);\n\n  for (let i = 0, strLen = decoded.length; i < strLen; i++) {\n    bufView[i] = decoded.charCodeAt(i);\n  }\n\n  return bufView;\n}\n\nexport function importKey(\n  key: JsonWebKey | string,\n  algorithm: RsaHashedImportParams,\n  keyUsage: 'verify' | 'sign',\n): Promise<CryptoKey> {\n  if (typeof key === 'object') {\n    return runtime.crypto.subtle.importKey('jwk', key, algorithm, false, [keyUsage]);\n  }\n\n  const keyData = pemToBuffer(key);\n  const format = keyUsage === 'sign' ? 'pkcs8' : 'spki';\n\n  return runtime.crypto.subtle.importKey(format, keyData, algorithm, false, [keyUsage]);\n}\n","import { SignJWTError } from '../errors';\nimport { runtime } from '../runtime';\nimport { base64url } from '../util/rfc4648';\nimport { getCryptoAlgorithm } from './algorithms';\nimport { importKey } from './cryptoKeys';\nimport type { JwtReturnType } from './types';\n\nexport interface SignJwtOptions {\n  algorithm?: string;\n  header?: Record<string, unknown>;\n}\n\nfunction encodeJwtData(value: unknown): string {\n  const stringified = JSON.stringify(value);\n  const encoder = new TextEncoder();\n  const encoded = encoder.encode(stringified);\n  return base64url.stringify(encoded, { pad: false });\n}\n\n/**\n * Signs a JSON Web Token (JWT) with the given payload, key, and options.\n * This function is intended to be used *internally* by other Clerk packages and typically\n * should not be used directly.\n *\n * @internal\n * @param payload The payload to include in the JWT.\n * @param key The key to use for signing the JWT. Can be a string or a JsonWebKey.\n * @param options The options to use for signing the JWT.\n * @returns A Promise that resolves to the signed JWT string.\n * @throws An error if no algorithm is specified or if the specified algorithm is unsupported.\n * @throws An error if there is an issue with importing the key or signing the JWT.\n */\nexport async function signJwt(\n  payload: Record<string, unknown>,\n  key: string | JsonWebKey,\n  options: SignJwtOptions,\n): Promise<JwtReturnType<string, Error>> {\n  if (!options.algorithm) {\n    throw new Error('No algorithm specified');\n  }\n  const encoder = new TextEncoder();\n\n  const algorithm = getCryptoAlgorithm(options.algorithm);\n  if (!algorithm) {\n    return {\n      errors: [new SignJWTError(`Unsupported algorithm ${options.algorithm}`)],\n    };\n  }\n\n  const cryptoKey = await importKey(key, algorithm, 'sign');\n  const header = options.header || { typ: 'JWT' };\n\n  header.alg = options.algorithm;\n  payload.iat = Math.floor(Date.now() / 1000);\n\n  const encodedHeader = encodeJwtData(header);\n  const encodedPayload = encodeJwtData(payload);\n  const firstPart = `${encodedHeader}.${encodedPayload}`;\n\n  try {\n    const signature = await runtime.crypto.subtle.sign(algorithm, cryptoKey, encoder.encode(firstPart));\n    const encodedSignature = `${firstPart}.${base64url.stringify(new Uint8Array(signature), { pad: false })}`;\n    return { data: encodedSignature };\n  } catch (error) {\n    return { errors: [new SignJWTError((error as Error)?.message)] };\n  }\n}\n","import { TokenVerificationError, TokenVerificationErrorAction, TokenVerificationErrorReason } from '../errors';\nimport { algs } from './algorithms';\n\nexport type IssuerResolver = string | ((iss: string) => boolean);\n\nconst isArrayString = (s: unknown): s is string[] => {\n  return Array.isArray(s) && s.length > 0 && s.every(a => typeof a === 'string');\n};\n\nexport const assertAudienceClaim = (aud?: unknown, audience?: unknown) => {\n  const audienceList = [audience].flat().filter(a => !!a);\n  const audList = [aud].flat().filter(a => !!a);\n  const shouldVerifyAudience = audienceList.length > 0 && audList.length > 0;\n\n  if (!shouldVerifyAudience) {\n    // Notice: Clerk JWTs use AZP claim instead of Audience\n    //\n    // return {\n    //   valid: false,\n    //   reason: `Invalid JWT audience claim (aud) ${JSON.stringify(\n    //     aud,\n    //   )}. Expected a string or a non-empty array of strings.`,\n    // };\n    return;\n  }\n\n  if (typeof aud === 'string') {\n    if (!audienceList.includes(aud)) {\n      throw new TokenVerificationError({\n        action: TokenVerificationErrorAction.EnsureClerkJWT,\n        reason: TokenVerificationErrorReason.TokenVerificationFailed,\n        message: `Invalid JWT audience claim (aud) ${JSON.stringify(aud)}. Is not included in \"${JSON.stringify(\n          audienceList,\n        )}\".`,\n      });\n    }\n  } else if (isArrayString(aud)) {\n    if (!aud.some(a => audienceList.includes(a))) {\n      throw new TokenVerificationError({\n        action: TokenVerificationErrorAction.EnsureClerkJWT,\n        reason: TokenVerificationErrorReason.TokenVerificationFailed,\n        message: `Invalid JWT audience claim array (aud) ${JSON.stringify(aud)}. Is not included in \"${JSON.stringify(\n          audienceList,\n        )}\".`,\n      });\n    }\n  }\n};\n\nexport const assertHeaderType = (typ?: unknown) => {\n  if (typeof typ === 'undefined') {\n    return;\n  }\n\n  if (typ !== 'JWT') {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenInvalid,\n      message: `Invalid JWT type ${JSON.stringify(typ)}. Expected \"JWT\".`,\n    });\n  }\n};\n\nexport const assertHeaderAlgorithm = (alg: string) => {\n  if (!algs.includes(alg)) {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenInvalidAlgorithm,\n      message: `Invalid JWT algorithm ${JSON.stringify(alg)}. Supported: ${algs}.`,\n    });\n  }\n};\n\nexport const assertSubClaim = (sub?: string) => {\n  if (typeof sub !== 'string') {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`,\n    });\n  }\n};\n\nexport const assertAuthorizedPartiesClaim = (azp?: string, authorizedParties?: string[]) => {\n  if (!azp || !authorizedParties || authorizedParties.length === 0) {\n    return;\n  }\n\n  if (!authorizedParties.includes(azp)) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenInvalidAuthorizedParties,\n      message: `Invalid JWT Authorized party claim (azp) ${JSON.stringify(azp)}. Expected \"${authorizedParties}\".`,\n    });\n  }\n};\n\nexport const assertExpirationClaim = (exp: number, clockSkewInMs: number) => {\n  if (typeof exp !== 'number') {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Invalid JWT expiry date claim (exp) ${JSON.stringify(exp)}. Expected number.`,\n    });\n  }\n\n  const currentDate = new Date(Date.now());\n  const expiryDate = new Date(0);\n  expiryDate.setUTCSeconds(exp);\n\n  const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;\n  if (expired) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenExpired,\n      message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`,\n    });\n  }\n};\n\nexport const assertActivationClaim = (nbf: number | undefined, clockSkewInMs: number) => {\n  if (typeof nbf === 'undefined') {\n    return;\n  }\n\n  if (typeof nbf !== 'number') {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Invalid JWT not before date claim (nbf) ${JSON.stringify(nbf)}. Expected number.`,\n    });\n  }\n\n  const currentDate = new Date(Date.now());\n  const notBeforeDate = new Date(0);\n  notBeforeDate.setUTCSeconds(nbf);\n\n  const early = notBeforeDate.getTime() > currentDate.getTime() + clockSkewInMs;\n  if (early) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenNotActiveYet,\n      message: `JWT cannot be used prior to not before date claim (nbf). Not before date: ${notBeforeDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`,\n    });\n  }\n};\n\nexport const assertIssuedAtClaim = (iat: number | undefined, clockSkewInMs: number) => {\n  if (typeof iat === 'undefined') {\n    return;\n  }\n\n  if (typeof iat !== 'number') {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected number.`,\n    });\n  }\n\n  const currentDate = new Date(Date.now());\n  const issuedAtDate = new Date(0);\n  issuedAtDate.setUTCSeconds(iat);\n\n  const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;\n  if (postIssued) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenIatInTheFuture,\n      message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`,\n    });\n  }\n};\n","import type { Jwt, JwtPayload } from '@clerk/shared/types';\n\nimport { TokenVerificationError, TokenVerificationErrorAction, TokenVerificationErrorReason } from '../errors';\nimport { runtime } from '../runtime';\nimport { base64url } from '../util/rfc4648';\nimport { getCryptoAlgorithm } from './algorithms';\nimport {\n  assertActivationClaim,\n  assertAudienceClaim,\n  assertAuthorizedPartiesClaim,\n  assertExpirationClaim,\n  assertHeaderAlgorithm,\n  assertHeaderType,\n  assertIssuedAtClaim,\n  assertSubClaim,\n} from './assertions';\nimport { importKey } from './cryptoKeys';\nimport type { JwtReturnType } from './types';\n\nconst DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1000;\n\nexport async function hasValidSignature(jwt: Jwt, key: JsonWebKey | string): Promise<JwtReturnType<boolean, Error>> {\n  const { header, signature, raw } = jwt;\n  const encoder = new TextEncoder();\n  const data = encoder.encode([raw.header, raw.payload].join('.'));\n  const algorithm = getCryptoAlgorithm(header.alg);\n\n  try {\n    const cryptoKey = await importKey(key, algorithm, 'verify');\n\n    const verified = await runtime.crypto.subtle.verify(algorithm.name, cryptoKey, signature, data);\n    return { data: verified };\n  } catch (error) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          reason: TokenVerificationErrorReason.TokenInvalidSignature,\n          message: (error as Error)?.message,\n        }),\n      ],\n    };\n  }\n}\n\nexport function decodeJwt(token: string): JwtReturnType<Jwt, TokenVerificationError> {\n  const tokenParts = (token || '').toString().split('.');\n  if (tokenParts.length !== 3) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          reason: TokenVerificationErrorReason.TokenInvalid,\n          message: `Invalid JWT form. A JWT consists of three parts separated by dots.`,\n        }),\n      ],\n    };\n  }\n\n  const [rawHeader, rawPayload, rawSignature] = tokenParts;\n\n  const decoder = new TextDecoder();\n\n  // To verify a JWS with SubtleCrypto you need to be careful to encode and decode\n  // the data properly between binary and base64url representation. Unfortunately\n  // the standard implementation in the V8 of btoa() and atob() are difficult to\n  // work with as they use \"a Unicode string containing only characters in the\n  // range U+0000 to U+00FF, each representing a binary byte with values 0x00 to\n  // 0xFF respectively\" as the representation of binary data.\n\n  // A better solution to represent binary data in Javascript is to use ES6 TypedArray\n  // and use a Javascript library to convert them to base64url that honors RFC 4648.\n\n  // Side note: The difference between base64 and base64url is the characters selected\n  // for value 62 and 63 in the standard, base64 encode them to + and / while base64url\n  // encode - and _.\n\n  // More info at https://stackoverflow.com/questions/54062583/how-to-verify-a-signed-jwt-with-subtlecrypto-of-the-web-crypto-API\n  const header = JSON.parse(decoder.decode(base64url.parse(rawHeader, { loose: true })));\n  const payload = JSON.parse(decoder.decode(base64url.parse(rawPayload, { loose: true })));\n\n  const signature = base64url.parse(rawSignature, { loose: true });\n\n  const data = {\n    header,\n    payload,\n    signature,\n    raw: {\n      header: rawHeader,\n      payload: rawPayload,\n      signature: rawSignature,\n      text: token,\n    },\n  } satisfies Jwt;\n\n  return { data };\n}\n\n/**\n * @inline\n */\nexport type VerifyJwtOptions = {\n  /**\n   * A string or list of [audiences](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). If passed, it is checked against the `aud` claim in the token.\n   */\n  audience?: string | string[];\n  /**\n   * An allowlist of origins to verify against, to protect your application from the subdomain cookie leaking attack.\n   * @example\n   * ```ts\n   * ['http://localhost:3000', 'https://example.com']\n   * ```\n   */\n  authorizedParties?: string[];\n  /**\n   * Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token.\n   * @default 5000\n   */\n  clockSkewInMs?: number;\n  /**\n   * @internal\n   */\n  key: JsonWebKey | string;\n};\n\nexport async function verifyJwt(\n  token: string,\n  options: VerifyJwtOptions,\n): Promise<JwtReturnType<JwtPayload, TokenVerificationError>> {\n  const { audience, authorizedParties, clockSkewInMs, key } = options;\n  const clockSkew = clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;\n\n  const { data: decoded, errors } = decodeJwt(token);\n  if (errors) {\n    return { errors };\n  }\n\n  const { header, payload } = decoded;\n  try {\n    // Header verifications\n    const { typ, alg } = header;\n\n    assertHeaderType(typ);\n    assertHeaderAlgorithm(alg);\n\n    // Payload verifications\n    const { azp, sub, aud, iat, exp, nbf } = payload;\n\n    assertSubClaim(sub);\n    assertAudienceClaim([aud], [audience]);\n    assertAuthorizedPartiesClaim(azp, authorizedParties);\n    assertExpirationClaim(exp, clockSkew);\n    assertActivationClaim(nbf, clockSkew);\n    assertIssuedAtClaim(iat, clockSkew);\n  } catch (err) {\n    return { errors: [err as TokenVerificationError] };\n  }\n\n  const { data: signatureValid, errors: signatureErrors } = await hasValidSignature(decoded, key);\n  if (signatureErrors) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          action: TokenVerificationErrorAction.EnsureClerkJWT,\n          reason: TokenVerificationErrorReason.TokenVerificationFailed,\n          message: `Error verifying JWT signature. ${signatureErrors[0]}`,\n        }),\n      ],\n    };\n  }\n\n  if (!signatureValid) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          reason: TokenVerificationErrorReason.TokenInvalidSignature,\n          message: 'JWT signature is invalid.',\n        }),\n      ],\n    };\n  }\n\n  return { data: payload };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA,mBAAAA;AAAA,EAAA,yBAAAC;AAAA,EAAA,eAAAC;AAAA,EAAA,iBAAAC;AAAA;AAAA;;;ACGO,SAAS,iBAAiF,IAAO;AACtG,SAAO,UAAU,SAAsF;AACrG,UAAM,EAAE,MAAM,OAAO,IAAI,MAAM,GAAG,GAAG,IAAI;AACzC,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AACA,WAAO;AAAA,EACT;AACF;AAGO,SAAS,qBAA4E,IAAO;AACjG,SAAO,IAAI,SAA6E;AACtF,UAAM,EAAE,MAAM,OAAO,IAAI,GAAG,GAAG,IAAI;AACnC,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AACA,WAAO;AAAA,EACT;AACF;;;ACdO,IAAM,+BAA+B;AAAA,EAC1C,cAAc;AAAA,EACd,cAAc;AAAA,EACd,uBAAuB;AAAA,EACvB,+BAA+B;AAAA,EAC/B,uBAAuB;AAAA,EACvB,mBAAmB;AAAA,EACnB,qBAAqB;AAAA,EACrB,yBAAyB;AAAA,EACzB,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,uBAAuB;AAAA,EACvB,kBAAkB;AAAA,EAClB,kBAAkB;AAAA,EAClB,oBAAoB;AAAA,EACpB,gBAAgB;AAClB;AAKO,IAAM,+BAA+B;AAAA,EAC1C,gBAAgB;AAAA,EAChB,gBAAgB;AAAA,EAChB,gBAAgB;AAAA,EAChB,mBAAmB;AAAA,EACnB,iBAAiB;AACnB;AAKO,IAAM,yBAAN,MAAM,gCAA+B,MAAM;AAAA,EAKhD,YAAY;AAAA,IACV;AAAA,IACA;AAAA,IACA;AAAA,EACF,GAIG;AACD,UAAM,OAAO;AAEb,WAAO,eAAe,MAAM,wBAAuB,SAAS;AAE5D,SAAK,SAAS;AACd,SAAK,UAAU;AACf,SAAK,SAAS;AAAA,EAChB;AAAA,EAEO,iBAAiB;AACtB,WAAO,GAAG,CAAC,KAAK,SAAS,KAAK,MAAM,EAAE,OAAO,OAAK,CAAC,EAAE,KAAK,GAAG,CAAC,YAAY,KAAK,MAAM,mBACnF,KAAK,YACP;AAAA,EACF;AACF;AAEO,IAAM,eAAN,cAA2B,MAAM;AAAC;;;ACvDzC,oBAAoC;AAmBpC,IAAM,cAAc,MAAM,KAAK,UAAU;AAElC,IAAM,UAAmB;AAAA,EAC9B,sBAAAC;AAAA,EACA,IAAI,QAAQ;AAEV,WAAO,QAAQ,IAAI,aAAa,SAAS,QAAQ;AAAA,EACnD;AAAA,EACA,iBAAiB,WAAW;AAAA,EAC5B,MAAM,WAAW;AAAA,EACjB,UAAU,WAAW;AAAA,EACrB,SAAS,WAAW;AAAA,EACpB,SAAS,WAAW;AAAA,EACpB,UAAU,WAAW;AACvB;;;ACrCO,IAAM,YAAY;AAAA,EACvB,MAAM,QAAgB,MAAiC;AACrD,WAAO,MAAM,QAAQ,mBAAmB,IAAI;AAAA,EAC9C;AAAA,EAEA,UAAU,MAAyB,MAAiC;AAClE,WAAO,UAAU,MAAM,mBAAmB,IAAI;AAAA,EAChD;AACF;AAEA,IAAM,oBAA8B;AAAA,EAClC,OAAO;AAAA,EACP,MAAM;AACR;AAiBA,SAAS,MAAM,QAAgB,UAAoB,OAAqB,CAAC,GAAe;AAEtF,MAAI,CAAC,SAAS,OAAO;AACnB,aAAS,QAAQ,CAAC;AAClB,aAAS,IAAI,GAAG,IAAI,SAAS,MAAM,QAAQ,EAAE,GAAG;AAC9C,eAAS,MAAM,SAAS,MAAM,CAAC,CAAC,IAAI;AAAA,IACtC;AAAA,EACF;AAGA,MAAI,CAAC,KAAK,SAAU,OAAO,SAAS,SAAS,OAAQ,GAAG;AACtD,UAAM,IAAI,YAAY,iBAAiB;AAAA,EACzC;AAGA,MAAI,MAAM,OAAO;AACjB,SAAO,OAAO,MAAM,CAAC,MAAM,KAAK;AAC9B,MAAE;AAGF,QAAI,CAAC,KAAK,SAAS,GAAI,OAAO,SAAS,OAAO,SAAS,OAAQ,IAAI;AACjE,YAAM,IAAI,YAAY,iBAAiB;AAAA,IACzC;AAAA,EACF;AAGA,QAAM,MAAM,KAAK,KAAK,OAAO,YAAc,MAAM,SAAS,OAAQ,IAAK,CAAC;AAGxE,MAAI,OAAO;AACX,MAAI,SAAS;AACb,MAAI,UAAU;AACd,WAAS,IAAI,GAAG,IAAI,KAAK,EAAE,GAAG;AAE5B,UAAM,QAAQ,SAAS,MAAM,OAAO,CAAC,CAAC;AACtC,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI,YAAY,uBAAuB,OAAO,CAAC,CAAC;AAAA,IACxD;AAGA,aAAU,UAAU,SAAS,OAAQ;AACrC,YAAQ,SAAS;AAGjB,QAAI,QAAQ,GAAG;AACb,cAAQ;AACR,UAAI,SAAS,IAAI,MAAQ,UAAU;AAAA,IACrC;AAAA,EACF;AAGA,MAAI,QAAQ,SAAS,QAAQ,MAAQ,UAAW,IAAI,MAAQ;AAC1D,UAAM,IAAI,YAAY,wBAAwB;AAAA,EAChD;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,MAAyB,UAAoB,OAAyB,CAAC,GAAW;AACnG,QAAM,EAAE,MAAM,KAAK,IAAI;AACvB,QAAM,QAAQ,KAAK,SAAS,QAAQ;AACpC,MAAI,MAAM;AAEV,MAAI,OAAO;AACX,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,EAAE,GAAG;AAEpC,aAAU,UAAU,IAAM,MAAO,KAAK,CAAC;AACvC,YAAQ;AAGR,WAAO,OAAO,SAAS,MAAM;AAC3B,cAAQ,SAAS;AACjB,aAAO,SAAS,MAAM,OAAQ,UAAU,IAAK;AAAA,IAC/C;AAAA,EACF;AAGA,MAAI,MAAM;AACR,WAAO,SAAS,MAAM,OAAQ,UAAW,SAAS,OAAO,IAAM;AAAA,EACjE;AAGA,MAAI,KAAK;AACP,WAAQ,IAAI,SAAS,SAAS,OAAQ,GAAG;AACvC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;ACnIA,IAAM,YAAoC;AAAA,EACxC,OAAO;AAAA,EACP,OAAO;AAAA,EACP,OAAO;AACT;AACA,IAAM,qBAAqB;AAE3B,IAAM,qBAA6C;AAAA,EACjD,OAAO;AAAA,EACP,OAAO;AAAA,EACP,OAAO;AACT;AAEO,IAAM,OAAO,OAAO,KAAK,SAAS;AAElC,SAAS,mBAAmB,eAA8C;AAC/E,QAAM,OAAO,UAAU,aAAa;AACpC,QAAM,OAAO,mBAAmB,aAAa;AAE7C,MAAI,CAAC,QAAQ,CAAC,MAAM;AAClB,UAAM,IAAI,MAAM,yBAAyB,aAAa,qBAAqB,KAAK,KAAK,GAAG,CAAC,GAAG;AAAA,EAC9F;AAEA,SAAO;AAAA,IACL,MAAM,EAAE,MAAM,UAAU,aAAa,EAAE;AAAA,IACvC,MAAM,mBAAmB,aAAa;AAAA,EACxC;AACF;;;AC3BA,4BAA+B;AAK/B,SAAS,YAAY,QAA6B;AAChD,QAAM,UAAU,OACb,QAAQ,uBAAuB,EAAE,EACjC,QAAQ,qBAAqB,EAAE,EAC/B,QAAQ,OAAO,EAAE;AAEpB,QAAM,cAAU,sCAAe,OAAO;AAEtC,QAAM,SAAS,IAAI,YAAY,QAAQ,MAAM;AAC7C,QAAM,UAAU,IAAI,WAAW,MAAM;AAErC,WAAS,IAAI,GAAG,SAAS,QAAQ,QAAQ,IAAI,QAAQ,KAAK;AACxD,YAAQ,CAAC,IAAI,QAAQ,WAAW,CAAC;AAAA,EACnC;AAEA,SAAO;AACT;AAEO,SAAS,UACd,KACA,WACA,UACoB;AACpB,MAAI,OAAO,QAAQ,UAAU;AAC3B,WAAO,QAAQ,OAAO,OAAO,UAAU,OAAO,KAAK,WAAW,OAAO,CAAC,QAAQ,CAAC;AAAA,EACjF;AAEA,QAAM,UAAU,YAAY,GAAG;AAC/B,QAAM,SAAS,aAAa,SAAS,UAAU;AAE/C,SAAO,QAAQ,OAAO,OAAO,UAAU,QAAQ,SAAS,WAAW,OAAO,CAAC,QAAQ,CAAC;AACtF;;;ACxBA,SAAS,cAAc,OAAwB;AAC7C,QAAM,cAAc,KAAK,UAAU,KAAK;AACxC,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,UAAU,QAAQ,OAAO,WAAW;AAC1C,SAAO,UAAU,UAAU,SAAS,EAAE,KAAK,MAAM,CAAC;AACpD;AAeA,eAAsB,QACpB,SACA,KACA,SACuC;AACvC,MAAI,CAAC,QAAQ,WAAW;AACtB,UAAM,IAAI,MAAM,wBAAwB;AAAA,EAC1C;AACA,QAAM,UAAU,IAAI,YAAY;AAEhC,QAAM,YAAY,mBAAmB,QAAQ,SAAS;AACtD,MAAI,CAAC,WAAW;AACd,WAAO;AAAA,MACL,QAAQ,CAAC,IAAI,aAAa,yBAAyB,QAAQ,SAAS,EAAE,CAAC;AAAA,IACzE;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,UAAU,KAAK,WAAW,MAAM;AACxD,QAAM,SAAS,QAAQ,UAAU,EAAE,KAAK,MAAM;AAE9C,SAAO,MAAM,QAAQ;AACrB,UAAQ,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAE1C,QAAM,gBAAgB,cAAc,MAAM;AAC1C,QAAM,iBAAiB,cAAc,OAAO;AAC5C,QAAM,YAAY,GAAG,aAAa,IAAI,cAAc;AAEpD,MAAI;AACF,UAAM,YAAY,MAAM,QAAQ,OAAO,OAAO,KAAK,WAAW,WAAW,QAAQ,OAAO,SAAS,CAAC;AAClG,UAAM,mBAAmB,GAAG,SAAS,IAAI,UAAU,UAAU,IAAI,WAAW,SAAS,GAAG,EAAE,KAAK,MAAM,CAAC,CAAC;AACvG,WAAO,EAAE,MAAM,iBAAiB;AAAA,EAClC,SAAS,OAAO;AACd,WAAO,EAAE,QAAQ,CAAC,IAAI,aAAc,OAAiB,OAAO,CAAC,EAAE;AAAA,EACjE;AACF;;;AC7DA,IAAM,gBAAgB,CAAC,MAA8B;AACnD,SAAO,MAAM,QAAQ,CAAC,KAAK,EAAE,SAAS,KAAK,EAAE,MAAM,OAAK,OAAO,MAAM,QAAQ;AAC/E;AAEO,IAAM,sBAAsB,CAAC,KAAe,aAAuB;AACxE,QAAM,eAAe,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,OAAK,CAAC,CAAC,CAAC;AACtD,QAAM,UAAU,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,OAAK,CAAC,CAAC,CAAC;AAC5C,QAAM,uBAAuB,aAAa,SAAS,KAAK,QAAQ,SAAS;AAEzE,MAAI,CAAC,sBAAsB;AASzB;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,QAAI,CAAC,aAAa,SAAS,GAAG,GAAG;AAC/B,YAAM,IAAI,uBAAuB;AAAA,QAC/B,QAAQ,6BAA6B;AAAA,QACrC,QAAQ,6BAA6B;AAAA,QACrC,SAAS,oCAAoC,KAAK,UAAU,GAAG,CAAC,yBAAyB,KAAK;AAAA,UAC5F;AAAA,QACF,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAAA,EACF,WAAW,cAAc,GAAG,GAAG;AAC7B,QAAI,CAAC,IAAI,KAAK,OAAK,aAAa,SAAS,CAAC,CAAC,GAAG;AAC5C,YAAM,IAAI,uBAAuB;AAAA,QAC/B,QAAQ,6BAA6B;AAAA,QACrC,QAAQ,6BAA6B;AAAA,QACrC,SAAS,0CAA0C,KAAK,UAAU,GAAG,CAAC,yBAAyB,KAAK;AAAA,UAClG;AAAA,QACF,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAEO,IAAM,mBAAmB,CAAC,QAAkB;AACjD,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,QAAQ,OAAO;AACjB,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,oBAAoB,KAAK,UAAU,GAAG,CAAC;AAAA,IAClD,CAAC;AAAA,EACH;AACF;AAEO,IAAM,wBAAwB,CAAC,QAAgB;AACpD,MAAI,CAAC,KAAK,SAAS,GAAG,GAAG;AACvB,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,yBAAyB,KAAK,UAAU,GAAG,CAAC,gBAAgB,IAAI;AAAA,IAC3E,CAAC;AAAA,EACH;AACF;AAEO,IAAM,iBAAiB,CAAC,QAAiB;AAC9C,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,kEAAkE,KAAK,UAAU,GAAG,CAAC;AAAA,IAChG,CAAC;AAAA,EACH;AACF;AAEO,IAAM,+BAA+B,CAAC,KAAc,sBAAiC;AAC1F,MAAI,CAAC,OAAO,CAAC,qBAAqB,kBAAkB,WAAW,GAAG;AAChE;AAAA,EACF;AAEA,MAAI,CAAC,kBAAkB,SAAS,GAAG,GAAG;AACpC,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,4CAA4C,KAAK,UAAU,GAAG,CAAC,eAAe,iBAAiB;AAAA,IAC1G,CAAC;AAAA,EACH;AACF;AAEO,IAAM,wBAAwB,CAAC,KAAa,kBAA0B;AAC3E,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,uCAAuC,KAAK,UAAU,GAAG,CAAC;AAAA,IACrE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,aAAa,oBAAI,KAAK,CAAC;AAC7B,aAAW,cAAc,GAAG;AAE5B,QAAM,UAAU,WAAW,QAAQ,KAAK,YAAY,QAAQ,IAAI;AAChE,MAAI,SAAS;AACX,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,gCAAgC,WAAW,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IAC/G,CAAC;AAAA,EACH;AACF;AAEO,IAAM,wBAAwB,CAAC,KAAyB,kBAA0B;AACvF,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,2CAA2C,KAAK,UAAU,GAAG,CAAC;AAAA,IACzE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,gBAAgB,oBAAI,KAAK,CAAC;AAChC,gBAAc,cAAc,GAAG;AAE/B,QAAM,QAAQ,cAAc,QAAQ,IAAI,YAAY,QAAQ,IAAI;AAChE,MAAI,OAAO;AACT,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,6EAA6E,cAAc,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IAC/J,CAAC;AAAA,EACH;AACF;AAEO,IAAM,sBAAsB,CAAC,KAAyB,kBAA0B;AACrF,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,0CAA0C,KAAK,UAAU,GAAG,CAAC;AAAA,IACxE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,eAAe,oBAAI,KAAK,CAAC;AAC/B,eAAa,cAAc,GAAG;AAE9B,QAAM,aAAa,aAAa,QAAQ,IAAI,YAAY,QAAQ,IAAI;AACpE,MAAI,YAAY;AACd,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,oEAAoE,aAAa,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IACrJ,CAAC;AAAA,EACH;AACF;;;ACrJA,IAAM,2BAA2B,IAAI;AAErC,eAAsB,kBAAkB,KAAU,KAAkE;AAClH,QAAM,EAAE,QAAQ,WAAW,IAAI,IAAI;AACnC,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,OAAO,QAAQ,OAAO,CAAC,IAAI,QAAQ,IAAI,OAAO,EAAE,KAAK,GAAG,CAAC;AAC/D,QAAM,YAAY,mBAAmB,OAAO,GAAG;AAE/C,MAAI;AACF,UAAM,YAAY,MAAM,UAAU,KAAK,WAAW,QAAQ;AAE1D,UAAM,WAAW,MAAM,QAAQ,OAAO,OAAO,OAAO,UAAU,MAAM,WAAW,WAAW,IAAI;AAC9F,WAAO,EAAE,MAAM,SAAS;AAAA,EAC1B,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAU,OAAiB;AAAA,QAC7B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,UAAU,OAA2D;AACnF,QAAM,cAAc,SAAS,IAAI,SAAS,EAAE,MAAM,GAAG;AACrD,MAAI,WAAW,WAAW,GAAG;AAC3B,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,QAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAE9C,QAAM,UAAU,IAAI,YAAY;AAiBhC,QAAM,SAAS,KAAK,MAAM,QAAQ,OAAO,UAAU,MAAM,WAAW,EAAE,OAAO,KAAK,CAAC,CAAC,CAAC;AACrF,QAAM,UAAU,KAAK,MAAM,QAAQ,OAAO,UAAU,MAAM,YAAY,EAAE,OAAO,KAAK,CAAC,CAAC,CAAC;AAEvF,QAAM,YAAY,UAAU,MAAM,cAAc,EAAE,OAAO,KAAK,CAAC;AAE/D,QAAM,OAAO;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA,KAAK;AAAA,MACH,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAAA,EACF;AAEA,SAAO,EAAE,KAAK;AAChB;AA6BA,eAAsB,UACpB,OACA,SAC4D;AAC5D,QAAM,EAAE,UAAU,mBAAmB,eAAe,IAAI,IAAI;AAC5D,QAAM,YAAY,iBAAiB;AAEnC,QAAM,EAAE,MAAM,SAAS,OAAO,IAAI,UAAU,KAAK;AACjD,MAAI,QAAQ;AACV,WAAO,EAAE,OAAO;AAAA,EAClB;AAEA,QAAM,EAAE,QAAQ,QAAQ,IAAI;AAC5B,MAAI;AAEF,UAAM,EAAE,KAAK,IAAI,IAAI;AAErB,qBAAiB,GAAG;AACpB,0BAAsB,GAAG;AAGzB,UAAM,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,IAAI,IAAI;AAEzC,mBAAe,GAAG;AAClB,wBAAoB,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC;AACrC,iCAA6B,KAAK,iBAAiB;AACnD,0BAAsB,KAAK,SAAS;AACpC,0BAAsB,KAAK,SAAS;AACpC,wBAAoB,KAAK,SAAS;AAAA,EACpC,SAAS,KAAK;AACZ,WAAO,EAAE,QAAQ,CAAC,GAA6B,EAAE;AAAA,EACnD;AAEA,QAAM,EAAE,MAAM,gBAAgB,QAAQ,gBAAgB,IAAI,MAAM,kBAAkB,SAAS,GAAG;AAC9F,MAAI,iBAAiB;AACnB,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,QAAQ,6BAA6B;AAAA,UACrC,SAAS,kCAAkC,gBAAgB,CAAC,CAAC;AAAA,QAC/D,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO,EAAE,MAAM,QAAQ;AACzB;;;AT3KO,IAAMC,aAAY,iBAAiB,SAAU;AAC7C,IAAMC,aAAY,qBAAqB,SAAU;AAEjD,IAAMC,WAAU,iBAAiB,OAAQ;AACzC,IAAMC,qBAAoB,iBAAiB,iBAAkB;","names":["decodeJwt","hasValidSignature","signJwt","verifyJwt","crypto","verifyJwt","decodeJwt","signJwt","hasValidSignature"]}
+{"version":3,"sources":["../../src/jwt/index.ts","../../src/jwt/legacyReturn.ts","../../src/errors.ts","../../src/runtime.ts","../../src/util/rfc4648.ts","../../src/jwt/algorithms.ts","../../src/jwt/cryptoKeys.ts","../../src/jwt/signJwt.ts","../../src/jwt/assertions.ts","../../src/jwt/verifyJwt.ts"],"sourcesContent":["import { withLegacyReturn, withLegacySyncReturn } from './legacyReturn';\nimport { signJwt as _signJwt } from './signJwt';\nimport { decodeJwt as _decodeJwt, hasValidSignature as _hasValidSignature, verifyJwt as _verifyJwt } from './verifyJwt';\n\nexport type { VerifyJwtOptions } from './verifyJwt';\nexport type { SignJwtOptions } from './signJwt';\n\n// Introduce compatibility layer to avoid more breaking changes\n// TODO(dimkl): This (probably be drop in the next major version)\n\nexport const verifyJwt = withLegacyReturn(_verifyJwt);\nexport const decodeJwt = withLegacySyncReturn(_decodeJwt);\n\nexport const signJwt = withLegacyReturn(_signJwt);\nexport const hasValidSignature = withLegacyReturn(_hasValidSignature);\n","import type { JwtReturnType } from './types';\n\n// TODO(dimkl): Will be probably be dropped in next major version\nexport function withLegacyReturn<T extends (...args: any[]) => Promise<JwtReturnType<any, any>>>(cb: T) {\n  return async (...args: Parameters<T>): Promise<NonNullable<Awaited<ReturnType<T>>['data']>> | never => {\n    const { data, errors } = await cb(...args);\n    if (errors) {\n      throw errors[0];\n    }\n    return data;\n  };\n}\n\n// TODO(dimkl): Will be probably be dropped in next major version\nexport function withLegacySyncReturn<T extends (...args: any[]) => JwtReturnType<any, any>>(cb: T) {\n  return (...args: Parameters<T>): NonNullable<Awaited<ReturnType<T>>['data']> | never => {\n    const { data, errors } = cb(...args);\n    if (errors) {\n      throw errors[0];\n    }\n    return data;\n  };\n}\n","export type TokenCarrier = 'header' | 'cookie';\n\nexport const TokenVerificationErrorCode = {\n  InvalidSecretKey: 'clerk_key_invalid',\n};\n\nexport type TokenVerificationErrorCode = (typeof TokenVerificationErrorCode)[keyof typeof TokenVerificationErrorCode];\n\nexport const TokenVerificationErrorReason = {\n  TokenExpired: 'token-expired',\n  TokenInvalid: 'token-invalid',\n  TokenInvalidAlgorithm: 'token-invalid-algorithm',\n  TokenInvalidAuthorizedParties: 'token-invalid-authorized-parties',\n  TokenInvalidSignature: 'token-invalid-signature',\n  TokenNotActiveYet: 'token-not-active-yet',\n  TokenIatInTheFuture: 'token-iat-in-the-future',\n  TokenVerificationFailed: 'token-verification-failed',\n  InvalidSecretKey: 'secret-key-invalid',\n  LocalJWKMissing: 'jwk-local-missing',\n  RemoteJWKFailedToLoad: 'jwk-remote-failed-to-load',\n  RemoteJWKInvalid: 'jwk-remote-invalid',\n  RemoteJWKMissing: 'jwk-remote-missing',\n  JWKFailedToResolve: 'jwk-failed-to-resolve',\n  JWKKidMismatch: 'jwk-kid-mismatch',\n};\n\nexport type TokenVerificationErrorReason =\n  (typeof TokenVerificationErrorReason)[keyof typeof TokenVerificationErrorReason];\n\nexport const TokenVerificationErrorAction = {\n  ContactSupport: 'Contact support@clerk.com',\n  EnsureClerkJWT: 'Make sure that this is a valid Clerk-generated JWT.',\n  SetClerkJWTKey: 'Set the CLERK_JWT_KEY environment variable.',\n  SetClerkSecretKey: 'Set the CLERK_SECRET_KEY environment variable.',\n  EnsureClockSync: 'Make sure your system clock is in sync (e.g. turn off and on automatic time synchronization).',\n};\n\nexport type TokenVerificationErrorAction =\n  (typeof TokenVerificationErrorAction)[keyof typeof TokenVerificationErrorAction];\n\nexport class TokenVerificationError extends Error {\n  action?: TokenVerificationErrorAction;\n  reason: TokenVerificationErrorReason;\n  tokenCarrier?: TokenCarrier;\n\n  constructor({\n    action,\n    message,\n    reason,\n  }: {\n    action?: TokenVerificationErrorAction;\n    message: string;\n    reason: TokenVerificationErrorReason;\n  }) {\n    super(message);\n\n    Object.setPrototypeOf(this, TokenVerificationError.prototype);\n\n    this.reason = reason;\n    this.message = message;\n    this.action = action;\n  }\n\n  public getFullMessage() {\n    return `${[this.message, this.action].filter(m => m).join(' ')} (reason=${this.reason}, token-carrier=${\n      this.tokenCarrier\n    })`;\n  }\n}\n\nexport class SignJWTError extends Error {}\n\nexport const MachineTokenVerificationErrorCode = {\n  TokenInvalid: 'token-invalid',\n  InvalidSecretKey: 'secret-key-invalid',\n  UnexpectedError: 'unexpected-error',\n  TokenVerificationFailed: 'token-verification-failed',\n} as const;\n\nexport type MachineTokenVerificationErrorCode =\n  (typeof MachineTokenVerificationErrorCode)[keyof typeof MachineTokenVerificationErrorCode];\n\nexport class MachineTokenVerificationError extends Error {\n  code: MachineTokenVerificationErrorCode;\n  long_message?: string;\n  status?: number;\n  action?: TokenVerificationErrorAction;\n\n  constructor({\n    message,\n    code,\n    status,\n    action,\n  }: {\n    message: string;\n    code: MachineTokenVerificationErrorCode;\n    status?: number;\n    action?: TokenVerificationErrorAction;\n  }) {\n    super(message);\n    Object.setPrototypeOf(this, MachineTokenVerificationError.prototype);\n\n    this.code = code;\n    this.status = status;\n    this.action = action;\n  }\n\n  public getFullMessage() {\n    return `${this.message} (code=${this.code}, status=${this.status || 'n/a'})`;\n  }\n}\n","/**\n * This file exports APIs that vary across runtimes (i.e. Node & Browser - V8 isolates)\n * as a singleton object.\n *\n * Runtime polyfills are written in VanillaJS for now to avoid TS complication. Moreover,\n * due to this issue https://github.com/microsoft/TypeScript/issues/44848, there is not a good way\n * to tell Typescript which conditional import to use during build type.\n *\n * The Runtime type definition ensures type safety for now.\n * Runtime js modules are copied into dist folder with bash script.\n *\n * TODO: Support TS runtime modules\n */\n\n// @ts-ignore - These are package subpaths\nimport { webcrypto as crypto } from '#crypto';\n\ntype Runtime = {\n  crypto: Crypto;\n  fetch: typeof globalThis.fetch;\n  AbortController: typeof globalThis.AbortController;\n  Blob: typeof globalThis.Blob;\n  FormData: typeof globalThis.FormData;\n  Headers: typeof globalThis.Headers;\n  Request: typeof globalThis.Request;\n  Response: typeof globalThis.Response;\n};\n\n// Invoking the global.fetch without binding it first to the globalObject fails in\n// Cloudflare Workers with an \"Illegal Invocation\" error.\n//\n// The globalThis object is supported for Node >= 12.0.\n//\n// https://github.com/supabase/supabase/issues/4417\nconst globalFetch = fetch.bind(globalThis);\n\nexport const runtime: Runtime = {\n  crypto,\n  get fetch() {\n    // We need to use the globalFetch for Cloudflare Workers but the fetch for testing\n    return process.env.NODE_ENV === 'test' ? fetch : globalFetch;\n  },\n  AbortController: globalThis.AbortController,\n  Blob: globalThis.Blob,\n  FormData: globalThis.FormData,\n  Headers: globalThis.Headers,\n  Request: globalThis.Request,\n  Response: globalThis.Response,\n};\n","/**\n * The base64url helper was extracted from the rfc4648 package\n * in order to resolve CSJ/ESM interoperability issues\n *\n * https://github.com/swansontec/rfc4648.js\n *\n * For more context please refer to:\n * - https://github.com/evanw/esbuild/issues/1719\n * - https://github.com/evanw/esbuild/issues/532\n * - https://github.com/swansontec/rollup-plugin-mjs-entry\n */\nexport const base64url = {\n  parse(string: string, opts?: ParseOptions): Uint8Array {\n    return parse(string, base64UrlEncoding, opts);\n  },\n\n  stringify(data: ArrayLike<number>, opts?: StringifyOptions): string {\n    return stringify(data, base64UrlEncoding, opts);\n  },\n};\n\nconst base64UrlEncoding: Encoding = {\n  chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_',\n  bits: 6,\n};\n\ninterface Encoding {\n  bits: number;\n  chars: string;\n  codes?: { [char: string]: number };\n}\n\ninterface ParseOptions {\n  loose?: boolean;\n  out?: new (size: number) => { [index: number]: number };\n}\n\ninterface StringifyOptions {\n  pad?: boolean;\n}\n\nfunction parse(string: string, encoding: Encoding, opts: ParseOptions = {}): Uint8Array {\n  // Build the character lookup table:\n  if (!encoding.codes) {\n    encoding.codes = {};\n    for (let i = 0; i < encoding.chars.length; ++i) {\n      encoding.codes[encoding.chars[i]] = i;\n    }\n  }\n\n  // The string must have a whole number of bytes:\n  if (!opts.loose && (string.length * encoding.bits) & 7) {\n    throw new SyntaxError('Invalid padding');\n  }\n\n  // Count the padding bytes:\n  let end = string.length;\n  while (string[end - 1] === '=') {\n    --end;\n\n    // If we get a whole number of bytes, there is too much padding:\n    if (!opts.loose && !(((string.length - end) * encoding.bits) & 7)) {\n      throw new SyntaxError('Invalid padding');\n    }\n  }\n\n  // Allocate the output:\n  const out = new (opts.out ?? Uint8Array)(((end * encoding.bits) / 8) | 0) as Uint8Array;\n\n  // Parse the data:\n  let bits = 0; // Number of bits currently in the buffer\n  let buffer = 0; // Bits waiting to be written out, MSB first\n  let written = 0; // Next byte to write\n  for (let i = 0; i < end; ++i) {\n    // Read one character from the string:\n    const value = encoding.codes[string[i]];\n    if (value === undefined) {\n      throw new SyntaxError('Invalid character ' + string[i]);\n    }\n\n    // Append the bits to the buffer:\n    buffer = (buffer << encoding.bits) | value;\n    bits += encoding.bits;\n\n    // Write out some bits if the buffer has a byte's worth:\n    if (bits >= 8) {\n      bits -= 8;\n      out[written++] = 0xff & (buffer >> bits);\n    }\n  }\n\n  // Verify that we have received just enough bits:\n  if (bits >= encoding.bits || 0xff & (buffer << (8 - bits))) {\n    throw new SyntaxError('Unexpected end of data');\n  }\n\n  return out;\n}\n\nfunction stringify(data: ArrayLike<number>, encoding: Encoding, opts: StringifyOptions = {}): string {\n  const { pad = true } = opts;\n  const mask = (1 << encoding.bits) - 1;\n  let out = '';\n\n  let bits = 0; // Number of bits currently in the buffer\n  let buffer = 0; // Bits waiting to be written out, MSB first\n  for (let i = 0; i < data.length; ++i) {\n    // Slurp data into the buffer:\n    buffer = (buffer << 8) | (0xff & data[i]);\n    bits += 8;\n\n    // Write out as much as we can:\n    while (bits > encoding.bits) {\n      bits -= encoding.bits;\n      out += encoding.chars[mask & (buffer >> bits)];\n    }\n  }\n\n  // Partial character:\n  if (bits) {\n    out += encoding.chars[mask & (buffer << (encoding.bits - bits))];\n  }\n\n  // Add padding characters until we hit a byte boundary:\n  if (pad) {\n    while ((out.length * encoding.bits) & 7) {\n      out += '=';\n    }\n  }\n\n  return out;\n}\n","const algToHash: Record<string, string> = {\n  RS256: 'SHA-256',\n  RS384: 'SHA-384',\n  RS512: 'SHA-512',\n};\nconst RSA_ALGORITHM_NAME = 'RSASSA-PKCS1-v1_5';\n\nconst jwksAlgToCryptoAlg: Record<string, string> = {\n  RS256: RSA_ALGORITHM_NAME,\n  RS384: RSA_ALGORITHM_NAME,\n  RS512: RSA_ALGORITHM_NAME,\n};\n\nexport const algs = Object.keys(algToHash);\n\nexport function getCryptoAlgorithm(algorithmName: string): RsaHashedImportParams {\n  const hash = algToHash[algorithmName];\n  const name = jwksAlgToCryptoAlg[algorithmName];\n\n  if (!hash || !name) {\n    throw new Error(`Unsupported algorithm ${algorithmName}, expected one of ${algs.join(',')}.`);\n  }\n\n  return {\n    hash: { name: algToHash[algorithmName] },\n    name: jwksAlgToCryptoAlg[algorithmName],\n  };\n}\n","import { isomorphicAtob } from '@clerk/shared/isomorphicAtob';\n\nimport { runtime } from '../runtime';\n\n// https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#pkcs_8_import\nfunction pemToBuffer(secret: string): ArrayBuffer {\n  const trimmed = secret\n    .replace(/-----BEGIN.*?-----/g, '')\n    .replace(/-----END.*?-----/g, '')\n    .replace(/\\s/g, '');\n\n  const decoded = isomorphicAtob(trimmed);\n\n  const buffer = new ArrayBuffer(decoded.length);\n  const bufView = new Uint8Array(buffer);\n\n  for (let i = 0, strLen = decoded.length; i < strLen; i++) {\n    bufView[i] = decoded.charCodeAt(i);\n  }\n\n  return bufView;\n}\n\nexport function importKey(\n  key: JsonWebKey | string,\n  algorithm: RsaHashedImportParams,\n  keyUsage: 'verify' | 'sign',\n): Promise<CryptoKey> {\n  if (typeof key === 'object') {\n    return runtime.crypto.subtle.importKey('jwk', key, algorithm, false, [keyUsage]);\n  }\n\n  const keyData = pemToBuffer(key);\n  const format = keyUsage === 'sign' ? 'pkcs8' : 'spki';\n\n  return runtime.crypto.subtle.importKey(format, keyData, algorithm, false, [keyUsage]);\n}\n","import { SignJWTError } from '../errors';\nimport { runtime } from '../runtime';\nimport { base64url } from '../util/rfc4648';\nimport { getCryptoAlgorithm } from './algorithms';\nimport { importKey } from './cryptoKeys';\nimport type { JwtReturnType } from './types';\n\nexport interface SignJwtOptions {\n  algorithm?: string;\n  header?: Record<string, unknown>;\n}\n\nfunction encodeJwtData(value: unknown): string {\n  const stringified = JSON.stringify(value);\n  const encoder = new TextEncoder();\n  const encoded = encoder.encode(stringified);\n  return base64url.stringify(encoded, { pad: false });\n}\n\n/**\n * Signs a JSON Web Token (JWT) with the given payload, key, and options.\n * This function is intended to be used *internally* by other Clerk packages and typically\n * should not be used directly.\n *\n * @internal\n * @param payload The payload to include in the JWT.\n * @param key The key to use for signing the JWT. Can be a string or a JsonWebKey.\n * @param options The options to use for signing the JWT.\n * @returns A Promise that resolves to the signed JWT string.\n * @throws An error if no algorithm is specified or if the specified algorithm is unsupported.\n * @throws An error if there is an issue with importing the key or signing the JWT.\n */\nexport async function signJwt(\n  payload: Record<string, unknown>,\n  key: string | JsonWebKey,\n  options: SignJwtOptions,\n): Promise<JwtReturnType<string, Error>> {\n  if (!options.algorithm) {\n    throw new Error('No algorithm specified');\n  }\n  const encoder = new TextEncoder();\n\n  const algorithm = getCryptoAlgorithm(options.algorithm);\n  if (!algorithm) {\n    return {\n      errors: [new SignJWTError(`Unsupported algorithm ${options.algorithm}`)],\n    };\n  }\n\n  const cryptoKey = await importKey(key, algorithm, 'sign');\n  const header = options.header || { typ: 'JWT' };\n\n  header.alg = options.algorithm;\n  payload.iat = Math.floor(Date.now() / 1000);\n\n  const encodedHeader = encodeJwtData(header);\n  const encodedPayload = encodeJwtData(payload);\n  const firstPart = `${encodedHeader}.${encodedPayload}`;\n\n  try {\n    const signature = await runtime.crypto.subtle.sign(algorithm, cryptoKey, encoder.encode(firstPart));\n    const encodedSignature = `${firstPart}.${base64url.stringify(new Uint8Array(signature), { pad: false })}`;\n    return { data: encodedSignature };\n  } catch (error) {\n    return { errors: [new SignJWTError((error as Error)?.message)] };\n  }\n}\n","import { TokenVerificationError, TokenVerificationErrorAction, TokenVerificationErrorReason } from '../errors';\nimport { algs } from './algorithms';\n\nexport type IssuerResolver = string | ((iss: string) => boolean);\n\nconst isArrayString = (s: unknown): s is string[] => {\n  return Array.isArray(s) && s.length > 0 && s.every(a => typeof a === 'string');\n};\n\nexport const assertAudienceClaim = (aud?: unknown, audience?: unknown) => {\n  const audienceList = [audience].flat().filter(a => !!a);\n  const audList = [aud].flat().filter(a => !!a);\n  const shouldVerifyAudience = audienceList.length > 0 && audList.length > 0;\n\n  if (!shouldVerifyAudience) {\n    // Notice: Clerk JWTs use AZP claim instead of Audience\n    //\n    // return {\n    //   valid: false,\n    //   reason: `Invalid JWT audience claim (aud) ${JSON.stringify(\n    //     aud,\n    //   )}. Expected a string or a non-empty array of strings.`,\n    // };\n    return;\n  }\n\n  if (typeof aud === 'string') {\n    if (!audienceList.includes(aud)) {\n      throw new TokenVerificationError({\n        action: TokenVerificationErrorAction.EnsureClerkJWT,\n        reason: TokenVerificationErrorReason.TokenVerificationFailed,\n        message: `Invalid JWT audience claim (aud) ${JSON.stringify(aud)}. Is not included in \"${JSON.stringify(\n          audienceList,\n        )}\".`,\n      });\n    }\n  } else if (isArrayString(aud)) {\n    if (!aud.some(a => audienceList.includes(a))) {\n      throw new TokenVerificationError({\n        action: TokenVerificationErrorAction.EnsureClerkJWT,\n        reason: TokenVerificationErrorReason.TokenVerificationFailed,\n        message: `Invalid JWT audience claim array (aud) ${JSON.stringify(aud)}. Is not included in \"${JSON.stringify(\n          audienceList,\n        )}\".`,\n      });\n    }\n  }\n};\n\nexport const assertHeaderType = (typ?: unknown, allowedTypes: string | string[] = 'JWT') => {\n  if (typeof typ === 'undefined') {\n    return;\n  }\n\n  const allowed = Array.isArray(allowedTypes) ? allowedTypes : [allowedTypes];\n  if (!allowed.includes(typ as string)) {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenInvalid,\n      message: `Invalid JWT type ${JSON.stringify(typ)}. Expected \"${allowed.join(', ')}\".`,\n    });\n  }\n};\n\nexport const assertHeaderAlgorithm = (alg: string) => {\n  if (!algs.includes(alg)) {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenInvalidAlgorithm,\n      message: `Invalid JWT algorithm ${JSON.stringify(alg)}. Supported: ${algs}.`,\n    });\n  }\n};\n\nexport const assertSubClaim = (sub?: string) => {\n  if (typeof sub !== 'string') {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`,\n    });\n  }\n};\n\nexport const assertAuthorizedPartiesClaim = (azp?: string, authorizedParties?: string[]) => {\n  if (!azp || !authorizedParties || authorizedParties.length === 0) {\n    return;\n  }\n\n  if (!authorizedParties.includes(azp)) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenInvalidAuthorizedParties,\n      message: `Invalid JWT Authorized party claim (azp) ${JSON.stringify(azp)}. Expected \"${authorizedParties}\".`,\n    });\n  }\n};\n\nexport const assertExpirationClaim = (exp: number, clockSkewInMs: number) => {\n  if (typeof exp !== 'number') {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Invalid JWT expiry date claim (exp) ${JSON.stringify(exp)}. Expected number.`,\n    });\n  }\n\n  const currentDate = new Date(Date.now());\n  const expiryDate = new Date(0);\n  expiryDate.setUTCSeconds(exp);\n\n  const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;\n  if (expired) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenExpired,\n      message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`,\n    });\n  }\n};\n\nexport const assertActivationClaim = (nbf: number | undefined, clockSkewInMs: number) => {\n  if (typeof nbf === 'undefined') {\n    return;\n  }\n\n  if (typeof nbf !== 'number') {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Invalid JWT not before date claim (nbf) ${JSON.stringify(nbf)}. Expected number.`,\n    });\n  }\n\n  const currentDate = new Date(Date.now());\n  const notBeforeDate = new Date(0);\n  notBeforeDate.setUTCSeconds(nbf);\n\n  const early = notBeforeDate.getTime() > currentDate.getTime() + clockSkewInMs;\n  if (early) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenNotActiveYet,\n      message: `JWT cannot be used prior to not before date claim (nbf). Not before date: ${notBeforeDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`,\n    });\n  }\n};\n\nexport const assertIssuedAtClaim = (iat: number | undefined, clockSkewInMs: number) => {\n  if (typeof iat === 'undefined') {\n    return;\n  }\n\n  if (typeof iat !== 'number') {\n    throw new TokenVerificationError({\n      action: TokenVerificationErrorAction.EnsureClerkJWT,\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected number.`,\n    });\n  }\n\n  const currentDate = new Date(Date.now());\n  const issuedAtDate = new Date(0);\n  issuedAtDate.setUTCSeconds(iat);\n\n  const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;\n  if (postIssued) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenIatInTheFuture,\n      message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`,\n    });\n  }\n};\n","import type { Jwt, JwtPayload } from '@clerk/shared/types';\n\nimport { TokenVerificationError, TokenVerificationErrorAction, TokenVerificationErrorReason } from '../errors';\nimport { runtime } from '../runtime';\nimport { base64url } from '../util/rfc4648';\nimport { getCryptoAlgorithm } from './algorithms';\nimport {\n  assertActivationClaim,\n  assertAudienceClaim,\n  assertAuthorizedPartiesClaim,\n  assertExpirationClaim,\n  assertHeaderAlgorithm,\n  assertHeaderType,\n  assertIssuedAtClaim,\n  assertSubClaim,\n} from './assertions';\nimport { importKey } from './cryptoKeys';\nimport type { JwtReturnType } from './types';\n\nconst DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1000;\n\nexport async function hasValidSignature(jwt: Jwt, key: JsonWebKey | string): Promise<JwtReturnType<boolean, Error>> {\n  const { header, signature, raw } = jwt;\n  const encoder = new TextEncoder();\n  const data = encoder.encode([raw.header, raw.payload].join('.'));\n  const algorithm = getCryptoAlgorithm(header.alg);\n\n  try {\n    const cryptoKey = await importKey(key, algorithm, 'verify');\n\n    const verified = await runtime.crypto.subtle.verify(algorithm.name, cryptoKey, signature, data);\n    return { data: verified };\n  } catch (error) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          reason: TokenVerificationErrorReason.TokenInvalidSignature,\n          message: (error as Error)?.message,\n        }),\n      ],\n    };\n  }\n}\n\nexport function decodeJwt(token: string): JwtReturnType<Jwt, TokenVerificationError> {\n  const tokenParts = (token || '').toString().split('.');\n  if (tokenParts.length !== 3) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          reason: TokenVerificationErrorReason.TokenInvalid,\n          message: `Invalid JWT form. A JWT consists of three parts separated by dots.`,\n        }),\n      ],\n    };\n  }\n\n  const [rawHeader, rawPayload, rawSignature] = tokenParts;\n\n  const decoder = new TextDecoder();\n\n  // To verify a JWS with SubtleCrypto you need to be careful to encode and decode\n  // the data properly between binary and base64url representation. Unfortunately\n  // the standard implementation in the V8 of btoa() and atob() are difficult to\n  // work with as they use \"a Unicode string containing only characters in the\n  // range U+0000 to U+00FF, each representing a binary byte with values 0x00 to\n  // 0xFF respectively\" as the representation of binary data.\n\n  // A better solution to represent binary data in Javascript is to use ES6 TypedArray\n  // and use a Javascript library to convert them to base64url that honors RFC 4648.\n\n  // Side note: The difference between base64 and base64url is the characters selected\n  // for value 62 and 63 in the standard, base64 encode them to + and / while base64url\n  // encode - and _.\n\n  // More info at https://stackoverflow.com/questions/54062583/how-to-verify-a-signed-jwt-with-subtlecrypto-of-the-web-crypto-API\n  const header = JSON.parse(decoder.decode(base64url.parse(rawHeader, { loose: true })));\n  const payload = JSON.parse(decoder.decode(base64url.parse(rawPayload, { loose: true })));\n\n  const signature = base64url.parse(rawSignature, { loose: true });\n\n  const data = {\n    header,\n    payload,\n    signature,\n    raw: {\n      header: rawHeader,\n      payload: rawPayload,\n      signature: rawSignature,\n      text: token,\n    },\n  } satisfies Jwt;\n\n  return { data };\n}\n\n/**\n * @inline\n */\nexport type VerifyJwtOptions = {\n  /**\n   * A string or list of [audiences](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). If passed, it is checked against the `aud` claim in the token.\n   */\n  audience?: string | string[];\n  /**\n   * An allowlist of origins to verify against, to protect your application from the subdomain cookie leaking attack.\n   * @example\n   * ```ts\n   * ['http://localhost:3000', 'https://example.com']\n   * ```\n   */\n  authorizedParties?: string[];\n  /**\n   * Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token.\n   * @default 5000\n   */\n  clockSkewInMs?: number;\n  /**\n   * @internal\n   */\n  key: JsonWebKey | string;\n  /**\n   * A string or list of allowed [header types](https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9).\n   * @default 'JWT'\n   */\n  headerType?: string | string[];\n};\n\nexport async function verifyJwt(\n  token: string,\n  options: VerifyJwtOptions,\n): Promise<JwtReturnType<JwtPayload, TokenVerificationError>> {\n  const { audience, authorizedParties, clockSkewInMs, key, headerType } = options;\n  const clockSkew = clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;\n\n  const { data: decoded, errors } = decodeJwt(token);\n  if (errors) {\n    return { errors };\n  }\n\n  const { header, payload } = decoded;\n  try {\n    // Header verifications\n    const { typ, alg } = header;\n\n    assertHeaderType(typ, headerType);\n    assertHeaderAlgorithm(alg);\n\n    // Payload verifications\n    const { azp, sub, aud, iat, exp, nbf } = payload;\n\n    assertSubClaim(sub);\n    assertAudienceClaim([aud], [audience]);\n    assertAuthorizedPartiesClaim(azp, authorizedParties);\n    assertExpirationClaim(exp, clockSkew);\n    assertActivationClaim(nbf, clockSkew);\n    assertIssuedAtClaim(iat, clockSkew);\n  } catch (err) {\n    return { errors: [err as TokenVerificationError] };\n  }\n\n  const { data: signatureValid, errors: signatureErrors } = await hasValidSignature(decoded, key);\n  if (signatureErrors) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          action: TokenVerificationErrorAction.EnsureClerkJWT,\n          reason: TokenVerificationErrorReason.TokenVerificationFailed,\n          message: `Error verifying JWT signature. ${signatureErrors[0]}`,\n        }),\n      ],\n    };\n  }\n\n  if (!signatureValid) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          reason: TokenVerificationErrorReason.TokenInvalidSignature,\n          message: 'JWT signature is invalid.',\n        }),\n      ],\n    };\n  }\n\n  return { data: payload };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA,mBAAAA;AAAA,EAAA,yBAAAC;AAAA,EAAA,eAAAC;AAAA,EAAA,iBAAAC;AAAA;AAAA;;;ACGO,SAAS,iBAAiF,IAAO;AACtG,SAAO,UAAU,SAAsF;AACrG,UAAM,EAAE,MAAM,OAAO,IAAI,MAAM,GAAG,GAAG,IAAI;AACzC,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AACA,WAAO;AAAA,EACT;AACF;AAGO,SAAS,qBAA4E,IAAO;AACjG,SAAO,IAAI,SAA6E;AACtF,UAAM,EAAE,MAAM,OAAO,IAAI,GAAG,GAAG,IAAI;AACnC,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AACA,WAAO;AAAA,EACT;AACF;;;ACdO,IAAM,+BAA+B;AAAA,EAC1C,cAAc;AAAA,EACd,cAAc;AAAA,EACd,uBAAuB;AAAA,EACvB,+BAA+B;AAAA,EAC/B,uBAAuB;AAAA,EACvB,mBAAmB;AAAA,EACnB,qBAAqB;AAAA,EACrB,yBAAyB;AAAA,EACzB,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,uBAAuB;AAAA,EACvB,kBAAkB;AAAA,EAClB,kBAAkB;AAAA,EAClB,oBAAoB;AAAA,EACpB,gBAAgB;AAClB;AAKO,IAAM,+BAA+B;AAAA,EAC1C,gBAAgB;AAAA,EAChB,gBAAgB;AAAA,EAChB,gBAAgB;AAAA,EAChB,mBAAmB;AAAA,EACnB,iBAAiB;AACnB;AAKO,IAAM,yBAAN,MAAM,gCAA+B,MAAM;AAAA,EAKhD,YAAY;AAAA,IACV;AAAA,IACA;AAAA,IACA;AAAA,EACF,GAIG;AACD,UAAM,OAAO;AAEb,WAAO,eAAe,MAAM,wBAAuB,SAAS;AAE5D,SAAK,SAAS;AACd,SAAK,UAAU;AACf,SAAK,SAAS;AAAA,EAChB;AAAA,EAEO,iBAAiB;AACtB,WAAO,GAAG,CAAC,KAAK,SAAS,KAAK,MAAM,EAAE,OAAO,OAAK,CAAC,EAAE,KAAK,GAAG,CAAC,YAAY,KAAK,MAAM,mBACnF,KAAK,YACP;AAAA,EACF;AACF;AAEO,IAAM,eAAN,cAA2B,MAAM;AAAC;;;ACvDzC,oBAAoC;AAmBpC,IAAM,cAAc,MAAM,KAAK,UAAU;AAElC,IAAM,UAAmB;AAAA,EAC9B,sBAAAC;AAAA,EACA,IAAI,QAAQ;AAEV,WAAO,QAAQ,IAAI,aAAa,SAAS,QAAQ;AAAA,EACnD;AAAA,EACA,iBAAiB,WAAW;AAAA,EAC5B,MAAM,WAAW;AAAA,EACjB,UAAU,WAAW;AAAA,EACrB,SAAS,WAAW;AAAA,EACpB,SAAS,WAAW;AAAA,EACpB,UAAU,WAAW;AACvB;;;ACrCO,IAAM,YAAY;AAAA,EACvB,MAAM,QAAgB,MAAiC;AACrD,WAAO,MAAM,QAAQ,mBAAmB,IAAI;AAAA,EAC9C;AAAA,EAEA,UAAU,MAAyB,MAAiC;AAClE,WAAO,UAAU,MAAM,mBAAmB,IAAI;AAAA,EAChD;AACF;AAEA,IAAM,oBAA8B;AAAA,EAClC,OAAO;AAAA,EACP,MAAM;AACR;AAiBA,SAAS,MAAM,QAAgB,UAAoB,OAAqB,CAAC,GAAe;AAEtF,MAAI,CAAC,SAAS,OAAO;AACnB,aAAS,QAAQ,CAAC;AAClB,aAAS,IAAI,GAAG,IAAI,SAAS,MAAM,QAAQ,EAAE,GAAG;AAC9C,eAAS,MAAM,SAAS,MAAM,CAAC,CAAC,IAAI;AAAA,IACtC;AAAA,EACF;AAGA,MAAI,CAAC,KAAK,SAAU,OAAO,SAAS,SAAS,OAAQ,GAAG;AACtD,UAAM,IAAI,YAAY,iBAAiB;AAAA,EACzC;AAGA,MAAI,MAAM,OAAO;AACjB,SAAO,OAAO,MAAM,CAAC,MAAM,KAAK;AAC9B,MAAE;AAGF,QAAI,CAAC,KAAK,SAAS,GAAI,OAAO,SAAS,OAAO,SAAS,OAAQ,IAAI;AACjE,YAAM,IAAI,YAAY,iBAAiB;AAAA,IACzC;AAAA,EACF;AAGA,QAAM,MAAM,KAAK,KAAK,OAAO,YAAc,MAAM,SAAS,OAAQ,IAAK,CAAC;AAGxE,MAAI,OAAO;AACX,MAAI,SAAS;AACb,MAAI,UAAU;AACd,WAAS,IAAI,GAAG,IAAI,KAAK,EAAE,GAAG;AAE5B,UAAM,QAAQ,SAAS,MAAM,OAAO,CAAC,CAAC;AACtC,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI,YAAY,uBAAuB,OAAO,CAAC,CAAC;AAAA,IACxD;AAGA,aAAU,UAAU,SAAS,OAAQ;AACrC,YAAQ,SAAS;AAGjB,QAAI,QAAQ,GAAG;AACb,cAAQ;AACR,UAAI,SAAS,IAAI,MAAQ,UAAU;AAAA,IACrC;AAAA,EACF;AAGA,MAAI,QAAQ,SAAS,QAAQ,MAAQ,UAAW,IAAI,MAAQ;AAC1D,UAAM,IAAI,YAAY,wBAAwB;AAAA,EAChD;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,MAAyB,UAAoB,OAAyB,CAAC,GAAW;AACnG,QAAM,EAAE,MAAM,KAAK,IAAI;AACvB,QAAM,QAAQ,KAAK,SAAS,QAAQ;AACpC,MAAI,MAAM;AAEV,MAAI,OAAO;AACX,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,EAAE,GAAG;AAEpC,aAAU,UAAU,IAAM,MAAO,KAAK,CAAC;AACvC,YAAQ;AAGR,WAAO,OAAO,SAAS,MAAM;AAC3B,cAAQ,SAAS;AACjB,aAAO,SAAS,MAAM,OAAQ,UAAU,IAAK;AAAA,IAC/C;AAAA,EACF;AAGA,MAAI,MAAM;AACR,WAAO,SAAS,MAAM,OAAQ,UAAW,SAAS,OAAO,IAAM;AAAA,EACjE;AAGA,MAAI,KAAK;AACP,WAAQ,IAAI,SAAS,SAAS,OAAQ,GAAG;AACvC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;ACnIA,IAAM,YAAoC;AAAA,EACxC,OAAO;AAAA,EACP,OAAO;AAAA,EACP,OAAO;AACT;AACA,IAAM,qBAAqB;AAE3B,IAAM,qBAA6C;AAAA,EACjD,OAAO;AAAA,EACP,OAAO;AAAA,EACP,OAAO;AACT;AAEO,IAAM,OAAO,OAAO,KAAK,SAAS;AAElC,SAAS,mBAAmB,eAA8C;AAC/E,QAAM,OAAO,UAAU,aAAa;AACpC,QAAM,OAAO,mBAAmB,aAAa;AAE7C,MAAI,CAAC,QAAQ,CAAC,MAAM;AAClB,UAAM,IAAI,MAAM,yBAAyB,aAAa,qBAAqB,KAAK,KAAK,GAAG,CAAC,GAAG;AAAA,EAC9F;AAEA,SAAO;AAAA,IACL,MAAM,EAAE,MAAM,UAAU,aAAa,EAAE;AAAA,IACvC,MAAM,mBAAmB,aAAa;AAAA,EACxC;AACF;;;AC3BA,4BAA+B;AAK/B,SAAS,YAAY,QAA6B;AAChD,QAAM,UAAU,OACb,QAAQ,uBAAuB,EAAE,EACjC,QAAQ,qBAAqB,EAAE,EAC/B,QAAQ,OAAO,EAAE;AAEpB,QAAM,cAAU,sCAAe,OAAO;AAEtC,QAAM,SAAS,IAAI,YAAY,QAAQ,MAAM;AAC7C,QAAM,UAAU,IAAI,WAAW,MAAM;AAErC,WAAS,IAAI,GAAG,SAAS,QAAQ,QAAQ,IAAI,QAAQ,KAAK;AACxD,YAAQ,CAAC,IAAI,QAAQ,WAAW,CAAC;AAAA,EACnC;AAEA,SAAO;AACT;AAEO,SAAS,UACd,KACA,WACA,UACoB;AACpB,MAAI,OAAO,QAAQ,UAAU;AAC3B,WAAO,QAAQ,OAAO,OAAO,UAAU,OAAO,KAAK,WAAW,OAAO,CAAC,QAAQ,CAAC;AAAA,EACjF;AAEA,QAAM,UAAU,YAAY,GAAG;AAC/B,QAAM,SAAS,aAAa,SAAS,UAAU;AAE/C,SAAO,QAAQ,OAAO,OAAO,UAAU,QAAQ,SAAS,WAAW,OAAO,CAAC,QAAQ,CAAC;AACtF;;;ACxBA,SAAS,cAAc,OAAwB;AAC7C,QAAM,cAAc,KAAK,UAAU,KAAK;AACxC,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,UAAU,QAAQ,OAAO,WAAW;AAC1C,SAAO,UAAU,UAAU,SAAS,EAAE,KAAK,MAAM,CAAC;AACpD;AAeA,eAAsB,QACpB,SACA,KACA,SACuC;AACvC,MAAI,CAAC,QAAQ,WAAW;AACtB,UAAM,IAAI,MAAM,wBAAwB;AAAA,EAC1C;AACA,QAAM,UAAU,IAAI,YAAY;AAEhC,QAAM,YAAY,mBAAmB,QAAQ,SAAS;AACtD,MAAI,CAAC,WAAW;AACd,WAAO;AAAA,MACL,QAAQ,CAAC,IAAI,aAAa,yBAAyB,QAAQ,SAAS,EAAE,CAAC;AAAA,IACzE;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,UAAU,KAAK,WAAW,MAAM;AACxD,QAAM,SAAS,QAAQ,UAAU,EAAE,KAAK,MAAM;AAE9C,SAAO,MAAM,QAAQ;AACrB,UAAQ,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAE1C,QAAM,gBAAgB,cAAc,MAAM;AAC1C,QAAM,iBAAiB,cAAc,OAAO;AAC5C,QAAM,YAAY,GAAG,aAAa,IAAI,cAAc;AAEpD,MAAI;AACF,UAAM,YAAY,MAAM,QAAQ,OAAO,OAAO,KAAK,WAAW,WAAW,QAAQ,OAAO,SAAS,CAAC;AAClG,UAAM,mBAAmB,GAAG,SAAS,IAAI,UAAU,UAAU,IAAI,WAAW,SAAS,GAAG,EAAE,KAAK,MAAM,CAAC,CAAC;AACvG,WAAO,EAAE,MAAM,iBAAiB;AAAA,EAClC,SAAS,OAAO;AACd,WAAO,EAAE,QAAQ,CAAC,IAAI,aAAc,OAAiB,OAAO,CAAC,EAAE;AAAA,EACjE;AACF;;;AC7DA,IAAM,gBAAgB,CAAC,MAA8B;AACnD,SAAO,MAAM,QAAQ,CAAC,KAAK,EAAE,SAAS,KAAK,EAAE,MAAM,OAAK,OAAO,MAAM,QAAQ;AAC/E;AAEO,IAAM,sBAAsB,CAAC,KAAe,aAAuB;AACxE,QAAM,eAAe,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,OAAK,CAAC,CAAC,CAAC;AACtD,QAAM,UAAU,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,OAAK,CAAC,CAAC,CAAC;AAC5C,QAAM,uBAAuB,aAAa,SAAS,KAAK,QAAQ,SAAS;AAEzE,MAAI,CAAC,sBAAsB;AASzB;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,QAAI,CAAC,aAAa,SAAS,GAAG,GAAG;AAC/B,YAAM,IAAI,uBAAuB;AAAA,QAC/B,QAAQ,6BAA6B;AAAA,QACrC,QAAQ,6BAA6B;AAAA,QACrC,SAAS,oCAAoC,KAAK,UAAU,GAAG,CAAC,yBAAyB,KAAK;AAAA,UAC5F;AAAA,QACF,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAAA,EACF,WAAW,cAAc,GAAG,GAAG;AAC7B,QAAI,CAAC,IAAI,KAAK,OAAK,aAAa,SAAS,CAAC,CAAC,GAAG;AAC5C,YAAM,IAAI,uBAAuB;AAAA,QAC/B,QAAQ,6BAA6B;AAAA,QACrC,QAAQ,6BAA6B;AAAA,QACrC,SAAS,0CAA0C,KAAK,UAAU,GAAG,CAAC,yBAAyB,KAAK;AAAA,UAClG;AAAA,QACF,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAEO,IAAM,mBAAmB,CAAC,KAAe,eAAkC,UAAU;AAC1F,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,QAAQ,YAAY,IAAI,eAAe,CAAC,YAAY;AAC1E,MAAI,CAAC,QAAQ,SAAS,GAAa,GAAG;AACpC,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,oBAAoB,KAAK,UAAU,GAAG,CAAC,eAAe,QAAQ,KAAK,IAAI,CAAC;AAAA,IACnF,CAAC;AAAA,EACH;AACF;AAEO,IAAM,wBAAwB,CAAC,QAAgB;AACpD,MAAI,CAAC,KAAK,SAAS,GAAG,GAAG;AACvB,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,yBAAyB,KAAK,UAAU,GAAG,CAAC,gBAAgB,IAAI;AAAA,IAC3E,CAAC;AAAA,EACH;AACF;AAEO,IAAM,iBAAiB,CAAC,QAAiB;AAC9C,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,kEAAkE,KAAK,UAAU,GAAG,CAAC;AAAA,IAChG,CAAC;AAAA,EACH;AACF;AAEO,IAAM,+BAA+B,CAAC,KAAc,sBAAiC;AAC1F,MAAI,CAAC,OAAO,CAAC,qBAAqB,kBAAkB,WAAW,GAAG;AAChE;AAAA,EACF;AAEA,MAAI,CAAC,kBAAkB,SAAS,GAAG,GAAG;AACpC,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,4CAA4C,KAAK,UAAU,GAAG,CAAC,eAAe,iBAAiB;AAAA,IAC1G,CAAC;AAAA,EACH;AACF;AAEO,IAAM,wBAAwB,CAAC,KAAa,kBAA0B;AAC3E,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,uCAAuC,KAAK,UAAU,GAAG,CAAC;AAAA,IACrE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,aAAa,oBAAI,KAAK,CAAC;AAC7B,aAAW,cAAc,GAAG;AAE5B,QAAM,UAAU,WAAW,QAAQ,KAAK,YAAY,QAAQ,IAAI;AAChE,MAAI,SAAS;AACX,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,gCAAgC,WAAW,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IAC/G,CAAC;AAAA,EACH;AACF;AAEO,IAAM,wBAAwB,CAAC,KAAyB,kBAA0B;AACvF,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,2CAA2C,KAAK,UAAU,GAAG,CAAC;AAAA,IACzE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,gBAAgB,oBAAI,KAAK,CAAC;AAChC,gBAAc,cAAc,GAAG;AAE/B,QAAM,QAAQ,cAAc,QAAQ,IAAI,YAAY,QAAQ,IAAI;AAChE,MAAI,OAAO;AACT,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,6EAA6E,cAAc,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IAC/J,CAAC;AAAA,EACH;AACF;AAEO,IAAM,sBAAsB,CAAC,KAAyB,kBAA0B;AACrF,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,QAAQ,6BAA6B;AAAA,MACrC,SAAS,0CAA0C,KAAK,UAAU,GAAG,CAAC;AAAA,IACxE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,eAAe,oBAAI,KAAK,CAAC;AAC/B,eAAa,cAAc,GAAG;AAE9B,QAAM,aAAa,aAAa,QAAQ,IAAI,YAAY,QAAQ,IAAI;AACpE,MAAI,YAAY;AACd,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,oEAAoE,aAAa,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IACrJ,CAAC;AAAA,EACH;AACF;;;ACtJA,IAAM,2BAA2B,IAAI;AAErC,eAAsB,kBAAkB,KAAU,KAAkE;AAClH,QAAM,EAAE,QAAQ,WAAW,IAAI,IAAI;AACnC,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,OAAO,QAAQ,OAAO,CAAC,IAAI,QAAQ,IAAI,OAAO,EAAE,KAAK,GAAG,CAAC;AAC/D,QAAM,YAAY,mBAAmB,OAAO,GAAG;AAE/C,MAAI;AACF,UAAM,YAAY,MAAM,UAAU,KAAK,WAAW,QAAQ;AAE1D,UAAM,WAAW,MAAM,QAAQ,OAAO,OAAO,OAAO,UAAU,MAAM,WAAW,WAAW,IAAI;AAC9F,WAAO,EAAE,MAAM,SAAS;AAAA,EAC1B,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAU,OAAiB;AAAA,QAC7B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,UAAU,OAA2D;AACnF,QAAM,cAAc,SAAS,IAAI,SAAS,EAAE,MAAM,GAAG;AACrD,MAAI,WAAW,WAAW,GAAG;AAC3B,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,QAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAE9C,QAAM,UAAU,IAAI,YAAY;AAiBhC,QAAM,SAAS,KAAK,MAAM,QAAQ,OAAO,UAAU,MAAM,WAAW,EAAE,OAAO,KAAK,CAAC,CAAC,CAAC;AACrF,QAAM,UAAU,KAAK,MAAM,QAAQ,OAAO,UAAU,MAAM,YAAY,EAAE,OAAO,KAAK,CAAC,CAAC,CAAC;AAEvF,QAAM,YAAY,UAAU,MAAM,cAAc,EAAE,OAAO,KAAK,CAAC;AAE/D,QAAM,OAAO;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA,KAAK;AAAA,MACH,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAAA,EACF;AAEA,SAAO,EAAE,KAAK;AAChB;AAkCA,eAAsB,UACpB,OACA,SAC4D;AAC5D,QAAM,EAAE,UAAU,mBAAmB,eAAe,KAAK,WAAW,IAAI;AACxE,QAAM,YAAY,iBAAiB;AAEnC,QAAM,EAAE,MAAM,SAAS,OAAO,IAAI,UAAU,KAAK;AACjD,MAAI,QAAQ;AACV,WAAO,EAAE,OAAO;AAAA,EAClB;AAEA,QAAM,EAAE,QAAQ,QAAQ,IAAI;AAC5B,MAAI;AAEF,UAAM,EAAE,KAAK,IAAI,IAAI;AAErB,qBAAiB,KAAK,UAAU;AAChC,0BAAsB,GAAG;AAGzB,UAAM,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,IAAI,IAAI;AAEzC,mBAAe,GAAG;AAClB,wBAAoB,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC;AACrC,iCAA6B,KAAK,iBAAiB;AACnD,0BAAsB,KAAK,SAAS;AACpC,0BAAsB,KAAK,SAAS;AACpC,wBAAoB,KAAK,SAAS;AAAA,EACpC,SAAS,KAAK;AACZ,WAAO,EAAE,QAAQ,CAAC,GAA6B,EAAE;AAAA,EACnD;AAEA,QAAM,EAAE,MAAM,gBAAgB,QAAQ,gBAAgB,IAAI,MAAM,kBAAkB,SAAS,GAAG;AAC9F,MAAI,iBAAiB;AACnB,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,QAAQ,6BAA6B;AAAA,UACrC,SAAS,kCAAkC,gBAAgB,CAAC,CAAC;AAAA,QAC/D,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO,EAAE,MAAM,QAAQ;AACzB;;;AThLO,IAAMC,aAAY,iBAAiB,SAAU;AAC7C,IAAMC,aAAY,qBAAqB,SAAU;AAEjD,IAAMC,WAAU,iBAAiB,OAAQ;AACzC,IAAMC,qBAAoB,iBAAiB,iBAAkB;","names":["decodeJwt","hasValidSignature","signJwt","verifyJwt","crypto","verifyJwt","decodeJwt","signJwt","hasValidSignature"]}

package/dist/jwt/index.mjs

@@ -10,10 +10,10 @@ import {
   importKey,
   runtime,
   verifyJwt
-} from "../chunk-QYKVFAML.mjs";
+} from "../chunk-SNA7AD3D.mjs";
 import {
   SignJWTError
-} from "../chunk-HNJNM32R.mjs";
+} from "../chunk-TCIXZLLW.mjs";
 import "../chunk-RPS7XK5K.mjs";
 
 // src/jwt/signJwt.ts

package/dist/jwt/verifyJwt.d.ts

@@ -28,6 +28,11 @@ export type VerifyJwtOptions = {
      * @internal
      */
     key: JsonWebKey | string;
+    /**
+     * A string or list of allowed [header types](https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9).
+     * @default 'JWT'
+     */
+    headerType?: string | string[];
 };
 export declare function verifyJwt(token: string, options: VerifyJwtOptions): Promise<JwtReturnType<JwtPayload, TokenVerificationError>>;
 //# sourceMappingURL=verifyJwt.d.ts.map

package/dist/jwt/verifyJwt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifyJwt.d.ts","sourceRoot":"","sources":["../../src/jwt/verifyJwt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAE3D,OAAO,EAAE,sBAAsB,EAA8D,MAAM,WAAW,CAAC;AAe/G,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAI7C,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAqBlH;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,CAAC,GAAG,EAAE,sBAAsB,CAAC,CAkDnF;AAED;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B;;;;;;OAMG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,GAAG,EAAE,UAAU,GAAG,MAAM,CAAC;CAC1B,CAAC;AAEF,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,sBAAsB,CAAC,CAAC,CAuD5D"}
+{"version":3,"file":"verifyJwt.d.ts","sourceRoot":"","sources":["../../src/jwt/verifyJwt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAE3D,OAAO,EAAE,sBAAsB,EAA8D,MAAM,WAAW,CAAC;AAe/G,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAI7C,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAqBlH;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,CAAC,GAAG,EAAE,sBAAsB,CAAC,CAkDnF;AAED;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B;;;;;;OAMG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,GAAG,EAAE,UAAU,GAAG,MAAM,CAAC;IACzB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAChC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,sBAAsB,CAAC,CAAC,CAuD5D"}

package/dist/tokens/machine.d.ts

@@ -4,6 +4,22 @@ import { TokenType } from './tokenTypes';
 export declare const M2M_TOKEN_PREFIX = "mt_";
 export declare const OAUTH_TOKEN_PREFIX = "oat_";
 export declare const API_KEY_PREFIX = "ak_";
+export declare const JwtFormatRegExp: RegExp;
+export declare function isJwtFormat(token: string): boolean;
+/**
+ * Valid OAuth 2.0 JWT access token type values per RFC 9068.
+ * @see https://www.rfc-editor.org/rfc/rfc9068.html#section-2.1
+ */
+export declare const OAUTH_ACCESS_TOKEN_TYPES: string[];
+/**
+ * Checks if a token is an OAuth 2.0 JWT access token.
+ * Validates the JWT format and verifies the header 'typ' field matches RFC 9068 values.
+ *
+ * @param token - The token string to check
+ * @returns true if the token is a valid OAuth JWT access token
+ * @see https://www.rfc-editor.org/rfc/rfc9068.html#section-2.1
+ */
+export declare function isOAuthJwt(token: string): boolean;
 /**
  * Checks if a token is a machine token by looking at its prefix.
  *
@@ -15,6 +31,13 @@ export declare const API_KEY_PREFIX = "ak_";
  * @returns true if the token starts with a recognized machine token prefix
  */
 export declare function isMachineTokenByPrefix(token: string): boolean;
+/**
+ * Checks if a token is a machine token by looking at its prefix or if it's an OAuth JWT access token (RFC 9068).
+ *
+ * @param token - The token string to check
+ * @returns true if the token is a machine token
+ */
+export declare function isMachineToken(token: string): boolean;
 /**
  * Gets the specific type of machine token based on its prefix.
  *

package/dist/tokens/machine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"machine.d.ts","sourceRoot":"","sources":["../../src/tokens/machine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iBAAiB,CAAC;AAClE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,eAAO,MAAM,gBAAgB,QAAQ,CAAC;AACtC,eAAO,MAAM,kBAAkB,SAAS,CAAC;AACzC,eAAO,MAAM,cAAc,QAAQ,CAAC;AAIpC;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAE7D;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,gBAAgB,CAcnE;AAED;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,GAC9B,WAAW,SAAS,GAAG,IAAI,EAC3B,cAAc,WAAW,CAAC,0BAA0B,CAAC,cAAc,CAAC,CAAC,KACpE,OAWF,CAAC;AAEF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,IAAI,gBAAgB,CAEzE"}
+{"version":3,"file":"machine.d.ts","sourceRoot":"","sources":["../../src/tokens/machine.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iBAAiB,CAAC;AAClE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,eAAO,MAAM,gBAAgB,QAAQ,CAAC;AACtC,eAAO,MAAM,kBAAkB,SAAS,CAAC;AACzC,eAAO,MAAM,cAAc,QAAQ,CAAC;AAIpC,eAAO,MAAM,eAAe,QAAwD,CAAC;AAErF,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAElD;AAED;;;GAGG;AACH,eAAO,MAAM,wBAAwB,UAAmC,CAAC;AAEzE;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAcjD;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAE7D;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAErD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,gBAAgB,CAcnE;AAED;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,GAC9B,WAAW,SAAS,GAAG,IAAI,EAC3B,cAAc,WAAW,CAAC,0BAA0B,CAAC,cAAc,CAAC,CAAC,KACpE,OAWF,CAAC;AAEF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,IAAI,gBAAgB,CAEzE"}

package/dist/tokens/verify.d.ts

@@ -1,5 +1,5 @@
 import type { JwtPayload, Simplify } from '@clerk/shared/types';
-import type { APIKey, IdPOAuthAccessToken, M2MToken } from '../api';
+import { type APIKey, IdPOAuthAccessToken, type M2MToken } from '../api';
 import { MachineTokenVerificationError, TokenVerificationError } from '../errors';
 import type { VerifyJwtOptions } from '../jwt';
 import type { JwtReturnType } from '../jwt/types';

package/dist/tokens/verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/tokens/verify.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAEpE,OAAO,EACL,6BAA6B,EAE7B,sBAAsB,EAGvB,MAAM,WAAW,CAAC;AACnB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AAC/C,OAAO,KAAK,EAAE,aAAa,EAA0B,MAAM,cAAc,CAAC;AAE1E,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,QAAQ,CAAC;AAG5D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGrD;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,QAAQ,CACvC,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,GAC3B,IAAI,CAAC,6BAA6B,EAAE,KAAK,CAAC,GAAG;IAC3C;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CACJ,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkEG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,sBAAsB,CAAC,CAAC,CAiC5D;AAgGD;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB;;;;;;;;;;;;;;;;GAYtF"}
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/tokens/verify.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAO,UAAU,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAErE,OAAO,EAAE,KAAK,MAAM,EAAE,mBAAmB,EAAE,KAAK,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAEzE,OAAO,EACL,6BAA6B,EAE7B,sBAAsB,EAGvB,MAAM,WAAW,CAAC;AACnB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AAC/C,OAAO,KAAK,EAAE,aAAa,EAA0B,MAAM,cAAc,CAAC;AAE1E,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,QAAQ,CAAC;AAG5D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGrD;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,QAAQ,CACvC,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,GAC3B,IAAI,CAAC,6BAA6B,EAAE,KAAK,CAAC,GAAG;IAC3C;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CACJ,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkEG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,sBAAsB,CAAC,CAAC,CAiC5D;AAgMD;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB;;;;;;;;;;;;;;;;GAYtF"}

package/dist/util/shared.d.ts

@@ -2,6 +2,6 @@ export { deprecated, deprecatedProperty } from '@clerk/shared/deprecated';
 export { getCookieSuffix, getSuffixedCookieName, isDevelopmentFromSecretKey, isProductionFromSecretKey, parsePublishableKey, } from '@clerk/shared/keys';
 export { retry } from '@clerk/shared/retry';
 export { addClerkPrefix, getClerkJsMajorVersionOrTag, getScriptUrl } from '@clerk/shared/url';
-export declare const errorThrower: import("@clerk/shared/error-CwbYlf2s").y;
+export declare const errorThrower: import("@clerk/shared/error-DSsmf214").y;
 export declare const isDevOrStagingUrl: (url: string | URL) => boolean;
 //# sourceMappingURL=shared.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clerk/backend",
-  "version": "3.0.0-snapshot.v20251204175016",
+  "version": "3.0.0-snapshot.v20251208202852",
   "description": "Clerk Backend SDK - REST Client for Backend API & JWT verification utilities",
   "homepage": "https://clerk.com/",
   "bugs": {
@@ -89,7 +89,7 @@
     "cookie": "1.0.2",
     "standardwebhooks": "^1.0.0",
     "tslib": "2.8.1",
-    "@clerk/shared": "^4.0.0-snapshot.v20251204175016"
+    "@clerk/shared": "^4.0.0-snapshot.v20251208202852"
   },
   "devDependencies": {
     "@edge-runtime/vm": "5.0.0",