@concavejs/cli 0.0.1-alpha.12 → 0.0.1-alpha.13

package/dist/assets/runtime-cf/runtime.bundle.js

@@ -2828,6 +2828,113 @@ var init_base64url = __esm(() => {
   init_buffer_utils();
 });
 
+// ../../node_modules/jose/dist/webapi/lib/crypto_key.js
+function getHashLength(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength(algorithm, expected) {
+  const actual = getHashLength(algorithm.hash);
+  if (actual !== expected)
+    throw unusable(`SHA-${expected}`, "algorithm.hash");
+}
+function getNamedCurve(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm(key.algorithm, "HMAC"))
+        throw unusable("HMAC");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable("RSASSA-PKCS1-v1_5");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
+        throw unusable("RSA-PSS");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm(key.algorithm, "Ed25519"))
+        throw unusable("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm(key.algorithm, alg))
+        throw unusable(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm(key.algorithm, "ECDSA"))
+        throw unusable("ECDSA");
+      const expected = getNamedCurve(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage(key, usage);
+}
+var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm = (algorithm, name) => algorithm.name === name;
+
+// ../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function message(msg, actual, ...types) {
+  types = types.filter(Boolean);
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `one of type ${types.join(", ")}, or ${last}.`;
+  } else if (types.length === 2) {
+    msg += `one of type ${types[0]} or ${types[1]}.`;
+  } else {
+    msg += `of type ${types[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types), withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
+
 // ../../node_modules/jose/dist/webapi/util/errors.js
 var exports_errors = {};
 __export(exports_errors, {
@@ -2852,8 +2959,8 @@ var init_errors2 = __esm(() => {
   JOSEError = class JOSEError extends Error {
     static code = "ERR_JOSE_GENERIC";
     code = "ERR_JOSE_GENERIC";
-    constructor(message, options) {
-      super(message, options);
+    constructor(message2, options) {
+      super(message2, options);
       this.name = this.constructor.name;
       Error.captureStackTrace?.(this, this.constructor);
     }
@@ -2864,8 +2971,8 @@ var init_errors2 = __esm(() => {
     claim;
     reason;
     payload;
-    constructor(message, payload, claim = "unspecified", reason = "unspecified") {
-      super(message, { cause: { claim, reason, payload } });
+    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+      super(message2, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -2877,8 +2984,8 @@ var init_errors2 = __esm(() => {
     claim;
     reason;
     payload;
-    constructor(message, payload, claim = "unspecified", reason = "unspecified") {
-      super(message, { cause: { claim, reason, payload } });
+    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+      super(message2, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -2895,8 +3002,8 @@ var init_errors2 = __esm(() => {
   JWEDecryptionFailed = class JWEDecryptionFailed extends JOSEError {
     static code = "ERR_JWE_DECRYPTION_FAILED";
     code = "ERR_JWE_DECRYPTION_FAILED";
-    constructor(message = "decryption operation failed", options) {
-      super(message, options);
+    constructor(message2 = "decryption operation failed", options) {
+      super(message2, options);
     }
   };
   JWEInvalid = class JWEInvalid extends JOSEError {
@@ -2922,145 +3029,34 @@ var init_errors2 = __esm(() => {
   JWKSNoMatchingKey = class JWKSNoMatchingKey extends JOSEError {
     static code = "ERR_JWKS_NO_MATCHING_KEY";
     code = "ERR_JWKS_NO_MATCHING_KEY";
-    constructor(message = "no applicable key found in the JSON Web Key Set", options) {
-      super(message, options);
+    constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
+      super(message2, options);
     }
   };
   JWKSMultipleMatchingKeys = class JWKSMultipleMatchingKeys extends JOSEError {
     [Symbol.asyncIterator];
     static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
     code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-    constructor(message = "multiple matching keys found in the JSON Web Key Set", options) {
-      super(message, options);
+    constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
+      super(message2, options);
     }
   };
   JWKSTimeout = class JWKSTimeout extends JOSEError {
     static code = "ERR_JWKS_TIMEOUT";
     code = "ERR_JWKS_TIMEOUT";
-    constructor(message = "request timed out", options) {
-      super(message, options);
+    constructor(message2 = "request timed out", options) {
+      super(message2, options);
     }
   };
   JWSSignatureVerificationFailed = class JWSSignatureVerificationFailed extends JOSEError {
     static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
     code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-    constructor(message = "signature verification failed", options) {
-      super(message, options);
+    constructor(message2 = "signature verification failed", options) {
+      super(message2, options);
     }
   };
 });
 
-// ../../node_modules/jose/dist/webapi/lib/crypto_key.js
-function getHashLength(hash) {
-  return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve(alg) {
-  switch (alg) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function checkUsage(key, usage) {
-  if (usage && !key.usages.includes(usage)) {
-    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-  }
-}
-function checkSigCryptoKey(key, alg, usage) {
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!isAlgorithm(key.algorithm, "HMAC"))
-        throw unusable("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw unusable("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
-        throw unusable("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "Ed25519":
-    case "EdDSA": {
-      if (!isAlgorithm(key.algorithm, "Ed25519"))
-        throw unusable("Ed25519");
-      break;
-    }
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87": {
-      if (!isAlgorithm(key.algorithm, alg))
-        throw unusable(alg);
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!isAlgorithm(key.algorithm, "ECDSA"))
-        throw unusable("ECDSA");
-      const expected = getNamedCurve(alg);
-      const actual = key.algorithm.namedCurve;
-      if (actual !== expected)
-        throw unusable(expected, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  checkUsage(key, usage);
-}
-var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm = (algorithm, name) => algorithm.name === name;
-
-// ../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
-function message(msg, actual, ...types) {
-  types = types.filter(Boolean);
-  if (types.length > 2) {
-    const last = types.pop();
-    msg += `one of type ${types.join(", ")}, or ${last}.`;
-  } else if (types.length === 2) {
-    msg += `one of type ${types[0]} or ${types[1]}.`;
-  } else {
-    msg += `of type ${types[0]}.`;
-  }
-  if (actual == null) {
-    msg += ` Received ${actual}`;
-  } else if (typeof actual === "function" && actual.name) {
-    msg += ` Received function ${actual.name}`;
-  } else if (typeof actual === "object" && actual != null) {
-    if (actual.constructor?.name) {
-      msg += ` Received an instance of ${actual.constructor.name}`;
-    }
-  }
-  return msg;
-}
-var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types), withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
-
 // ../../node_modules/jose/dist/webapi/lib/is_key_like.js
 var isCryptoKey = (key) => {
   if (key?.[Symbol.toStringTag] === "CryptoKey")
@@ -3072,7 +3068,34 @@ var isCryptoKey = (key) => {
   }
 }, isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject", isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
 
-// ../../node_modules/jose/dist/webapi/lib/is_disjoint.js
+// ../../node_modules/jose/dist/webapi/lib/helpers.js
+function decodeBase64url(value, label, ErrorClass) {
+  try {
+    return decode(value);
+  } catch {
+    throw new ErrorClass(`Failed to base64url decode the ${label}`);
+  }
+}
+var unprotected;
+var init_helpers = __esm(() => {
+  init_base64url();
+  unprotected = Symbol();
+});
+
+// ../../node_modules/jose/dist/webapi/lib/type_checks.js
+function isObject(input) {
+  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
 function isDisjoint(...headers) {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
@@ -3094,24 +3117,9 @@ function isDisjoint(...headers) {
   }
   return true;
 }
+var isObjectLike = (value) => typeof value === "object" && value !== null, isJWK = (key) => isObject(key) && typeof key.kty === "string", isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
 
-// ../../node_modules/jose/dist/webapi/lib/is_object.js
-function isObject(input) {
-  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
-var isObjectLike = (value) => typeof value === "object" && value !== null;
-
-// ../../node_modules/jose/dist/webapi/lib/check_key_length.js
+// ../../node_modules/jose/dist/webapi/lib/signing.js
 function checkKeyLength(alg, key) {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key.algorithm;
@@ -3120,6 +3128,59 @@ function checkKeyLength(alg, key) {
     }
   }
 }
+function subtleAlgorithm(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey(key, alg, usage);
+  return key;
+}
+async function verify(alg, key, signature, data) {
+  const cryptoKey = await getSigKey(alg, key, "verify");
+  checkKeyLength(alg, cryptoKey);
+  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
+var init_signing = __esm(() => {
+  init_errors2();
+});
 
 // ../../node_modules/jose/dist/webapi/lib/jwk_to_key.js
 function subtleMapping(jwk) {
@@ -3135,7 +3196,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.priv ? ["sign"] : ["verify"];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -3164,22 +3225,19 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
     case "EC": {
       switch (jwk.alg) {
         case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
           keyUsages = jwk.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
@@ -3190,7 +3248,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -3209,7 +3267,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -3230,100 +3288,11 @@ async function jwkToKey(jwk) {
   delete keyData.use;
   return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
+var unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
 var init_jwk_to_key = __esm(() => {
   init_errors2();
 });
 
-// ../../node_modules/jose/dist/webapi/key/import.js
-async function importJWK(jwk, alg, options) {
-  if (!isObject(jwk)) {
-    throw new TypeError("JWK must be an object");
-  }
-  let ext;
-  alg ??= jwk.alg;
-  ext ??= options?.extractable ?? jwk.ext;
-  switch (jwk.kty) {
-    case "oct":
-      if (typeof jwk.k !== "string" || !jwk.k) {
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      }
-      return decode(jwk.k);
-    case "RSA":
-      if ("oth" in jwk && jwk.oth !== undefined) {
-        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-      }
-      return jwkToKey({ ...jwk, alg, ext });
-    case "AKP": {
-      if (typeof jwk.alg !== "string" || !jwk.alg) {
-        throw new TypeError('missing "alg" (Algorithm) Parameter value');
-      }
-      if (alg !== undefined && alg !== jwk.alg) {
-        throw new TypeError("JWK alg and alg option value mismatch");
-      }
-      return jwkToKey({ ...jwk, ext });
-    }
-    case "EC":
-    case "OKP":
-      return jwkToKey({ ...jwk, alg, ext });
-    default:
-      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
-  }
-}
-var init_import = __esm(() => {
-  init_base64url();
-  init_jwk_to_key();
-  init_errors2();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/validate_crit.js
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === undefined) {
-    return new Set;
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== undefined) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
-  }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-    }
-  }
-  return new Set(protectedHeader.crit);
-}
-var init_validate_crit = __esm(() => {
-  init_errors2();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
-function validateAlgorithms(option, algorithms) {
-  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
-    return;
-  }
-  return new Set(algorithms);
-}
-
-// ../../node_modules/jose/dist/webapi/lib/is_jwk.js
-var isJWK = (key) => isObject(key) && typeof key.kty === "string", isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
-var init_is_jwk = () => {};
-
 // ../../node_modules/jose/dist/webapi/lib/normalize_key.js
 async function normalizeKey(key, alg) {
   if (key instanceof Uint8Array) {
@@ -3356,7 +3325,7 @@ async function normalizeKey(key, alg) {
   }
   throw new Error("unreachable");
 }
-var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
+var unusableForAlg = "given KeyObject instance cannot be used for this algorithm", cache, handleJWK = async (key, jwk, alg, freeze = false) => {
   cache ||= new WeakMap;
   let cached = cache.get(key);
   if (cached?.[alg]) {
@@ -3388,13 +3357,13 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
       case "ECDH-ES+A256KW":
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
   }
   if (keyObject.asymmetricKeyType === "ed25519") {
     if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
       isPublic ? "verify" : "sign"
@@ -3405,7 +3374,7 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
     case "ml-dsa-65":
     case "ml-dsa-87": {
       if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
       }
       cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
         isPublic ? "verify" : "sign"
@@ -3434,7 +3403,7 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
         hash = "SHA-512";
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
     }
     if (alg.startsWith("RSA-OAEP")) {
       return keyObject.toCryptoKey({
@@ -3455,21 +3424,10 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
     ]);
     const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
     if (!namedCurve) {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    }
-    if (alg === "ES256" && namedCurve === "P-256") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES384" && namedCurve === "P-384") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
+      throw new TypeError(unusableForAlg);
     }
-    if (alg === "ES512" && namedCurve === "P-521") {
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
       cryptoKey = keyObject.toCryptoKey({
         name: "ECDSA",
         namedCurve
@@ -3483,7 +3441,7 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
     }
   }
   if (!cryptoKey) {
-    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    throw new TypeError(unusableForAlg);
   }
   if (!cached) {
     cache.set(keyObject, { [alg]: cryptoKey });
@@ -3493,11 +3451,96 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
   return cryptoKey;
 };
 var init_normalize_key = __esm(() => {
-  init_is_jwk();
   init_base64url();
   init_jwk_to_key();
 });
 
+// ../../node_modules/jose/dist/webapi/key/import.js
+async function importJWK(jwk, alg, options) {
+  if (!isObject(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== undefined) {
+        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== undefined && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+var init_import = __esm(() => {
+  init_base64url();
+  init_jwk_to_key();
+  init_errors2();
+});
+
+// ../../node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === undefined) {
+    return new Set;
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== undefined) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+var init_validate_crit = __esm(() => {
+  init_errors2();
+});
+
+// ../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms(option, algorithms) {
+  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return;
+  }
+  return new Set(algorithms);
+}
+
 // ../../node_modules/jose/dist/webapi/lib/check_key_type.js
 function checkKeyType(alg, key, usage) {
   switch (alg.substring(0, 2)) {
@@ -3614,73 +3657,7 @@ var tag = (key) => key?.[Symbol.toStringTag], jwkMatchesOp = (alg, key, usage) =
     }
   }
 };
-var init_check_key_type = __esm(() => {
-  init_is_jwk();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/subtle_dsa.js
-function subtleAlgorithm(alg, algorithm) {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-var init_subtle_dsa = __esm(() => {
-  init_errors2();
-});
-
-// ../../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
-async function getSigKey(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-  }
-  checkSigCryptoKey(key, alg, usage);
-  return key;
-}
-var init_get_sign_verify_key = () => {};
-
-// ../../node_modules/jose/dist/webapi/lib/verify.js
-async function verify(alg, key, signature, data) {
-  const cryptoKey = await getSigKey(alg, key, "verify");
-  checkKeyLength(alg, cryptoKey);
-  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
-  try {
-    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-  } catch {
-    return false;
-  }
-}
-var init_verify = __esm(() => {
-  init_subtle_dsa();
-  init_get_sign_verify_key();
-});
+var init_check_key_type = () => {};
 
 // ../../node_modules/jose/dist/webapi/jws/flattened/verify.js
 async function flattenedVerify(jws, key, options) {
@@ -3748,12 +3725,7 @@ async function flattenedVerify(jws, key, options) {
   }
   checkKeyType(alg, key, "verify");
   const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array, encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
-  let signature;
-  try {
-    signature = decode(jws.signature);
-  } catch {
-    throw new JWSInvalid("Failed to base64url decode the signature");
-  }
+  const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
   const k = await normalizeKey(key, alg);
   const verified = await verify(alg, k, signature, data);
   if (!verified) {
@@ -3761,11 +3733,7 @@ async function flattenedVerify(jws, key, options) {
   }
   let payload;
   if (b64) {
-    try {
-      payload = decode(jws.payload);
-    } catch {
-      throw new JWSInvalid("Failed to base64url decode the payload");
-    }
+    payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
   } else if (typeof jws.payload === "string") {
     payload = encoder.encode(jws.payload);
   } else {
@@ -3783,11 +3751,12 @@ async function flattenedVerify(jws, key, options) {
   }
   return result;
 }
-var init_verify2 = __esm(() => {
+var init_verify = __esm(() => {
   init_base64url();
-  init_verify();
+  init_signing();
   init_errors2();
   init_buffer_utils();
+  init_helpers();
   init_check_key_type();
   init_validate_crit();
   init_normalize_key();
@@ -3812,8 +3781,8 @@ async function compactVerify(jws, key, options) {
   }
   return result;
 }
-var init_verify3 = __esm(() => {
-  init_verify2();
+var init_verify2 = __esm(() => {
+  init_verify();
   init_errors2();
   init_buffer_utils();
 });
@@ -4057,8 +4026,8 @@ async function jwtVerify(jwt, key, options) {
   }
   return result;
 }
-var init_verify4 = __esm(() => {
-  init_verify3();
+var init_verify3 = __esm(() => {
+  init_verify2();
   init_jwt_claims_set();
   init_errors2();
 });
@@ -4343,7 +4312,7 @@ var init_remote = __esm(() => {
   init_local();
   if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
     const NAME = "jose";
-    const VERSION = "v6.1.3";
+    const VERSION = "v6.2.1";
     USER_AGENT = `${NAME}/${VERSION}`;
   }
   customFetch = Symbol();
@@ -4352,7 +4321,7 @@ var init_remote = __esm(() => {
 
 // ../../node_modules/jose/dist/webapi/index.js
 var init_webapi = __esm(() => {
-  init_verify4();
+  init_verify3();
   init_local();
   init_remote();
   init_errors2();
@@ -13428,6 +13397,27 @@ function notFoundHttpResponse() {
     }
   });
 }
+function isMissingModuleError(error, moduleName) {
+  if (!error) {
+    return false;
+  }
+  const errorString = String(error);
+  const moduleSpecifiers = [moduleName, `convex/${moduleName}`];
+  const hasDirectMissingMessage = moduleSpecifiers.some((specifier) => errorString.includes(`Module not found: ${specifier}`));
+  if (hasDirectMissingMessage || errorString.toLowerCase().includes("failed to load convex module")) {
+    return true;
+  }
+  const hasResolutionMessage = moduleSpecifiers.some((specifier) => errorString.includes(`Unable to resolve module "${specifier}"`));
+  const causes = error.causes;
+  if (Array.isArray(causes) && causes.length > 0) {
+    return hasResolutionMessage ? causes.every((cause2) => isMissingModuleError(cause2, moduleName)) : causes.some((cause2) => isMissingModuleError(cause2, moduleName));
+  }
+  const cause = error.cause;
+  if (cause) {
+    return isMissingModuleError(cause, moduleName);
+  }
+  return hasResolutionMessage;
+}
 function getHttpRouteRank(routePath) {
   if (routePath.endsWith("*")) {
     return { kind: 0, length: routePath.length - 1 };
@@ -13599,8 +13589,7 @@ class InlineUdfExecutor {
     try {
       return await loadConvexModule(moduleName, { componentPath });
     } catch (error) {
-      const message2 = error?.message?.toLowerCase();
-      if (message2 && (message2.includes("module not found") || message2.includes("failed to load convex module"))) {
+      if (isMissingModuleError(error, moduleName)) {
         throw new Error(`UDF module not found: ${moduleName}`);
       }
       throw error;
@@ -18308,6 +18297,111 @@ function decode2(input) {
 var init_base64url2 = __esm2(() => {
   init_buffer_utils2();
 });
+function getHashLength2(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength2(algorithm, expected) {
+  const actual = getHashLength2(algorithm.hash);
+  if (actual !== expected)
+    throw unusable2(`SHA-${expected}`, "algorithm.hash");
+}
+function getNamedCurve2(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage2(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey2(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm2(key.algorithm, "HMAC"))
+        throw unusable2("HMAC");
+      checkHashLength2(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm2(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable2("RSASSA-PKCS1-v1_5");
+      checkHashLength2(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm2(key.algorithm, "RSA-PSS"))
+        throw unusable2("RSA-PSS");
+      checkHashLength2(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm2(key.algorithm, "Ed25519"))
+        throw unusable2("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm2(key.algorithm, alg))
+        throw unusable2(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm2(key.algorithm, "ECDSA"))
+        throw unusable2("ECDSA");
+      const expected = getNamedCurve2(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable2(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage2(key, usage);
+}
+var unusable2 = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+var isAlgorithm2 = (algorithm, name) => algorithm.name === name;
+function message2(msg, actual, ...types2) {
+  types2 = types2.filter(Boolean);
+  if (types2.length > 2) {
+    const last = types2.pop();
+    msg += `one of type ${types2.join(", ")}, or ${last}.`;
+  } else if (types2.length === 2) {
+    msg += `one of type ${types2[0]} or ${types2[1]}.`;
+  } else {
+    msg += `of type ${types2[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput2 = (actual, ...types2) => message2("Key must be ", actual, ...types2);
+var withAlg2 = (alg, actual, ...types2) => message2(`Key for the ${alg} algorithm must be `, actual, ...types2);
 var exports_errors2 = {};
 __export2(exports_errors2, {
   JWTInvalid: () => JWTInvalid2,
@@ -18345,8 +18439,8 @@ var init_errors22 = __esm2(() => {
   JOSEError2 = class JOSEError3 extends Error {
     static code = "ERR_JOSE_GENERIC";
     code = "ERR_JOSE_GENERIC";
-    constructor(message2, options) {
-      super(message2, options);
+    constructor(message22, options) {
+      super(message22, options);
       this.name = this.constructor.name;
       Error.captureStackTrace?.(this, this.constructor);
     }
@@ -18357,8 +18451,8 @@ var init_errors22 = __esm2(() => {
     claim;
     reason;
     payload;
-    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-      super(message2, { cause: { claim, reason, payload } });
+    constructor(message22, payload, claim = "unspecified", reason = "unspecified") {
+      super(message22, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -18370,8 +18464,8 @@ var init_errors22 = __esm2(() => {
     claim;
     reason;
     payload;
-    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-      super(message2, { cause: { claim, reason, payload } });
+    constructor(message22, payload, claim = "unspecified", reason = "unspecified") {
+      super(message22, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -18388,8 +18482,8 @@ var init_errors22 = __esm2(() => {
   JWEDecryptionFailed2 = class JWEDecryptionFailed3 extends JOSEError2 {
     static code = "ERR_JWE_DECRYPTION_FAILED";
     code = "ERR_JWE_DECRYPTION_FAILED";
-    constructor(message2 = "decryption operation failed", options) {
-      super(message2, options);
+    constructor(message22 = "decryption operation failed", options) {
+      super(message22, options);
     }
   };
   JWEInvalid2 = class JWEInvalid3 extends JOSEError2 {
@@ -18415,142 +18509,33 @@ var init_errors22 = __esm2(() => {
   JWKSNoMatchingKey2 = class JWKSNoMatchingKey3 extends JOSEError2 {
     static code = "ERR_JWKS_NO_MATCHING_KEY";
     code = "ERR_JWKS_NO_MATCHING_KEY";
-    constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
-      super(message2, options);
+    constructor(message22 = "no applicable key found in the JSON Web Key Set", options) {
+      super(message22, options);
     }
   };
   JWKSMultipleMatchingKeys2 = class JWKSMultipleMatchingKeys3 extends JOSEError2 {
     [Symbol.asyncIterator];
     static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
     code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-    constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
-      super(message2, options);
+    constructor(message22 = "multiple matching keys found in the JSON Web Key Set", options) {
+      super(message22, options);
     }
   };
   JWKSTimeout2 = class JWKSTimeout3 extends JOSEError2 {
     static code = "ERR_JWKS_TIMEOUT";
     code = "ERR_JWKS_TIMEOUT";
-    constructor(message2 = "request timed out", options) {
-      super(message2, options);
+    constructor(message22 = "request timed out", options) {
+      super(message22, options);
     }
   };
   JWSSignatureVerificationFailed2 = class JWSSignatureVerificationFailed3 extends JOSEError2 {
     static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
     code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-    constructor(message2 = "signature verification failed", options) {
-      super(message2, options);
+    constructor(message22 = "signature verification failed", options) {
+      super(message22, options);
     }
   };
 });
-function getHashLength2(hash) {
-  return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve2(alg) {
-  switch (alg) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function checkUsage2(key, usage) {
-  if (usage && !key.usages.includes(usage)) {
-    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-  }
-}
-function checkSigCryptoKey2(key, alg, usage) {
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!isAlgorithm2(key.algorithm, "HMAC"))
-        throw unusable2("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength2(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable2(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!isAlgorithm2(key.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw unusable2("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength2(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable2(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!isAlgorithm2(key.algorithm, "RSA-PSS"))
-        throw unusable2("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength2(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable2(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "Ed25519":
-    case "EdDSA": {
-      if (!isAlgorithm2(key.algorithm, "Ed25519"))
-        throw unusable2("Ed25519");
-      break;
-    }
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87": {
-      if (!isAlgorithm2(key.algorithm, alg))
-        throw unusable2(alg);
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!isAlgorithm2(key.algorithm, "ECDSA"))
-        throw unusable2("ECDSA");
-      const expected = getNamedCurve2(alg);
-      const actual = key.algorithm.namedCurve;
-      if (actual !== expected)
-        throw unusable2(expected, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  checkUsage2(key, usage);
-}
-var unusable2 = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-var isAlgorithm2 = (algorithm, name) => algorithm.name === name;
-function message2(msg, actual, ...types2) {
-  types2 = types2.filter(Boolean);
-  if (types2.length > 2) {
-    const last = types2.pop();
-    msg += `one of type ${types2.join(", ")}, or ${last}.`;
-  } else if (types2.length === 2) {
-    msg += `one of type ${types2[0]} or ${types2[1]}.`;
-  } else {
-    msg += `of type ${types2[0]}.`;
-  }
-  if (actual == null) {
-    msg += ` Received ${actual}`;
-  } else if (typeof actual === "function" && actual.name) {
-    msg += ` Received function ${actual.name}`;
-  } else if (typeof actual === "object" && actual != null) {
-    if (actual.constructor?.name) {
-      msg += ` Received an instance of ${actual.constructor.name}`;
-    }
-  }
-  return msg;
-}
-var invalidKeyInput2 = (actual, ...types2) => message2("Key must be ", actual, ...types2);
-var withAlg2 = (alg, actual, ...types2) => message2(`Key for the ${alg} algorithm must be `, actual, ...types2);
 var isCryptoKey2 = (key) => {
   if (key?.[Symbol.toStringTag] === "CryptoKey")
     return true;
@@ -18562,6 +18547,31 @@ var isCryptoKey2 = (key) => {
 };
 var isKeyObject2 = (key) => key?.[Symbol.toStringTag] === "KeyObject";
 var isKeyLike2 = (key) => isCryptoKey2(key) || isKeyObject2(key);
+function decodeBase64url2(value, label, ErrorClass) {
+  try {
+    return decode2(value);
+  } catch {
+    throw new ErrorClass(`Failed to base64url decode the ${label}`);
+  }
+}
+var unprotected2;
+var init_helpers2 = __esm2(() => {
+  init_base64url2();
+  unprotected2 = Symbol();
+});
+function isObject2(input) {
+  if (!isObjectLike2(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
 function isDisjoint2(...headers) {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
@@ -18583,20 +18593,11 @@ function isDisjoint2(...headers) {
   }
   return true;
 }
-function isObject2(input) {
-  if (!isObjectLike2(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
 var isObjectLike2 = (value) => typeof value === "object" && value !== null;
+var isJWK2 = (key) => isObject2(key) && typeof key.kty === "string";
+var isPrivateJWK2 = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+var isPublicJWK2 = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
+var isSecretJWK2 = (key) => key.kty === "oct" && typeof key.k === "string";
 function checkKeyLength2(alg, key) {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key.algorithm;
@@ -18605,6 +18606,59 @@ function checkKeyLength2(alg, key) {
     }
   }
 }
+function subtleAlgorithm2(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported2(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey2(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput2(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey2(key, alg, usage);
+  return key;
+}
+async function verify2(alg, key, signature, data) {
+  const cryptoKey = await getSigKey2(alg, key, "verify");
+  checkKeyLength2(alg, cryptoKey);
+  const algorithm = subtleAlgorithm2(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
+var init_signing2 = __esm2(() => {
+  init_errors22();
+});
 function subtleMapping2(jwk) {
   let algorithm;
   let keyUsages;
@@ -18618,7 +18672,7 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.priv ? ["sign"] : ["verify"];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
@@ -18647,22 +18701,19 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
     case "EC": {
       switch (jwk.alg) {
         case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
           keyUsages = jwk.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
@@ -18673,7 +18724,7 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
@@ -18692,7 +18743,7 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
@@ -18713,94 +18764,10 @@ async function jwkToKey2(jwk) {
   delete keyData.use;
   return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
+var unsupportedAlg2 = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
 var init_jwk_to_key2 = __esm2(() => {
   init_errors22();
 });
-async function importJWK2(jwk, alg, options) {
-  if (!isObject2(jwk)) {
-    throw new TypeError("JWK must be an object");
-  }
-  let ext;
-  alg ??= jwk.alg;
-  ext ??= options?.extractable ?? jwk.ext;
-  switch (jwk.kty) {
-    case "oct":
-      if (typeof jwk.k !== "string" || !jwk.k) {
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      }
-      return decode2(jwk.k);
-    case "RSA":
-      if ("oth" in jwk && jwk.oth !== undefined) {
-        throw new JOSENotSupported2('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-      }
-      return jwkToKey2({ ...jwk, alg, ext });
-    case "AKP": {
-      if (typeof jwk.alg !== "string" || !jwk.alg) {
-        throw new TypeError('missing "alg" (Algorithm) Parameter value');
-      }
-      if (alg !== undefined && alg !== jwk.alg) {
-        throw new TypeError("JWK alg and alg option value mismatch");
-      }
-      return jwkToKey2({ ...jwk, ext });
-    }
-    case "EC":
-    case "OKP":
-      return jwkToKey2({ ...jwk, alg, ext });
-    default:
-      throw new JOSENotSupported2('Unsupported "kty" (Key Type) Parameter value');
-  }
-}
-var init_import2 = __esm2(() => {
-  init_base64url2();
-  init_jwk_to_key2();
-  init_errors22();
-});
-function validateCrit2(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === undefined) {
-    return new Set;
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== undefined) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
-  }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported2(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-    }
-  }
-  return new Set(protectedHeader.crit);
-}
-var init_validate_crit2 = __esm2(() => {
-  init_errors22();
-});
-function validateAlgorithms2(option, algorithms) {
-  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
-    return;
-  }
-  return new Set(algorithms);
-}
-var isJWK2 = (key) => isObject2(key) && typeof key.kty === "string";
-var isPrivateJWK2 = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-var isPublicJWK2 = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
-var isSecretJWK2 = (key) => key.kty === "oct" && typeof key.k === "string";
-var init_is_jwk2 = () => {};
 async function normalizeKey2(key, alg) {
   if (key instanceof Uint8Array) {
     return key;
@@ -18832,6 +18799,7 @@ async function normalizeKey2(key, alg) {
   }
   throw new Error("unreachable");
 }
+var unusableForAlg2 = "given KeyObject instance cannot be used for this algorithm";
 var cache2;
 var handleJWK2 = async (key, jwk, alg, freeze = false) => {
   cache2 ||= new WeakMap;
@@ -18866,13 +18834,13 @@ var handleKeyObject2 = (keyObject, alg) => {
       case "ECDH-ES+A256KW":
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg2);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
   }
   if (keyObject.asymmetricKeyType === "ed25519") {
     if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg2);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
       isPublic ? "verify" : "sign"
@@ -18883,7 +18851,7 @@ var handleKeyObject2 = (keyObject, alg) => {
     case "ml-dsa-65":
     case "ml-dsa-87": {
       if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg2);
       }
       cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
         isPublic ? "verify" : "sign"
@@ -18912,7 +18880,7 @@ var handleKeyObject2 = (keyObject, alg) => {
         hash = "SHA-512";
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg2);
     }
     if (alg.startsWith("RSA-OAEP")) {
       return keyObject.toCryptoKey({
@@ -18933,21 +18901,10 @@ var handleKeyObject2 = (keyObject, alg) => {
     ]);
     const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
     if (!namedCurve) {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    }
-    if (alg === "ES256" && namedCurve === "P-256") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES384" && namedCurve === "P-384") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
+      throw new TypeError(unusableForAlg2);
     }
-    if (alg === "ES512" && namedCurve === "P-521") {
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
       cryptoKey = keyObject.toCryptoKey({
         name: "ECDSA",
         namedCurve
@@ -18961,7 +18918,7 @@ var handleKeyObject2 = (keyObject, alg) => {
     }
   }
   if (!cryptoKey) {
-    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    throw new TypeError(unusableForAlg2);
   }
   if (!cached) {
     cache2.set(keyObject, { [alg]: cryptoKey });
@@ -18971,10 +18928,89 @@ var handleKeyObject2 = (keyObject, alg) => {
   return cryptoKey;
 };
 var init_normalize_key2 = __esm2(() => {
-  init_is_jwk2();
   init_base64url2();
   init_jwk_to_key2();
 });
+async function importJWK2(jwk, alg, options) {
+  if (!isObject2(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode2(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== undefined) {
+        throw new JOSENotSupported2('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey2({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== undefined && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey2({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey2({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported2('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+var init_import2 = __esm2(() => {
+  init_base64url2();
+  init_jwk_to_key2();
+  init_errors22();
+});
+function validateCrit2(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === undefined) {
+    return new Set;
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== undefined) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported2(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+var init_validate_crit2 = __esm2(() => {
+  init_errors22();
+});
+function validateAlgorithms2(option, algorithms) {
+  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return;
+  }
+  return new Set(algorithms);
+}
 function checkKeyType2(alg, key, usage) {
   switch (alg.substring(0, 2)) {
     case "A1":
@@ -19093,67 +19129,7 @@ var asymmetricTypeCheck2 = (alg, key, usage) => {
     }
   }
 };
-var init_check_key_type2 = __esm2(() => {
-  init_is_jwk2();
-});
-function subtleAlgorithm2(alg, algorithm) {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported2(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-var init_subtle_dsa2 = __esm2(() => {
-  init_errors22();
-});
-async function getSigKey2(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalidKeyInput2(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-  }
-  checkSigCryptoKey2(key, alg, usage);
-  return key;
-}
-var init_get_sign_verify_key2 = () => {};
-async function verify2(alg, key, signature, data) {
-  const cryptoKey = await getSigKey2(alg, key, "verify");
-  checkKeyLength2(alg, cryptoKey);
-  const algorithm = subtleAlgorithm2(alg, cryptoKey.algorithm);
-  try {
-    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-  } catch {
-    return false;
-  }
-}
-var init_verify5 = __esm2(() => {
-  init_subtle_dsa2();
-  init_get_sign_verify_key2();
-});
+var init_check_key_type2 = () => {};
 async function flattenedVerify2(jws, key, options) {
   if (!isObject2(jws)) {
     throw new JWSInvalid2("Flattened JWS must be an object");
@@ -19219,12 +19195,7 @@ async function flattenedVerify2(jws, key, options) {
   }
   checkKeyType2(alg, key, "verify");
   const data = concat2(jws.protected !== undefined ? encode2(jws.protected) : new Uint8Array, encode2("."), typeof jws.payload === "string" ? b64 ? encode2(jws.payload) : encoder2.encode(jws.payload) : jws.payload);
-  let signature;
-  try {
-    signature = decode2(jws.signature);
-  } catch {
-    throw new JWSInvalid2("Failed to base64url decode the signature");
-  }
+  const signature = decodeBase64url2(jws.signature, "signature", JWSInvalid2);
   const k = await normalizeKey2(key, alg);
   const verified = await verify2(alg, k, signature, data);
   if (!verified) {
@@ -19232,11 +19203,7 @@ async function flattenedVerify2(jws, key, options) {
   }
   let payload;
   if (b64) {
-    try {
-      payload = decode2(jws.payload);
-    } catch {
-      throw new JWSInvalid2("Failed to base64url decode the payload");
-    }
+    payload = decodeBase64url2(jws.payload, "payload", JWSInvalid2);
   } else if (typeof jws.payload === "string") {
     payload = encoder2.encode(jws.payload);
   } else {
@@ -19254,11 +19221,12 @@ async function flattenedVerify2(jws, key, options) {
   }
   return result;
 }
-var init_verify22 = __esm2(() => {
+var init_verify4 = __esm2(() => {
   init_base64url2();
-  init_verify5();
+  init_signing2();
   init_errors22();
   init_buffer_utils2();
+  init_helpers2();
   init_check_key_type2();
   init_validate_crit2();
   init_normalize_key2();
@@ -19281,8 +19249,8 @@ async function compactVerify2(jws, key, options) {
   }
   return result;
 }
-var init_verify32 = __esm2(() => {
-  init_verify22();
+var init_verify22 = __esm2(() => {
+  init_verify4();
   init_errors22();
   init_buffer_utils2();
 });
@@ -19530,8 +19498,8 @@ async function jwtVerify2(jwt2, key, options) {
   }
   return result;
 }
-var init_verify42 = __esm2(() => {
-  init_verify32();
+var init_verify32 = __esm2(() => {
+  init_verify22();
   init_jwt_claims_set2();
   init_errors22();
 });
@@ -19814,14 +19782,14 @@ var init_remote2 = __esm2(() => {
   init_local2();
   if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
     const NAME = "jose";
-    const VERSION = "v6.1.3";
+    const VERSION = "v6.2.1";
     USER_AGENT2 = `${NAME}/${VERSION}`;
   }
   customFetch2 = Symbol();
   jwksCache2 = Symbol();
 });
 var init_webapi2 = __esm2(() => {
-  init_verify42();
+  init_verify32();
   init_local2();
   init_remote2();
   init_errors22();
@@ -31595,6 +31563,111 @@ function decode3(input) {
 var init_base64url3 = __esm3(() => {
   init_buffer_utils3();
 });
+function getHashLength3(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength3(algorithm, expected) {
+  const actual = getHashLength3(algorithm.hash);
+  if (actual !== expected)
+    throw unusable3(`SHA-${expected}`, "algorithm.hash");
+}
+function getNamedCurve3(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage3(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey3(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm3(key.algorithm, "HMAC"))
+        throw unusable3("HMAC");
+      checkHashLength3(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm3(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable3("RSASSA-PKCS1-v1_5");
+      checkHashLength3(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm3(key.algorithm, "RSA-PSS"))
+        throw unusable3("RSA-PSS");
+      checkHashLength3(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm3(key.algorithm, "Ed25519"))
+        throw unusable3("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm3(key.algorithm, alg))
+        throw unusable3(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm3(key.algorithm, "ECDSA"))
+        throw unusable3("ECDSA");
+      const expected = getNamedCurve3(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable3(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage3(key, usage);
+}
+var unusable3 = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+var isAlgorithm3 = (algorithm, name) => algorithm.name === name;
+function message3(msg, actual, ...types2) {
+  types2 = types2.filter(Boolean);
+  if (types2.length > 2) {
+    const last = types2.pop();
+    msg += `one of type ${types2.join(", ")}, or ${last}.`;
+  } else if (types2.length === 2) {
+    msg += `one of type ${types2[0]} or ${types2[1]}.`;
+  } else {
+    msg += `of type ${types2[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput3 = (actual, ...types2) => message3("Key must be ", actual, ...types2);
+var withAlg3 = (alg, actual, ...types2) => message3(`Key for the ${alg} algorithm must be `, actual, ...types2);
 var exports_errors3 = {};
 __export3(exports_errors3, {
   JWTInvalid: () => JWTInvalid3,
@@ -31632,8 +31705,8 @@ var init_errors23 = __esm3(() => {
   JOSEError3 = class JOSEError4 extends Error {
     static code = "ERR_JOSE_GENERIC";
     code = "ERR_JOSE_GENERIC";
-    constructor(message3, options) {
-      super(message3, options);
+    constructor(message22, options) {
+      super(message22, options);
       this.name = this.constructor.name;
       Error.captureStackTrace?.(this, this.constructor);
     }
@@ -31644,8 +31717,8 @@ var init_errors23 = __esm3(() => {
     claim;
     reason;
     payload;
-    constructor(message3, payload, claim = "unspecified", reason = "unspecified") {
-      super(message3, { cause: { claim, reason, payload } });
+    constructor(message22, payload, claim = "unspecified", reason = "unspecified") {
+      super(message22, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -31657,8 +31730,8 @@ var init_errors23 = __esm3(() => {
     claim;
     reason;
     payload;
-    constructor(message3, payload, claim = "unspecified", reason = "unspecified") {
-      super(message3, { cause: { claim, reason, payload } });
+    constructor(message22, payload, claim = "unspecified", reason = "unspecified") {
+      super(message22, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -31675,8 +31748,8 @@ var init_errors23 = __esm3(() => {
   JWEDecryptionFailed3 = class JWEDecryptionFailed4 extends JOSEError3 {
     static code = "ERR_JWE_DECRYPTION_FAILED";
     code = "ERR_JWE_DECRYPTION_FAILED";
-    constructor(message3 = "decryption operation failed", options) {
-      super(message3, options);
+    constructor(message22 = "decryption operation failed", options) {
+      super(message22, options);
     }
   };
   JWEInvalid3 = class JWEInvalid4 extends JOSEError3 {
@@ -31702,142 +31775,33 @@ var init_errors23 = __esm3(() => {
   JWKSNoMatchingKey3 = class JWKSNoMatchingKey4 extends JOSEError3 {
     static code = "ERR_JWKS_NO_MATCHING_KEY";
     code = "ERR_JWKS_NO_MATCHING_KEY";
-    constructor(message3 = "no applicable key found in the JSON Web Key Set", options) {
-      super(message3, options);
+    constructor(message22 = "no applicable key found in the JSON Web Key Set", options) {
+      super(message22, options);
     }
   };
   JWKSMultipleMatchingKeys3 = class JWKSMultipleMatchingKeys4 extends JOSEError3 {
     [Symbol.asyncIterator];
     static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
     code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-    constructor(message3 = "multiple matching keys found in the JSON Web Key Set", options) {
-      super(message3, options);
+    constructor(message22 = "multiple matching keys found in the JSON Web Key Set", options) {
+      super(message22, options);
     }
   };
   JWKSTimeout3 = class JWKSTimeout4 extends JOSEError3 {
     static code = "ERR_JWKS_TIMEOUT";
     code = "ERR_JWKS_TIMEOUT";
-    constructor(message3 = "request timed out", options) {
-      super(message3, options);
+    constructor(message22 = "request timed out", options) {
+      super(message22, options);
     }
   };
   JWSSignatureVerificationFailed3 = class JWSSignatureVerificationFailed4 extends JOSEError3 {
     static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
     code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-    constructor(message3 = "signature verification failed", options) {
-      super(message3, options);
+    constructor(message22 = "signature verification failed", options) {
+      super(message22, options);
     }
   };
 });
-function getHashLength3(hash) {
-  return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve3(alg) {
-  switch (alg) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function checkUsage3(key, usage) {
-  if (usage && !key.usages.includes(usage)) {
-    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-  }
-}
-function checkSigCryptoKey3(key, alg, usage) {
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!isAlgorithm3(key.algorithm, "HMAC"))
-        throw unusable3("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength3(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable3(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!isAlgorithm3(key.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw unusable3("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength3(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable3(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!isAlgorithm3(key.algorithm, "RSA-PSS"))
-        throw unusable3("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength3(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable3(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "Ed25519":
-    case "EdDSA": {
-      if (!isAlgorithm3(key.algorithm, "Ed25519"))
-        throw unusable3("Ed25519");
-      break;
-    }
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87": {
-      if (!isAlgorithm3(key.algorithm, alg))
-        throw unusable3(alg);
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!isAlgorithm3(key.algorithm, "ECDSA"))
-        throw unusable3("ECDSA");
-      const expected = getNamedCurve3(alg);
-      const actual = key.algorithm.namedCurve;
-      if (actual !== expected)
-        throw unusable3(expected, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  checkUsage3(key, usage);
-}
-var unusable3 = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-var isAlgorithm3 = (algorithm, name) => algorithm.name === name;
-function message3(msg, actual, ...types2) {
-  types2 = types2.filter(Boolean);
-  if (types2.length > 2) {
-    const last = types2.pop();
-    msg += `one of type ${types2.join(", ")}, or ${last}.`;
-  } else if (types2.length === 2) {
-    msg += `one of type ${types2[0]} or ${types2[1]}.`;
-  } else {
-    msg += `of type ${types2[0]}.`;
-  }
-  if (actual == null) {
-    msg += ` Received ${actual}`;
-  } else if (typeof actual === "function" && actual.name) {
-    msg += ` Received function ${actual.name}`;
-  } else if (typeof actual === "object" && actual != null) {
-    if (actual.constructor?.name) {
-      msg += ` Received an instance of ${actual.constructor.name}`;
-    }
-  }
-  return msg;
-}
-var invalidKeyInput3 = (actual, ...types2) => message3("Key must be ", actual, ...types2);
-var withAlg3 = (alg, actual, ...types2) => message3(`Key for the ${alg} algorithm must be `, actual, ...types2);
 var isCryptoKey3 = (key) => {
   if (key?.[Symbol.toStringTag] === "CryptoKey")
     return true;
@@ -31849,6 +31813,31 @@ var isCryptoKey3 = (key) => {
 };
 var isKeyObject3 = (key) => key?.[Symbol.toStringTag] === "KeyObject";
 var isKeyLike3 = (key) => isCryptoKey3(key) || isKeyObject3(key);
+function decodeBase64url3(value, label, ErrorClass) {
+  try {
+    return decode3(value);
+  } catch {
+    throw new ErrorClass(`Failed to base64url decode the ${label}`);
+  }
+}
+var unprotected3;
+var init_helpers3 = __esm3(() => {
+  init_base64url3();
+  unprotected3 = Symbol();
+});
+function isObject3(input) {
+  if (!isObjectLike3(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
 function isDisjoint3(...headers) {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
@@ -31870,20 +31859,11 @@ function isDisjoint3(...headers) {
   }
   return true;
 }
-function isObject3(input) {
-  if (!isObjectLike3(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
 var isObjectLike3 = (value) => typeof value === "object" && value !== null;
+var isJWK3 = (key) => isObject3(key) && typeof key.kty === "string";
+var isPrivateJWK3 = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+var isPublicJWK3 = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
+var isSecretJWK3 = (key) => key.kty === "oct" && typeof key.k === "string";
 function checkKeyLength3(alg, key) {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key.algorithm;
@@ -31892,6 +31872,59 @@ function checkKeyLength3(alg, key) {
     }
   }
 }
+function subtleAlgorithm3(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported3(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey3(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput3(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey3(key, alg, usage);
+  return key;
+}
+async function verify3(alg, key, signature, data) {
+  const cryptoKey = await getSigKey3(alg, key, "verify");
+  checkKeyLength3(alg, cryptoKey);
+  const algorithm = subtleAlgorithm3(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
+var init_signing3 = __esm3(() => {
+  init_errors23();
+});
 function subtleMapping3(jwk) {
   let algorithm;
   let keyUsages;
@@ -31905,7 +31938,7 @@ function subtleMapping3(jwk) {
           keyUsages = jwk.priv ? ["sign"] : ["verify"];
           break;
         default:
-          throw new JOSENotSupported3('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported3(unsupportedAlg3);
       }
       break;
     }
@@ -31934,22 +31967,19 @@ function subtleMapping3(jwk) {
           keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new JOSENotSupported3('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported3(unsupportedAlg3);
       }
       break;
     }
     case "EC": {
       switch (jwk.alg) {
         case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
           keyUsages = jwk.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
@@ -31960,7 +31990,7 @@ function subtleMapping3(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported3('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported3(unsupportedAlg3);
       }
       break;
     }
@@ -31979,7 +32009,7 @@ function subtleMapping3(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported3('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported3(unsupportedAlg3);
       }
       break;
     }
@@ -32000,94 +32030,10 @@ async function jwkToKey3(jwk) {
   delete keyData.use;
   return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
+var unsupportedAlg3 = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
 var init_jwk_to_key3 = __esm3(() => {
   init_errors23();
 });
-async function importJWK3(jwk, alg, options) {
-  if (!isObject3(jwk)) {
-    throw new TypeError("JWK must be an object");
-  }
-  let ext;
-  alg ??= jwk.alg;
-  ext ??= options?.extractable ?? jwk.ext;
-  switch (jwk.kty) {
-    case "oct":
-      if (typeof jwk.k !== "string" || !jwk.k) {
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      }
-      return decode3(jwk.k);
-    case "RSA":
-      if ("oth" in jwk && jwk.oth !== undefined) {
-        throw new JOSENotSupported3('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-      }
-      return jwkToKey3({ ...jwk, alg, ext });
-    case "AKP": {
-      if (typeof jwk.alg !== "string" || !jwk.alg) {
-        throw new TypeError('missing "alg" (Algorithm) Parameter value');
-      }
-      if (alg !== undefined && alg !== jwk.alg) {
-        throw new TypeError("JWK alg and alg option value mismatch");
-      }
-      return jwkToKey3({ ...jwk, ext });
-    }
-    case "EC":
-    case "OKP":
-      return jwkToKey3({ ...jwk, alg, ext });
-    default:
-      throw new JOSENotSupported3('Unsupported "kty" (Key Type) Parameter value');
-  }
-}
-var init_import3 = __esm3(() => {
-  init_base64url3();
-  init_jwk_to_key3();
-  init_errors23();
-});
-function validateCrit3(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === undefined) {
-    return new Set;
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== undefined) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
-  }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported3(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-    }
-  }
-  return new Set(protectedHeader.crit);
-}
-var init_validate_crit3 = __esm3(() => {
-  init_errors23();
-});
-function validateAlgorithms3(option, algorithms) {
-  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
-    return;
-  }
-  return new Set(algorithms);
-}
-var isJWK3 = (key) => isObject3(key) && typeof key.kty === "string";
-var isPrivateJWK3 = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-var isPublicJWK3 = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
-var isSecretJWK3 = (key) => key.kty === "oct" && typeof key.k === "string";
-var init_is_jwk3 = () => {};
 async function normalizeKey3(key, alg) {
   if (key instanceof Uint8Array) {
     return key;
@@ -32119,6 +32065,7 @@ async function normalizeKey3(key, alg) {
   }
   throw new Error("unreachable");
 }
+var unusableForAlg3 = "given KeyObject instance cannot be used for this algorithm";
 var cache3;
 var handleJWK3 = async (key, jwk, alg, freeze = false) => {
   cache3 ||= new WeakMap;
@@ -32153,13 +32100,13 @@ var handleKeyObject3 = (keyObject, alg) => {
       case "ECDH-ES+A256KW":
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg3);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
   }
   if (keyObject.asymmetricKeyType === "ed25519") {
     if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg3);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
       isPublic ? "verify" : "sign"
@@ -32170,7 +32117,7 @@ var handleKeyObject3 = (keyObject, alg) => {
     case "ml-dsa-65":
     case "ml-dsa-87": {
       if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg3);
       }
       cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
         isPublic ? "verify" : "sign"
@@ -32199,7 +32146,7 @@ var handleKeyObject3 = (keyObject, alg) => {
         hash = "SHA-512";
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg3);
     }
     if (alg.startsWith("RSA-OAEP")) {
       return keyObject.toCryptoKey({
@@ -32220,21 +32167,10 @@ var handleKeyObject3 = (keyObject, alg) => {
     ]);
     const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
     if (!namedCurve) {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg3);
     }
-    if (alg === "ES256" && namedCurve === "P-256") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES384" && namedCurve === "P-384") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES512" && namedCurve === "P-521") {
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
       cryptoKey = keyObject.toCryptoKey({
         name: "ECDSA",
         namedCurve
@@ -32248,7 +32184,7 @@ var handleKeyObject3 = (keyObject, alg) => {
     }
   }
   if (!cryptoKey) {
-    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    throw new TypeError(unusableForAlg3);
   }
   if (!cached) {
     cache3.set(keyObject, { [alg]: cryptoKey });
@@ -32258,10 +32194,89 @@ var handleKeyObject3 = (keyObject, alg) => {
   return cryptoKey;
 };
 var init_normalize_key3 = __esm3(() => {
-  init_is_jwk3();
   init_base64url3();
   init_jwk_to_key3();
 });
+async function importJWK3(jwk, alg, options) {
+  if (!isObject3(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode3(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== undefined) {
+        throw new JOSENotSupported3('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey3({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== undefined && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey3({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey3({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported3('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+var init_import3 = __esm3(() => {
+  init_base64url3();
+  init_jwk_to_key3();
+  init_errors23();
+});
+function validateCrit3(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === undefined) {
+    return new Set;
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== undefined) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported3(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+var init_validate_crit3 = __esm3(() => {
+  init_errors23();
+});
+function validateAlgorithms3(option, algorithms) {
+  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return;
+  }
+  return new Set(algorithms);
+}
 function checkKeyType3(alg, key, usage) {
   switch (alg.substring(0, 2)) {
     case "A1":
@@ -32380,67 +32395,7 @@ var asymmetricTypeCheck3 = (alg, key, usage) => {
     }
   }
 };
-var init_check_key_type3 = __esm3(() => {
-  init_is_jwk3();
-});
-function subtleAlgorithm3(alg, algorithm) {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported3(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-var init_subtle_dsa3 = __esm3(() => {
-  init_errors23();
-});
-async function getSigKey3(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalidKeyInput3(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-  }
-  checkSigCryptoKey3(key, alg, usage);
-  return key;
-}
-var init_get_sign_verify_key3 = () => {};
-async function verify3(alg, key, signature, data) {
-  const cryptoKey = await getSigKey3(alg, key, "verify");
-  checkKeyLength3(alg, cryptoKey);
-  const algorithm = subtleAlgorithm3(alg, cryptoKey.algorithm);
-  try {
-    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-  } catch {
-    return false;
-  }
-}
-var init_verify6 = __esm3(() => {
-  init_subtle_dsa3();
-  init_get_sign_verify_key3();
-});
+var init_check_key_type3 = () => {};
 async function flattenedVerify3(jws, key, options) {
   if (!isObject3(jws)) {
     throw new JWSInvalid3("Flattened JWS must be an object");
@@ -32506,12 +32461,7 @@ async function flattenedVerify3(jws, key, options) {
   }
   checkKeyType3(alg, key, "verify");
   const data = concat3(jws.protected !== undefined ? encode3(jws.protected) : new Uint8Array, encode3("."), typeof jws.payload === "string" ? b64 ? encode3(jws.payload) : encoder3.encode(jws.payload) : jws.payload);
-  let signature;
-  try {
-    signature = decode3(jws.signature);
-  } catch {
-    throw new JWSInvalid3("Failed to base64url decode the signature");
-  }
+  const signature = decodeBase64url3(jws.signature, "signature", JWSInvalid3);
   const k = await normalizeKey3(key, alg);
   const verified = await verify3(alg, k, signature, data);
   if (!verified) {
@@ -32519,11 +32469,7 @@ async function flattenedVerify3(jws, key, options) {
   }
   let payload;
   if (b64) {
-    try {
-      payload = decode3(jws.payload);
-    } catch {
-      throw new JWSInvalid3("Failed to base64url decode the payload");
-    }
+    payload = decodeBase64url3(jws.payload, "payload", JWSInvalid3);
   } else if (typeof jws.payload === "string") {
     payload = encoder3.encode(jws.payload);
   } else {
@@ -32541,11 +32487,12 @@ async function flattenedVerify3(jws, key, options) {
   }
   return result;
 }
-var init_verify23 = __esm3(() => {
+var init_verify5 = __esm3(() => {
   init_base64url3();
-  init_verify6();
+  init_signing3();
   init_errors23();
   init_buffer_utils3();
+  init_helpers3();
   init_check_key_type3();
   init_validate_crit3();
   init_normalize_key3();
@@ -32568,8 +32515,8 @@ async function compactVerify3(jws, key, options) {
   }
   return result;
 }
-var init_verify33 = __esm3(() => {
-  init_verify23();
+var init_verify23 = __esm3(() => {
+  init_verify5();
   init_errors23();
   init_buffer_utils3();
 });
@@ -32817,8 +32764,8 @@ async function jwtVerify3(jwt2, key, options) {
   }
   return result;
 }
-var init_verify43 = __esm3(() => {
-  init_verify33();
+var init_verify33 = __esm3(() => {
+  init_verify23();
   init_jwt_claims_set3();
   init_errors23();
 });
@@ -33101,14 +33048,14 @@ var init_remote3 = __esm3(() => {
   init_local3();
   if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
     const NAME = "jose";
-    const VERSION = "v6.1.3";
+    const VERSION = "v6.2.1";
     USER_AGENT3 = `${NAME}/${VERSION}`;
   }
   customFetch3 = Symbol();
   jwksCache3 = Symbol();
 });
 var init_webapi3 = __esm3(() => {
-  init_verify43();
+  init_verify33();
   init_local3();
   init_remote3();
   init_errors23();
@@ -41825,6 +41772,111 @@ function decode4(input) {
 var init_base64url4 = __esm4(() => {
   init_buffer_utils4();
 });
+function getHashLength4(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength4(algorithm, expected) {
+  const actual = getHashLength4(algorithm.hash);
+  if (actual !== expected)
+    throw unusable4(`SHA-${expected}`, "algorithm.hash");
+}
+function getNamedCurve4(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage4(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey4(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm4(key.algorithm, "HMAC"))
+        throw unusable4("HMAC");
+      checkHashLength4(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm4(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable4("RSASSA-PKCS1-v1_5");
+      checkHashLength4(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm4(key.algorithm, "RSA-PSS"))
+        throw unusable4("RSA-PSS");
+      checkHashLength4(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm4(key.algorithm, "Ed25519"))
+        throw unusable4("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm4(key.algorithm, alg))
+        throw unusable4(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm4(key.algorithm, "ECDSA"))
+        throw unusable4("ECDSA");
+      const expected = getNamedCurve4(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable4(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage4(key, usage);
+}
+var unusable4 = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+var isAlgorithm4 = (algorithm, name) => algorithm.name === name;
+function message4(msg, actual, ...types2) {
+  types2 = types2.filter(Boolean);
+  if (types2.length > 2) {
+    const last = types2.pop();
+    msg += `one of type ${types2.join(", ")}, or ${last}.`;
+  } else if (types2.length === 2) {
+    msg += `one of type ${types2[0]} or ${types2[1]}.`;
+  } else {
+    msg += `of type ${types2[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput4 = (actual, ...types2) => message4("Key must be ", actual, ...types2);
+var withAlg4 = (alg, actual, ...types2) => message4(`Key for the ${alg} algorithm must be `, actual, ...types2);
 var exports_errors4 = {};
 __export4(exports_errors4, {
   JWTInvalid: () => JWTInvalid4,
@@ -41862,8 +41914,8 @@ var init_errors24 = __esm4(() => {
   JOSEError4 = class JOSEError5 extends Error {
     static code = "ERR_JOSE_GENERIC";
     code = "ERR_JOSE_GENERIC";
-    constructor(message4, options) {
-      super(message4, options);
+    constructor(message22, options) {
+      super(message22, options);
       this.name = this.constructor.name;
       Error.captureStackTrace?.(this, this.constructor);
     }
@@ -41874,8 +41926,8 @@ var init_errors24 = __esm4(() => {
     claim;
     reason;
     payload;
-    constructor(message4, payload, claim = "unspecified", reason = "unspecified") {
-      super(message4, { cause: { claim, reason, payload } });
+    constructor(message22, payload, claim = "unspecified", reason = "unspecified") {
+      super(message22, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -41887,8 +41939,8 @@ var init_errors24 = __esm4(() => {
     claim;
     reason;
     payload;
-    constructor(message4, payload, claim = "unspecified", reason = "unspecified") {
-      super(message4, { cause: { claim, reason, payload } });
+    constructor(message22, payload, claim = "unspecified", reason = "unspecified") {
+      super(message22, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -41905,8 +41957,8 @@ var init_errors24 = __esm4(() => {
   JWEDecryptionFailed4 = class JWEDecryptionFailed5 extends JOSEError4 {
     static code = "ERR_JWE_DECRYPTION_FAILED";
     code = "ERR_JWE_DECRYPTION_FAILED";
-    constructor(message4 = "decryption operation failed", options) {
-      super(message4, options);
+    constructor(message22 = "decryption operation failed", options) {
+      super(message22, options);
     }
   };
   JWEInvalid4 = class JWEInvalid5 extends JOSEError4 {
@@ -41932,142 +41984,33 @@ var init_errors24 = __esm4(() => {
   JWKSNoMatchingKey4 = class JWKSNoMatchingKey5 extends JOSEError4 {
     static code = "ERR_JWKS_NO_MATCHING_KEY";
     code = "ERR_JWKS_NO_MATCHING_KEY";
-    constructor(message4 = "no applicable key found in the JSON Web Key Set", options) {
-      super(message4, options);
+    constructor(message22 = "no applicable key found in the JSON Web Key Set", options) {
+      super(message22, options);
     }
   };
   JWKSMultipleMatchingKeys4 = class JWKSMultipleMatchingKeys5 extends JOSEError4 {
     [Symbol.asyncIterator];
     static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
     code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-    constructor(message4 = "multiple matching keys found in the JSON Web Key Set", options) {
-      super(message4, options);
+    constructor(message22 = "multiple matching keys found in the JSON Web Key Set", options) {
+      super(message22, options);
     }
   };
   JWKSTimeout4 = class JWKSTimeout5 extends JOSEError4 {
     static code = "ERR_JWKS_TIMEOUT";
     code = "ERR_JWKS_TIMEOUT";
-    constructor(message4 = "request timed out", options) {
-      super(message4, options);
+    constructor(message22 = "request timed out", options) {
+      super(message22, options);
     }
   };
   JWSSignatureVerificationFailed4 = class JWSSignatureVerificationFailed5 extends JOSEError4 {
     static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
     code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-    constructor(message4 = "signature verification failed", options) {
-      super(message4, options);
+    constructor(message22 = "signature verification failed", options) {
+      super(message22, options);
     }
   };
 });
-function getHashLength4(hash) {
-  return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve4(alg) {
-  switch (alg) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function checkUsage4(key, usage) {
-  if (usage && !key.usages.includes(usage)) {
-    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-  }
-}
-function checkSigCryptoKey4(key, alg, usage) {
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!isAlgorithm4(key.algorithm, "HMAC"))
-        throw unusable4("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength4(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable4(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!isAlgorithm4(key.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw unusable4("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength4(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable4(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!isAlgorithm4(key.algorithm, "RSA-PSS"))
-        throw unusable4("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength4(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable4(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "Ed25519":
-    case "EdDSA": {
-      if (!isAlgorithm4(key.algorithm, "Ed25519"))
-        throw unusable4("Ed25519");
-      break;
-    }
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87": {
-      if (!isAlgorithm4(key.algorithm, alg))
-        throw unusable4(alg);
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!isAlgorithm4(key.algorithm, "ECDSA"))
-        throw unusable4("ECDSA");
-      const expected = getNamedCurve4(alg);
-      const actual = key.algorithm.namedCurve;
-      if (actual !== expected)
-        throw unusable4(expected, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  checkUsage4(key, usage);
-}
-var unusable4 = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-var isAlgorithm4 = (algorithm, name) => algorithm.name === name;
-function message4(msg, actual, ...types2) {
-  types2 = types2.filter(Boolean);
-  if (types2.length > 2) {
-    const last = types2.pop();
-    msg += `one of type ${types2.join(", ")}, or ${last}.`;
-  } else if (types2.length === 2) {
-    msg += `one of type ${types2[0]} or ${types2[1]}.`;
-  } else {
-    msg += `of type ${types2[0]}.`;
-  }
-  if (actual == null) {
-    msg += ` Received ${actual}`;
-  } else if (typeof actual === "function" && actual.name) {
-    msg += ` Received function ${actual.name}`;
-  } else if (typeof actual === "object" && actual != null) {
-    if (actual.constructor?.name) {
-      msg += ` Received an instance of ${actual.constructor.name}`;
-    }
-  }
-  return msg;
-}
-var invalidKeyInput4 = (actual, ...types2) => message4("Key must be ", actual, ...types2);
-var withAlg4 = (alg, actual, ...types2) => message4(`Key for the ${alg} algorithm must be `, actual, ...types2);
 var isCryptoKey4 = (key) => {
   if (key?.[Symbol.toStringTag] === "CryptoKey")
     return true;
@@ -42079,6 +42022,31 @@ var isCryptoKey4 = (key) => {
 };
 var isKeyObject4 = (key) => key?.[Symbol.toStringTag] === "KeyObject";
 var isKeyLike4 = (key) => isCryptoKey4(key) || isKeyObject4(key);
+function decodeBase64url4(value, label, ErrorClass) {
+  try {
+    return decode4(value);
+  } catch {
+    throw new ErrorClass(`Failed to base64url decode the ${label}`);
+  }
+}
+var unprotected4;
+var init_helpers4 = __esm4(() => {
+  init_base64url4();
+  unprotected4 = Symbol();
+});
+function isObject4(input) {
+  if (!isObjectLike4(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
 function isDisjoint4(...headers) {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
@@ -42100,20 +42068,11 @@ function isDisjoint4(...headers) {
   }
   return true;
 }
-function isObject4(input) {
-  if (!isObjectLike4(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
 var isObjectLike4 = (value) => typeof value === "object" && value !== null;
+var isJWK4 = (key) => isObject4(key) && typeof key.kty === "string";
+var isPrivateJWK4 = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+var isPublicJWK4 = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
+var isSecretJWK4 = (key) => key.kty === "oct" && typeof key.k === "string";
 function checkKeyLength4(alg, key) {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key.algorithm;
@@ -42122,6 +42081,59 @@ function checkKeyLength4(alg, key) {
     }
   }
 }
+function subtleAlgorithm4(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported4(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey4(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput4(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey4(key, alg, usage);
+  return key;
+}
+async function verify4(alg, key, signature, data) {
+  const cryptoKey = await getSigKey4(alg, key, "verify");
+  checkKeyLength4(alg, cryptoKey);
+  const algorithm = subtleAlgorithm4(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
+var init_signing4 = __esm4(() => {
+  init_errors24();
+});
 function subtleMapping4(jwk) {
   let algorithm;
   let keyUsages;
@@ -42135,7 +42147,7 @@ function subtleMapping4(jwk) {
           keyUsages = jwk.priv ? ["sign"] : ["verify"];
           break;
         default:
-          throw new JOSENotSupported4('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported4(unsupportedAlg4);
       }
       break;
     }
@@ -42164,22 +42176,19 @@ function subtleMapping4(jwk) {
           keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new JOSENotSupported4('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported4(unsupportedAlg4);
       }
       break;
     }
     case "EC": {
       switch (jwk.alg) {
         case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
           keyUsages = jwk.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
@@ -42190,7 +42199,7 @@ function subtleMapping4(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported4('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported4(unsupportedAlg4);
       }
       break;
     }
@@ -42209,7 +42218,7 @@ function subtleMapping4(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported4('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported4(unsupportedAlg4);
       }
       break;
     }
@@ -42230,94 +42239,10 @@ async function jwkToKey4(jwk) {
   delete keyData.use;
   return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
+var unsupportedAlg4 = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
 var init_jwk_to_key4 = __esm4(() => {
   init_errors24();
 });
-async function importJWK4(jwk, alg, options) {
-  if (!isObject4(jwk)) {
-    throw new TypeError("JWK must be an object");
-  }
-  let ext;
-  alg ??= jwk.alg;
-  ext ??= options?.extractable ?? jwk.ext;
-  switch (jwk.kty) {
-    case "oct":
-      if (typeof jwk.k !== "string" || !jwk.k) {
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      }
-      return decode4(jwk.k);
-    case "RSA":
-      if ("oth" in jwk && jwk.oth !== undefined) {
-        throw new JOSENotSupported4('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-      }
-      return jwkToKey4({ ...jwk, alg, ext });
-    case "AKP": {
-      if (typeof jwk.alg !== "string" || !jwk.alg) {
-        throw new TypeError('missing "alg" (Algorithm) Parameter value');
-      }
-      if (alg !== undefined && alg !== jwk.alg) {
-        throw new TypeError("JWK alg and alg option value mismatch");
-      }
-      return jwkToKey4({ ...jwk, ext });
-    }
-    case "EC":
-    case "OKP":
-      return jwkToKey4({ ...jwk, alg, ext });
-    default:
-      throw new JOSENotSupported4('Unsupported "kty" (Key Type) Parameter value');
-  }
-}
-var init_import4 = __esm4(() => {
-  init_base64url4();
-  init_jwk_to_key4();
-  init_errors24();
-});
-function validateCrit4(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === undefined) {
-    return new Set;
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== undefined) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
-  }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported4(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-    }
-  }
-  return new Set(protectedHeader.crit);
-}
-var init_validate_crit4 = __esm4(() => {
-  init_errors24();
-});
-function validateAlgorithms4(option, algorithms) {
-  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
-    return;
-  }
-  return new Set(algorithms);
-}
-var isJWK4 = (key) => isObject4(key) && typeof key.kty === "string";
-var isPrivateJWK4 = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-var isPublicJWK4 = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
-var isSecretJWK4 = (key) => key.kty === "oct" && typeof key.k === "string";
-var init_is_jwk4 = () => {};
 async function normalizeKey4(key, alg) {
   if (key instanceof Uint8Array) {
     return key;
@@ -42349,6 +42274,7 @@ async function normalizeKey4(key, alg) {
   }
   throw new Error("unreachable");
 }
+var unusableForAlg4 = "given KeyObject instance cannot be used for this algorithm";
 var cache4;
 var handleJWK4 = async (key, jwk, alg, freeze = false) => {
   cache4 ||= new WeakMap;
@@ -42383,13 +42309,13 @@ var handleKeyObject4 = (keyObject, alg) => {
       case "ECDH-ES+A256KW":
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg4);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
   }
   if (keyObject.asymmetricKeyType === "ed25519") {
     if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg4);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
       isPublic ? "verify" : "sign"
@@ -42400,7 +42326,7 @@ var handleKeyObject4 = (keyObject, alg) => {
     case "ml-dsa-65":
     case "ml-dsa-87": {
       if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg4);
       }
       cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
         isPublic ? "verify" : "sign"
@@ -42429,7 +42355,7 @@ var handleKeyObject4 = (keyObject, alg) => {
         hash = "SHA-512";
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg4);
     }
     if (alg.startsWith("RSA-OAEP")) {
       return keyObject.toCryptoKey({
@@ -42450,21 +42376,10 @@ var handleKeyObject4 = (keyObject, alg) => {
     ]);
     const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
     if (!namedCurve) {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    }
-    if (alg === "ES256" && namedCurve === "P-256") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES384" && namedCurve === "P-384") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
+      throw new TypeError(unusableForAlg4);
     }
-    if (alg === "ES512" && namedCurve === "P-521") {
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
       cryptoKey = keyObject.toCryptoKey({
         name: "ECDSA",
         namedCurve
@@ -42478,7 +42393,7 @@ var handleKeyObject4 = (keyObject, alg) => {
     }
   }
   if (!cryptoKey) {
-    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    throw new TypeError(unusableForAlg4);
   }
   if (!cached) {
     cache4.set(keyObject, { [alg]: cryptoKey });
@@ -42488,10 +42403,89 @@ var handleKeyObject4 = (keyObject, alg) => {
   return cryptoKey;
 };
 var init_normalize_key4 = __esm4(() => {
-  init_is_jwk4();
   init_base64url4();
   init_jwk_to_key4();
 });
+async function importJWK4(jwk, alg, options) {
+  if (!isObject4(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode4(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== undefined) {
+        throw new JOSENotSupported4('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey4({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== undefined && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey4({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey4({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported4('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+var init_import4 = __esm4(() => {
+  init_base64url4();
+  init_jwk_to_key4();
+  init_errors24();
+});
+function validateCrit4(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === undefined) {
+    return new Set;
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== undefined) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported4(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+var init_validate_crit4 = __esm4(() => {
+  init_errors24();
+});
+function validateAlgorithms4(option, algorithms) {
+  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return;
+  }
+  return new Set(algorithms);
+}
 function checkKeyType4(alg, key, usage) {
   switch (alg.substring(0, 2)) {
     case "A1":
@@ -42610,67 +42604,7 @@ var asymmetricTypeCheck4 = (alg, key, usage) => {
     }
   }
 };
-var init_check_key_type4 = __esm4(() => {
-  init_is_jwk4();
-});
-function subtleAlgorithm4(alg, algorithm) {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported4(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-var init_subtle_dsa4 = __esm4(() => {
-  init_errors24();
-});
-async function getSigKey4(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalidKeyInput4(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-  }
-  checkSigCryptoKey4(key, alg, usage);
-  return key;
-}
-var init_get_sign_verify_key4 = () => {};
-async function verify4(alg, key, signature, data) {
-  const cryptoKey = await getSigKey4(alg, key, "verify");
-  checkKeyLength4(alg, cryptoKey);
-  const algorithm = subtleAlgorithm4(alg, cryptoKey.algorithm);
-  try {
-    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-  } catch {
-    return false;
-  }
-}
-var init_verify7 = __esm4(() => {
-  init_subtle_dsa4();
-  init_get_sign_verify_key4();
-});
+var init_check_key_type4 = () => {};
 async function flattenedVerify4(jws, key, options) {
   if (!isObject4(jws)) {
     throw new JWSInvalid4("Flattened JWS must be an object");
@@ -42736,12 +42670,7 @@ async function flattenedVerify4(jws, key, options) {
   }
   checkKeyType4(alg, key, "verify");
   const data = concat4(jws.protected !== undefined ? encode4(jws.protected) : new Uint8Array, encode4("."), typeof jws.payload === "string" ? b64 ? encode4(jws.payload) : encoder4.encode(jws.payload) : jws.payload);
-  let signature;
-  try {
-    signature = decode4(jws.signature);
-  } catch {
-    throw new JWSInvalid4("Failed to base64url decode the signature");
-  }
+  const signature = decodeBase64url4(jws.signature, "signature", JWSInvalid4);
   const k = await normalizeKey4(key, alg);
   const verified = await verify4(alg, k, signature, data);
   if (!verified) {
@@ -42749,11 +42678,7 @@ async function flattenedVerify4(jws, key, options) {
   }
   let payload;
   if (b64) {
-    try {
-      payload = decode4(jws.payload);
-    } catch {
-      throw new JWSInvalid4("Failed to base64url decode the payload");
-    }
+    payload = decodeBase64url4(jws.payload, "payload", JWSInvalid4);
   } else if (typeof jws.payload === "string") {
     payload = encoder4.encode(jws.payload);
   } else {
@@ -42771,11 +42696,12 @@ async function flattenedVerify4(jws, key, options) {
   }
   return result;
 }
-var init_verify24 = __esm4(() => {
+var init_verify6 = __esm4(() => {
   init_base64url4();
-  init_verify7();
+  init_signing4();
   init_errors24();
   init_buffer_utils4();
+  init_helpers4();
   init_check_key_type4();
   init_validate_crit4();
   init_normalize_key4();
@@ -42798,8 +42724,8 @@ async function compactVerify4(jws, key, options) {
   }
   return result;
 }
-var init_verify34 = __esm4(() => {
-  init_verify24();
+var init_verify24 = __esm4(() => {
+  init_verify6();
   init_errors24();
   init_buffer_utils4();
 });
@@ -43047,8 +42973,8 @@ async function jwtVerify4(jwt2, key, options) {
   }
   return result;
 }
-var init_verify44 = __esm4(() => {
-  init_verify34();
+var init_verify34 = __esm4(() => {
+  init_verify24();
   init_jwt_claims_set4();
   init_errors24();
 });
@@ -43331,14 +43257,14 @@ var init_remote4 = __esm4(() => {
   init_local4();
   if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
     const NAME = "jose";
-    const VERSION = "v6.1.3";
+    const VERSION = "v6.2.1";
     USER_AGENT4 = `${NAME}/${VERSION}`;
   }
   customFetch4 = Symbol();
   jwksCache4 = Symbol();
 });
 var init_webapi4 = __esm4(() => {
-  init_verify44();
+  init_verify34();
   init_local4();
   init_remote4();
   init_errors24();