@connectid-tools/rp-nodejs-sdk 5.0.1 → 5.1.0

package/README.md

@@ -120,6 +120,85 @@ const rpClient = new RelyingPartyClientSdk(config)
 | `include_uncertified_participants`    | By default the SDK will filter out all authorisation servers that are not fully certified. If you wish to test one of the uncertified auth servers you will need to set this to `true`. If not provided, defaults to 'false'                                                                                                                         | `false`                                                                                                     |
 | `required_claims`                     | The list of claims that the RP will be using and requires IDPs to support. If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs supporting the claims are returned. If this value is not supplied, no filtering by claim support will be performed.                                           | `['name', 'address']`                                                                                       |
 | `required_participant_certifications` | The list of required certifications a server must support for the IDP use case (eg: TDIF Certification). If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs with the certification are returned. If this value is not supplied, no filtering for specific certifications will be performed. | `[{ profileType: 'TDIF Accreditation', profileVariant: 'Identity Provider'}]`                               |
+| `http_cache`                          | Optional configuration for HTTP response caching. When enabled, the SDK caches responses from participant registry, discovery documents, and JWKS endpoints to improve performance. All properties are optional with sensible defaults.                                                                                                              | `{ enabled: true, ttl_minutes: 10, max_entries: 100, max_element_size_bytes: 5242880 }`                     |
+| `http_cache.enabled`                  | Enable or disable HTTP response caching. Default: `true`                                                                                                                                                                                                                                                                                            | `true`                                                                                                      |
+| `http_cache.ttl_minutes`              | Time-to-live for cached entries in minutes. Entries expire after this duration. Default: `10`                                                                                                                                                                                                                                                       | `15`                                                                                                        |
+| `http_cache.max_entries`              | Maximum number of entries to store in the cache. When exceeded, least recently used entries are evicted. Default: `100`                                                                                                                                                                                                                             | `50`                                                                                                        |
+| `http_cache.max_element_size_bytes`   | Maximum size in bytes for a single cached response. Responses larger than this will not be cached. Default: `5242880` (5MB)                                                                                                                                                                                                                         | `1048576`                                                                                                   |
+
+# HTTP Response Cache
+
+The SDK includes an in-memory HTTP response cache that improves performance by reducing redundant network calls to stable endpoints. The cache is enabled by default with sensible configuration values.
+
+## Cached Endpoints
+
+The following endpoint types are automatically cached:
+
+1. **Participant Registry** (`/participants`) - List of identity providers
+2. **OIDC Discovery Documents** (`/.well-known/openid-configuration`) - OpenID Connect configuration
+3. **JWKS Endpoints** - JSON Web Key Sets for token validation
+
+## Cache Behavior
+
+- **Cache-Aside Pattern**: The SDK checks the cache before making HTTP requests. On cache miss or stale entry, it fetches from the network and caches the response.
+- **Only Successful Responses**: Only HTTP 2xx responses are cached. Error responses (4xx, 5xx) and network failures are never cached.
+- **LRU Eviction**: When the cache reaches `max_entries`, the least recently used entries are automatically evicted.
+- **TTL Expiration**: Cached entries expire after `ttl_minutes` and are refreshed on the next access.
+
+## Configuration
+
+The cache can be configured or disabled using the `http_cache` configuration option:
+
+```typescript
+const sdk = new RelyingPartyClientSdk({
+  data: {
+    // ... other config ...
+
+    // Cache enabled with custom settings
+    http_cache: {
+      enabled: true,
+      ttl_minutes: 15,        // Cache entries for 15 minutes
+      max_entries: 50,        // Store up to 50 entries
+      max_element_size_bytes: 1048576  // Max 1MB per entry
+    }
+  }
+})
+```
+
+To disable caching entirely:
+
+```typescript
+const sdk = new RelyingPartyClientSdk({
+  data: {
+    // ... other config ...
+    http_cache: { enabled: false }
+  }
+})
+```
+
+## Default Configuration
+
+If `http_cache` is not specified, the SDK uses the following defaults:
+
+- `enabled`: `true`
+- `ttl_minutes`: `10`
+- `max_entries`: `100`
+- `max_element_size_bytes`: `5242880` (5MB)
+
+## Performance Benefits
+
+- **Reduced Latency**: Cached responses are returned instantly without network round-trips
+- **Lower Network Load**: Fewer HTTP requests to registry and authorization servers
+- **Improved Reliability**: Cached data remains available even if network requests fail
+- **Better User Experience**: Faster response times for repeated operations
+
+## Memory Usage
+
+With default settings:
+- Maximum entries: 100
+- Maximum size per entry: 5MB
+- Worst-case memory usage: ~500MB (if all entries are at maximum size)
+- Typical usage: Much lower (~5-10MB) as registry responses average 50KB, discovery documents ~5KB, and JWKS ~2KB
 
 # Process Overview Sequence Diagram
 
@@ -389,6 +468,53 @@ The required function parameters are:
 
 # Release Notes
 
+### 5.1.0 (Feb 12, 2026)
+
+**HTTP Response Cache Implementation**
+
+This release adds HTTP response caching to improve SDK performance by reducing redundant network calls to stable endpoints.
+
+**New Features:**
+- **In-Memory HTTP Response Cache**: Implements LRU (Least Recently Used) cache with TTL (Time-To-Live) expiration for HTTP responses
+- **Cached Endpoints**:
+  - Participant registry (`/participants`)
+  - OIDC discovery documents (`/.well-known/openid-configuration`)
+  - JWKS endpoints (JSON Web Key Sets)
+- **Configurable Cache Settings**: Optional `http_cache` configuration with the following parameters:
+  - `enabled` (default: `true`) - Enable/disable caching globally
+  - `ttl_minutes` (default: `10`) - Time-to-live for cache entries in minutes
+  - `max_entries` (default: `100`) - Maximum number of cached entries before eviction
+  - `max_element_size_bytes` (default: `5242880` / 5MB) - Maximum size per cached entry
+
+**Performance Benefits:**
+- Reduces network latency for repeated operations
+- Improves response times for common SDK operations
+- Reduces load on registry and authorization servers
+
+**Cache Behavior:**
+- Uses cache-aside pattern: checks cache before making HTTP requests
+- Only caches successful responses (HTTP 2xx status codes)
+- Never caches error responses (4xx, 5xx, network failures)
+- LRU eviction automatically removes oldest entries when cache is full
+- Entries automatically expire based on TTL configuration
+
+**Configuration Example:**
+```typescript
+const sdk = new RelyingPartyClientSdk({
+  data: {
+    // ... other config ...
+    http_cache: {
+      enabled: true,
+      ttl_minutes: 15,
+      max_entries: 50,
+      max_element_size_bytes: 1048576 // 1MB
+    }
+  }
+})
+```
+
+**Note:** The cache is enabled by default with sensible defaults. To disable caching, set `http_cache: { enabled: false }` in your configuration.
+
 ### 5.0.1 (Jan 16, 2026)
 
 * Fixed packaging structure which caused conflicts when including the library.

package/cache/http-response-cache.d.ts

@@ -0,0 +1,83 @@
+import { Logger } from 'winston';
+/**
+ * Configuration for HTTP Response Cache
+ */
+export interface HttpCacheConfig {
+    enabled: boolean;
+    ttlMinutes: number;
+    maxEntries: number;
+    maxElementSizeBytes: number;
+}
+/**
+ * HTTP Response Cache
+ *
+ * In-memory LRU cache with TTL expiration for HTTP responses.
+ * Thread-safe for Node.js single-threaded event loop.
+ *
+ * Features:
+ * - LRU (Least Recently Used) eviction when maxEntries exceeded
+ * - TTL (Time-To-Live) expiration with lazy staleness checking
+ * - Size limits with oversized entry rejection
+ * - Configurable enable/disable
+ */
+export declare class HttpResponseCache {
+    private readonly cache;
+    private readonly config;
+    private readonly logger;
+    constructor(config: HttpCacheConfig, logger: Logger);
+    /**
+     * Retrieves cached response for a given URL.
+     *
+     * @param url - The URL key to lookup
+     * @returns Cached content if entry exists and is fresh, undefined otherwise
+     */
+    get(url: string): string | undefined;
+    /**
+     * Stores HTTP response in cache.
+     *
+     * @param url - The URL key for caching
+     * @param content - The HTTP response body
+     */
+    put(url: string, content: string): void;
+    /**
+     * Checks if a cached entry exists and is stale.
+     *
+     * @param url - The URL key to check
+     * @returns true if entry exists and is stale, false otherwise
+     */
+    isStale(url: string): boolean;
+    /**
+     * Removes specific entry from cache.
+     *
+     * @param url - The URL key to remove
+     */
+    evict(url: string): void;
+    /**
+     * Removes all entries from cache.
+     */
+    clear(): void;
+    /**
+     * Gets current number of entries in cache.
+     *
+     * @returns Number of entries currently in cache
+     */
+    size(): number;
+    /**
+     * Checks if caching is enabled.
+     *
+     * @returns true if caching is enabled, false otherwise
+     */
+    isEnabled(): boolean;
+    /**
+     * Checks if a cache entry is stale based on TTL.
+     *
+     * @param entry - Cache entry to check
+     * @returns true if entry is stale, false if fresh
+     */
+    private isEntryStale;
+    /**
+     * Evicts the least recently used entry from cache.
+     * Map maintains insertion order, so the first entry is the LRU.
+     */
+    private evictLRU;
+}

package/cache/http-response-cache.js

@@ -0,0 +1,157 @@
+/**
+ * HTTP Response Cache
+ *
+ * In-memory LRU cache with TTL expiration for HTTP responses.
+ * Thread-safe for Node.js single-threaded event loop.
+ *
+ * Features:
+ * - LRU (Least Recently Used) eviction when maxEntries exceeded
+ * - TTL (Time-To-Live) expiration with lazy staleness checking
+ * - Size limits with oversized entry rejection
+ * - Configurable enable/disable
+ */
+export class HttpResponseCache {
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+        this.cache = new Map();
+        this.logger.debug(`HTTP cache initialized: enabled=${config.enabled}, ttlMinutes=${config.ttlMinutes}, maxEntries=${config.maxEntries}, maxElementSize=${config.maxElementSizeBytes}`);
+    }
+    /**
+     * Retrieves cached response for a given URL.
+     *
+     * @param url - The URL key to lookup
+     * @returns Cached content if entry exists and is fresh, undefined otherwise
+     */
+    get(url) {
+        if (!this.config.enabled) {
+            return undefined;
+        }
+        const entry = this.cache.get(url);
+        if (!entry) {
+            this.logger.debug(`Cache miss for URL: ${url}`);
+            return undefined;
+        }
+        // Check if entry is stale
+        if (this.isEntryStale(entry)) {
+            this.logger.debug(`Cache entry stale for URL: ${url}`);
+            return undefined;
+        }
+        // Cache hit - promote entry in LRU order by deleting and re-inserting
+        this.cache.delete(url);
+        this.cache.set(url, entry);
+        this.logger.debug(`Cache hit for URL: ${url}`);
+        return entry.content;
+    }
+    /**
+     * Stores HTTP response in cache.
+     *
+     * @param url - The URL key for caching
+     * @param content - The HTTP response body
+     */
+    put(url, content) {
+        if (!this.config.enabled) {
+            return;
+        }
+        // Check content size
+        const sizeBytes = Buffer.byteLength(content, 'utf8');
+        if (sizeBytes > this.config.maxElementSizeBytes) {
+            this.logger.warn(`Response too large to cache: ${sizeBytes} bytes (max: ${this.config.maxElementSizeBytes}), URL: ${url}`);
+            return;
+        }
+        // Create cache entry
+        const entry = {
+            content,
+            fetchedAt: Date.now(),
+            sizeBytes,
+        };
+        // Remove existing entry if present (to update position in LRU order)
+        this.cache.delete(url);
+        // Store entry (added to end of Map, which is most recently used)
+        this.cache.set(url, entry);
+        this.logger.debug(`Cached response for URL: ${url}, size: ${sizeBytes} bytes`);
+        // Evict LRU entry if cache size exceeds maxEntries
+        if (this.cache.size > this.config.maxEntries) {
+            this.evictLRU();
+        }
+    }
+    /**
+     * Checks if a cached entry exists and is stale.
+     *
+     * @param url - The URL key to check
+     * @returns true if entry exists and is stale, false otherwise
+     */
+    isStale(url) {
+        if (!this.config.enabled) {
+            return false;
+        }
+        const entry = this.cache.get(url);
+        if (!entry) {
+            return false;
+        }
+        return this.isEntryStale(entry);
+    }
+    /**
+     * Removes specific entry from cache.
+     *
+     * @param url - The URL key to remove
+     */
+    evict(url) {
+        if (!this.config.enabled) {
+            return;
+        }
+        const deleted = this.cache.delete(url);
+        if (deleted) {
+            this.logger.debug(`Evicted cache entry for URL: ${url}`);
+        }
+    }
+    /**
+     * Removes all entries from cache.
+     */
+    clear() {
+        if (!this.config.enabled) {
+            return;
+        }
+        this.cache.clear();
+        this.logger.debug('Cache cleared');
+    }
+    /**
+     * Gets current number of entries in cache.
+     *
+     * @returns Number of entries currently in cache
+     */
+    size() {
+        return this.cache.size;
+    }
+    /**
+     * Checks if caching is enabled.
+     *
+     * @returns true if caching is enabled, false otherwise
+     */
+    isEnabled() {
+        return this.config.enabled;
+    }
+    /**
+     * Checks if a cache entry is stale based on TTL.
+     *
+     * @param entry - Cache entry to check
+     * @returns true if entry is stale, false if fresh
+     */
+    isEntryStale(entry) {
+        const now = Date.now();
+        const expiryTime = entry.fetchedAt + this.config.ttlMinutes * 60 * 1000;
+        return now >= expiryTime;
+    }
+    /**
+     * Evicts the least recently used entry from cache.
+     * Map maintains insertion order, so the first entry is the LRU.
+     */
+    evictLRU() {
+        // Get first entry (oldest in insertion order)
+        const firstKey = this.cache.keys().next().value;
+        if (firstKey) {
+            this.cache.delete(firstKey);
+            this.logger.debug(`Evicted cache entry for URL: ${firstKey}`);
+        }
+    }
+}

package/endpoints/participants-endpoint.d.ts

@@ -2,11 +2,12 @@ import { Agent } from 'undici';
 import { Logger } from 'winston';
 import { AuthorisationServer, Participant, RelyingPartyClientSdkConfig } from '../types.js';
 import ParticipantFilters from '../filter/participant-filters.js';
+import { HttpResponseCache } from '../cache/http-response-cache.js';
 /**
  * Participants Endpoint
  *
  * Handles fetching and filtering of participant lists from the registry.
- * Does NOT cache - fetches fresh data on every call
+ * Uses HTTP cache for performance optimization.
  */
 export declare class ParticipantsEndpoint {
     private readonly sdkConfig;
@@ -14,7 +15,8 @@ export declare class ParticipantsEndpoint {
     private readonly httpClient;
     private readonly logger;
     private readonly getCurrentDate;
-    constructor(sdkConfig: RelyingPartyClientSdkConfig, participantFilters: ParticipantFilters, httpClient: Agent, logger: Logger, getCurrentDate: () => Date);
+    private readonly cache;
+    constructor(sdkConfig: RelyingPartyClientSdkConfig, participantFilters: ParticipantFilters, httpClient: Agent, logger: Logger, getCurrentDate: () => Date, cache: HttpResponseCache);
     /**
      * Retrieves the list of active participants.
      *
@@ -40,6 +42,7 @@ export declare class ParticipantsEndpoint {
     getFallbackProviderParticipants(): Promise<Participant[]>;
     /**
      * Fetches participants from the registry.
+     * Uses cache-aside pattern for performance optimization.
      *
      * @param uri - Registry participants URI
      * @returns Raw list of participants

package/endpoints/participants-endpoint.js

@@ -4,15 +4,16 @@ import { randomUUID } from 'node:crypto';
  * Participants Endpoint
  *
  * Handles fetching and filtering of participant lists from the registry.
- * Does NOT cache - fetches fresh data on every call
+ * Uses HTTP cache for performance optimization.
  */
 export class ParticipantsEndpoint {
-    constructor(sdkConfig, participantFilters, httpClient, logger, getCurrentDate) {
+    constructor(sdkConfig, participantFilters, httpClient, logger, getCurrentDate, cache) {
         this.sdkConfig = sdkConfig;
         this.participantFilters = participantFilters;
         this.httpClient = httpClient;
         this.logger = logger;
         this.getCurrentDate = getCurrentDate;
+        this.cache = cache;
     }
     /**
      * Retrieves the list of active participants.
@@ -90,18 +91,34 @@ export class ParticipantsEndpoint {
     }
     /**
      * Fetches participants from the registry.
+     * Uses cache-aside pattern for performance optimization.
      *
      * @param uri - Registry participants URI
      * @returns Raw list of participants
      */
     async fetchParticipants(uri) {
         try {
+            // Check cache first
+            const cachedContent = this.cache.get(uri);
+            if (cachedContent) {
+                this.logger.debug(`Cache hit for URL: ${uri}`);
+                return JSON.parse(cachedContent);
+            }
+            this.logger.debug(`Cache miss for URL: ${uri}`);
+            // Fetch from network
             const response = await HttpClientExtensions.get(uri, {
                 agent: this.httpClient,
                 clientId: this.sdkConfig.data.client_id,
                 xFapiInteractionId: randomUUID(),
             });
-            return await HttpClientExtensions.parseJsonResponse(response);
+            const participants = await HttpClientExtensions.parseJsonResponse(response);
+            // Cache successful response (only 2xx)
+            if (response.status >= 200 && response.status < 300) {
+                const content = JSON.stringify(participants);
+                this.cache.put(uri, content);
+                this.logger.debug(`Cached response for URL: ${uri}, size: ${Buffer.byteLength(content, 'utf8')} bytes`);
+            }
+            return participants;
         }
         catch (error) {
             throw new Error(`Failed to fetch participants from ${uri}: ${error instanceof Error ? error.message : String(error)}`);

package/endpoints/pushed-authorisation-request-endpoint.d.ts

@@ -2,6 +2,7 @@ import { Agent } from 'undici';
 import { Logger } from 'winston';
 import { RelyingPartyClientSdkConfig } from '../types.js';
 import { JwtHelper } from '../crypto/jwt-helper.js';
+import { HttpResponseCache } from '../cache/http-response-cache.js';
 import { ParticipantsEndpoint } from './participants-endpoint';
 /**
  * Response from the Pushed Authorization Request endpoint.
@@ -40,8 +41,9 @@ export declare class PushedAuthorisationRequestEndpoint {
     private readonly jwtHelper;
     private readonly logger;
     private readonly participantsEndpoint;
+    private readonly cache;
     private static readonly EXTENDED_CLAIMS;
-    constructor(sdkConfig: RelyingPartyClientSdkConfig, httpClient: Agent, jwtHelper: JwtHelper, logger: Logger, participantsEndpoint: ParticipantsEndpoint);
+    constructor(sdkConfig: RelyingPartyClientSdkConfig, httpClient: Agent, jwtHelper: JwtHelper, logger: Logger, participantsEndpoint: ParticipantsEndpoint, cache: HttpResponseCache);
     /**
      * Sends a Pushed Authorization Request to the authorization server.
      *

package/endpoints/pushed-authorisation-request-endpoint.js

@@ -10,12 +10,13 @@ import { generateXFapiInteractionId } from '../fapi/fapi-utils.js';
  * Creates signed request objects and submits them to the PAR endpoint.
  */
 export class PushedAuthorisationRequestEndpoint {
-    constructor(sdkConfig, httpClient, jwtHelper, logger, participantsEndpoint) {
+    constructor(sdkConfig, httpClient, jwtHelper, logger, participantsEndpoint, cache) {
         this.sdkConfig = sdkConfig;
         this.httpClient = httpClient;
         this.jwtHelper = jwtHelper;
         this.logger = logger;
         this.participantsEndpoint = participantsEndpoint;
+        this.cache = cache;
     }
     /**
      * Sends a Pushed Authorization Request to the authorization server.
@@ -59,7 +60,7 @@ export class PushedAuthorisationRequestEndpoint {
     }
     async generateRequest(authServer, claimsRequest, purpose, xFapiInteractionId) {
         // Fetch discovery document
-        const discoveryMetadata = await DiscoveryService.fetchDiscoveryDocument(authServer.OpenIDDiscoveryDocument, this.httpClient);
+        const discoveryMetadata = await DiscoveryService.fetchDiscoveryDocument(authServer.OpenIDDiscoveryDocument, this.httpClient, this.cache);
         if (!discoveryMetadata.pushed_authorization_request_endpoint) {
             throw new Error(`Authorization server ${authServer.AuthorisationServerId} does not support PAR`);
         }

package/endpoints/retrieve-token-endpoint.d.ts

@@ -2,6 +2,7 @@ import { Agent } from 'undici';
 import { Logger } from 'winston';
 import { CallbackParams, RelyingPartyClientSdkConfig } from '../types.js';
 import { JwtHelper } from '../crypto/jwt-helper.js';
+import { HttpResponseCache } from '../cache/http-response-cache.js';
 import { ConsolidatedTokenSet } from '../model/consolidated-token-set.js';
 import { ParticipantsEndpoint } from './participants-endpoint';
 /**
@@ -16,7 +17,8 @@ export declare class RetrieveTokenEndpoint {
     private readonly jwtHelper;
     private readonly logger;
     private readonly participantsEndpoint;
-    constructor(sdkConfig: RelyingPartyClientSdkConfig, httpClient: Agent, jwtHelper: JwtHelper, logger: Logger, participantsEndpoint: ParticipantsEndpoint);
+    private readonly cache;
+    constructor(sdkConfig: RelyingPartyClientSdkConfig, httpClient: Agent, jwtHelper: JwtHelper, logger: Logger, participantsEndpoint: ParticipantsEndpoint, cache: HttpResponseCache);
     /**
      * Retrieves tokens from the authorization server.
      *

package/endpoints/retrieve-token-endpoint.js

@@ -10,12 +10,13 @@ import { generateXFapiInteractionId } from '../fapi/fapi-utils.js';
  * Validates the ID token and optionally calls UserInfo for compliance.
  */
 export class RetrieveTokenEndpoint {
-    constructor(sdkConfig, httpClient, jwtHelper, logger, participantsEndpoint) {
+    constructor(sdkConfig, httpClient, jwtHelper, logger, participantsEndpoint, cache) {
         this.sdkConfig = sdkConfig;
         this.httpClient = httpClient;
         this.jwtHelper = jwtHelper;
         this.logger = logger;
         this.participantsEndpoint = participantsEndpoint;
+        this.cache = cache;
     }
     /**
      * Retrieves tokens from the authorization server.
@@ -41,7 +42,7 @@ export class RetrieveTokenEndpoint {
             this.validateCallbackParams(callbackParams, state);
             const authServer = await this.participantsEndpoint.getAuthServerDetails(authorisationServerId);
             // Fetch discovery document
-            const discoveryMetadata = await DiscoveryService.fetchDiscoveryDocument(authServer.OpenIDDiscoveryDocument, this.httpClient);
+            const discoveryMetadata = await DiscoveryService.fetchDiscoveryDocument(authServer.OpenIDDiscoveryDocument, this.httpClient, this.cache);
             // Validate issuer parameter (REQUIRED per FAPI 2.0)
             if (!callbackParams.iss) {
                 throw new Error('Authorization response missing required iss parameter');
@@ -54,7 +55,7 @@ export class RetrieveTokenEndpoint {
             // Exchange authorization code for tokens
             const tokenResponse = await this.requestToken(discoveryMetadata.token_endpoint, callbackParams.code, codeVerifier, clientAssertion, xFapiInteractionId);
             const tokenSet = new TokenSet(tokenResponse);
-            const jwks = await DiscoveryService.fetchJwks(discoveryMetadata.jwks_uri, this.httpClient);
+            const jwks = await DiscoveryService.fetchJwks(discoveryMetadata.jwks_uri, this.httpClient, this.cache);
             await tokenSet.validate(jwks, discoveryMetadata.issuer, this.sdkConfig.data.client_id, nonce, discoveryMetadata.id_token_signing_alg_values_supported);
             // Must call validate first before accessing claims
             this.logger.info(`Retrieved tokenSet from auth server: ${authorisationServerId} - ${authServer.CustomerFriendlyName}, x-fapi-interaction-id: ${xFapiInteractionId}, txn: ${tokenSet.claims().txn}`);

package/endpoints/userinfo-endpoint.d.ts

@@ -1,5 +1,6 @@
 import { Agent } from 'undici';
 import { Logger } from 'winston';
+import { HttpResponseCache } from '../cache/http-response-cache.js';
 import { ParticipantsEndpoint } from './participants-endpoint';
 /**
  * UserInfo Endpoint
@@ -12,7 +13,8 @@ export declare class UserInfoEndpoint {
     private readonly logger;
     private readonly clientId;
     private readonly participantsEndpoint;
-    constructor(httpClient: Agent, logger: Logger, clientId: string, participantsEndpoint: ParticipantsEndpoint);
+    private readonly cache;
+    constructor(httpClient: Agent, logger: Logger, clientId: string, participantsEndpoint: ParticipantsEndpoint, cache: HttpResponseCache);
     /**
      * Retrieves user information from the UserInfo endpoint.
      *

package/endpoints/userinfo-endpoint.js

@@ -8,11 +8,12 @@ import { generateXFapiInteractionId } from '../fapi/fapi-utils.js';
  * Returns user claims using an access token.
  */
 export class UserInfoEndpoint {
-    constructor(httpClient, logger, clientId, participantsEndpoint) {
+    constructor(httpClient, logger, clientId, participantsEndpoint, cache) {
         this.httpClient = httpClient;
         this.logger = logger;
         this.clientId = clientId;
         this.participantsEndpoint = participantsEndpoint;
+        this.cache = cache;
     }
     /**
      * Retrieves user information from the UserInfo endpoint.
@@ -27,7 +28,7 @@ export class UserInfoEndpoint {
         try {
             const authServer = await this.participantsEndpoint.getAuthServerDetails(authorisationServerId);
             // Fetch discovery document
-            const discoveryMetadata = await DiscoveryService.fetchDiscoveryDocument(authServer.OpenIDDiscoveryDocument, this.httpClient);
+            const discoveryMetadata = await DiscoveryService.fetchDiscoveryDocument(authServer.OpenIDDiscoveryDocument, this.httpClient, this.cache);
             if (!discoveryMetadata.userinfo_endpoint) {
                 throw new Error(`Authorization server ${authServer.AuthorisationServerId} does not have a UserInfo endpoint`);
             }

package/model/discovery-service.d.ts

@@ -1,6 +1,7 @@
 import { Agent } from 'undici';
 import { IssuerMetadata } from './issuer-metadata.js';
 import { JWKSet } from './jwks.js';
+import { HttpResponseCache } from '../cache/http-response-cache.js';
 /**
  * Service for fetching OIDC discovery documents and JWKS.
  *
@@ -10,22 +11,26 @@ import { JWKSet } from './jwks.js';
 export declare class DiscoveryService {
     /**
      * Fetches and parses an OIDC discovery document.
+     * Uses cache-aside pattern for performance optimization.
      *
      * @param discoveryUrl - URL to the .well-known/openid-configuration endpoint
      * @param httpAgent - Optional undici Agent for mTLS
+     * @param cache - Optional HTTP response cache
      * @returns Parsed issuer metadata
      * @throws Error if the discovery document cannot be fetched or parsed
      */
-    static fetchDiscoveryDocument(discoveryUrl: string, httpAgent?: Agent): Promise<IssuerMetadata>;
+    static fetchDiscoveryDocument(discoveryUrl: string, httpAgent?: Agent, cache?: HttpResponseCache): Promise<IssuerMetadata>;
     /**
      * Fetches and parses a JWKS document.
+     * Uses cache-aside pattern for performance optimization.
      *
      * @param jwksUri - URL to the JWKS endpoint
      * @param httpAgent - Optional HTTPS agent for mTLS
+     * @param cache - Optional HTTP response cache
      * @returns Parsed JWKS
      * @throws Error if the JWKS cannot be fetched or parsed
      */
-    static fetchJwks(jwksUri: string, httpAgent?: Agent): Promise<JWKSet>;
+    static fetchJwks(jwksUri: string, httpAgent?: Agent, cache?: HttpResponseCache): Promise<JWKSet>;
     /**
      * Validates that required discovery document fields are present.
      *

package/model/discovery-service.js

@@ -7,14 +7,24 @@
 export class DiscoveryService {
     /**
      * Fetches and parses an OIDC discovery document.
+     * Uses cache-aside pattern for performance optimization.
      *
      * @param discoveryUrl - URL to the .well-known/openid-configuration endpoint
      * @param httpAgent - Optional undici Agent for mTLS
+     * @param cache - Optional HTTP response cache
      * @returns Parsed issuer metadata
      * @throws Error if the discovery document cannot be fetched or parsed
      */
-    static async fetchDiscoveryDocument(discoveryUrl, httpAgent) {
+    static async fetchDiscoveryDocument(discoveryUrl, httpAgent, cache) {
         try {
+            // Check cache first
+            if (cache) {
+                const cachedContent = cache.get(discoveryUrl);
+                if (cachedContent) {
+                    return JSON.parse(cachedContent);
+                }
+            }
+            // Fetch from network
             const response = await fetch(discoveryUrl, {
                 method: 'GET',
                 headers: {
@@ -29,7 +39,12 @@ export class DiscoveryService {
             // Validate required fields
             this.validateDiscoveryDocument(metadata);
             // Apply mtls_endpoint_aliases if present
-            return this.applyMtlsAliases(metadata);
+            const processedMetadata = this.applyMtlsAliases(metadata);
+            // Cache successful response
+            if (cache && response.status >= 200 && response.status < 300) {
+                cache.put(discoveryUrl, JSON.stringify(processedMetadata));
+            }
+            return processedMetadata;
         }
         catch (error) {
             throw new Error(`Failed to fetch discovery document from ${discoveryUrl}: ${error instanceof Error ? error.message : String(error)}`);
@@ -37,14 +52,24 @@ export class DiscoveryService {
     }
     /**
      * Fetches and parses a JWKS document.
+     * Uses cache-aside pattern for performance optimization.
      *
      * @param jwksUri - URL to the JWKS endpoint
      * @param httpAgent - Optional HTTPS agent for mTLS
+     * @param cache - Optional HTTP response cache
      * @returns Parsed JWKS
      * @throws Error if the JWKS cannot be fetched or parsed
      */
-    static async fetchJwks(jwksUri, httpAgent) {
+    static async fetchJwks(jwksUri, httpAgent, cache) {
         try {
+            // Check cache first
+            if (cache) {
+                const cachedContent = cache.get(jwksUri);
+                if (cachedContent) {
+                    return JSON.parse(cachedContent);
+                }
+            }
+            // Fetch from network
             const response = await fetch(jwksUri, {
                 method: 'GET',
                 headers: {
@@ -60,6 +85,10 @@ export class DiscoveryService {
             if (!jwks.keys || !Array.isArray(jwks.keys)) {
                 throw new Error('Invalid JWKS: missing or invalid keys array');
             }
+            // Cache successful response
+            if (cache && response.status >= 200 && response.status < 300) {
+                cache.put(jwksUri, JSON.stringify(jwks));
+            }
             return jwks;
         }
         catch (error) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@connectid-tools/rp-nodejs-sdk",
-  "version": "5.0.1",
+  "version": "5.1.0",
   "description": "Digital Identity Relying Party Node SDK",
   "main": "relying-party-client-sdk.js",
   "types": "relying-party-client-sdk.d.ts",

package/relying-party-client-sdk.js

@@ -5,6 +5,7 @@ import { illegalPurposeChars, isValidCertificate, validatePurpose } from './vali
 import { CryptoLoader } from './crypto/crypto-loader.js';
 import { JwtHelper } from './crypto/jwt-helper.js';
 import { HttpClientFactory } from './http/http-client-factory.js';
+import { HttpResponseCache } from './cache/http-response-cache.js';
 import { ParticipantsEndpoint } from './endpoints/participants-endpoint.js';
 import { PushedAuthorisationRequestEndpoint } from './endpoints/pushed-authorisation-request-endpoint.js';
 import { RetrieveTokenEndpoint } from './endpoints/retrieve-token-endpoint.js';
@@ -27,7 +28,7 @@ export default class RelyingPartyClientSdk {
             throw new Error('Either ca_pem or ca_pem_content must be provided');
         }
         this.logger = getLogger(this.config.data.log_level);
-        this.logger.info(`Creating RelyingPartyClientSdk - version 5.0.1`);
+        this.logger.info(`Creating RelyingPartyClientSdk - version 5.1.0`);
         // Validate and set purpose
         if (this.config.data.purpose) {
             const purposeValidation = validatePurpose(this.config.data.purpose);
@@ -73,11 +74,19 @@ export default class RelyingPartyClientSdk {
             caPem: getCertificate(this.config.data.ca_pem, this.config.data.ca_pem_content),
             clientId: this.config.data.client_id,
         });
+        // Initialize HTTP response cache
+        const cacheConfig = {
+            enabled: this.config.data.http_cache?.enabled ?? true,
+            ttlMinutes: this.config.data.http_cache?.ttl_minutes ?? 10,
+            maxEntries: this.config.data.http_cache?.max_entries ?? 100,
+            maxElementSizeBytes: this.config.data.http_cache?.max_element_size_bytes ?? 5242880,
+        };
+        const httpCache = new HttpResponseCache(cacheConfig, this.logger);
         // Initialize endpoints
-        this.participantsEndpoint = new ParticipantsEndpoint(this.config, new ParticipantFilters(), this.httpClient, this.logger, () => this.getCurrentDate());
-        this.pushedAuthorisationRequestEndpoint = new PushedAuthorisationRequestEndpoint(this.config, this.httpClient, this.jwtHelper, this.logger, this.participantsEndpoint);
-        this.retrieveTokenEndpoint = new RetrieveTokenEndpoint(this.config, this.httpClient, this.jwtHelper, this.logger, this.participantsEndpoint);
-        this.userInfoEndpoint = new UserInfoEndpoint(this.httpClient, this.logger, this.config.data.client_id, this.participantsEndpoint);
+        this.participantsEndpoint = new ParticipantsEndpoint(this.config, new ParticipantFilters(), this.httpClient, this.logger, () => this.getCurrentDate(), httpCache);
+        this.pushedAuthorisationRequestEndpoint = new PushedAuthorisationRequestEndpoint(this.config, this.httpClient, this.jwtHelper, this.logger, this.participantsEndpoint, httpCache);
+        this.retrieveTokenEndpoint = new RetrieveTokenEndpoint(this.config, this.httpClient, this.jwtHelper, this.logger, this.participantsEndpoint, httpCache);
+        this.userInfoEndpoint = new UserInfoEndpoint(this.httpClient, this.logger, this.config.data.client_id, this.participantsEndpoint, httpCache);
     }
     /**
      * Get the list of participating identity providers within the scheme.

package/types.d.ts

@@ -2,6 +2,12 @@ import { IdTokenClaims } from './model/claims.js';
 export type { IdTokenClaims, AddressClaim, VerifiedClaims } from './model/claims.js';
 export type { CallbackParams } from './model/callback-params.js';
 export type { TokenResponse } from './model/token-response.js';
+export type HttpCacheConfig = {
+    enabled?: boolean;
+    ttl_minutes?: number;
+    max_entries?: number;
+    max_element_size_bytes?: number;
+};
 export type RelyingPartyClientSdkConfig = {
     data: {
         ca_pem?: string;
@@ -24,6 +30,7 @@ export type RelyingPartyClientSdkConfig = {
         enable_auto_compliance_verification: boolean;
         purpose?: string;
         client_id: string;
+        http_cache?: HttpCacheConfig;
     };
 };
 export type Participant = {

package/utils/user-agent.d.ts

@@ -1,2 +1,2 @@
-export declare const packageJsonVersion = "5.0.1";
+export declare const packageJsonVersion = "5.1.0";
 export declare const buildUserAgent: (clientId: string) => string;

package/utils/user-agent.js

@@ -1,4 +1,4 @@
 import { getSystemInformation } from './system-information.js';
 // important: Update this every time the package version changes
-export const packageJsonVersion = '5.0.1';
+export const packageJsonVersion = '5.1.0';
 export const buildUserAgent = (clientId) => `cid-rp-nodejs-sdk/${packageJsonVersion} ${getSystemInformation()} +${clientId}`;