@enterprisestandard/core 0.0.7-beta.20260124.2 → 0.0.7

package/dist/index.d.ts

@@ -1,524 +1,832 @@
-import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
-import { StandardSchemaV1 } from "@standard-schema/spec";
-/**
-* SCIM 2.0 User Resource
-* @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.1
-*/
 /**
-* SCIM Name sub-attribute
+* Base user with simple, developer-friendly attributes.
+* Extended by User (SSO) and EnterpriseUser (SCIM).
 */
-interface Name {
-	/**
-	* The full name, including all middle names, titles, and suffixes as appropriate
-	*/
-	formatted?: string;
+interface BaseUser {
 	/**
-	* The family name of the User, or last name
+	* Unique identifier for the user
 	*/
-	familyName?: string;
+	id?: string;
 	/**
-	* The given name of the User, or first name
+	* REQUIRED. Unique identifier for login
 	*/
-	givenName?: string;
+	userName: string;
 	/**
-	* The middle name(s) of the User
+	* REQUIRED. Simple display name
 	*/
-	middleName?: string;
+	name: string;
 	/**
-	* The honorific prefix(es) of the User, or title
+	* REQUIRED. Primary email address
 	*/
-	honorificPrefix?: string;
+	email: string;
 	/**
-	* The honorific suffix(es) of the User, or suffix
+	* URL to user's avatar/profile picture
 	*/
-	honorificSuffix?: string;
+	avatarUrl?: string;
 }
 /**
-* SCIM Email sub-attribute
+* Magic link data stored in the store.
+*
+* @template TExtended - Type-safe custom data that consumers can add to magic links
 */
-interface Email {
+type MagicLink<TExtended = {}> = {
 	/**
-	* The email address value
+	* The magic link token (unique identifier)
 	*/
-	value: string;
+	token: string;
 	/**
-	* A human-readable name, primarily used for display purposes
+	* User information associated with this magic link
 	*/
-	display?: string;
+	user: BaseUser;
 	/**
-	* A label indicating the attribute's function (e.g., "work" or "home")
+	* Timestamp when the magic link was created
 	*/
-	type?: string;
+	createdAt: Date;
 	/**
-	* A Boolean value indicating the 'primary' or preferred attribute value
+	* Timestamp when the magic link expires
 	*/
-	primary?: boolean;
-}
-/**
-* SCIM Phone Number sub-attribute
-*/
-interface PhoneNumber {
+	expiresAt: Date;
 	/**
-	* The phone number value
+	* Allow consumers to add runtime data to magic links
 	*/
-	value: string;
+	[key: string]: unknown;
+} & TExtended;
+/**
+* Abstract interface for magic link storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups and automatic expiration)
+* - Database (PostgreSQL, MySQL, etc.)
+*
+* @template TExtended - Type-safe custom data that consumers can add to magic links
+*
+* @example
+* ```typescript
+* // Custom magic link data
+* type MyMagicLinkData = {
+*   source: string;
+*   metadata: Record<string, unknown>;
+* };
+*
+* // Implement custom store
+* class RedisMagicLinkStore implements MagicLinkStore<MyMagicLinkData> {
+*   async create(token: string, user: BaseUser, expiresAt: Date): Promise<void> {
+*     const magicLink: MagicLink<MyMagicLinkData> = {
+*       token,
+*       user,
+*       createdAt: new Date(),
+*       expiresAt,
+*       source: 'api',
+*       metadata: {},
+*     };
+*     const ttl = Math.floor((expiresAt.getTime() - Date.now()) / 1000);
+*     await redis.setex(`magic-link:${token}`, ttl, JSON.stringify(magicLink));
+*   }
+*   // ... other methods
+* }
+* ```
+*/
+interface MagicLinkStore<TExtended = {}> {
 	/**
-	* A human-readable name, primarily used for display purposes
+	* Create a new magic link in the store.
+	*
+	* @param token - The magic link token (unique identifier)
+	* @param user - The user information to associate with this magic link
+	* @param expiresAt - When the magic link expires
+	* @throws Error if magic link with same token already exists
 	*/
-	display?: string;
+	create(token: string, user: BaseUser, expiresAt: Date): Promise<void>;
 	/**
-	* A label indicating the attribute's function (e.g., "work", "home", "mobile")
+	* Retrieve a magic link by its token.
+	*
+	* @param token - The magic link token
+	* @returns The magic link if found and not expired, null otherwise
 	*/
-	type?: string;
+	get(token: string): Promise<MagicLink<TExtended> | null>;
 	/**
-	* A Boolean value indicating the 'primary' or preferred attribute value
+	* Delete a magic link by its token.
+	*
+	* Used after a magic link has been consumed (one-time use).
+	*
+	* @param token - The magic link token to delete
 	*/
-	primary?: boolean;
+	delete(token: string): Promise<void>;
 }
 /**
-* SCIM Address sub-attribute
+* In-memory magic link store implementation using Maps.
+*
+* Suitable for:
+* - Development and testing
+* - Single-server deployments
+* - Applications without high availability requirements
+*
+* NOT suitable for:
+* - Multi-server deployments (magic links not shared)
+* - High availability scenarios (magic links lost on restart)
+* - Production applications with distributed architecture
+*
+* For production, implement MagicLinkStore with Redis or a database.
+*
+* @template TExtended - Type-safe custom data that consumers can add to magic links
 */
-interface Address {
-	/**
-	* The full mailing address, formatted for display
-	*/
-	formatted?: string;
-	/**
-	* The full street address component
-	*/
-	streetAddress?: string;
-	/**
-	* The city or locality component
-	*/
-	locality?: string;
+declare class InMemoryMagicLinkStore<TExtended = {}> implements MagicLinkStore<TExtended> {
+	private magicLinks;
+	create(token: string, user: BaseUser, expiresAt: Date): Promise<void>;
+	get(token: string): Promise<MagicLink<TExtended> | null>;
+	delete(token: string): Promise<void>;
+}
+/**
+* Session management for tracking user sessions and enabling backchannel logout.
+*
+* Session stores are optional - the package works with JWT cookies alone.
+* Sessions are only required for backchannel logout functionality.
+*
+* ## Session Validation Strategies
+*
+* When using a session store, you can configure when sessions are validated:
+*
+* ### 'always' (default)
+* Validates session on every authenticated request.
+* - **Security**: Maximum - immediate session revocation
+* - **Performance**: InMemory ~0.00005ms, Redis ~1-2ms per request
+* - **Backchannel Logout**: Takes effect immediately
+* - **Use when**: Security is paramount, using InMemory or Redis backend
+*
+* ### 'refresh-only'
+* Validates session only during token refresh (typically every 5-15 minutes).
+* - **Security**: Good - 5-15 minute revocation window
+* - **Performance**: 99% reduction in session lookups
+* - **Backchannel Logout**: Takes effect within token TTL (5-15 min)
+* - **Use when**: Performance is critical AND delayed revocation is acceptable
+* - **WARNING**: Compromised sessions remain valid until next refresh
+*
+* ### 'disabled'
+* Never validates sessions against the store.
+* - **Security**: None - backchannel logout doesn't work
+* - **Performance**: No overhead
+* - **Use when**: Cookie-only mode without session store
+* - **WARNING**: Do not use with sessionStore configured
+*
+* ## Performance Characteristics
+*
+* | Backend      | Lookup Time | Impact on Request | Recommendation         |
+* |--------------|-------------|-------------------|------------------------|
+* | InMemory     | <0.00005ms  | Negligible        | Use 'always'           |
+* | Redis        | 1-2ms       | 2-4% increase     | Use 'always' or test   |
+* | Database     | 5-20ms      | 10-40% increase   | Use Redis cache layer  |
+*
+* ## Example Usage
+*
+* ```typescript
+* import { sso, InMemorySessionStore } from '@enterprisestandard/react/server';
+*
+* // Maximum security (default)
+* const secure = sso({
+*   // ... other config
+*   sessionStore: new InMemorySessionStore(),
+*   session_validation: 'always', // Immediate revocation
+* });
+*
+* // High performance
+* const fast = sso({
+*   // ... other config
+*   sessionStore: new InMemorySessionStore(),
+*   session_validation: {
+*     strategy: 'refresh-only' // 5-15 min revocation delay
+*   }
+* });
+* ```
+*/
+/**
+* Core session data tracked for each authenticated user session.
+*
+* @template TExtended - Type-safe custom data that consumers can add to sessions
+*/
+type Session<TExtended = {}> = {
 	/**
-	* The state or region component
+	* Session ID from the Identity Provider (from `sid` claim in ID token).
+	* This is the unique identifier for the session.
 	*/
-	region?: string;
+	sid: string;
 	/**
-	* The zip code or postal code component
+	* Subject identifier (user ID) from the Identity Provider.
+	* From the `sub` claim in the ID token.
 	*/
-	postalCode?: string;
+	sub: string;
 	/**
-	* The country name component
+	* Timestamp when the session was created.
 	*/
-	country?: string;
+	createdAt: Date;
 	/**
-	* A label indicating the attribute's function (e.g., "work" or "home")
+	* Timestamp of the last activity in this session.
+	* Can be updated to track session activity.
 	*/
-	type?: string;
+	lastActivityAt: Date;
 	/**
-	* A Boolean value indicating the 'primary' or preferred attribute value
+	* Allow consumers to add runtime data to sessions.
 	*/
-	primary?: boolean;
-}
+	[key: string]: unknown;
+} & TExtended;
 /**
-* SCIM Group reference (used within User resources)
+* Abstract interface for session storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - Redis
+* - Database (PostgreSQL, MySQL, etc.)
+* - Distributed cache
+* - Custom solutions
+*
+* @template TExtended - Type-safe custom data that consumers can add to sessions
+*
+* @example
+* ```typescript
+* // Custom session data
+* type MySessionData = {
+*   ipAddress: string;
+*   userAgent: string;
+* };
+*
+* // Implement custom store
+* class RedisSessionStore implements SessionStore<MySessionData> {
+*   async create(session: Session<MySessionData>): Promise<void> {
+*     await redis.set(`session:${session.sid}`, JSON.stringify(session));
+*   }
+*   // ... other methods
+* }
+* ```
 */
-interface Group {
+interface SessionStore<TExtended = {}> {
 	/**
-	* The identifier of the User's group
+	* Create a new session in the store.
+	*
+	* @param session - The session data to store
+	* @throws Error if session with same sid already exists
 	*/
-	value: string;
+	create(session: Session<TExtended>): Promise<void>;
 	/**
-	* The URI of the corresponding 'Group' resource
+	* Retrieve a session by its IdP session ID (sid).
+	*
+	* @param sid - The session.sid from the Identity Provider
+	* @returns The session if found, null otherwise
 	*/
-	$ref?: string;
+	get(sid: string): Promise<Session<TExtended> | null>;
 	/**
-	* A human-readable name, primarily used for display purposes
+	* Update an existing session with partial data.
+	*
+	* Commonly used to update lastActivityAt or add custom fields.
+	*
+	* @param sid - The session.sid to update
+	* @param data - Partial session data to merge
+	* @throws Error if session not found
 	*/
-	display?: string;
+	update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
 	/**
-	* A label indicating the attribute's function (e.g., "direct" or "indirect")
-	*/
-	type?: string;
+	* Delete a session by its IdP session ID (sid).
+	*
+	* Used for both normal logout and backchannel logout flows.
+	*
+	* @param sid - The session.sid to delete
+	*/
+	delete(sid: string): Promise<void>;
 }
 /**
-* SCIM Group Member reference
+* In-memory session store implementation using Maps.
+*
+* Suitable for:
+* - Development and testing
+* - Single-server deployments
+* - Applications without high availability requirements
+*
+* NOT suitable for:
+* - Multi-server deployments (sessions not shared)
+* - High availability scenarios (sessions lost on restart)
+* - Production applications with distributed architecture
+*
+* For production, implement SessionStore with Redis or a database.
+*
+* @template TExtended - Type-safe custom data that consumers can add to sessions
 */
-interface GroupMember {
-	/**
-	* The identifier of the member (User or Group)
-	*/
-	value: string;
-	/**
-	* The URI of the corresponding member resource
-	*/
-	$ref?: string;
-	/**
-	* A human-readable name of the member
-	*/
-	display?: string;
-	/**
-	* The type of the member (e.g., "User" or "Group")
-	*/
-	type?: "User" | "Group";
+declare class InMemorySessionStore<TExtended = {}> implements SessionStore<TExtended> {
+	private sessions;
+	create(session: Session<TExtended>): Promise<void>;
+	get(sid: string): Promise<Session<TExtended> | null>;
+	update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+	delete(sid: string): Promise<void>;
 }
+import { StandardSchemaV1 } from "@standard-schema/spec";
 /**
-* SCIM 2.0 Group Resource
-* @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.2
+* OIDC Code Flow Callback URL Parameters
+* @see https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
 */
-interface GroupResource {
+interface OidcCallbackParams {
 	/**
-	* REQUIRED. The schemas attribute
+	* REQUIRED. The authorization code returned from the authorization server.
 	*/
-	schemas?: string[];
+	code: string;
 	/**
-	* Unique identifier for the Group, assigned by the service provider
+	* REQUIRED if the "state" parameter was present in the client authorization request.
+	* The exact value received from the client.
 	*/
-	id?: string;
+	state?: string;
 	/**
-	* External identifier from the provisioning client
+	* RECOMMENDED. The session state value. Clients should use this to verify the session state.
 	*/
-	externalId?: string;
+	session_state?: string;
 	/**
-	* Resource metadata
+	* OAuth 2.0 error code if the authorization request failed.
 	*/
-	meta?: {
-		resourceType?: string;
-		created?: string;
-		lastModified?: string;
-		location?: string;
-		version?: string;
-	};
+	error?: string;
 	/**
-	* REQUIRED. A human-readable name for the Group
+	* Human-readable ASCII text providing additional information for the error.
 	*/
-	displayName: string;
+	error_description?: string;
 	/**
-	* A list of members of the Group
+	* A URI identifying a human-readable web page with information about the error.
 	*/
-	members?: GroupMember[];
+	error_uri?: string;
+	/**
+	* The "iss" (issuer) parameter identifies the principal that issued the response.
+	* This is typically used in the implicit flow.
+	*/
+	iss?: string;
 }
 /**
-* SCIM Role
+* Creates a StandardSchemaV1 for validating OIDC callback URL parameters.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for OIDC callback parameters
 */
-interface Role {
-	/**
-	* The value of the role
-	*/
-	value: string;
-	/**
-	* A human-readable name, primarily used for display purposes
-	*/
-	display?: string;
-	/**
-	* A label indicating the attribute's function
-	*/
-	type?: string;
-	/**
-	* A Boolean value indicating the 'primary' or preferred attribute value
-	*/
-	primary?: boolean;
+declare function oidcCallbackSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, OidcCallbackParams>;
+/**
+* Token Response from IdP
+*/
+interface TokenResponse {
+	access_token: string;
+	id_token: string;
+	refresh_token?: string;
+	token_type: string;
+	expires_in?: number;
+	scope?: string;
+	refresh_expires_in?: number;
+	session_state?: string;
+	expires?: string;
 }
 /**
-* SCIM X509 Certificate
+* Creates a StandardSchemaV1 for validating OIDC Token Responses.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for Token Response validation
 */
-interface X509Certificate {
-	/**
-	* The value of the X.509 certificate
-	*/
-	value: string;
-	/**
-	* A human-readable name, primarily used for display purposes
-	*/
-	display?: string;
-	/**
-	* A label indicating the attribute's function
-	*/
-	type?: string;
-	/**
-	* A Boolean value indicating the 'primary' or preferred attribute value
-	*/
-	primary?: boolean;
+declare function tokenResponseSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, TokenResponse>;
+/**
+* ID Token Claims
+*/
+interface IdTokenClaims {
+	iss?: string;
+	aud?: string;
+	exp?: number;
+	iat?: number;
+	sub?: string;
+	sid?: string;
+	name?: string;
+	email?: string;
+	preferred_username?: string;
+	picture?: string;
+	[key: string]: unknown;
 }
 /**
-* SCIM Enterprise User Extension
-* @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.3
+* Creates a StandardSchemaV1 for validating ID Token Claims.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for ID Token Claims validation
 */
-interface EnterpriseExtension {
-	/**
-	* Numeric or alphanumeric identifier assigned to a person
-	*/
-	employeeNumber?: string;
-	/**
-	* Identifies the name of a cost center
-	*/
-	costCenter?: string;
-	/**
-	* Identifies the name of an organization
-	*/
-	organization?: string;
-	/**
-	* Identifies the name of a division
-	*/
-	division?: string;
-	/**
-	* Identifies the name of a department
-	*/
-	department?: string;
+declare function idTokenClaimsSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, IdTokenClaims>;
+/**
+* Primary user type for SSO/OIDC applications.
+* Extends BaseUser with SSO-specific data.
+*/
+interface User extends BaseUser {
 	/**
-	* The user's manager
+	* SSO/OIDC authentication data
 	*/
-	manager?: {
+	sso: {
 		/**
-		* The "id" of the SCIM resource representing the User's manager
+		* ID Token claims from the identity provider
 		*/
-		value?: string;
+		profile: IdTokenClaims;
 		/**
-		* The URI of the SCIM resource representing the User's manager
+		* Tenant/organization information
 		*/
-		$ref?: string;
+		tenant: {
+			id: string;
+			name: string;
+		};
 		/**
-		* The displayName of the User's manager
+		* OAuth scopes granted
 		*/
-		displayName?: string;
+		scope?: string;
+		/**
+		* Token type (typically "Bearer")
+		*/
+		tokenType: string;
+		/**
+		* Session state from the identity provider
+		*/
+		sessionState?: string;
+		/**
+		* Token expiration time
+		*/
+		expires: Date;
 	};
 }
 /**
-* SCIM User Resource
+* Stored user data with required id and tracking metadata.
+*
+* Extends the SSO User type with:
+* - Required `id` (the `sub` claim from the IdP)
+* - Timestamps for tracking when users were first seen and last updated
+* - Optional custom extended data
+*
+* @template TExtended - Type-safe custom data that consumers can add to users
 */
-interface User {
-	/**
-	* REQUIRED. Unique identifier for the User, typically from the provider
-	*/
-	id?: string;
-	/**
-	* REQUIRED. A unique identifier for a SCIM resource as defined by the service provider
-	*/
-	externalId?: string;
+type StoredUser<TExtended = {}> = User & {
 	/**
-	* Resource metadata
+	* Required unique identifier (the `sub` claim from the IdP).
+	* This is the primary key for user storage.
 	*/
-	meta?: {
-		resourceType?: string;
-		created?: string;
-		lastModified?: string;
-		location?: string;
-		version?: string;
-	};
+	id: string;
 	/**
-	* REQUIRED. Unique identifier for the User, typically used for login
+	* Timestamp when the user was first stored.
 	*/
-	userName: string;
+	createdAt: Date;
 	/**
-	* The components of the user's name
+	* Timestamp when the user was last updated (e.g., on re-login).
 	*/
-	name?: Name;
-	/**
-	* The name of the User, suitable for display to end-users
-	*/
-	displayName?: string;
-	/**
-	* The casual way to address the user
-	*/
-	nickName?: string;
+	updatedAt: Date;
+} & TExtended;
+/**
+* Abstract interface for user storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups)
+* - Database (PostgreSQL, MySQL, etc.)
+*
+* @template TExtended - Type-safe custom data that consumers can add to users
+*
+* @example
+* ```typescript
+* // Custom user data
+* type MyUserData = {
+*   department: string;
+*   roles: string[];
+* };
+*
+* // Implement custom store
+* class RedisUserStore implements UserStore<MyUserData> {
+*   async get(sub: string): Promise<StoredUser<MyUserData> | null> {
+*     const data = await redis.get(`user:${sub}`);
+*     return data ? JSON.parse(data) : null;
+*   }
+*   // ... other methods
+* }
+* ```
+*/
+interface UserStore<TExtended = {}> {
 	/**
-	* A fully qualified URL pointing to a page representing the User's online profile
+	* Retrieve a user by their subject identifier (sub).
+	*
+	* @param sub - The user's unique identifier from the IdP
+	* @returns The user if found, null otherwise
 	*/
-	profileUrl?: string;
+	get(sub: string): Promise<StoredUser<TExtended> | null>;
 	/**
-	* The user's title, such as "Vice President"
+	* Retrieve a user by their email address.
+	*
+	* @param email - The user's email address
+	* @returns The user if found, null otherwise
 	*/
-	title?: string;
+	getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
 	/**
-	* Used to identify the relationship between the organization and the user
+	* Retrieve a user by their username.
+	*
+	* @param userName - The user's username
+	* @returns The user if found, null otherwise
 	*/
-	userType?: string;
+	getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
 	/**
-	* Indicates the User's preferred written or spoken language
+	* Create or update a user in the store.
+	*
+	* If a user with the same `id` (sub) exists, it will be updated.
+	* Otherwise, a new user will be created.
+	*
+	* @param user - The user data to store
 	*/
-	preferredLanguage?: string;
+	upsert(user: StoredUser<TExtended>): Promise<void>;
 	/**
-	* Used to indicate the User's default location for purposes of localizing items such as currency
+	* Delete a user by their subject identifier (sub).
+	*
+	* @param sub - The user's unique identifier to delete
 	*/
-	locale?: string;
+	delete(sub: string): Promise<void>;
+}
+/**
+* In-memory user store implementation using Maps.
+*
+* Suitable for:
+* - Development and testing
+* - Single-server deployments
+* - Applications without high availability requirements
+*
+* NOT suitable for:
+* - Multi-server deployments (users not shared)
+* - High availability scenarios (users lost on restart)
+* - Production applications with distributed architecture
+*
+* For production, implement UserStore with Redis or a database.
+*
+* @template TExtended - Type-safe custom data that consumers can add to users
+*/
+declare class InMemoryUserStore<TExtended = {}> implements UserStore<TExtended> {
+	/** Primary storage: sub -> user */
+	private users;
+	/** Secondary index: email -> sub */
+	private emailIndex;
+	/** Secondary index: userName -> sub */
+	private userNameIndex;
+	get(sub: string): Promise<StoredUser<TExtended> | null>;
+	getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+	getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+	upsert(user: StoredUser<TExtended>): Promise<void>;
+	delete(sub: string): Promise<void>;
+}
+import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV12 } from "@standard-schema/spec";
+/**
+* JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
+* @see https://datatracker.ietf.org/doc/html/rfc7523
+* @see https://datatracker.ietf.org/doc/html/rfc9068
+*/
+interface JWTAssertionClaims {
 	/**
-	* The User's time zone in the "Olson" time zone database format
+	* REQUIRED. Issuer - the workload identity (e.g., SPIFFE ID) or authorization server
 	*/
-	timezone?: string;
+	iss: string;
 	/**
-	* A Boolean value indicating the User's administrative status
+	* REQUIRED. Subject - the workload identity or service account
 	*/
-	active?: boolean;
+	sub: string;
 	/**
-	* The User's cleartext password
+	* OPTIONAL. Audience - may be a string or array of strings
+	* Note: Required for JWT assertions, but may be absent in OAuth2 access tokens
 	*/
-	password?: string;
+	aud?: string | string[];
 	/**
-	* Email addresses for the user
+	* REQUIRED. Expiration time (Unix timestamp)
 	*/
-	emails?: Email[];
+	exp: number;
 	/**
-	* Phone numbers for the User
+	* REQUIRED. Issued at time (Unix timestamp)
 	*/
-	phoneNumbers?: PhoneNumber[];
+	iat: number;
 	/**
-	* Instant messaging addresses for the User
+	* OPTIONAL. JWT ID - unique identifier for this token
+	* Note: Required for JWT assertions, optional for access tokens
 	*/
-	ims?: Array<{
-		value: string;
-		display?: string;
-		type?: string;
-		primary?: boolean;
-	}>;
+	jti?: string;
 	/**
-	* URLs of photos of the User
+	* OPTIONAL. Requested OAuth scopes (space-delimited)
 	*/
-	photos?: Array<{
-		value: string;
-		display?: string;
-		type?: string;
-		primary?: boolean;
-	}>;
+	scope?: string;
 	/**
-	* Physical mailing addresses for this User
+	* Allow additional claims for extensibility
 	*/
-	addresses?: Address[];
+	[key: string]: unknown;
+}
+/**
+* Creates a StandardSchemaV1 for validating JWT Assertion Claims.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for JWT Assertion Claims validation
+*/
+declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, JWTAssertionClaims>;
+/**
+* Workload Token Response from OAuth2 token endpoint
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+*/
+interface WorkloadTokenResponse {
 	/**
-	* A list of groups to which the user belongs
+	* REQUIRED. The access token issued by the authorization server.
 	*/
-	groups?: Group[];
+	access_token: string;
 	/**
-	* A list of entitlements for the User
+	* REQUIRED. The type of the token (typically "Bearer").
 	*/
-	entitlements?: Array<{
-		value: string;
-		display?: string;
-		type?: string;
-		primary?: boolean;
-	}>;
+	token_type: string;
 	/**
-	* A list of roles for the User
+	* RECOMMENDED. The lifetime in seconds of the access token.
 	*/
-	roles?: Role[];
+	expires_in?: number;
 	/**
-	* A list of certificates issued to the User
+	* OPTIONAL. The scope of the access token.
 	*/
-	x509Certificates?: X509Certificate[];
+	scope?: string;
 	/**
-	* Enterprise User Extension
+	* OPTIONAL. The refresh token (rarely used for workload identities).
 	*/
-	"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"?: EnterpriseExtension;
+	refresh_token?: string;
 	/**
-	* REQUIRED. The schemas attribute is an array of Strings which allows introspection of the supported schema version
+	* OPTIONAL. The expiration time as an ISO 8601 string.
 	*/
-	schemas?: string[];
+	expires?: string;
 }
 /**
-* Creates a StandardSchemaV1 for validating SCIM User resources.
-* @param vendor - The name of the vendor creating this schema
-* @returns A StandardSchemaV1 instance for SCIM User resources
-*/
-declare function userSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, User>;
-/**
-* Creates a StandardSchemaV1 for validating SCIM Group resources.
+* Creates a StandardSchemaV1 for validating Workload Token Responses.
 * @param vendor - The name of the vendor creating this schema
-* @returns A StandardSchemaV1 instance for SCIM Group resources
+* @returns A StandardSchemaV1 instance for Workload Token Response validation
 */
-declare function groupResourceSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, GroupResource>;
+declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, WorkloadTokenResponse>;
 /**
-* Stored group data with required id and tracking metadata.
-*
-* @template TExtended - Type-safe custom data that consumers can add to groups
+* Token Validation Result
 */
-type StoredGroup<TExtended = {}> = {
-	/**
-	* Required unique identifier for the group.
-	* This is the primary key for group storage.
-	*/
-	id: string;
-	/**
-	* Required human-readable name for the group.
-	*/
-	displayName: string;
+interface TokenValidationResult {
 	/**
-	* Optional external identifier from provisioning client.
+	* Whether the token is valid
 	*/
-	externalId?: string;
+	valid: boolean;
 	/**
-	* List of members in the group.
+	* The decoded and validated claims (if valid)
 	*/
-	members?: GroupMember[];
+	claims?: JWTAssertionClaims;
 	/**
-	* Timestamp when the group was first stored.
+	* Error message (if invalid)
 	*/
-	createdAt: Date;
+	error?: string;
 	/**
-	* Timestamp when the group was last updated.
+	* Token expiration time (if valid)
 	*/
-	updatedAt: Date;
-} & TExtended;
+	expiresAt?: Date;
+}
 /**
-* Abstract interface for group storage backends.
+* Token caching for workload identity authentication.
 *
-* Consumers can implement this interface to use different storage backends:
-* - In-memory (for development/testing)
-* - Redis (for production with fast lookups)
-* - Database (PostgreSQL, MySQL, etc.)
+* Token stores are optional but recommended for performance - they enable:
+* - Token caching to avoid repeated token acquisition
+* - Automatic token refresh before expiration
+* - Reduced load on authorization servers
 *
-* @template TExtended - Type-safe custom data that consumers can add to groups
-*/
-interface GroupStore<TExtended = {}> {
-	/**
-	* Retrieve a group by its unique identifier.
-	*
-	* @param id - The group's unique identifier
-	* @returns The group if found, null otherwise
+* ## Token Caching Strategy
+*
+* Unlike session stores for user authentication, workload token stores cache
+* short-lived access tokens (typically 5 minutes) for service-to-service calls.
+*
+* **Default Behavior:**
+* - Tokens cached with 5-minute TTL
+* - Auto-refresh 60 seconds before expiration
+* - Expired tokens automatically removed
+*
+* ## Performance Characteristics
+*
+* | Backend      | Lookup Time | Use Case                    |
+* |--------------|-------------|----------------------------|
+* | InMemory     | <0.00005ms  | Single-server deployments  |
+* | Redis        | 1-2ms       | Multi-server deployments   |
+* | Database     | 5-20ms      | Persistent token storage   |
+*
+* ## Example Usage
+*
+* ```typescript
+* import { workload, InMemoryWorkloadTokenStore } from '@enterprisestandard/react/server';
+*
+* // With token caching
+* const workloadAuth = workload({
+*   // ... other config
+*   tokenStore: new InMemoryWorkloadTokenStore(),
+*   auto_refresh: true,  // Refresh before expiry
+* });
+*
+* // Without token caching (fetch new token each time)
+* const workloadAuth = workload({
+*   // ... config without tokenStore
+* });
+* ```
+*/
+/**
+* Cached workload token data.
+*
+* @template TExtended - Type-safe custom data that consumers can add to cached tokens
+*/
+type CachedWorkloadToken<TExtended = object> = {
+	/**
+	* Workload identifier (typically SPIFFE ID).
+	* Used as the primary key for token lookup.
 	*/
-	get(id: string): Promise<StoredGroup<TExtended> | null>;
+	workload_id: string;
 	/**
-	* Retrieve a group by its external identifier.
-	*
-	* @param externalId - The external identifier from the provisioning client
-	* @returns The group if found, null otherwise
+	* OAuth2 access token (Bearer token)
 	*/
-	getByExternalId(externalId: string): Promise<StoredGroup<TExtended> | null>;
+	access_token: string;
 	/**
-	* Retrieve a group by its display name.
-	*
-	* @param displayName - The group's display name
-	* @returns The group if found, null otherwise
+	* Token type (always "Bearer" for OAuth2)
 	*/
-	getByDisplayName(displayName: string): Promise<StoredGroup<TExtended> | null>;
+	token_type: string;
 	/**
-	* List all groups in the store.
-	*
-	* @returns Array of all stored groups
+	* OAuth2 scopes granted for this token
 	*/
-	list(): Promise<StoredGroup<TExtended>[]>;
+	scope?: string;
 	/**
-	* Create or update a group in the store.
+	* Timestamp when the token expires.
+	* Used for automatic cleanup and refresh logic.
+	*/
+	expires_at: Date;
+	/**
+	* Timestamp when the token was created/cached.
+	*/
+	created_at: Date;
+	/**
+	* Optional refresh token (rarely used for workload identities)
+	*/
+	refresh_token?: string;
+} & TExtended;
+/**
+* Abstract interface for workload token storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - Redis (recommended for multi-server deployments)
+* - Database (PostgreSQL, MySQL, etc. for persistence)
+* - Distributed cache (Memcached, etc.)
+* - Custom solutions
+*
+* @template TExtended - Type-safe custom data that consumers can add to cached tokens
+*
+* @example
+* ```typescript
+* // Custom token cache data
+* type MyTokenData = {
+*   environment: string;
+*   region: string;
+* };
+*
+* // Implement custom store with Redis
+* class RedisWorkloadTokenStore implements WorkloadTokenStore<MyTokenData> {
+*   async set(token: CachedWorkloadToken<MyTokenData>): Promise<void> {
+*     const ttl = Math.floor((token.expires_at.getTime() - Date.now()) / 1000);
+*     await redis.setex(
+*       `workload:token:${token.workload_id}`,
+*       ttl,
+*       JSON.stringify(token)
+*     );
+*   }
+*
+*   async get(workload_id: string): Promise<CachedWorkloadToken<MyTokenData> | null> {
+*     const data = await redis.get(`workload:token:${workload_id}`);
+*     if (!data) return null;
+*     const token = JSON.parse(data);
+*     // Convert date strings back to Date objects
+*     token.expires_at = new Date(token.expires_at);
+*     token.created_at = new Date(token.created_at);
+*     return token;
+*   }
+*
+*   // ... other methods
+* }
+* ```
+*/
+interface WorkloadTokenStore<TExtended = object> {
+	/**
+	* Store or update a workload token in the cache.
 	*
-	* If a group with the same `id` exists, it will be updated.
-	* Otherwise, a new group will be created.
+	* @param token - The token data to cache
+	*/
+	set(token: CachedWorkloadToken<TExtended>): Promise<void>;
+	/**
+	* Retrieve a cached token by workload ID.
 	*
-	* @param group - The group data to store
+	* @param workload_id - The workload identifier (e.g., SPIFFE ID)
+	* @returns The cached token if found and not expired, null otherwise
 	*/
-	upsert(group: StoredGroup<TExtended>): Promise<void>;
+	get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
 	/**
-	* Delete a group by its unique identifier.
+	* Delete a cached token by workload ID.
 	*
-	* @param id - The group's unique identifier to delete
+	* Used when explicitly revoking tokens or clearing cache.
+	*
+	* @param workload_id - The workload identifier to remove
 	*/
-	delete(id: string): Promise<void>;
+	delete(workload_id: string): Promise<void>;
 	/**
-	* Add a member to a group.
+	* Check if a valid (non-expired) token exists for a workload.
 	*
-	* @param groupId - The group's unique identifier
-	* @param member - The member to add
+	* @param workload_id - The workload identifier to check
+	* @returns true if a valid token exists, false otherwise
 	*/
-	addMember(groupId: string, member: GroupMember): Promise<void>;
+	isValid(workload_id: string): Promise<boolean>;
 	/**
-	* Remove a member from a group.
+	* Remove all expired tokens from the cache.
 	*
-	* @param groupId - The group's unique identifier
-	* @param memberId - The member's value/id to remove
+	* Should be called periodically to prevent memory leaks.
 	*/
-	removeMember(groupId: string, memberId: string): Promise<void>;
+	cleanup(): Promise<void>;
 }
 /**
-* In-memory group store implementation using Maps.
+* In-memory workload token store implementation using Maps.
 *
 * Suitable for:
 * - Development and testing
@@ -526,790 +834,898 @@ interface GroupStore<TExtended = {}> {
 * - Applications without high availability requirements
 *
 * NOT suitable for:
-* - Multi-server deployments (groups not shared)
-* - High availability scenarios (groups lost on restart)
+* - Multi-server deployments (tokens not shared across instances)
+* - High availability scenarios (tokens lost on restart)
 * - Production applications with distributed architecture
 *
-* For production, implement GroupStore with Redis or a database.
+* For production multi-server deployments, implement WorkloadTokenStore with Redis.
 *
-* @template TExtended - Type-safe custom data that consumers can add to groups
+* @template TExtended - Type-safe custom data that consumers can add to cached tokens
 */
-declare class InMemoryGroupStore<TExtended = {}> implements GroupStore<TExtended> {
-	/** Primary storage: id -> group */
-	private groups;
-	/** Secondary index: externalId -> id */
-	private externalIdIndex;
-	/** Secondary index: displayName (lowercase) -> id */
-	private displayNameIndex;
-	get(id: string): Promise<StoredGroup<TExtended> | null>;
-	getByExternalId(externalId: string): Promise<StoredGroup<TExtended> | null>;
-	getByDisplayName(displayName: string): Promise<StoredGroup<TExtended> | null>;
-	list(): Promise<StoredGroup<TExtended>[]>;
-	upsert(group: StoredGroup<TExtended>): Promise<void>;
-	delete(id: string): Promise<void>;
-	addMember(groupId: string, member: GroupMember): Promise<void>;
-	removeMember(groupId: string, memberId: string): Promise<void>;
+declare class InMemoryWorkloadTokenStore<TExtended = object> implements WorkloadTokenStore<TExtended> {
+	private tokens;
+	set(token: CachedWorkloadToken<TExtended>): Promise<void>;
+	get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
+	delete(workload_id: string): Promise<void>;
+	isValid(workload_id: string): Promise<boolean>;
+	cleanup(): Promise<void>;
 }
 /**
-* Base user with simple, developer-friendly attributes.
-* Extended by User (SSO) and EnterpriseUser (SCIM).
+* Common fields shared across all workload authentication modes
 */
-interface BaseUser {
+type WorkloadConfigBase = {
 	/**
-	* Unique identifier for the user
+	* OAuth2 token endpoint URL
+	* REQUIRED for client role (token acquisition)
 	*/
-	id?: string;
+	tokenUrl?: string;
 	/**
-	* REQUIRED. Unique identifier for login
+	* JWKS endpoint URL for public key retrieval
+	* REQUIRED for server role (token validation)
 	*/
-	userName: string;
+	jwksUri?: string;
 	/**
-	* REQUIRED. Simple display name
+	* Expected token issuer URL for validation
+	* RECOMMENDED for server role (token validation)
 	*/
-	name: string;
+	issuer?: string;
 	/**
-	* REQUIRED. Primary email address
+	* Target audience for tokens
 	*/
-	email: string;
+	audience?: string;
 	/**
-	* URL to user's avatar/profile picture
+	* Default OAuth2 scopes (space-delimited)
 	*/
-	avatarUrl?: string;
-}
-import { StandardSchemaV1 as StandardSchemaV12 } from "@standard-schema/spec";
-/**
-* OIDC Code Flow Callback URL Parameters
-* @see https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
-*/
-interface OidcCallbackParams {
+	scope?: string;
 	/**
-	* REQUIRED. The authorization code returned from the authorization server.
+	* JWT assertion/token lifetime in seconds
+	* @default 300 (5 minutes)
 	*/
-	code: string;
+	tokenLifetime?: number;
 	/**
-	* REQUIRED if the "state" parameter was present in the client authorization request.
-	* The exact value received from the client.
+	* Refresh threshold in seconds (refresh token this many seconds before expiry)
+	* @default 60
 	*/
-	state?: string;
+	refreshThreshold?: number;
 	/**
-	* RECOMMENDED. The session state value. Clients should use this to verify the session state.
+	* Optional token store for caching access tokens
 	*/
-	session_state?: string;
+	tokenStore?: WorkloadTokenStore;
 	/**
-	* OAuth 2.0 error code if the authorization request failed.
+	* Automatically refresh tokens before expiration
+	* @default true
 	*/
-	error?: string;
+	autoRefresh?: boolean;
 	/**
-	* Human-readable ASCII text providing additional information for the error.
+	* Optional RFC 7009 token revocation endpoint
 	*/
-	error_description?: string;
+	revocationEndpoint?: string;
 	/**
-	* A URI identifying a human-readable web page with information about the error.
+	* Optional handler defaults (merged with per-call overrides in `handler`)
 	*/
-	error_uri?: string;
+	validateUrl?: string;
+	jwksUrl?: string;
+	refreshUrl?: string;
+	validators?: WorkloadValidators;
+};
+type WorkloadValidators = {
+	jwtAssertionClaims: StandardSchemaV13<unknown, JWTAssertionClaims>;
+	tokenResponse: StandardSchemaV13<unknown, WorkloadTokenResponse>;
+};
+/**
+* JWT Bearer Grant (RFC 7523) Configuration
+*
+* Used for SPIFFE-style workload identities where services have their own
+* cryptographic identity and sign their own JWT assertions.
+*
+* @example
+* ```json
+* {
+*   "token_url": "https://auth.example.com/oauth/token",
+*   "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+*   "workload_id": "spiffe://trust-domain/ns/service",
+*   "audience": "https://auth.example.com/oauth/token",
+*   "private_key": "-----BEGIN PRIVATE KEY-----...",
+*   "algorithm": "RS256"
+* }
+* ```
+*/
+type JwtBearerWorkloadConfig = WorkloadConfigBase & {
 	/**
-	* The "iss" (issuer) parameter identifies the principal that issued the response.
-	* This is typically used in the implicit flow.
+	* Workload identifier (e.g., SPIFFE ID: spiffe://trust-domain/namespace/service)
+	* REQUIRED for JWT Bearer Grant mode
 	*/
-	iss?: string;
-}
+	workloadId: string;
+	/**
+	* PEM-encoded private key for signing JWT assertions
+	* REQUIRED for client role in JWT Bearer Grant mode
+	*/
+	privateKey: string;
+	/**
+	* Key ID (kid) to include in JWT header for key rotation support
+	*/
+	keyId?: string;
+	/**
+	* JWT signing algorithm
+	* @default 'RS256'
+	*/
+	algorithm?: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512";
+};
 /**
-* Creates a StandardSchemaV1 for validating OIDC callback URL parameters.
-* @param vendor - The name of the vendor creating this schema
-* @returns A StandardSchemaV1 instance for OIDC callback parameters
+* OAuth2 Client Credentials Configuration
+*
+* Standard OAuth2 Client Credentials Grant (RFC 6749 Section 4.4).
+* Used with identity providers like Keycloak for service-to-service authentication.
+*
+* @example
+* ```json
+* {
+*   "token_url": "https://sso.example.com/realms/myrealm/protocol/openid-connect/token",
+*   "jwks_uri": "https://sso.example.com/realms/myrealm/protocol/openid-connect/certs",
+*   "client_id": "my-service",
+*   "client_secret": "secret-from-idp",
+*   "issuer": "https://sso.example.com/realms/myrealm",
+*   "scope": "api:read api:write"
+* }
+* ```
 */
-declare function oidcCallbackSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, OidcCallbackParams>;
+type ClientCredentialsWorkloadConfig = WorkloadConfigBase & {
+	/**
+	* OAuth2 client identifier registered with the authorization server
+	* REQUIRED for Client Credentials mode
+	*/
+	clientId: string;
+	/**
+	* OAuth2 client secret
+	* REQUIRED for Client Credentials mode
+	*/
+	clientSecret: string;
+};
 /**
-* Token Response from IdP
+* Server-Only Workload Configuration
+*
+* Used when a service only needs to validate incoming workload tokens,
+* not acquire tokens for outbound calls. Requires only jwks_uri for
+* public key retrieval.
+*
+* Note: jwksUri and issuer are optional in TypeScript (since they come from vault)
+* but are required at runtime and validated by standardSchema validators.
+*
+* @example
+* ```json
+* {
+*   "jwks_uri": "https://sso.example.com/realms/myrealm/protocol/openid-connect/certs",
+*   "issuer": "https://sso.example.com/realms/myrealm"
+* }
+* ```
 */
-interface TokenResponse {
-	access_token: string;
-	id_token: string;
-	refresh_token?: string;
-	token_type: string;
-	expires_in?: number;
+type ServerOnlyWorkloadConfig = WorkloadConfigBase & {
+	/**
+	* JWKS endpoint URL for public key retrieval
+	* REQUIRED at runtime (validated by standardSchema), optional in TypeScript (comes from vault)
+	*/
+	jwksUri?: string;
+};
+/**
+* Workload Identity Authentication Configuration
+*
+* Union type supporting multiple authentication modes. The mode is automatically
+* detected based on which fields are present:
+*
+* - **JWT Bearer Grant**: Requires `workload_id` + `private_key`
+* - **Client Credentials**: Requires `client_id` + `client_secret`
+* - **Server-Only**: Only `jwks_uri` (and optionally `issuer`) for token validation
+*
+* The developer uses the same API regardless of mode - the library handles the details.
+*/
+type WorkloadConfig = JwtBearerWorkloadConfig | ClientCredentialsWorkloadConfig | ServerOnlyWorkloadConfig;
+/**
+* Workload Identity extracted from validated tokens
+*/
+type WorkloadIdentity = {
+	/**
+	* Workload identifier (for JWT Bearer Grant tokens)
+	*/
+	workloadId?: string;
+	/**
+	* Client identifier (for OAuth2 Client Credentials tokens)
+	*/
+	clientId?: string;
+	/**
+	* Granted scopes
+	*/
 	scope?: string;
-	refresh_expires_in?: number;
-	session_state?: string;
-	expires?: string;
-}
+	/**
+	* Full JWT claims from the token
+	*/
+	claims: JWTAssertionClaims;
+};
 /**
-* Creates a StandardSchemaV1 for validating OIDC Token Responses.
-* @param vendor - The name of the vendor creating this schema
-* @returns A StandardSchemaV1 instance for Token Response validation
+* Workload Identity Authentication Interface
 */
-declare function tokenResponseSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, TokenResponse>;
+type Workload = {
+	config: WorkloadConfig;
+	getToken: (scope?: string) => Promise<string>;
+	refreshToken: (scope?: string) => Promise<WorkloadTokenResponse>;
+	generateJWTAssertion: (scope?: string) => Promise<string>;
+	revokeToken: (token: string) => Promise<void>;
+	validateToken: (token: string) => Promise<TokenValidationResult>;
+	getWorkloadIdentity: (request: Request) => Promise<WorkloadIdentity | undefined>;
+	parseJWT: (token: string) => Promise<JWTAssertionClaims>;
+	handler: (request: Request) => Promise<Response>;
+};
+declare function workload(validators: WorkloadValidators, fromVault?: Partial<WorkloadConfig>, fromCode?: Partial<WorkloadConfig>): Workload | undefined;
+type CIAMConfig<
+	TMagicLinkData = {},
+	TUserData = {}
+> = {
+	/**
+	* Magic link store for storing magic link tokens
+	*/
+	magicLinkStore?: MagicLinkStore<TMagicLinkData>;
+	/**
+	* Default TTL for magic links in seconds
+	* @default 3600 (1 hour)
+	*/
+	magicLinkTtl?: number;
+	/**
+	* URL path for generating magic links (POST endpoint)
+	*/
+	magicLinkUrl?: string;
+	/**
+	* URL path for validating magic links (GET endpoint)
+	*/
+	magicLinkLoginUrl?: string;
+	/**
+	* Landing URL after successful magic link authentication
+	*/
+	landingUrl?: string;
+	/**
+	* Error URL for failed magic link authentication
+	*/
+	errorUrl?: string;
+	/**
+	* Cookie prefix for CIAM cookies
+	* @default 'es.ciam'
+	*/
+	cookiesPrefix?: string;
+	/**
+	* Cookie path
+	* @default '/'
+	*/
+	cookiesPath?: string;
+	/**
+	* Secure cookies (HTTPS only)
+	* @default true
+	*/
+	cookiesSecure?: boolean;
+	/**
+	* SameSite cookie attribute
+	* @default 'Strict'
+	*/
+	cookiesSameSite?: "Strict" | "Lax";
+	/**
+	* Optional identifier for CIAM cookies (used in prefix).
+	* When set, cookiesPrefix defaults to `es.ciam.${ciamId}`.
+	*/
+	ciamId?: string;
+	/**
+	* Signing key for CIAM JWT tokens.
+	*
+	* Generate using one of these methods:
+	* - OpenSSL: openssl rand -base64 64
+	* - Node.js: node -e "console.log(require('crypto').randomBytes(64).toString('base64'))"
+	* - Python: python3 -c "import secrets; print(secrets.token_urlsafe(64))"
+	*
+	* Store in Vault under ciam.signingKey or provide in code config.
+	* REQUIRED - will throw error during initialization if missing.
+	*/
+	signingKey?: string;
+	/**
+	* Server-side session store for CIAM sessions (required for backchannel logout).
+	*/
+	sessionStore?: SessionStore;
+	/**
+	* Session validation strategy.
+	* @default 'always'
+	*/
+	sessionValidation?: "always" | "refresh-only" | "disabled";
+	/**
+	* Logout URL (GET endpoint)
+	*/
+	logoutUrl?: string;
+	/**
+	* Back-channel logout URL (POST endpoint)
+	*/
+	logoutBackChannelUrl?: string;
+	/**
+	* Optional user store for persisting user profiles from magic link authentication.
+	* When configured, users are automatically stored/updated on each login.
+	*/
+	userStore?: UserStore<TUserData>;
+	/**
+	* Enable Just-In-Time (JIT) user provisioning.
+	* When enabled, new users are automatically created in the userStore on their first login.
+	* When disabled (default), only existing users in the userStore are updated on login.
+	* Requires userStore to be configured.
+	* @default false
+	*/
+	enableJitUserProvisioning?: boolean;
+	/**
+	* Session expiration time in seconds (for cookies)
+	* @default 86400 (24 hours)
+	*/
+	sessionTtl?: number;
+};
+type CIAM<
+	TMagicLinkData = {},
+	TUserData = {}
+> = {
+	config: CIAMConfig<TMagicLinkData, TUserData>;
+	getUser: (request: Request) => Promise<User | undefined>;
+	getRequiredUser: (request: Request) => Promise<User>;
+	logout: (request: Request) => Promise<Response>;
+	logoutBackChannel: (request: Request) => Promise<Response>;
+	handler: (request: Request) => Promise<Response>;
+};
+declare function ciam<
+	TMagicLinkData = {},
+	TUserData = {}
+>(fromVault?: Partial<CIAMConfig<TMagicLinkData, TUserData>>, fromCode?: Partial<CIAMConfig<TMagicLinkData, TUserData>>, workload?: {
+	getWorkloadIdentity: (request: Request) => Promise<WorkloadIdentity | undefined>;
+}): CIAM<TMagicLinkData, TUserData> | undefined;
+import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV14 } from "@standard-schema/spec";
 /**
-* ID Token Claims
+* SCIM 2.0 User Resource
+* @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.1
 */
-interface IdTokenClaims {
-	iss?: string;
-	aud?: string;
-	exp?: number;
-	iat?: number;
-	sub?: string;
-	sid?: string;
-	name?: string;
-	email?: string;
-	preferred_username?: string;
-	picture?: string;
-	[key: string]: unknown;
-}
 /**
-* Creates a StandardSchemaV1 for validating ID Token Claims.
-* @param vendor - The name of the vendor creating this schema
-* @returns A StandardSchemaV1 instance for ID Token Claims validation
+* SCIM Name sub-attribute
 */
-declare function idTokenClaimsSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, IdTokenClaims>;
+interface Name {
+	/**
+	* The full name, including all middle names, titles, and suffixes as appropriate
+	*/
+	formatted?: string;
+	/**
+	* The family name of the User, or last name
+	*/
+	familyName?: string;
+	/**
+	* The given name of the User, or first name
+	*/
+	givenName?: string;
+	/**
+	* The middle name(s) of the User
+	*/
+	middleName?: string;
+	/**
+	* The honorific prefix(es) of the User, or title
+	*/
+	honorificPrefix?: string;
+	/**
+	* The honorific suffix(es) of the User, or suffix
+	*/
+	honorificSuffix?: string;
+}
 /**
-* Primary user type for SSO/OIDC applications.
-* Extends BaseUser with SSO-specific data.
+* SCIM Email sub-attribute
 */
-interface User2 extends BaseUser {
+interface Email {
+	/**
+	* The email address value
+	*/
+	value: string;
+	/**
+	* A human-readable name, primarily used for display purposes
+	*/
+	display?: string;
+	/**
+	* A label indicating the attribute's function (e.g., "work" or "home")
+	*/
+	type?: string;
 	/**
-	* SSO/OIDC authentication data
+	* A Boolean value indicating the 'primary' or preferred attribute value
 	*/
-	sso: {
-		/**
-		* ID Token claims from the identity provider
-		*/
-		profile: IdTokenClaims;
-		/**
-		* Tenant/organization information
-		*/
-		tenant: {
-			id: string;
-			name: string;
-		};
-		/**
-		* OAuth scopes granted
-		*/
-		scope?: string;
-		/**
-		* Token type (typically "Bearer")
-		*/
-		tokenType: string;
-		/**
-		* Session state from the identity provider
-		*/
-		sessionState?: string;
-		/**
-		* Token expiration time
-		*/
-		expires: Date;
-	};
+	primary?: boolean;
 }
 /**
-* Stored user data with required id and tracking metadata.
-*
-* Extends the SSO User type with:
-* - Required `id` (the `sub` claim from the IdP)
-* - Timestamps for tracking when users were first seen and last updated
-* - Optional custom extended data
-*
-* @template TExtended - Type-safe custom data that consumers can add to users
+* SCIM Phone Number sub-attribute
 */
-type StoredUser<TExtended = {}> = User2 & {
+interface PhoneNumber {
 	/**
-	* Required unique identifier (the `sub` claim from the IdP).
-	* This is the primary key for user storage.
+	* The phone number value
 	*/
-	id: string;
+	value: string;
 	/**
-	* Timestamp when the user was first stored.
+	* A human-readable name, primarily used for display purposes
 	*/
-	createdAt: Date;
+	display?: string;
 	/**
-	* Timestamp when the user was last updated (e.g., on re-login).
+	* A label indicating the attribute's function (e.g., "work", "home", "mobile")
 	*/
-	updatedAt: Date;
-} & TExtended;
+	type?: string;
+	/**
+	* A Boolean value indicating the 'primary' or preferred attribute value
+	*/
+	primary?: boolean;
+}
 /**
-* Abstract interface for user storage backends.
-*
-* Consumers can implement this interface to use different storage backends:
-* - In-memory (for development/testing)
-* - Redis (for production with fast lookups)
-* - Database (PostgreSQL, MySQL, etc.)
-*
-* @template TExtended - Type-safe custom data that consumers can add to users
-*
-* @example
-* ```typescript
-* // Custom user data
-* type MyUserData = {
-*   department: string;
-*   roles: string[];
-* };
-*
-* // Implement custom store
-* class RedisUserStore implements UserStore<MyUserData> {
-*   async get(sub: string): Promise<StoredUser<MyUserData> | null> {
-*     const data = await redis.get(`user:${sub}`);
-*     return data ? JSON.parse(data) : null;
-*   }
-*   // ... other methods
-* }
-* ```
+* SCIM Address sub-attribute
 */
-interface UserStore<TExtended = {}> {
+interface Address {
 	/**
-	* Retrieve a user by their subject identifier (sub).
-	*
-	* @param sub - The user's unique identifier from the IdP
-	* @returns The user if found, null otherwise
+	* The full mailing address, formatted for display
 	*/
-	get(sub: string): Promise<StoredUser<TExtended> | null>;
+	formatted?: string;
 	/**
-	* Retrieve a user by their email address.
-	*
-	* @param email - The user's email address
-	* @returns The user if found, null otherwise
+	* The full street address component
 	*/
-	getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+	streetAddress?: string;
 	/**
-	* Retrieve a user by their username.
-	*
-	* @param userName - The user's username
-	* @returns The user if found, null otherwise
+	* The city or locality component
 	*/
-	getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+	locality?: string;
 	/**
-	* Create or update a user in the store.
-	*
-	* If a user with the same `id` (sub) exists, it will be updated.
-	* Otherwise, a new user will be created.
-	*
-	* @param user - The user data to store
+	* The state or region component
 	*/
-	upsert(user: StoredUser<TExtended>): Promise<void>;
+	region?: string;
 	/**
-	* Delete a user by their subject identifier (sub).
-	*
-	* @param sub - The user's unique identifier to delete
+	* The zip code or postal code component
 	*/
-	delete(sub: string): Promise<void>;
+	postalCode?: string;
+	/**
+	* The country name component
+	*/
+	country?: string;
+	/**
+	* A label indicating the attribute's function (e.g., "work" or "home")
+	*/
+	type?: string;
+	/**
+	* A Boolean value indicating the 'primary' or preferred attribute value
+	*/
+	primary?: boolean;
 }
 /**
-* In-memory user store implementation using Maps.
-*
-* Suitable for:
-* - Development and testing
-* - Single-server deployments
-* - Applications without high availability requirements
-*
-* NOT suitable for:
-* - Multi-server deployments (users not shared)
-* - High availability scenarios (users lost on restart)
-* - Production applications with distributed architecture
-*
-* For production, implement UserStore with Redis or a database.
-*
-* @template TExtended - Type-safe custom data that consumers can add to users
+* SCIM Group reference (used within User resources)
 */
-declare class InMemoryUserStore<TExtended = {}> implements UserStore<TExtended> {
-	/** Primary storage: sub -> user */
-	private users;
-	/** Secondary index: email -> sub */
-	private emailIndex;
-	/** Secondary index: userName -> sub */
-	private userNameIndex;
-	get(sub: string): Promise<StoredUser<TExtended> | null>;
-	getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
-	getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
-	upsert(user: StoredUser<TExtended>): Promise<void>;
-	delete(sub: string): Promise<void>;
+interface Group {
+	/**
+	* The identifier of the User's group
+	*/
+	value: string;
+	/**
+	* The URI of the corresponding 'Group' resource
+	*/
+	$ref?: string;
+	/**
+	* A human-readable name, primarily used for display purposes
+	*/
+	display?: string;
+	/**
+	* A label indicating the attribute's function (e.g., "direct" or "indirect")
+	*/
+	type?: string;
 }
-import { StandardSchemaV1 as StandardSchemaV14 } from "@standard-schema/spec";
-import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
 /**
-* JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
-* @see https://datatracker.ietf.org/doc/html/rfc7523
-* @see https://datatracker.ietf.org/doc/html/rfc9068
+* SCIM Group Member reference
 */
-interface JWTAssertionClaims {
+interface GroupMember {
 	/**
-	* REQUIRED. Issuer - the workload identity (e.g., SPIFFE ID) or authorization server
+	* The identifier of the member (User or Group)
 	*/
-	iss: string;
+	value: string;
 	/**
-	* REQUIRED. Subject - the workload identity or service account
+	* The URI of the corresponding member resource
 	*/
-	sub: string;
+	$ref?: string;
 	/**
-	* OPTIONAL. Audience - may be a string or array of strings
-	* Note: Required for JWT assertions, but may be absent in OAuth2 access tokens
+	* A human-readable name of the member
 	*/
-	aud?: string | string[];
+	display?: string;
 	/**
-	* REQUIRED. Expiration time (Unix timestamp)
+	* The type of the member (e.g., "User" or "Group")
 	*/
-	exp: number;
+	type?: "User" | "Group";
+}
+/**
+* SCIM 2.0 Group Resource
+* @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.2
+*/
+interface GroupResource {
 	/**
-	* REQUIRED. Issued at time (Unix timestamp)
+	* REQUIRED. The schemas attribute
 	*/
-	iat: number;
+	schemas?: string[];
 	/**
-	* OPTIONAL. JWT ID - unique identifier for this token
-	* Note: Required for JWT assertions, optional for access tokens
+	* Unique identifier for the Group, assigned by the service provider
+	*/
+	id?: string;
+	/**
+	* External identifier from the provisioning client
+	*/
+	externalId?: string;
+	/**
+	* Resource metadata
+	*/
+	meta?: {
+		resourceType?: string;
+		created?: string;
+		lastModified?: string;
+		location?: string;
+		version?: string;
+	};
+	/**
+	* REQUIRED. A human-readable name for the Group
+	*/
+	displayName: string;
+	/**
+	* A list of members of the Group
+	*/
+	members?: GroupMember[];
+}
+/**
+* SCIM Role
+*/
+interface Role {
+	/**
+	* The value of the role
+	*/
+	value: string;
+	/**
+	* A human-readable name, primarily used for display purposes
 	*/
-	jti?: string;
+	display?: string;
 	/**
-	* OPTIONAL. Requested OAuth scopes (space-delimited)
+	* A label indicating the attribute's function
 	*/
-	scope?: string;
+	type?: string;
 	/**
-	* Allow additional claims for extensibility
+	* A Boolean value indicating the 'primary' or preferred attribute value
 	*/
-	[key: string]: unknown;
+	primary?: boolean;
 }
 /**
-* Creates a StandardSchemaV1 for validating JWT Assertion Claims.
-* @param vendor - The name of the vendor creating this schema
-* @returns A StandardSchemaV1 instance for JWT Assertion Claims validation
-*/
-declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, JWTAssertionClaims>;
-/**
-* Workload Token Response from OAuth2 token endpoint
-* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+* SCIM X509 Certificate
 */
-interface WorkloadTokenResponse {
+interface X509Certificate {
 	/**
-	* REQUIRED. The access token issued by the authorization server.
+	* The value of the X.509 certificate
 	*/
-	access_token: string;
+	value: string;
 	/**
-	* REQUIRED. The type of the token (typically "Bearer").
+	* A human-readable name, primarily used for display purposes
 	*/
-	token_type: string;
+	display?: string;
 	/**
-	* RECOMMENDED. The lifetime in seconds of the access token.
+	* A label indicating the attribute's function
 	*/
-	expires_in?: number;
+	type?: string;
 	/**
-	* OPTIONAL. The scope of the access token.
+	* A Boolean value indicating the 'primary' or preferred attribute value
 	*/
-	scope?: string;
+	primary?: boolean;
+}
+/**
+* SCIM Enterprise User Extension
+* @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.3
+*/
+interface EnterpriseExtension {
 	/**
-	* OPTIONAL. The refresh token (rarely used for workload identities).
+	* Numeric or alphanumeric identifier assigned to a person
 	*/
-	refresh_token?: string;
+	employeeNumber?: string;
 	/**
-	* OPTIONAL. The expiration time as an ISO 8601 string.
+	* Identifies the name of a cost center
 	*/
-	expires?: string;
-}
-/**
-* Creates a StandardSchemaV1 for validating Workload Token Responses.
-* @param vendor - The name of the vendor creating this schema
-* @returns A StandardSchemaV1 instance for Workload Token Response validation
-*/
-declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, WorkloadTokenResponse>;
-/**
-* Token Validation Result
-*/
-interface TokenValidationResult {
+	costCenter?: string;
 	/**
-	* Whether the token is valid
+	* Identifies the name of an organization
 	*/
-	valid: boolean;
+	organization?: string;
 	/**
-	* The decoded and validated claims (if valid)
+	* Identifies the name of a division
 	*/
-	claims?: JWTAssertionClaims;
+	division?: string;
 	/**
-	* Error message (if invalid)
+	* Identifies the name of a department
 	*/
-	error?: string;
+	department?: string;
 	/**
-	* Token expiration time (if valid)
+	* The user's manager
 	*/
-	expiresAt?: Date;
+	manager?: {
+		/**
+		* The "id" of the SCIM resource representing the User's manager
+		*/
+		value?: string;
+		/**
+		* The URI of the SCIM resource representing the User's manager
+		*/
+		$ref?: string;
+		/**
+		* The displayName of the User's manager
+		*/
+		displayName?: string;
+	};
 }
 /**
-* Token caching for workload identity authentication.
-*
-* Token stores are optional but recommended for performance - they enable:
-* - Token caching to avoid repeated token acquisition
-* - Automatic token refresh before expiration
-* - Reduced load on authorization servers
-*
-* ## Token Caching Strategy
-*
-* Unlike session stores for user authentication, workload token stores cache
-* short-lived access tokens (typically 5 minutes) for service-to-service calls.
-*
-* **Default Behavior:**
-* - Tokens cached with 5-minute TTL
-* - Auto-refresh 60 seconds before expiration
-* - Expired tokens automatically removed
-*
-* ## Performance Characteristics
-*
-* | Backend      | Lookup Time | Use Case                    |
-* |--------------|-------------|----------------------------|
-* | InMemory     | <0.00005ms  | Single-server deployments  |
-* | Redis        | 1-2ms       | Multi-server deployments   |
-* | Database     | 5-20ms      | Persistent token storage   |
-*
-* ## Example Usage
-*
-* ```typescript
-* import { workload, InMemoryWorkloadTokenStore } from '@enterprisestandard/react/server';
-*
-* // With token caching
-* const workloadAuth = workload({
-*   // ... other config
-*   tokenStore: new InMemoryWorkloadTokenStore(),
-*   auto_refresh: true,  // Refresh before expiry
-* });
-*
-* // Without token caching (fetch new token each time)
-* const workloadAuth = workload({
-*   // ... config without tokenStore
-* });
-* ```
-*/
-/**
-* Cached workload token data.
-*
-* @template TExtended - Type-safe custom data that consumers can add to cached tokens
+* SCIM User Resource
 */
-type CachedWorkloadToken<TExtended = object> = {
+interface User2 {
 	/**
-	* Workload identifier (typically SPIFFE ID).
-	* Used as the primary key for token lookup.
+	* REQUIRED. Unique identifier for the User, typically from the provider
 	*/
-	workload_id: string;
+	id?: string;
 	/**
-	* OAuth2 access token (Bearer token)
+	* REQUIRED. A unique identifier for a SCIM resource as defined by the service provider
 	*/
-	access_token: string;
+	externalId?: string;
 	/**
-	* Token type (always "Bearer" for OAuth2)
+	* Resource metadata
 	*/
-	token_type: string;
+	meta?: {
+		resourceType?: string;
+		created?: string;
+		lastModified?: string;
+		location?: string;
+		version?: string;
+	};
 	/**
-	* OAuth2 scopes granted for this token
+	* REQUIRED. Unique identifier for the User, typically used for login
 	*/
-	scope?: string;
+	userName: string;
 	/**
-	* Timestamp when the token expires.
-	* Used for automatic cleanup and refresh logic.
+	* The components of the user's name
 	*/
-	expires_at: Date;
+	name?: Name;
 	/**
-	* Timestamp when the token was created/cached.
+	* The name of the User, suitable for display to end-users
 	*/
-	created_at: Date;
+	displayName?: string;
 	/**
-	* Optional refresh token (rarely used for workload identities)
+	* The casual way to address the user
 	*/
-	refresh_token?: string;
-} & TExtended;
-/**
-* Abstract interface for workload token storage backends.
-*
-* Consumers can implement this interface to use different storage backends:
-* - Redis (recommended for multi-server deployments)
-* - Database (PostgreSQL, MySQL, etc. for persistence)
-* - Distributed cache (Memcached, etc.)
-* - Custom solutions
-*
-* @template TExtended - Type-safe custom data that consumers can add to cached tokens
-*
-* @example
-* ```typescript
-* // Custom token cache data
-* type MyTokenData = {
-*   environment: string;
-*   region: string;
-* };
-*
-* // Implement custom store with Redis
-* class RedisWorkloadTokenStore implements WorkloadTokenStore<MyTokenData> {
-*   async set(token: CachedWorkloadToken<MyTokenData>): Promise<void> {
-*     const ttl = Math.floor((token.expires_at.getTime() - Date.now()) / 1000);
-*     await redis.setex(
-*       `workload:token:${token.workload_id}`,
-*       ttl,
-*       JSON.stringify(token)
-*     );
-*   }
-*
-*   async get(workload_id: string): Promise<CachedWorkloadToken<MyTokenData> | null> {
-*     const data = await redis.get(`workload:token:${workload_id}`);
-*     if (!data) return null;
-*     const token = JSON.parse(data);
-*     // Convert date strings back to Date objects
-*     token.expires_at = new Date(token.expires_at);
-*     token.created_at = new Date(token.created_at);
-*     return token;
-*   }
-*
-*   // ... other methods
-* }
-* ```
-*/
-interface WorkloadTokenStore<TExtended = object> {
+	nickName?: string;
 	/**
-	* Store or update a workload token in the cache.
-	*
-	* @param token - The token data to cache
+	* A fully qualified URL pointing to a page representing the User's online profile
 	*/
-	set(token: CachedWorkloadToken<TExtended>): Promise<void>;
+	profileUrl?: string;
 	/**
-	* Retrieve a cached token by workload ID.
-	*
-	* @param workload_id - The workload identifier (e.g., SPIFFE ID)
-	* @returns The cached token if found and not expired, null otherwise
+	* The user's title, such as "Vice President"
 	*/
-	get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
+	title?: string;
 	/**
-	* Delete a cached token by workload ID.
-	*
-	* Used when explicitly revoking tokens or clearing cache.
-	*
-	* @param workload_id - The workload identifier to remove
+	* Used to identify the relationship between the organization and the user
 	*/
-	delete(workload_id: string): Promise<void>;
+	userType?: string;
 	/**
-	* Check if a valid (non-expired) token exists for a workload.
-	*
-	* @param workload_id - The workload identifier to check
-	* @returns true if a valid token exists, false otherwise
+	* Indicates the User's preferred written or spoken language
+	*/
+	preferredLanguage?: string;
+	/**
+	* Used to indicate the User's default location for purposes of localizing items such as currency
+	*/
+	locale?: string;
+	/**
+	* The User's time zone in the "Olson" time zone database format
 	*/
-	isValid(workload_id: string): Promise<boolean>;
+	timezone?: string;
 	/**
-	* Remove all expired tokens from the cache.
-	*
-	* Should be called periodically to prevent memory leaks.
+	* A Boolean value indicating the User's administrative status
 	*/
-	cleanup(): Promise<void>;
-}
-/**
-* In-memory workload token store implementation using Maps.
-*
-* Suitable for:
-* - Development and testing
-* - Single-server deployments
-* - Applications without high availability requirements
-*
-* NOT suitable for:
-* - Multi-server deployments (tokens not shared across instances)
-* - High availability scenarios (tokens lost on restart)
-* - Production applications with distributed architecture
-*
-* For production multi-server deployments, implement WorkloadTokenStore with Redis.
-*
-* @template TExtended - Type-safe custom data that consumers can add to cached tokens
-*/
-declare class InMemoryWorkloadTokenStore<TExtended = object> implements WorkloadTokenStore<TExtended> {
-	private tokens;
-	set(token: CachedWorkloadToken<TExtended>): Promise<void>;
-	get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
-	delete(workload_id: string): Promise<void>;
-	isValid(workload_id: string): Promise<boolean>;
-	cleanup(): Promise<void>;
-}
-/**
-* Common fields shared across all workload authentication modes
-*/
-type WorkloadConfigBase = {
+	active?: boolean;
 	/**
-	* OAuth2 token endpoint URL
-	* REQUIRED for client role (token acquisition)
+	* The User's cleartext password
 	*/
-	tokenUrl?: string;
+	password?: string;
 	/**
-	* JWKS endpoint URL for public key retrieval
-	* REQUIRED for server role (token validation)
+	* Email addresses for the user
 	*/
-	jwksUri?: string;
+	emails?: Email[];
 	/**
-	* Expected token issuer URL for validation
-	* RECOMMENDED for server role (token validation)
+	* Phone numbers for the User
 	*/
-	issuer?: string;
+	phoneNumbers?: PhoneNumber[];
 	/**
-	* Target audience for tokens
+	* Instant messaging addresses for the User
 	*/
-	audience?: string;
+	ims?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
 	/**
-	* Default OAuth2 scopes (space-delimited)
+	* URLs of photos of the User
 	*/
-	scope?: string;
+	photos?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
 	/**
-	* JWT assertion/token lifetime in seconds
-	* @default 300 (5 minutes)
+	* Physical mailing addresses for this User
 	*/
-	tokenLifetime?: number;
+	addresses?: Address[];
 	/**
-	* Refresh threshold in seconds (refresh token this many seconds before expiry)
-	* @default 60
+	* A list of groups to which the user belongs
 	*/
-	refreshThreshold?: number;
+	groups?: Group[];
 	/**
-	* Optional token store for caching access tokens
+	* A list of entitlements for the User
 	*/
-	tokenStore?: WorkloadTokenStore;
+	entitlements?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
 	/**
-	* Automatically refresh tokens before expiration
-	* @default true
+	* A list of roles for the User
 	*/
-	autoRefresh?: boolean;
+	roles?: Role[];
 	/**
-	* Optional RFC 7009 token revocation endpoint
+	* A list of certificates issued to the User
 	*/
-	revocationEndpoint?: string;
+	x509Certificates?: X509Certificate[];
 	/**
-	* Optional handler defaults (merged with per-call overrides in `handler`)
+	* Enterprise User Extension
 	*/
-	validateUrl?: string;
-	jwksUrl?: string;
-	refreshUrl?: string;
-	validators?: WorkloadValidators;
-};
-type WorkloadValidators = {
-	jwtAssertionClaims: StandardSchemaV14<unknown, JWTAssertionClaims>;
-	tokenResponse: StandardSchemaV14<unknown, WorkloadTokenResponse>;
-};
+	"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"?: EnterpriseExtension;
+	/**
+	* REQUIRED. The schemas attribute is an array of Strings which allows introspection of the supported schema version
+	*/
+	schemas?: string[];
+}
 /**
-* JWT Bearer Grant (RFC 7523) Configuration
-*
-* Used for SPIFFE-style workload identities where services have their own
-* cryptographic identity and sign their own JWT assertions.
+* Creates a StandardSchemaV1 for validating SCIM User resources.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for SCIM User resources
+*/
+declare function userSchema(vendor: string): StandardSchemaV14<Record<string, unknown>, User2>;
+/**
+* Creates a StandardSchemaV1 for validating SCIM Group resources.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for SCIM Group resources
+*/
+declare function groupResourceSchema(vendor: string): StandardSchemaV14<Record<string, unknown>, GroupResource>;
+/**
+* Stored group data with required id and tracking metadata.
 *
-* @example
-* ```json
-* {
-*   "token_url": "https://auth.example.com/oauth/token",
-*   "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
-*   "workload_id": "spiffe://trust-domain/ns/service",
-*   "audience": "https://auth.example.com/oauth/token",
-*   "private_key": "-----BEGIN PRIVATE KEY-----...",
-*   "algorithm": "RS256"
-* }
-* ```
+* @template TExtended - Type-safe custom data that consumers can add to groups
 */
-type JwtBearerWorkloadConfig = WorkloadConfigBase & {
+type StoredGroup<TExtended = {}> = {
 	/**
-	* Workload identifier (e.g., SPIFFE ID: spiffe://trust-domain/namespace/service)
-	* REQUIRED for JWT Bearer Grant mode
+	* Required unique identifier for the group.
+	* This is the primary key for group storage.
 	*/
-	workloadId: string;
+	id: string;
 	/**
-	* PEM-encoded private key for signing JWT assertions
-	* REQUIRED for client role in JWT Bearer Grant mode
+	* Required human-readable name for the group.
 	*/
-	privateKey: string;
+	displayName: string;
 	/**
-	* Key ID (kid) to include in JWT header for key rotation support
+	* Optional external identifier from provisioning client.
 	*/
-	keyId?: string;
+	externalId?: string;
 	/**
-	* JWT signing algorithm
-	* @default 'RS256'
+	* List of members in the group.
 	*/
-	algorithm?: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512";
-};
-/**
-* OAuth2 Client Credentials Configuration
-*
-* Standard OAuth2 Client Credentials Grant (RFC 6749 Section 4.4).
-* Used with identity providers like Keycloak for service-to-service authentication.
-*
-* @example
-* ```json
-* {
-*   "token_url": "https://sso.example.com/realms/myrealm/protocol/openid-connect/token",
-*   "jwks_uri": "https://sso.example.com/realms/myrealm/protocol/openid-connect/certs",
-*   "client_id": "my-service",
-*   "client_secret": "secret-from-idp",
-*   "issuer": "https://sso.example.com/realms/myrealm",
-*   "scope": "api:read api:write"
-* }
-* ```
-*/
-type ClientCredentialsWorkloadConfig = WorkloadConfigBase & {
+	members?: GroupMember[];
 	/**
-	* OAuth2 client identifier registered with the authorization server
-	* REQUIRED for Client Credentials mode
+	* Timestamp when the group was first stored.
 	*/
-	clientId: string;
+	createdAt: Date;
 	/**
-	* OAuth2 client secret
-	* REQUIRED for Client Credentials mode
+	* Timestamp when the group was last updated.
 	*/
-	clientSecret: string;
-};
-/**
-* Server-Only Workload Configuration
-*
-* Used when a service only needs to validate incoming workload tokens,
-* not acquire tokens for outbound calls. Requires only jwks_uri for
-* public key retrieval.
-*
-* @example
-* ```json
-* {
-*   "jwks_uri": "https://sso.example.com/realms/myrealm/protocol/openid-connect/certs",
-*   "issuer": "https://sso.example.com/realms/myrealm"
-* }
-* ```
-*/
-type ServerOnlyWorkloadConfig = WorkloadConfigBase & {
-	jwksUri: string;
-};
+	updatedAt: Date;
+} & TExtended;
 /**
-* Workload Identity Authentication Configuration
-*
-* Union type supporting multiple authentication modes. The mode is automatically
-* detected based on which fields are present:
+* Abstract interface for group storage backends.
 *
-* - **JWT Bearer Grant**: Requires `workload_id` + `private_key`
-* - **Client Credentials**: Requires `client_id` + `client_secret`
-* - **Server-Only**: Only `jwks_uri` (and optionally `issuer`) for token validation
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups)
+* - Database (PostgreSQL, MySQL, etc.)
 *
-* The developer uses the same API regardless of mode - the library handles the details.
-*/
-type WorkloadConfig = JwtBearerWorkloadConfig | ClientCredentialsWorkloadConfig | ServerOnlyWorkloadConfig;
-/**
-* Workload Identity extracted from validated tokens
+* @template TExtended - Type-safe custom data that consumers can add to groups
 */
-type WorkloadIdentity = {
+interface GroupStore<TExtended = {}> {
+	/**
+	* Retrieve a group by its unique identifier.
+	*
+	* @param id - The group's unique identifier
+	* @returns The group if found, null otherwise
+	*/
+	get(id: string): Promise<StoredGroup<TExtended> | null>;
+	/**
+	* Retrieve a group by its external identifier.
+	*
+	* @param externalId - The external identifier from the provisioning client
+	* @returns The group if found, null otherwise
+	*/
+	getByExternalId(externalId: string): Promise<StoredGroup<TExtended> | null>;
+	/**
+	* Retrieve a group by its display name.
+	*
+	* @param displayName - The group's display name
+	* @returns The group if found, null otherwise
+	*/
+	getByDisplayName(displayName: string): Promise<StoredGroup<TExtended> | null>;
+	/**
+	* List all groups in the store.
+	*
+	* @returns Array of all stored groups
+	*/
+	list(): Promise<StoredGroup<TExtended>[]>;
 	/**
-	* Workload identifier (for JWT Bearer Grant tokens)
+	* Create or update a group in the store.
+	*
+	* If a group with the same `id` exists, it will be updated.
+	* Otherwise, a new group will be created.
+	*
+	* @param group - The group data to store
 	*/
-	workloadId?: string;
+	upsert(group: StoredGroup<TExtended>): Promise<void>;
 	/**
-	* Client identifier (for OAuth2 Client Credentials tokens)
+	* Delete a group by its unique identifier.
+	*
+	* @param id - The group's unique identifier to delete
 	*/
-	clientId?: string;
+	delete(id: string): Promise<void>;
 	/**
-	* Granted scopes
+	* Add a member to a group.
+	*
+	* @param groupId - The group's unique identifier
+	* @param member - The member to add
 	*/
-	scope?: string;
+	addMember(groupId: string, member: GroupMember): Promise<void>;
 	/**
-	* Full JWT claims from the token
+	* Remove a member from a group.
+	*
+	* @param groupId - The group's unique identifier
+	* @param memberId - The member's value/id to remove
 	*/
-	claims: JWTAssertionClaims;
-};
+	removeMember(groupId: string, memberId: string): Promise<void>;
+}
 /**
-* Workload Identity Authentication Interface
+* In-memory group store implementation using Maps.
+*
+* Suitable for:
+* - Development and testing
+* - Single-server deployments
+* - Applications without high availability requirements
+*
+* NOT suitable for:
+* - Multi-server deployments (groups not shared)
+* - High availability scenarios (groups lost on restart)
+* - Production applications with distributed architecture
+*
+* For production, implement GroupStore with Redis or a database.
+*
+* @template TExtended - Type-safe custom data that consumers can add to groups
 */
-type Workload = {
-	config: WorkloadConfig;
-	getToken: (scope?: string) => Promise<string>;
-	refreshToken: (scope?: string) => Promise<WorkloadTokenResponse>;
-	generateJWTAssertion: (scope?: string) => Promise<string>;
-	revokeToken: (token: string) => Promise<void>;
-	validateToken: (token: string) => Promise<TokenValidationResult>;
-	getWorkloadIdentity: (request: Request) => Promise<WorkloadIdentity | undefined>;
-	parseJWT: (token: string) => Promise<JWTAssertionClaims>;
-	handler: (request: Request) => Promise<Response>;
-};
-declare function workload(validators: WorkloadValidators, fromVault?: Partial<WorkloadConfig>, fromCode?: Partial<WorkloadConfig>): Workload | undefined;
+declare class InMemoryGroupStore<TExtended = {}> implements GroupStore<TExtended> {
+	/** Primary storage: id -> group */
+	private groups;
+	/** Secondary index: externalId -> id */
+	private externalIdIndex;
+	/** Secondary index: displayName (lowercase) -> id */
+	private displayNameIndex;
+	get(id: string): Promise<StoredGroup<TExtended> | null>;
+	getByExternalId(externalId: string): Promise<StoredGroup<TExtended> | null>;
+	getByDisplayName(displayName: string): Promise<StoredGroup<TExtended> | null>;
+	list(): Promise<StoredGroup<TExtended>[]>;
+	upsert(group: StoredGroup<TExtended>): Promise<void>;
+	delete(id: string): Promise<void>;
+	addMember(groupId: string, member: GroupMember): Promise<void>;
+	removeMember(groupId: string, memberId: string): Promise<void>;
+}
 /**
 * SCIM Error response structure
 */
@@ -1382,7 +1798,7 @@ type IAMConfig = {
 	groupsUrl?: string;
 };
 type IAMValidators = {
-	user: StandardSchemaV15<unknown, User>;
+	user: StandardSchemaV15<unknown, User2>;
 	group: StandardSchemaV15<unknown, GroupResource>;
 };
 /**
@@ -1473,7 +1889,7 @@ type IAM = IAMConfig & {
 	* Create a new user/account in the external IAM provider
 	* Only available when `url` is configured.
 	*/
-	createUser?: (user: User, options?: CreateUserOptions) => Promise<ScimResult<User>>;
+	createUser?: (user: User2, options?: CreateUserOptions) => Promise<ScimResult<User2>>;
 	/**
 	* Get the configured external SCIM base URL
 	*/
@@ -1511,184 +1927,6 @@ type IAM = IAMConfig & {
 */
 declare function iam(validators: IAMValidators, workload?: Workload, fromVault?: Partial<IAMConfig>, fromCode?: Partial<IAMConfig>): IAM | undefined;
 import { StandardSchemaV1 as StandardSchemaV16 } from "@standard-schema/spec";
-/**
-* Session management for tracking user sessions and enabling backchannel logout.
-*
-* Session stores are optional - the package works with JWT cookies alone.
-* Sessions are only required for backchannel logout functionality.
-*
-* ## Session Validation Strategies
-*
-* When using a session store, you can configure when sessions are validated:
-*
-* ### 'always' (default)
-* Validates session on every authenticated request.
-* - **Security**: Maximum - immediate session revocation
-* - **Performance**: InMemory ~0.00005ms, Redis ~1-2ms per request
-* - **Backchannel Logout**: Takes effect immediately
-* - **Use when**: Security is paramount, using InMemory or Redis backend
-*
-* ### 'refresh-only'
-* Validates session only during token refresh (typically every 5-15 minutes).
-* - **Security**: Good - 5-15 minute revocation window
-* - **Performance**: 99% reduction in session lookups
-* - **Backchannel Logout**: Takes effect within token TTL (5-15 min)
-* - **Use when**: Performance is critical AND delayed revocation is acceptable
-* - **WARNING**: Compromised sessions remain valid until next refresh
-*
-* ### 'disabled'
-* Never validates sessions against the store.
-* - **Security**: None - backchannel logout doesn't work
-* - **Performance**: No overhead
-* - **Use when**: Cookie-only mode without session store
-* - **WARNING**: Do not use with sessionStore configured
-*
-* ## Performance Characteristics
-*
-* | Backend      | Lookup Time | Impact on Request | Recommendation         |
-* |--------------|-------------|-------------------|------------------------|
-* | InMemory     | <0.00005ms  | Negligible        | Use 'always'           |
-* | Redis        | 1-2ms       | 2-4% increase     | Use 'always' or test   |
-* | Database     | 5-20ms      | 10-40% increase   | Use Redis cache layer  |
-*
-* ## Example Usage
-*
-* ```typescript
-* import { sso, InMemorySessionStore } from '@enterprisestandard/react/server';
-*
-* // Maximum security (default)
-* const secure = sso({
-*   // ... other config
-*   sessionStore: new InMemorySessionStore(),
-*   session_validation: 'always', // Immediate revocation
-* });
-*
-* // High performance
-* const fast = sso({
-*   // ... other config
-*   sessionStore: new InMemorySessionStore(),
-*   session_validation: {
-*     strategy: 'refresh-only' // 5-15 min revocation delay
-*   }
-* });
-* ```
-*/
-/**
-* Core session data tracked for each authenticated user session.
-*
-* @template TExtended - Type-safe custom data that consumers can add to sessions
-*/
-type Session<TExtended = {}> = {
-	/**
-	* Session ID from the Identity Provider (from `sid` claim in ID token).
-	* This is the unique identifier for the session.
-	*/
-	sid: string;
-	/**
-	* Subject identifier (user ID) from the Identity Provider.
-	* From the `sub` claim in the ID token.
-	*/
-	sub: string;
-	/**
-	* Timestamp when the session was created.
-	*/
-	createdAt: Date;
-	/**
-	* Timestamp of the last activity in this session.
-	* Can be updated to track session activity.
-	*/
-	lastActivityAt: Date;
-	/**
-	* Allow consumers to add runtime data to sessions.
-	*/
-	[key: string]: unknown;
-} & TExtended;
-/**
-* Abstract interface for session storage backends.
-*
-* Consumers can implement this interface to use different storage backends:
-* - Redis
-* - Database (PostgreSQL, MySQL, etc.)
-* - Distributed cache
-* - Custom solutions
-*
-* @template TExtended - Type-safe custom data that consumers can add to sessions
-*
-* @example
-* ```typescript
-* // Custom session data
-* type MySessionData = {
-*   ipAddress: string;
-*   userAgent: string;
-* };
-*
-* // Implement custom store
-* class RedisSessionStore implements SessionStore<MySessionData> {
-*   async create(session: Session<MySessionData>): Promise<void> {
-*     await redis.set(`session:${session.sid}`, JSON.stringify(session));
-*   }
-*   // ... other methods
-* }
-* ```
-*/
-interface SessionStore<TExtended = {}> {
-	/**
-	* Create a new session in the store.
-	*
-	* @param session - The session data to store
-	* @throws Error if session with same sid already exists
-	*/
-	create(session: Session<TExtended>): Promise<void>;
-	/**
-	* Retrieve a session by its IdP session ID (sid).
-	*
-	* @param sid - The session.sid from the Identity Provider
-	* @returns The session if found, null otherwise
-	*/
-	get(sid: string): Promise<Session<TExtended> | null>;
-	/**
-	* Update an existing session with partial data.
-	*
-	* Commonly used to update lastActivityAt or add custom fields.
-	*
-	* @param sid - The session.sid to update
-	* @param data - Partial session data to merge
-	* @throws Error if session not found
-	*/
-	update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
-	/**
-	* Delete a session by its IdP session ID (sid).
-	*
-	* Used for both normal logout and backchannel logout flows.
-	*
-	* @param sid - The session.sid to delete
-	*/
-	delete(sid: string): Promise<void>;
-}
-/**
-* In-memory session store implementation using Maps.
-*
-* Suitable for:
-* - Development and testing
-* - Single-server deployments
-* - Applications without high availability requirements
-*
-* NOT suitable for:
-* - Multi-server deployments (sessions not shared)
-* - High availability scenarios (sessions lost on restart)
-* - Production applications with distributed architecture
-*
-* For production, implement SessionStore with Redis or a database.
-*
-* @template TExtended - Type-safe custom data that consumers can add to sessions
-*/
-declare class InMemorySessionStore<TExtended = {}> implements SessionStore<TExtended> {
-	private sessions;
-	create(session: Session<TExtended>): Promise<void>;
-	get(sid: string): Promise<Session<TExtended> | null>;
-	update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
-	delete(sid: string): Promise<void>;
-}
 type SSOConfig<
 	TSessionData = {},
 	TUserData = {}
@@ -1750,11 +1988,12 @@ type SSO<
 	TUserData = {}
 > = {
 	config: SSOConfig<TSessionData, TUserData>;
-	getUser: (request: Request) => Promise<User2 | undefined>;
-	getRequiredUser: (request: Request) => Promise<User2>;
+	getUser: (request: Request) => Promise<User | undefined>;
+	getRequiredUser: (request: Request) => Promise<User>;
 	getJwt: (request: Request) => Promise<string | undefined>;
 	initiateLogin: (config: LoginConfig, requestUrl?: string) => Promise<Response>;
 	logout: (request: Request, config?: LoginConfig) => Promise<Response>;
+	logoutBackChannel: (request: Request) => Promise<Response>;
 	callbackHandler: (request: Request) => Promise<Response>;
 	handler: (request: Request) => Promise<Response>;
 };
@@ -1852,7 +2091,7 @@ type TenantValidators = {
 /**
 * Configuration for tenant management
 */
-type TenantConfig = {};
+type TenantConfig = Record<string, never>;
 /**
 * Tenant service interface
 */
@@ -1950,7 +2189,7 @@ type StoredTenant<TExtended = {}> = {
 	* Serialized Enterprise Standard configuration.
 	* This is a JSON-serializable version of the ESConfig with non-serializable items excluded.
 	*/
-	config?: any;
+	config?: unknown;
 } & TExtended;
 /**
 * Abstract interface for tenant storage backends.
@@ -2068,12 +2307,15 @@ type DevConfig = {
 type VaultConfig = LfvConfig | AzureConfig | AwsConfig | GcpConfig | OpenBaoConfig | DevConfig;
 declare function vault(config?: VaultConfig): Vault;
 /**
-* Helper gets the user from the Request using the supplied EnterpriseStandard or the default instance
+* Helper gets the user from the Request using the supplied EnterpriseStandard or the default instance.
+* Checks SSO first, then CIAM if SSO returns undefined.
 */
-declare function getUser2(request: Request, es?: EnterpriseStandard): Promise<User2 | undefined>;
-declare function getRequiredUser2(request: Request, es?: EnterpriseStandard): Promise<User2>;
+declare function getUser2(request: Request, es?: EnterpriseStandard): Promise<User | undefined>;
+declare function getRequiredUser2(request: Request, es?: EnterpriseStandard): Promise<User>;
 declare function initiateLogin2(config: LoginConfig, es?: EnterpriseStandard): Promise<Response>;
 declare function callback(request: Request, es?: EnterpriseStandard): Promise<Response>;
+declare function logout(request: Request, es?: EnterpriseStandard): Promise<Response>;
+declare function logoutBackChannel2(request: Request, es?: EnterpriseStandard): Promise<Response>;
 import { StandardSchemaV1 as StandardSchemaV18 } from "@standard-schema/spec";
 /**
 * Parse and validate a tenant creation request.
@@ -2264,7 +2506,7 @@ declare function getDefaultInstance(): EnterpriseStandard | undefined;
 * @param message - The message to include in the response.
 * @returns A 400 Response with the issues if it does, otherwise null.
 */
-declare function validationFailureResponse(issues: any, message: string): Response;
+declare function validationFailureResponse(issues: unknown, message: string): Response;
 /**
 * Serializes an ESConfig or EnterpriseStandard instance to a JSON-serializable format
 * by removing non-serializable properties like stores, validators, and functions.
@@ -2275,7 +2517,7 @@ declare function validationFailureResponse(issues: any, message: string): Respon
 * @param configOrES - The ESConfig object or EnterpriseStandard instance to serialize
 * @returns A JSON-serializable version of the config
 */
-declare function serializeESConfig(configOrES: any): any;
+declare function serializeESConfig(configOrES: unknown): unknown;
 /**
 * Get the workload identity from an incoming request.
 * Returns undefined if no valid workload token is present.
@@ -2406,9 +2648,10 @@ type EnterpriseStandard = {
 	iam?: IAM;
 	workload?: Workload;
 	tenants?: Tenant;
+	ciam?: CIAM;
 	/**
 	* Framework-agnostic request handler that routes requests to the appropriate
-	* standard handler (SSO, IAM, or Workload) based on the configured URLs.
+	* standard handler (SSO, IAM, Workload, or CIAM) based on the configured URLs.
 	*/
 	handler: (request: Request) => Promise<Response>;
 };
@@ -2419,6 +2662,7 @@ type ESConfig = {
 	iam?: IAMConfig;
 	workload?: WorkloadConfig;
 	tenant?: TenantConfig;
+	ciam?: CIAMConfig;
 	validators?: ESValidators;
 };
 type ESValidators = {
@@ -2428,4 +2672,4 @@ type ESValidators = {
 	tenant: TenantValidators;
 };
 declare function enterpriseStandard(appId: string, initConfig?: ESConfig): Promise<EnterpriseStandard>;
-export { workloadTokenResponseSchema, workloadHandler, workload, vault, validationFailureResponse, validateWorkloadToken, userSchema, tokenResponseSchema, tenant as tenantManagement, sso, serializeESConfig, sendTenantWebhook2 as sendTenantWebhook, revokeWorkloadToken, parseTenantRequest2 as parseTenantRequest, oidcCallbackSchema, jwtAssertionClaimsSchema, initiateLogin2 as initiateLogin, idTokenClaimsSchema, iam, groupResourceSchema, getWorkloadToken, getWorkload, getUser2 as getUser, getRequiredUser2 as getRequiredUser, getDefaultInstance, enterpriseStandard, callback, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIdentity, WorkloadConfig, Workload, Vault, UsersInboundHandlerConfig, UserStore, User2 as User, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantStore, TenantStatus, TenantRequestError, TenantConfig, Tenant, StoredUser, StoredTenant, StoredGroup, SessionStore, ServerOnlyWorkloadConfig, User as ScimUser, ScimResult, ScimListResponse, ScimError, SSOValidators, SSOHandlerConfig, SSOConfig, SSO, Role, PhoneNumber, OidcCallbackParams, Name, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryWorkloadTokenStore, InMemoryUserStore, InMemoryTenantStore, InMemorySessionStore, InMemoryGroupStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMConfig, IAM, GroupsInboundHandlerConfig, GroupStore, GroupResource, GroupMember, Group, EnvironmentType, EnterpriseUser, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ClientCredentialsWorkloadConfig, CachedWorkloadToken, BaseUser, Address };
+export { workloadTokenResponseSchema, workloadHandler, workload, vault, validationFailureResponse, validateWorkloadToken, userSchema, tokenResponseSchema, tenant as tenantManagement, sso, serializeESConfig, sendTenantWebhook2 as sendTenantWebhook, revokeWorkloadToken, parseTenantRequest2 as parseTenantRequest, oidcCallbackSchema, logoutBackChannel2 as logoutBackChannel, logout, jwtAssertionClaimsSchema, initiateLogin2 as initiateLogin, idTokenClaimsSchema, iam, groupResourceSchema, getWorkloadToken, getWorkload, getUser2 as getUser, getRequiredUser2 as getRequiredUser, getDefaultInstance, enterpriseStandard, ciam, callback, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIdentity, WorkloadConfig, Workload, Vault, UsersInboundHandlerConfig, UserStore, User, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantStore, TenantStatus, TenantRequestError, TenantConfig, Tenant, StoredUser, StoredTenant, StoredGroup, SessionStore, ServerOnlyWorkloadConfig, User2 as ScimUser, ScimResult, ScimListResponse, ScimError, SSOValidators, SSOHandlerConfig, SSOConfig, SSO, Role, PhoneNumber, OidcCallbackParams, Name, MagicLinkStore, MagicLink, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryWorkloadTokenStore, InMemoryUserStore, InMemoryTenantStore, InMemorySessionStore, InMemoryMagicLinkStore, InMemoryGroupStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMConfig, IAM, GroupsInboundHandlerConfig, GroupStore, GroupResource, GroupMember, Group, EnvironmentType, EnterpriseUser, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ClientCredentialsWorkloadConfig, CachedWorkloadToken, CIAMConfig, CIAM, BaseUser, Address };